Managing vulnerabilities is a significant challenge for many organizations. The difficulty manifests in two key areas.
The first is that the list isn’t static. New vulnerabilities are discovered almost daily, adding to our list (assuming we are scanning regularly). In what are considered relatively small environments, the list of vulnerabilities can run into the thousands; for enterprises it can seem like a tsunami of vulnerabilities.
The other key area of concern is which vulnerabilities need to be addressed first.
Many organizations sort their list by severity, starting with high severity and working down through the medium, low and finally the informational vulnerabilities. Others will use CVSS score or PCI severity. For smaller environments with a few tens or hundreds of systems it may be possible to get to the bottom of the list. For many, however, the task of completing the high severities alone can seem insurmountable (and often is).
The primary objective should be to discover which of those vulnerabilities pose the greatest risk to your organisation, and severity alone (or CVSS score, or PCI severity) simply isn’t enough. If you can mitigate the vulnerabilities through which you are most likely to be attacked as task #1, then you can dramatically reduce the attack surface you are presenting to the outside world.
Kmart and David Jones have both recently suffered intrusions via WebSphere vulnerabilities. While we don’t have specifics on which vulnerabilities were actually used there is speculation in the press that both were related to one recently discovered. There have been 235 WebSphere vulnerabilities discovered (or updated) in the past 3 years alone (according to the National Vulnerability Database). Many of those, like the vulnerability suspected of being used, are medium severity vulnerabilities.
If our list of vulnerabilities has thousands of high severity vulnerabilities with more being added daily, how will we ever get to those that might cause immediate harm?
This is where your vulnerability management solution choice is critical.
The tool you choose needs to understand what turns a vulnerability into a significant risk to your environment, and that’s the availability of an exploit. A vulnerability without a known exploit is, for a hacker, like having to navigate around the outskirts of the city to get to the other side of a busy street with fast-moving traffic. It’s a lot of work to get there, but if there’s a clearly signed crossing then anyone would take that route; it’s easy.
Hackers are using vulnerability scanners; they are looking for the same information you are. They are comparing the discovered vulnerabilities to the lists of exploits that they have to hand. If they find an IP address with an easily exploitable vulnerability, then it’s simple to get in and take a look around. If there’s something of value then we’re going to hear about it in the press; if not, no-one may ever know. The picture of the hacker spending hours, days, weeks or even months to break into your network is the exception, and even then the hacker needs to know there’s value in breaking in. For many, it’s just a drive-by/opportunist activity.
You need tools that will find all the vulnerabilities across all your platforms: not just Windows, Linux and Unix but also infrastructure devices such as Cisco, Juniper, etc. What about mobile devices: Android, iOS, BlackBerry, Windows Phone? Cloud systems such as AWS, GoGrid, Rackspace, etc.? Wherever your data lives you need to be scanning, but that’s just adding vulnerabilities that need to be worked through. If your tool also gives you the number of known exploits available for each vulnerability (including exploit toolkits), then we have a much better filter to target our efforts.
If you mitigate the vulnerabilities with known exploits first, then you are no longer an easy target and the hacker is much more likely to move along. You are getting the biggest return for your investment and the largest reduction in risk for the effort involved in the mitigations. Unsurprisingly, when you sort the list of vulnerabilities by the number of exploits, medium, low and informational severity vulnerabilities bubble quickly to the top of the list.
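To make the re-ordering concrete, here is a small added example (not code from the original post or from any BeyondTrust product) that ranks a constructed scanner export two ways: first by severity and CVSS, the way most organisations triage, and then by the number of known exploits. The column names in the sample export are hypothetical and the findings are made up for illustration; the point is only to show how a medium- or low-severity finding with a public exploit moves ahead of a high-severity finding without one.

```python
"""Rank scanner findings by exploit availability rather than severity alone.

Added example: the export format and findings below are constructed for
illustration and do not correspond to any real scanner's output schema.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export (hypothetical columns, hypothetical findings).
SAMPLE_EXPORT = """host,plugin,severity,cvss,known_exploits
10.0.0.5,Kernel privilege escalation,High,7.8,0
10.0.0.5,Deserialisation flaw in app server,Medium,6.5,3
10.0.0.9,Default credentials on admin console,Medium,5.3,2
10.0.0.9,Banner disclosure,Info,0.0,0
10.0.0.12,Unauthenticated RCE in web framework,High,9.8,5
10.0.0.12,Weak TLS cipher suite,Low,3.7,1
10.0.0.20,Buffer overflow in legacy daemon,High,9.0,0
"""

# Numeric order for the scanner's severity labels, highest first.
SEVERITY_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Info": 0}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str
    severity: str
    cvss: float
    known_exploits: int


def parse_export(text: str) -> list:
    """Parse the CSV export into Finding records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Finding(
            host=row["host"],
            plugin=row["plugin"],
            severity=row["severity"],
            cvss=float(row["cvss"]),
            known_exploits=int(row["known_exploits"]),
        )
        for row in reader
    ]


def rank_by_severity(findings: list) -> list:
    """The conventional triage order: severity label, then CVSS score."""
    return sorted(
        findings,
        key=lambda f: (SEVERITY_ORDER[f.severity], f.cvss),
        reverse=True,
    )


def rank_by_exploits(findings: list) -> list:
    """Exploit-first order: known exploit count, then CVSS, then severity."""
    return sorted(
        findings,
        key=lambda f: (f.known_exploits, f.cvss, SEVERITY_ORDER[f.severity]),
        reverse=True,
    )


def first_pass(findings: list) -> list:
    """The 'task #1' set: every finding with at least one known exploit."""
    return [f for f in rank_by_exploits(findings) if f.known_exploits > 0]


def severity_mix(findings: list) -> dict:
    """Count how many findings of each severity label are in a list."""
    mix = {}
    for f in findings:
        mix[f.severity] = mix.get(f.severity, 0) + 1
    return mix


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    print("By severity:")
    for f in rank_by_severity(data):
        print(f"  {f.severity:<6} cvss={f.cvss:<4} exploits={f.known_exploits}  {f.plugin}")
    print("By known exploits:")
    for f in rank_by_exploits(data):
        print(f"  {f.severity:<6} cvss={f.cvss:<4} exploits={f.known_exploits}  {f.plugin}")
    print("First pass severity mix:", severity_mix(first_pass(data)))
```

Run as-is, the severity ordering puts the three high-severity findings first, two of which have no known exploit; the exploit-first ordering puts one high, two mediums and a low at the top, and the "first pass" work list drops the unexploited highs entirely until the exploitable findings are mitigated.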
BeyondTrust’s Retina Vulnerability Management solutions give you the visibility you need to see across your estate and the focus to help you attack the vulnerabilities with exploits first. The BeyondTrust Research team is updating our vulnerability database continually with details of new vulnerabilities and newly published exploits, which are delivered directly to your Retina implementations. Retina gives you the opportunity to take back control. Contact us today for a free trial.
Brian Chappell | BeyondTrust | Director, Technical Services | EMEAI & APAC