2/19/2014 09:02 AM

5 Tactics To Help Triage Patching

Refine risk measurements to better prioritize the patching of vulnerabilities

In a perfect world, patching vulnerable software would be simple: security and information-technology professionals would deploy software updates immediately and no conflicts, crashes or challenges would arise.

But in reality, most companies will never catch up with their vulnerability workload and instead try to triage and fix the most serious issues. For those firms, the lack of information about the criticality and exploitability of flaws hampers efforts to prioritize their patch programs and leaves them attempting to apply as many updates as possible, says Morten Stengaard, chief technology officer for vulnerability management firm Secunia.

"There are thousands of applications in their infrastructure over which they absolutely have no control, and there is no way that they will get around to all of it," he says. "If they can get to the truly critical ones and then work on the others as they have time, that is by far preferred."

Patching the right vulnerabilities is key to keeping a business's network safe. Researchers have found that less than 3 percent of vulnerabilities have actually been targeted by attackers, and that there is little correlation between a vulnerability's rank on the Common Vulnerability Scoring System (CVSS) and its likelihood of being used in an attack.

While companies should not rely on patching their vulnerable software as a primary defense against attackers, it is a solid strategy for hardening the business's network, says Ed Bellis, CEO of risk management firm Risk I/O. While fixing vulnerabilities may not fend off advanced attackers, proper patching will lift a company above the other low-hanging fruit that tempts online attackers, he says.

[Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors. See Securing More Vulnerabilities By Patching Less.]

"The vast majority of the breaches that are coming out are really targets of opportunity," he says. "They are not coming after me because of who I am. They are coming after me because I have a vulnerability that they know how to exploit."

Here are five tactics that experts recommend companies take to make their patching workload manageable, while still improving their security.

1. Know your assets
Companies first need to know what systems and information technology they have to manage inside their network. A variety of asset discovery tools, configuration management applications and vulnerability scanners can help with the task, but devices always seem to escape notice, says Ross Barrett, senior manager of security engineering at Rapid7.

"It is so much easier said than done--even medium-sized organizations have trouble keeping track of their products," he says. "But you can't patch it if you don't know it's there, so it's really important to do."

As they catalog their assets, companies should also assign a business value to each asset, to help prioritize patches in the future, Barrett says.

2. Focus on risk, not reducing counts
Evaluating the risk of a vulnerability is also a complex task. Many companies use the Common Vulnerability Scoring System as a way to prioritize their patching, but the CVSS has little bearing on how likely a vulnerability is to be targeted. At last year's Black Hat USA, two researchers presented data showing that the CVSS score failed to predict whether a vulnerability would be used to attack systems.

With a lack of data, many companies may focus on fixing vulnerabilities in the most prevalent software or on applying patches that have a history of high quality. The productivity of many security teams is measured by the number of issues they resolve, so fixing the easiest and least time-consuming issues seems the better use of their time, but it is not, Secunia's Stengaard says.

"Focus on the quality of the vulnerability, the criticality of the issue, instead of the quantity that you are fixing," he says. "You need to know how it impacts your infrastructure, because there is not a second chance when you are attacked."

Companies should instead look at the exploitability of a vulnerability. Issues that have been added to the Metasploit database are also highly likely to be exploited, he says.

3. Suss out your attack surface
Once companies have a good idea of their inventory of computers, servers, network hardware and other information-technology assets, they need to find vulnerabilities that may be exposed in those products.

That is not an easy job, says Ron Gula, CEO and chief technology officer of Tenable Network Security, a vulnerability and threat detection firm.

"Vulnerabilities have a tendency to hide within your network," he says. "Organizations must employ multiple strategies for uncovering all of the vulnerabilities in their environment."

Active vulnerability scans can detect patch levels and likely vulnerabilities in known assets. Passive vulnerability scanning, which monitors network traffic and examines packets to gather information on software that the business may not know about, can help catch issues that the business would otherwise miss. Log analysis can similarly be helpful in discovering missed assets and detecting attacks.

4. Look for data that reveals threats
Paying attention to attacker activity can also help companies prioritize their patching. If attackers have added an exploit for a vulnerability to a common attack tool, then that vulnerability should go to the top of the list.

Businesses should also look for anomalies on their own networks using log management and big data analytics. Recent research has shown that error reports, for example, can hint at the existence of attacks targeting certain applications. Security firm Websense, in new research published today, showed that analysis of reports created by the Windows Error Reporting tool could reveal attacks in progress.

"These are not by any means a smoking gun, but companies that are knee deep in activity can prioritize their risk based on the anomalies that they are seeing," says Alex Watson, director of security research for Websense.
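The kind of signal tactic 4 describes, a sudden rise in crash reports for one application, can be surfaced with a simple baseline comparison. The following is an added example and not Websense's method or code; it does not parse real Windows Error Reporting data. The daily report counts, application names and alert thresholds are constructed for illustration.

```python
"""Flag applications whose error-report volume spikes above their recent baseline.

Added illustration for tactic 4 (not code from the article or from Websense).
REPORTS below is constructed sample data; in practice these counts would be
aggregated per day and per application from a log-management platform.
"""
from collections import defaultdict

# Constructed daily crash-report counts, oldest day first: (day, application, reports)
REPORTS = [
    ("2014-02-10", "reader.exe", 3), ("2014-02-10", "java.exe", 2),
    ("2014-02-11", "reader.exe", 2), ("2014-02-11", "java.exe", 3),
    ("2014-02-12", "reader.exe", 4), ("2014-02-12", "java.exe", 2),
    ("2014-02-13", "reader.exe", 3), ("2014-02-13", "java.exe", 1),
    ("2014-02-14", "reader.exe", 31), ("2014-02-14", "java.exe", 2),
]


def daily_counts(reports):
    """Group the flat records into {application: [(day, count), ...]} in input order."""
    series = defaultdict(list)
    for day, app, count in reports:
        series[app].append((day, count))
    return series


def find_spikes(reports, window=3, factor=4, min_count=10):
    """Return (app, day, count, baseline) for every day whose count is at least
    `factor` times the mean of the preceding `window` days and at least
    `min_count`. The absolute floor keeps a quiet application that goes from
    one crash to four from raising an alert. Thresholds are assumed values."""
    spikes = []
    for app, series in daily_counts(reports).items():
        for i in range(window, len(series)):
            baseline = sum(count for _, count in series[i - window:i]) / window
            day, count = series[i]
            if count >= min_count and count >= factor * baseline:
                spikes.append((app, day, count, baseline))
    return spikes


def applications_to_review(reports):
    """Applications whose patch status deserves a second look because of a spike."""
    return sorted({app for app, _, _, _ in find_spikes(reports)})


if __name__ == "__main__":
    for app, day, count, baseline in find_spikes(REPORTS):
        print(f"{day} {app}: {count} reports vs. baseline {baseline:.1f}")
    print("review:", applications_to_review(REPORTS))
```

On the sample data only reader.exe is flagged, on the day its reports jump from a baseline of three to 31; java.exe stays flat and is ignored. An alert like this is not proof of an attack, as the quote above notes, but it is a cheap reason to move that application's outstanding patches up the list.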

5. Reduce criticality by other means
Finally, companies can attempt to lower the priority of vulnerabilities by adding defenses that interfere with an attacker's ability to exploit flaws. In a 2011 study of exploit kits, researcher Dan Guido found that two mitigations--turning on data-execution protection (DEP) and barring Java from running in the Internet zone--would stop 90 percent of the exploits included in attackers' toolkits in the preceding two years.

Removing administrator rights for normal business operations is another example of a mitigation and can have a dramatic impact on the criticality of vulnerabilities, making the difference between a successful attack and a successful defense. Of the 147 critical vulnerabilities published by Microsoft in 2013, 92 percent would be mitigated by removing administrator rights, according to research published on Feb. 18 by security firm Avecto.

"The dangers of admin rights have been well-documented for some time, but what’s more concerning is the number of enterprises we talk to that are still not fully aware of how many admin users they have," Paul Kenyon, co-founder and EVP of Avecto, said in a statement. "It’s astounding just how many vulnerabilities can be overcome by the removal of admin rights."
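Taken together, the five tactics describe the inputs of a prioritization score: a business value per asset from the inventory, exposure from the attack-surface review, exploit availability rather than CVSS as the main driver, and deployed mitigations that lower a vulnerability's effective criticality. The following is an added example of such a scorer and not code from the article or from any of the vendors quoted in it. The weights, asset names and CVE identifiers (CVE-0000-000x) are constructed placeholders, not real vulnerability data.

```python
"""Risk-based patch triage: rank findings by exploitability, asset value,
exposure and deployed mitigations instead of by raw CVSS score.

Added illustration for the five tactics above (not the article's or any
vendor's code). All weights and sample records are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    business_value: int            # 1 (disposable) .. 5 (critical), assigned during inventory
    exposed_to_internet: bool      # learned from active/passive scanning (tactic 3)
    mitigations: frozenset = frozenset()   # defences already deployed, e.g. "dep", "no_admin"


@dataclass(frozen=True)
class Vuln:
    cve: str                       # constructed placeholder ids below
    cvss: float
    in_metasploit: bool            # public exploit module exists
    in_exploit_kit: bool           # seen in a commodity attack tool (tactic 4 threat data)
    mitigated_by: frozenset = frozenset()  # defences that block the known exploits


def exploitability_base(v: Vuln) -> int:
    """Exploit availability sets the base score; CVSS only orders untargeted issues."""
    if v.in_exploit_kit:
        return 10
    if v.in_metasploit:
        return 7
    return int(v.cvss // 2)        # 0..5, so untargeted issues stay below anything with an exploit


def priority(asset: Asset, v: Vuln) -> int:
    base = exploitability_base(v)
    score = base * asset.business_value
    if asset.exposed_to_internet:
        score += base * 2          # reachable by opportunistic attackers
    if asset.mitigations & v.mitigated_by:
        score //= 4                # tactic 5: a deployed mitigation lowers criticality
    return score


def triage(findings):
    """[(score, asset name, cve)] with the highest risk first."""
    ranked = [(priority(a, v), a.name, v.cve) for a, v in findings]
    return sorted(ranked, key=lambda row: row[0], reverse=True)


def cvss_order(findings):
    """The naive CVSS-only ordering, kept for comparison with triage()."""
    by_cvss = sorted(findings, key=lambda f: f[1].cvss, reverse=True)
    return [(v.cvss, a.name, v.cve) for a, v in by_cvss]


# Constructed sample inventory and findings (not real assets or CVEs).
WEB01 = Asset("web01", 5, True)
HRDB = Asset("hr-db", 4, False, frozenset({"no_admin"}))
KIOSK = Asset("kiosk", 1, False)
V1 = Vuln("CVE-0000-0001", 9.8, False, False)
V2 = Vuln("CVE-0000-0002", 6.5, True, True, frozenset({"dep"}))
V3 = Vuln("CVE-0000-0003", 7.2, True, False, frozenset({"no_admin"}))
FINDINGS = [(WEB01, V1), (WEB01, V2), (HRDB, V3), (KIOSK, V2), (HRDB, V1)]

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row)
    print("CVSS-only order:", [cve for _, _, cve in cvss_order(FINDINGS)])
```

On the sample data, CVSS-only ordering would put the 9.8-rated but untargeted CVE-0000-0001 first and leave the exploit-kit vulnerability on the exposed, highest-value web server in fourth place; the risk-based ordering moves that finding to the top, and the same vulnerability on the low-value kiosk ranks well below it. The Metasploit-listed flaw on hr-db drops to the bottom because the admin-rights removal that neutralizes it is already in place.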

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...
