Risk //


05:00 PM

Securing More Vulnerabilities By Patching Less

Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors

As a penetration tester, Mauricio Velazco frequently looked for information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.

When he moved over to the other side of the firewall, Velazco -- now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm -- duly implemented a patching process for his company that attempted to keep up with its regulated responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.

Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.

"The intelligence part is important: People should, instead of focusing on the vulnerabilities and on the numbers, focus on the attackers," Velazco says. "We have to mitigate risk before the exploit happens. If you try to mitigate after, that is more costly, has more impact, and is more dangerous for your company."

Velazco will present his experiences using intelligence on attackers to create a better vulnerability management program next week at the Information Systems Security Association (ISSA) conference in Nashville.

The idea of intelligence-driven defense -- using information on risk and attacker behavior to inform decisions -- is not new. In 2011, security researcher Dan Guido analyzed the vulnerabilities exploited by the top toolkits in the cybercriminal underground and found that only 27 of the possible 8,000 vulnerabilities released over two years were actually included in the kits. Two simple steps could protect systems against those attacks, he found.

Guido recently updated the presentation and found that companies could be protected from every attack in current exploit kits by upgrading to Windows 7, not using Java in the Internet zone, enforcing data-execution protection, securing Adobe Reader, and using Microsoft's Enhanced Mitigation Experience Toolkit to lock down systems. Just by observing attacker behavior, it's obvious that they focus on a few applications -- Microsoft Office, Adobe Reader, Java, and Internet Explorer -- to get the maximum impact from their exploits, he says.

"You don't really have to be in quote-unquote threat intelligence to understand that trend," says Guido, now CEO at Trail of Bits, a security consultancy. "That should have been drilled into people over the past five or six years, well enough that, if you are not patching those applications within days of the fixes coming out, you are failing."

[Attackers are increasingly cribbing code from existing exploits, rather than creating new ones. See Expert: Attacks, Not Vulnerabilities, Are Keys To IT Defense.]

Some vulnerability management firms provide an exploitability metric to help companies prioritize their patches. Qualys, for example, created a metric two years ago that allows companies to filter their vulnerabilities by exploitability rating. Yet only about 600 customers are currently using it, says Wolfgang Kandek, chief technology officer for the vulnerability management firm.

While compliance mandates require a more comprehensive approach to patching, a mature company should have two tracks for patching vulnerabilities: a fast track for the most critical and a more measured track for fixing the rest, he says.

"As a first good challenge, fixing all the vulnerabilities that have exploits available in any of the major databases is a good step," Kandek says.

Measuring criticality by the Common Vulnerability Scoring System (CVSS) score is not a good approach, as researchers have already found that the scores are not good indicators of exploitability. In a presentation at BSides Las Vegas, Risk I/O data scientist Michael Roytman found that fixing a random CVSS-10 vulnerability gave a firm only a 3.5 percent chance of having patched a critical flaw. Fixing a random vulnerability exploited by the Metasploit project increased that chance to 25 percent.

In addition, companies need to scrutinize the common vectors more closely, says Trail of Bits' Guido. Just patching the latest vulnerabilities is not enough because that does not protect the company against unknown vulnerabilities.

"There is a wealth of vulnerabilities out there, and you are not going to find them all. People are not going to tag them all with CVE numbers," Guido says. "So you have to make it so you know if someone takes advantage of one and have a response to that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
Peter Fretty,
User Rank: Moderator
10/15/2013 | 4:01:08 PM
re: Securing More Vulnerabilities By Patching Less
Unfortunately, patching every known vulnerabilities one at a time is almost impossible. It's time for better development practices in the first place with a sincere focus on developing highly secure software rather than relying on patches to fix issues over time. As the industry works towards this goal, organizations need to embrace next generation firewalls (i.e. Sophos UTM) with granular monitoring capabilities in order to stay ahead of the ever evolving threat landscape.

Peter Fretty
User Rank: Apprentice
10/4/2013 | 10:56:48 AM
re: Securing More Vulnerabilities By Patching Less
Indeed, it is extremely important that companies focus not just on fixing known vulnerabilities, but closing potential attack vectors too. Also, it is important to develop a software vulnerability management system that will allow prioritizing vulnerabilities. Often times, there are more vulnerabilities to be fixed than time to fix them. Hence, a vulnerability classification and a prioritization framework will help you determine which you should address first. I would like to further recommend the following article for anyone interested in this topic http://blog.securityinnovation...
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
Disappearing Act: Dark Reading Caption Contest Winners
Marilyn Cohodas, Community Editor, Dark Reading,  3/12/2018
Microsoft Report Details Different Forms of Cryptominers
Kelly Sheridan, Staff Editor, Dark Reading,  3/13/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.