Quick Hits

Assessing Risk And Prioritizing Vulnerability Remediation

Vulnerabilities crop up constantly in your IT environment. How do you choose which ones to tackle first? Here are some risk-based recommendations

[Excerpted from "Assessing Risk and Prioritizing Vulnerability Remediation," a new, free report posted this week on Dark Reading's Vulnerability Management Tech Center.]

A man is aboard a raft with five holes. Some of the holes are bigger than others, with the biggest of the bunch sending water spouting upward. But even the smallest of holes can sink the raft if left unattended for too long. So how does the man prioritize which of the holes to leave open while he tends to the other four?

The central question in this story is not unlike the challenge IT administrators face when they deal with the problem of remediating vulnerable applications. Making the wrong decision when it comes to remediation management can sink even the tightest-run ship in the IT world, and the problem isn't going away.

On the contrary: A thriving market for exploit kits and application vulnerabilities ensures that an endless supply of financially motivated cybercriminals, hacktivists and corporate-espionage operations will continue to keep security teams up at night. It also means that patching security holes and closing exploitable windows will remain a vital part of enterprise security strategies for years to come.

For organizations of all sizes, prioritizing vulnerability remediation can be the difference between a breach and a repelled attack recorded in security logs. The challenge lies in dealing with the volume of fixes that need to be deployed. Deciding what holes to plug -- and when -- begins with organizations understanding their environment: What assets are on the network? Which applications and data are critical? And what's the risk to the business if vulnerabilities in these assets, applications and data are successfully compromised?

Interestingly, the number of vulnerabilities may be declining among the major enterprise software vendors. According to the 2012 Mid-Year Trend and Risk Report from IBM's X-Force research team, the top 10 enterprise software vendors have seen their share of the overall number of vulnerabilities drop from 30% in 2011 to 22% in the first half of 2012. However, the same report found that the percentage of vulnerabilities without a patch available in the first half of 2012 was 47%--the highest IBM said it has seen since 2008. The X-Force team speculates that the increase is due to a jump in vulnerabilities in small Web apps and software made by smaller companies.

But it is often not the newer vulnerabilities that catch corporations off-guard. According to a recent report from security vendor Solutionary, 58% of the vulnerabilities targeted by the most popular exploit kits in the fourth quarter of 2012 were more than two years old.

"The motto for risk prioritization should be 'know thyself,'" said Andrew Storms, director of security operations at nCircle. "In order to prioritize any kind of patching you need to identify your critical systems and understand exactly where your business-critical information is. This isn't always as easy as it sounds--it requires an in-depth understanding of how users interact with critical business information and intellectual property."
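The questions raised above (what the asset is, how critical it is to the business, whether the flaw is reachable and already being exploited, and whether a fix even exists) can be turned into a repeatable ranking rather than a gut call. The following Python is an added illustration, not code from the Dark Reading report, from IBM X-Force, Solutionary or nCircle; the scoring weights, the placeholder vulnerability identifiers (not real CVEs) and the four sample findings are constructed assumptions chosen to show how business context reorders a list that CVSS alone would sort differently:

```python
"""Risk-based ranking of vulnerability findings.

Added illustration; the weights below are assumptions, not a published
standard, and every identifier and finding is constructed sample data.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str             # placeholder ID, not a real CVE
    cvss: float              # CVSS base score, 0.0 - 10.0
    asset_criticality: int   # 1 = lab box .. 5 = revenue / regulated data
    internet_exposed: bool   # reachable from outside the perimeter
    in_exploit_kit: bool     # seen targeted by a popular exploit kit
    patch_available: bool    # vendor fix exists
    published: date          # disclosure date


def risk_score(f: Finding, today: date) -> float:
    """Combine technical severity with business context.

    Assumed weighting (chosen for this example):
      - CVSS base score is the starting point.
      - Asset criticality scales it: 1.0x for a throwaway host up to
        1.8x for a crown-jewel system.
      - Internet exposure and exploit-kit targeting each add a fixed bump,
        because reachable + weaponised is what actually turns into a breach.
      - Age never lowers the score. Old flaws stay in active use, so a
        two-year-old unpatched finding gets a small extra bump instead.
    """
    score = f.cvss * (1.0 + (f.asset_criticality - 1) * 0.2)
    if f.internet_exposed:
        score += 2.0
    if f.in_exploit_kit:
        score += 3.0
    if (today - f.published).days > 730:
        score += 1.0
    return round(score, 2)


def recommended_action(f: Finding) -> str:
    """Patch when a fix exists; otherwise mitigate (segment, disable the
    feature, virtual-patch at the WAF/IPS) rather than leave it open."""
    return "patch" if f.patch_available else "mitigate"


def prioritise(findings, today: date):
    """Return (vuln_id, asset, score, action) tuples, highest risk first."""
    ranked = sorted(findings, key=lambda f: risk_score(f, today), reverse=True)
    return [(f.vuln_id, f.asset, risk_score(f, today), recommended_action(f))
            for f in ranked]


# Constructed sample findings. Note the kiosk carries the highest CVSS and
# the public web server has no patch available.
SAMPLE_FINDINGS = [
    Finding("db-prod-01", "EX-2010-0001", 9.8, 5, False, True, True, date(2010, 6, 1)),
    Finding("www-public", "EX-2013-0002", 7.5, 4, True, True, False, date(2013, 1, 15)),
    Finding("kiosk-lobby", "EX-2013-0003", 10.0, 1, False, False, True, date(2013, 2, 1)),
    Finding("hr-portal", "EX-2012-0004", 6.1, 4, True, False, True, date(2012, 9, 1)),
]
TODAY = date(2013, 3, 1)  # fixed "today" so the ranking is reproducible


if __name__ == "__main__":
    for vuln_id, asset, score, action in prioritise(SAMPLE_FINDINGS, TODAY):
        print(f"{score:6.2f}  {vuln_id}  {asset:<12}  {action}")
```

With the sample data the two-year-old flaw on the production database ranks first (old, weaponised and on the most critical asset), the unpatchable public web server comes second with a "mitigate" rather than "patch" action, and the CVSS 10.0 on the lobby kiosk lands at the bottom. The point is not the particular weights but that severity, reachability, exploitation and business impact are scored separately and then combined, so the list can be defended to management and re-run as the environment changes.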

For a detailed discussion of how to measure the risks associated with a new vulnerability -- and how to prioritize the fixes -- download the free report on vulnerability remediation.
