Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //

Compliance

10/2/2013
05:00 PM
50%
50%

Securing More Vulnerabilities By Patching Less

Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors

As a penetration tester, Mauricio Velazco frequently looked for information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.

When he moved over to the other side of the firewall, Velazco -- now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm -- duly implemented a patching process for his company that attempted to keep up with its regulated responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.

Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.

"The intelligence part is important: People should, instead of focusing on the vulnerabilities and on the numbers, focus on the attackers," Velazco says. "We have to mitigate risk before the exploit happens. If you try to mitigate after, that is more costly, has more impact, and is more dangerous for your company."

Velazco will present his experiences using intelligence on attackers to create a better vulnerability management program next week at the Information Systems Security Association (ISSA) conference in Nashville.

The idea of intelligence-driven defense -- using information on risk and attacker behavior to inform decisions -- is not new. In 2011, security researcher Dan Guido analyzed the vulnerabilities exploited by the top toolkits in the cybercriminal underground and found that only 27 of the possible 8,000 vulnerabilities released over two years were actually included in the kits. Two simple steps could protect systems against those attacks, he found.

Guido recently updated the presentation and found that companies could be protected from every attack in current exploit kits by upgrading to Windows 7, not using Java in the Internet zone, enforcing data-execution protection, securing Adobe Reader, and using Microsoft's Enhanced Mitigation Experience Toolkit to lock down systems. Just by observing attacker behavior, it's obvious that they focus on a few applications -- Microsoft Office, Adobe Reader, Java, and Internet Explorer -- to get the maximum impact from their exploits, he says.

"You don't really have to be in quote-unquote threat intelligence to understand that trend," says Guido, now CEO at Trail of Bits, a security consultancy. "That should have been drilled into people over the past five or six years, well enough that, if you are not patching those applications within days of the fixes coming out, you are failing."

[Attackers are increasingly cribbing code from existing exploits, rather than creating new ones. See Expert: Attacks, Not Vulnerabilities, Are Keys To IT Defense.]

Some vulnerability management firms provide an exploitability metric to help companies prioritize their patches. Qualys, for example, created a metric two years ago that allows companies to filter their vulnerabilities by exploitability rating. Yet only about 600 customers are currently using it, says Wolfgang Kandek, chief technology officer for the vulnerability management firm.

While compliance mandates require a more comprehensive approach to patching, a mature company should have two tracks for patching vulnerabilities: a fast track for the most critical and a more measured track for fixing the rest, he says.

"As a first good challenge, fixing all the vulnerabilities that have exploits available in any of the major databases is a good step," Kandek says.

Measuring criticality by the Common Vulnerability Scoring System (CVSS) score is not a good approach, as researchers have already found that the scores are not good indicators of exploitability. In a presentation at BSides Las Vegas, Risk I/O data scientist Michael Roytman found that fixing a random CVSS-10 vulnerability gave a firm only a 3.5 percent chance of having patched a critical flaw. Fixing a random vulnerability exploited by the Metasploit project increased that chance to 25 percent.

In addition, companies need to scrutinize the common vectors more closely, says Trail of Bits' Guido. Just patching the latest vulnerabilities is not enough because that does not protect the company against unknown vulnerabilities.

"There is a wealth of vulnerabilities out there, and you are not going to find them all. People are not going to tag them all with CVE numbers," Guido says. "So you have to make it so you know if someone takes advantage of one and have a response to that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
50%
50%
Peter Fretty,
User Rank: Moderator
10/15/2013 | 4:01:08 PM
re: Securing More Vulnerabilities By Patching Less
Unfortunately, patching every known vulnerabilities one at a time is almost impossible. It's time for better development practices in the first place with a sincere focus on developing highly secure software rather than relying on patches to fix issues over time. As the industry works towards this goal, organizations need to embrace next generation firewalls (i.e. Sophos UTM) with granular monitoring capabilities in order to stay ahead of the ever evolving threat landscape.

Peter Fretty
MROBINSON000
50%
50%
MROBINSON000,
User Rank: Apprentice
10/4/2013 | 10:56:48 AM
re: Securing More Vulnerabilities By Patching Less
Indeed, it is extremely important that companies focus not just on fixing known vulnerabilities, but closing potential attack vectors too. Also, it is important to develop a software vulnerability management system that will allow prioritizing vulnerabilities. Often times, there are more vulnerabilities to be fixed than time to fix them. Hence, a vulnerability classification and a prioritization framework will help you determine which you should address first. I would like to further recommend the following article for anyone interested in this topic http://blog.securityinnovation...
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Breaches Are Inevitable, So Embrace the Chaos
Ariel Zeitlin, Chief Technology Officer & Co-Founder, Guardicore,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.
CVE-2019-16761
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the [email protected] npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0...
CVE-2019-16762
PUBLISHED: 2019-11-15
A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any...
CVE-2019-13581
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A heap-based buffer overflow allows remote attackers to cause a denial of service or execute arbitrary ...
CVE-2019-13582
PUBLISHED: 2019-11-15
An issue was discovered in Marvell 88W8688 Wi-Fi firmware before version p52, as used on Tesla Model S/X vehicles manufactured before March 2018, via the Parrot Faurecia Automotive FC6050W module. A stack overflow could lead to denial of service or arbitrary code execution.