
Securing More Vulnerabilities By Patching Less

Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors

As a penetration tester, Mauricio Velazco frequently looked for information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.

When he moved over to the other side of the firewall, Velazco -- now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm -- duly implemented a patching process for his company that attempted to keep up with its regulatory obligations. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.

Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.

"The intelligence part is important: People should, instead of focusing on the vulnerabilities and on the numbers, focus on the attackers," Velazco says. "We have to mitigate risk before the exploit happens. If you try to mitigate after, that is more costly, has more impact, and is more dangerous for your company."

Velazco will present his experiences using intelligence on attackers to create a better vulnerability management program next week at the Information Systems Security Association (ISSA) conference in Nashville.

The idea of intelligence-driven defense -- using information on risk and attacker behavior to inform decisions -- is not new. In 2011, security researcher Dan Guido analyzed the vulnerabilities exploited by the top toolkits in the cybercriminal underground and found that only 27 of the possible 8,000 vulnerabilities released over two years were actually included in the kits. Two simple steps could protect systems against those attacks, he found.

Guido recently updated the presentation and found that companies could be protected from every attack in current exploit kits by upgrading to Windows 7, not using Java in the Internet zone, enforcing data-execution protection, securing Adobe Reader, and using Microsoft's Enhanced Mitigation Experience Toolkit to lock down systems. Just by observing attacker behavior, it's obvious that they focus on a few applications -- Microsoft Office, Adobe Reader, Java, and Internet Explorer -- to get the maximum impact from their exploits, he says.

"You don't really have to be in quote-unquote threat intelligence to understand that trend," says Guido, now CEO at Trail of Bits, a security consultancy. "That should have been drilled into people over the past five or six years, well enough that, if you are not patching those applications within days of the fixes coming out, you are failing."

[Attackers are increasingly cribbing code from existing exploits, rather than creating new ones. See Expert: Attacks, Not Vulnerabilities, Are Keys To IT Defense.]

Some vulnerability management firms provide an exploitability metric to help companies prioritize their patches. Qualys, for example, created a metric two years ago that allows companies to filter their vulnerabilities by exploitability rating. Yet only about 600 customers are currently using it, says Wolfgang Kandek, chief technology officer for the vulnerability management firm.

While compliance mandates require a more comprehensive approach to patching, a mature company should have two tracks for patching vulnerabilities: a fast track for the most critical and a more measured track for fixing the rest, he says.

"As a first good challenge, fixing all the vulnerabilities that have exploits available in any of the major databases is a good step," Kandek says.

Measuring criticality by the Common Vulnerability Scoring System (CVSS) score is not a good approach, as researchers have already found that the scores are not good indicators of exploitability. In a presentation at BSides Las Vegas, Risk I/O data scientist Michael Roytman found that fixing a random CVSS-10 vulnerability gave a firm only a 3.5 percent chance of having patched a critical flaw. Fixing a random vulnerability exploited by the Metasploit project increased that chance to 25 percent.
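The two-track idea Kandek describes and Roytman's comparison of CVSS-driven versus exploit-driven prioritization can be made concrete in code. The following is an added example written for this page; it is not code from the article, from Velazco, Guido, Kandek or Roytman, or from any vendor product. It assumes that each scan finding has been enriched with two flags, `public_exploit` (a working exploit is listed in a public exploit database such as the Metasploit project) and `in_exploit_kit` (the flaw has been observed in attacker toolkits); where those flags come from is left to the reader's threat-intelligence feed. The scan records and CVE-style identifiers are constructed placeholders, not real vulnerabilities.

```python
"""Two-track patch prioritisation driven by exploit availability.

Added example for this page, not the article's own code. Scan data below is
constructed; the CVE-0000-* identifiers are placeholders, not real CVEs.
"""
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss: float
    public_exploit: bool   # assumed flag: exploit listed in a public exploit database
    in_exploit_kit: bool   # assumed flag: flaw observed in attacker toolkits
    product: str


# Products the article names as the ones attackers concentrate on.
HIGH_TRAFFIC_PRODUCTS = {"Microsoft Office", "Adobe Reader", "Java", "Internet Explorer"}

# Constructed sample scan output (placeholder identifiers, invented hosts).
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web01", 10.0, False, False, "Acme CMS"),
    Finding("CVE-0000-0002", "ws17", 9.3, True, True, "Java"),
    Finding("CVE-0000-0003", "ws17", 10.0, False, False, "Acme Backup Agent"),
    Finding("CVE-0000-0004", "ws22", 7.2, True, True, "Adobe Reader"),
    Finding("CVE-0000-0005", "db01", 10.0, True, False, "Acme DB"),
    Finding("CVE-0000-0006", "ws22", 5.0, True, False, "Internet Explorer"),
    Finding("CVE-0000-0007", "fs01", 4.3, False, False, "Acme FileShare"),
    Finding("CVE-0000-0008", "ws09", 9.3, True, True, "Microsoft Office"),
]


def priority(f: Finding) -> tuple:
    """Sort key: attacker use first, then public exploit, then the products
    attackers favour, and only then the CVSS score as a tie-breaker."""
    return (f.in_exploit_kit, f.public_exploit, f.product in HIGH_TRAFFIC_PRODUCTS, f.cvss)


def triage(findings: Iterable[Finding]) -> tuple[list[Finding], list[Finding]]:
    """Split findings into the fast track (anything with a known exploit)
    and the measured track (everything else), each sorted by priority.
    sorted() is stable, so equal keys keep their scan order."""
    findings = list(findings)
    fast = [f for f in findings if f.in_exploit_kit or f.public_exploit]
    measured = [f for f in findings if not (f.in_exploit_kit or f.public_exploit)]
    return (sorted(fast, key=priority, reverse=True),
            sorted(measured, key=priority, reverse=True))


def hit_rate(findings: Iterable[Finding],
             rule: Callable[[Finding], bool],
             truth: Callable[[Finding], bool]) -> float:
    """Fraction of findings selected by `rule` that `truth` also marks as
    genuinely dangerous: the same kind of measurement Roytman used to compare
    'random CVSS 10' against 'random Metasploit-exploited'. Returns 0.0 when
    the rule selects nothing."""
    selected = [f for f in findings if rule(f)]
    if not selected:
        return 0.0
    return sum(1 for f in selected if truth(f)) / len(selected)


# Ground truth for the toy comparison: observed attacker use. In the
# constructed data this is the in_exploit_kit flag.
ACTUALLY_EXPLOITED = lambda f: f.in_exploit_kit
CVSS_TEN_RULE = lambda f: f.cvss >= 10.0
PUBLIC_EXPLOIT_RULE = lambda f: f.public_exploit


def compare_rules(findings: Iterable[Finding]) -> dict:
    findings = list(findings)
    return {
        "cvss_ten": hit_rate(findings, CVSS_TEN_RULE, ACTUALLY_EXPLOITED),
        "public_exploit": hit_rate(findings, PUBLIC_EXPLOIT_RULE, ACTUALLY_EXPLOITED),
    }


if __name__ == "__main__":
    fast, measured = triage(SAMPLE_FINDINGS)
    print("Fast track:", [f.cve for f in fast])
    print("Measured track:", [f.cve for f in measured])
    print("Hit rates:", compare_rules(SAMPLE_FINDINGS))
```

On the constructed data, none of the three CVSS-10 findings has ever been used by attackers, so patching a random one of them would have fixed nothing that was actually being exploited, while three of the five findings with a public exploit were; the numbers are the toy set's, not Roytman's 3.5 and 25 percent, but the shape of the result is the point. Replacing the two boolean flags with a real exploit-database lookup turns the same logic into a working fast-track filter.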

In addition, companies need to scrutinize the common vectors more closely, says Trail of Bits' Guido. Just patching the latest vulnerabilities is not enough because that does not protect the company against unknown vulnerabilities.

"There is a wealth of vulnerabilities out there, and you are not going to find them all. People are not going to tag them all with CVE numbers," Guido says. "So you have to make it so you know if someone takes advantage of one and have a response to that."

Peter Fretty
User Rank: Moderator
10/15/2013 | 4:01:08 PM
re: Securing More Vulnerabilities By Patching Less
Unfortunately, patching every known vulnerability one at a time is almost impossible. It's time for better development practices in the first place with a sincere focus on developing highly secure software rather than relying on patches to fix issues over time. As the industry works towards this goal, organizations need to embrace next generation firewalls (i.e. Sophos UTM) with granular monitoring capabilities in order to stay ahead of the ever evolving threat landscape.

Peter Fretty
User Rank: Apprentice
10/4/2013 | 10:56:48 AM
re: Securing More Vulnerabilities By Patching Less
Indeed, it is extremely important that companies focus not just on fixing known vulnerabilities, but closing potential attack vectors too. Also, it is important to develop a software vulnerability management system that will allow prioritizing vulnerabilities. Oftentimes, there are more vulnerabilities to be fixed than time to fix them. Hence, a vulnerability classification and a prioritization framework will help you determine which you should address first. I would like to further recommend the following article for anyone interested in this topic http://blog.securityinnovation...