Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk //


05:00 PM

Securing More Vulnerabilities By Patching Less

Companies need to focus on not just fixing known vulnerabilities, but closing potential attack vectors

As a penetration tester, Mauricio Velazco frequently looked for information on the latest attacks because corporate information systems were rarely patched against the exploitation of just-reported vulnerabilities.

When he moved over to the other side of the firewall, Velazco -- now the head of threat intelligence and vulnerability management at The Blackstone Group, an investment firm -- duly implemented a patching process for his company that attempted to keep up with its regulated responsibilities. It quickly became clear, however, that fixing vulnerabilities using the criticality of the bugs to prioritize patching kept the IT staff busy, but it did not make the company much safer.

Thinking back to his time as a penetration tester, Velazco realized that patching the vulnerabilities he chased as an attacker would be a much better use of his time. The strategy paid off: Compromises within the company fell, he says.

"The intelligence part is important: People should, instead of focusing on the vulnerabilities and on the numbers, focus on the attackers," Velazco says. "We have to mitigate risk before the exploit happens. If you try to mitigate after, that is more costly, has more impact, and is more dangerous for your company."

Velazco will present his experiences using intelligence on attackers to create a better vulnerability management program next week at the Information Systems Security Association (ISSA) conference in Nashville.

The idea of intelligence-driven defense -- using information on risk and attacker behavior to inform decisions -- is not new. In 2011, security researcher Dan Guido analyzed the vulnerabilities exploited by the top toolkits in the cybercriminal underground and found that only 27 of the possible 8,000 vulnerabilities released over two years were actually included in the kits. Two simple steps could protect systems against those attacks, he found.

Guido recently updated the presentation and found that companies could be protected from every attack in current exploit kits by upgrading to Windows 7, not using Java in the Internet zone, enforcing data-execution protection, securing Adobe Reader, and using Microsoft's Enhanced Mitigation Experience Toolkit to lock down systems. Just by observing attacker behavior, it's obvious that they focus on a few applications -- Microsoft Office, Adobe Reader, Java, and Internet Explorer -- to get the maximum impact from their exploits, he says.

"You don't really have to be in quote-unquote threat intelligence to understand that trend," says Guido, now CEO at Trail of Bits, a security consultancy. "That should have been drilled into people over the past five or six years, well enough that, if you are not patching those applications within days of the fixes coming out, you are failing."

[Attackers are increasingly cribbing code from existing exploits, rather than creating new ones. See Expert: Attacks, Not Vulnerabilities, Are Keys To IT Defense.]

Some vulnerability management firms provide an exploitability metric to help companies prioritize their patches. Qualys, for example, created a metric two years ago that allows companies to filter their vulnerabilities by exploitability rating. Yet only about 600 customers are currently using it, says Wolfgang Kandek, chief technology officer for the vulnerability management firm.

While compliance mandates require a more comprehensive approach to patching, a mature company should have two tracks for patching vulnerabilities: a fast track for the most critical and a more measured track for fixing the rest, he says.

"As a first good challenge, fixing all the vulnerabilities that have exploits available in any of the major databases is a good step," Kandek says.

Measuring criticality by the Common Vulnerability Scoring System (CVSS) score is not a good approach, as researchers have already found that the scores are not good indicators of exploitability. In a presentation at BSides Las Vegas, Risk I/O data scientist Michael Roytman found that fixing a random CVSS-10 vulnerability gave a firm only a 3.5 percent chance of having patched a critical flaw. Fixing a random vulnerability exploited by the Metasploit project increased that chance to 25 percent.

In addition, companies need to scrutinize the common vectors more closely, says Trail of Bits' Guido. Just patching the latest vulnerabilities is not enough because that does not protect the company against unknown vulnerabilities.

"There is a wealth of vulnerabilities out there, and you are not going to find them all. People are not going to tag them all with CVE numbers," Guido says. "So you have to make it so you know if someone takes advantage of one and have a response to that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Peter Fretty
Peter Fretty,
User Rank: Moderator
10/15/2013 | 4:01:08 PM
re: Securing More Vulnerabilities By Patching Less
Unfortunately, patching every known vulnerabilities one at a time is almost impossible. It's time for better development practices in the first place with a sincere focus on developing highly secure software rather than relying on patches to fix issues over time. As the industry works towards this goal, organizations need to embrace next generation firewalls (i.e. Sophos UTM) with granular monitoring capabilities in order to stay ahead of the ever evolving threat landscape.

Peter Fretty
User Rank: Apprentice
10/4/2013 | 10:56:48 AM
re: Securing More Vulnerabilities By Patching Less
Indeed, it is extremely important that companies focus not just on fixing known vulnerabilities, but closing potential attack vectors too. Also, it is important to develop a software vulnerability management system that will allow prioritizing vulnerabilities. Often times, there are more vulnerabilities to be fixed than time to fix them. Hence, a vulnerability classification and a prioritization framework will help you determine which you should address first. I would like to further recommend the following article for anyone interested in this topic http://blog.securityinnovation...
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-16
The JSON web services in Liferay Portal 7.3.4 and earlier, and Liferay DXP 7.0 before fix pack 97, 7.1 before fix pack 20 and 7.2 before fix pack 10 may provide overly verbose error messages, which allows remote attackers to use the contents of error messages to help launch another, more focused att...
PUBLISHED: 2021-05-16
Denial-of-service (DoS) vulnerability in the Multi-Factor Authentication module in Liferay DXP 7.3 before fix pack 1 allows remote authenticated attackers to prevent any user from authenticating by (1) enabling Time-based One-time password (TOTP) on behalf of the other user or (2) modifying the othe...
PUBLISHED: 2021-05-16
The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.
PUBLISHED: 2021-05-16
Delta Industrial Automation CNCSoft ScreenEditor Versions 1.01.28 (with ScreenEditor Version 1.01.2) and prior are vulnerable to an out-of-bounds read while processing project files, which may allow an attacker to execute arbitrary code.
PUBLISHED: 2021-05-16
Cross-site scripting (XSS) vulnerability in the Asset module's categories administration page in Liferay Portal 7.3.4 allows remote attackers to inject arbitrary web script or HTML via the site name.