Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

6/27/2007
09:22 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Vulnerability Management Grows Up

Tools are evolving to handle more than patch check-boxes, Burton Group says

Vulnerability management isn't just about slapping on the latest patches anymore.

That's because a vulnerability isn't always just a publicly identified bug by Microsoft or CERT. "Vulnerabilities can be problems in configurations, missing patches, software that was loaded on a machine that shouldn’t be there, or security mechanisms that are not loaded or up-to-date and should be," says Eric Maiwald, senior analyst with the Burton Group and author of two vulnerability management reports for Burton, which were published late last week.

Maiwald says vulnerability management should be how an organization identifies, classifies, prioritizes, and deals with these exceptions due to business requirements -- and how they remediate problems and verify that all is well.

Trouble is, some vulnerability management products out there just scan for known bugs and don't detect human error in system configurations, for instance, he says. "And other products are very good at identifying configuration issues or missing software or going about deploying software, but they don't tell you about missing patches or have the ability to deploy them."

Maiwald says the gradual integration of these features is coming, albeit slowly. It all started last year when Symantec purchased BindView, and most recently, Altiris, as well as with PatchLink, which purchased vulnerability management vendor Harris STAT. In his report, Maiwald notes that the integrated products remain mostly in the planning stages, however.

The missing link is an integrated vulnerability tool that not only finds the holes, but can gauge the risk as well. "What is the real problem with these vulnerabilities?" he says.

Not all bugs are exploitable. "Say I have a vulnerability in my Unix machine, but because it's sitting in a particular zone of the network with some perimeter protections, someone from the Internet can't get to that machine to execute that exploit."

So that vulnerability doesn't carry the same risk as one that would be accessible to someone via the Net, he notes.

Enterprises also must consider risk from the business perspective rather than just go about wielding a patch checklist. "If a system has limited business value, it's less important than a vulnerability in a server that holds our credit card numbers," Maiwald says.

Maiwald says a few products are offering some of the capabilities, however -- McAfee, Archer Technologies, nCircle, and Symantec with its BindView policy manager, for instance. "You have to look at the entire enterprise... And you have to get vulnerability information and marry it with some knowledge of value and consequence associated with a particular breach."

And underlying this is the fact that patch management is mostly reactive. "You're always behind the power curve," he says, waiting for a publicly disclosed bug to get patched before you can get protected.

A better approach, of course, is more secure and clean applications and operating systems, according to Maiwald. But no one can write flawlessly secure software. A more likely scenario, he says, is for vendors to limit bugs: "Providing a window of breathing room so the enterprise doesn't have to patch [right] this minute."

Burton's reports on the evolution of vulnerability management, "Vulnerability Management Becomes Technical Security Policy Management" and "The Changing Face of Vulnerability Management," are available to Burton Group clients at http://www.burtongroup.com.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Burton Group
  • Symantec Corp. (Nasdaq: SYMC)
  • McAfee Inc. (NYSE: MFE)
  • PatchLink Corp.
  • Archer Technologies LLC
  • nCircle Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    How Attackers Could Use Azure Apps to Sneak into Microsoft 365
    Kelly Sheridan, Staff Editor, Dark Reading,  3/24/2020
    Malicious USB Drive Hides Behind Gift Card Lure
    Dark Reading Staff 3/27/2020
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: This comment is waiting for review by our moderators.
    Current Issue
    6 Emerging Cyber Threats That Enterprises Face in 2020
    This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
    Flash Poll
    State of Cybersecurity Incident Response
    State of Cybersecurity Incident Response
    Data breaches and regulations have forced organizations to pay closer attention to the security incident response function. However, security leaders may be overestimating their ability to detect and respond to security incidents. Read this report to find out more.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-10940
    PUBLISHED: 2020-03-27
    Local Privilege Escalation can occur in PHOENIX CONTACT PORTICO SERVER through 3.0.7 when installed to run as a service.
    CVE-2020-10939
    PUBLISHED: 2020-03-27
    Insecure, default path permissions in PHOENIX CONTACT PC WORX SRT through 1.14 allow for local privilege escalation.
    CVE-2020-6095
    PUBLISHED: 2020-03-27
    An exploitable denial of service vulnerability exists in the GstRTSPAuth functionality of GStreamer/gst-rtsp-server 1.14.5. A specially crafted RTSP setup request can cause a null pointer deference resulting in denial-of-service. An attacker can send a malicious packet to trigger this vulnerability.
    CVE-2020-10817
    PUBLISHED: 2020-03-27
    The custom-searchable-data-entry-system (aka Custom Searchable Data Entry System) plugin through 1.7.1 for WordPress allows SQL Injection. NOTE: this product is discontinued.
    CVE-2020-10952
    PUBLISHED: 2020-03-27
    GitLab EE/CE 8.11 through 12.9.1 allows blocked users to pull/push docker images.