Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

6/27/2007
09:22 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Vulnerability Management Grows Up

Tools are evolving to handle more than patch check-boxes, Burton Group says

Vulnerability management isn't just about slapping on the latest patches anymore.

That's because a vulnerability isn't always just a publicly identified bug by Microsoft or CERT. "Vulnerabilities can be problems in configurations, missing patches, software that was loaded on a machine that shouldn’t be there, or security mechanisms that are not loaded or up-to-date and should be," says Eric Maiwald, senior analyst with the Burton Group and author of two vulnerability management reports for Burton, which were published late last week.

Maiwald says vulnerability management should be how an organization identifies, classifies, prioritizes, and deals with these exceptions due to business requirements -- and how they remediate problems and verify that all is well.

Trouble is, some vulnerability management products out there just scan for known bugs and don't detect human error in system configurations, for instance, he says. "And other products are very good at identifying configuration issues or missing software or going about deploying software, but they don't tell you about missing patches or have the ability to deploy them."

Maiwald says the gradual integration of these features is coming, albeit slowly. It all started last year when Symantec purchased BindView, and most recently, Altiris, as well as with PatchLink, which purchased vulnerability management vendor Harris STAT. In his report, Maiwald notes that the integrated products remain mostly in the planning stages, however.

The missing link is an integrated vulnerability tool that not only finds the holes, but can gauge the risk as well. "What is the real problem with these vulnerabilities?" he says.

Not all bugs are exploitable. "Say I have a vulnerability in my Unix machine, but because it's sitting in a particular zone of the network with some perimeter protections, someone from the Internet can't get to that machine to execute that exploit."

So that vulnerability doesn't carry the same risk as one that would be accessible to someone via the Net, he notes.

Enterprises also must consider risk from the business perspective rather than just go about wielding a patch checklist. "If a system has limited business value, it's less important than a vulnerability in a server that holds our credit card numbers," Maiwald says.

Maiwald says a few products are offering some of the capabilities, however -- McAfee, Archer Technologies, nCircle, and Symantec with its BindView policy manager, for instance. "You have to look at the entire enterprise... And you have to get vulnerability information and marry it with some knowledge of value and consequence associated with a particular breach."

And underlying this is the fact that patch management is mostly reactive. "You're always behind the power curve," he says, waiting for a publicly disclosed bug to get patched before you can get protected.

A better approach, of course, is more secure and clean applications and operating systems, according to Maiwald. But no one can write flawlessly secure software. A more likely scenario, he says, is for vendors to limit bugs: "Providing a window of breathing room so the enterprise doesn't have to patch [right] this minute."

Burton's reports on the evolution of vulnerability management, "Vulnerability Management Becomes Technical Security Policy Management" and "The Changing Face of Vulnerability Management," are available to Burton Group clients at http://www.burtongroup.com.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Burton Group
  • Symantec Corp. (Nasdaq: SYMC)
  • McAfee Inc. (NYSE: MFE)
  • PatchLink Corp.
  • Archer Technologies LLC
  • nCircle Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Data Leak Week: Billions of Sensitive Files Exposed Online
    Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win a Starbucks Card! Click Here
    Latest Comment: Our Endpoint Protection system is a little outdated... 
    Current Issue
    The Year in Security: 2019
    This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-12420
    PUBLISHED: 2019-12-12
    In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
    CVE-2019-16774
    PUBLISHED: 2019-12-12
    In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
    CVE-2018-11805
    PUBLISHED: 2019-12-12
    In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
    CVE-2019-5061
    PUBLISHED: 2019-12-12
    An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
    CVE-2019-5062
    PUBLISHED: 2019-12-12
    An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...