Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

6/27/2007
09:22 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Vulnerability Management Grows Up

Tools are evolving to handle more than patch check-boxes, Burton Group says

Vulnerability management isn't just about slapping on the latest patches anymore.

That's because a vulnerability isn't always just a publicly identified bug by Microsoft or CERT. "Vulnerabilities can be problems in configurations, missing patches, software that was loaded on a machine that shouldn’t be there, or security mechanisms that are not loaded or up-to-date and should be," says Eric Maiwald, senior analyst with the Burton Group and author of two vulnerability management reports for Burton, which were published late last week.

Maiwald says vulnerability management should be how an organization identifies, classifies, prioritizes, and deals with these exceptions due to business requirements -- and how they remediate problems and verify that all is well.

Trouble is, some vulnerability management products out there just scan for known bugs and don't detect human error in system configurations, for instance, he says. "And other products are very good at identifying configuration issues or missing software or going about deploying software, but they don't tell you about missing patches or have the ability to deploy them."

Maiwald says the gradual integration of these features is coming, albeit slowly. It all started last year when Symantec purchased BindView, and most recently, Altiris, as well as with PatchLink, which purchased vulnerability management vendor Harris STAT. In his report, Maiwald notes that the integrated products remain mostly in the planning stages, however.

The missing link is an integrated vulnerability tool that not only finds the holes, but can gauge the risk as well. "What is the real problem with these vulnerabilities?" he says.

Not all bugs are exploitable. "Say I have a vulnerability in my Unix machine, but because it's sitting in a particular zone of the network with some perimeter protections, someone from the Internet can't get to that machine to execute that exploit."

So that vulnerability doesn't carry the same risk as one that would be accessible to someone via the Net, he notes.

Enterprises also must consider risk from the business perspective rather than just go about wielding a patch checklist. "If a system has limited business value, it's less important than a vulnerability in a server that holds our credit card numbers," Maiwald says.

Maiwald says a few products are offering some of the capabilities, however -- McAfee, Archer Technologies, nCircle, and Symantec with its BindView policy manager, for instance. "You have to look at the entire enterprise... And you have to get vulnerability information and marry it with some knowledge of value and consequence associated with a particular breach."

And underlying this is the fact that patch management is mostly reactive. "You're always behind the power curve," he says, waiting for a publicly disclosed bug to get patched before you can get protected.

A better approach, of course, is more secure and clean applications and operating systems, according to Maiwald. But no one can write flawlessly secure software. A more likely scenario, he says, is for vendors to limit bugs: "Providing a window of breathing room so the enterprise doesn't have to patch [right] this minute."

Burton's reports on the evolution of vulnerability management, "Vulnerability Management Becomes Technical Security Policy Management" and "The Changing Face of Vulnerability Management," are available to Burton Group clients at http://www.burtongroup.com.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • Burton Group
  • Symantec Corp. (Nasdaq: SYMC)
  • McAfee Inc. (NYSE: MFE)
  • PatchLink Corp.
  • Archer Technologies LLC
  • nCircle Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    NSA Appoints Rob Joyce as Cyber Director
    Dark Reading Staff 1/15/2021
    Vulnerability Management Has a Data Problem
    Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Write a Caption, Win an Amazon Gift Card! Click Here
    Latest Comment: This is not what I meant by "I would like to share some desk space"
    Current Issue
    2020: The Year in Security
    Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
    Flash Poll
    Assessing Cybersecurity Risk in Today's Enterprises
    Assessing Cybersecurity Risk in Today's Enterprises
    COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2020-28452
    PUBLISHED: 2021-01-20
    This affects the package com.softwaremill.akka-http-session:core_2.12 from 0 and before 0.6.1; all versions of package com.softwaremill.akka-http-session:core_2.11; the package com.softwaremill.akka-http-session:core_2.13 from 0 and before 0.6.1. CSRF protection can be bypassed by forging a request ...
    CVE-2020-28483
    PUBLISHED: 2021-01-20
    This affects all versions of package github.com/gin-gonic/gin. When gin is exposed directly to the internet, a client's IP can be spoofed by setting the X-Forwarded-For header.
    CVE-2021-21269
    PUBLISHED: 2021-01-20
    Keymaker is a Mastodon Community Finder based Matrix Community serverlist page Server. In Keymaker before version 0.2.0, the assets endpoint did not check for the extension. The rust `join` method without checking user input might have made it abe to do a Path Traversal attack causing to read more f...
    CVE-2020-25686
    PUBLISHED: 2021-01-20
    A flaw was found in dnsmasq before version 2.83. When receiving a query, dnsmasq does not check for an existing pending request for the same name and forwards a new request. By default, a maximum of 150 pending queries can be sent to upstream servers, so there can be at most 150 queries for the same...
    CVE-2020-25687
    PUBLISHED: 2021-01-20
    A flaw was found in dnsmasq before version 2.83. A heap-based buffer overflow was discovered in dnsmasq when DNSSEC is enabled and before it validates the received DNS entries. This flaw allows a remote attacker, who can create valid DNS replies, to cause an overflow in a heap-allocated memory. This...