Every year thousands of software vulnerabilities are revealed across thousands of products, and exploitation of vulnerabilities can cause widespread damage. Chief security officers do not need to be reminded of the high stakes surrounding software vulnerability management. The numbers speak for themselves. In 2015, there were 16,081 vulnerabilities discovered in 2,484 vulnerable products.
The cost is massive for organisations that must deal with a successful vulnerability exploit by a hacker. According to PricewaterhouseCoopers (PwC), the average financial loss attributed to cybersecurity incidents was $2.5 million in 2015. And that cost does not consider the unquantifiable brand and reputational damage caused by a successful hack.
The good news is that 84 per cent of all registered vulnerabilities had patches available on the day of disclosure (based on the Flexera Software Vulnerability Review 2016). Consequently, organisations can have the greatest effect on their risk profile by proactively patching known vulnerabilities before they are exploited, thereby reducing the attack surface.
The quickest and most cost-effective way to do so starts with vulnerability intelligence.
Which threats are relevant to your organisation?
With an overwhelming number of software vulnerabilities reported every day, security departments can easily become overwhelmed by even the most basic aspects of addressing the problem, such as answering, ‘Which vulnerabilities apply to us?’
Companies need to filter the known vulnerabilities down to those affecting the organisation. That involves comprehensive asset discovery and inventory to determine which systems are potentially threatened by the known vulnerabilities. Once the universe of known vulnerabilities is winnowed down to the subset affecting the enterprise, teams can concentrate their attention on that subset.
Of course, getting an accurate picture of IT assets in inventory is easier said than done. Most companies can’t accomplish this without implementing software asset management (SAM) processes and technology. Fortunately, SAM has recently emerged as a bulwark against wasteful software spend - and many leading organisations around the world have already implemented SAM, or are in the process of doing so. SAM solutions allow organisations to automate the process of discovering and inventorying their software and hardware assets.
The challenge is for security and IT operations teams to recognise their need for asset discovery and inventory, and to collaborate on gathering this data. If an organisation has a SAM implementation in-house, security teams should be aware of it and use the discovery and inventory data as the common ‘version of the truth’ for determining which vulnerabilities apply to them. As SAM and security continue to converge, SAM tools will increasingly integrate capabilities with software vulnerability management tools - which will help siloed security and IT operations teams work better together.
Refining security efforts with vulnerability intelligence
Let’s say that a company’s IT environment holds thousands of different applications and systems, all interconnected. Every year thousands of vulnerabilities are discovered in thousands of products. Some are extremely critical, their exploitation can cause extensive damage, and they need to be dealt with straight away. Others are not very critical and can be dealt with in due time. Security teams need to match their environment against the discovered vulnerabilities, assess the risk each vulnerability poses, and prioritise its mitigation.
This, in itself, is a daunting task. Add to it the roughly 300 new vulnerability alerts reported globally every day, of which, on average, only about eight per cent turn out to be real. To know which threats to take seriously, it is necessary to investigate them exhaustively. This is highly skilled work that must be performed by experts in their field.
Companies most likely will not have the resources or the motivation to employ staff whose only purpose is to monitor and curate vulnerability information. Instead, organisations must find a trusted software vulnerability management resource to perform this work, providing vulnerability intelligence - not just information.
Vulnerability intelligence means that reported vulnerabilities are actually verified, enriched with additional context, and delivered in a format security teams can use and act upon - one that explains how to handle the issue. It also means that the intelligence has been tested, vetted and is relevant, so that the information delivered pertains only to vulnerabilities in products present in the specific environment. For instance, beyond verifying that a vulnerability exists, vulnerability intelligence should detail what IT security teams need to know to mitigate the risk it poses.
Good vulnerability intelligence will confirm the existence of a vulnerability and rate the vulnerability’s criticality. This is significant because, as noted, not all vulnerabilities are created equally. And with limited time and resources available to patch the thousands of vulnerabilities that may impact an organisation, how can security teams know which are the most important?
The criticality of a vulnerability is based on an assessment of its potential impact on a system, the attack vector, any mitigating factors, and whether an exploit exists and is being actively used before a patch is released. The vulnerability ratings are as follows:
- Extremely critical (5 of 5): Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not usually require any user interaction, and exploits are in the wild. These vulnerabilities can exist in services like FTP, HTTP and SMTP, or in certain client systems like email applications or browsers.
- Highly critical (4 of 5): Normally used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not typically require any user interaction, but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP and SMTP, or in client systems like email applications or browsers.
- Moderately critical (3 of 5): Usually used for remotely exploitable denial-of-service vulnerabilities against services like FTP, HTTP and SMTP, and for vulnerabilities that permit system compromise but require user interaction. This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the internet.
- Less critical (2 of 5): Usually used for cross-site scripting and privilege escalation vulnerabilities. This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.
- Not critical (1 of 5): Typically used for very limited privilege escalation vulnerabilities and locally exploitable denial-of-service vulnerabilities. This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of the installation path of an application).
Equipped with reliable intelligence covering reported and verified vulnerabilities, knowing which of those verified vulnerabilities apply to the organisation’s own hardware, software and systems, and knowing which of the applicable ones are more critical and which are less, security teams can then establish an effective remediation plan.
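To make the matching and prioritisation concrete, here is an added example (not part of the original article or any vendor product) that joins a constructed advisory feed against a constructed SAM inventory and ranks the hits using the five-level scale described above. The `Advisory` fields, identifiers, product names and host counts are all assumptions invented for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Advisory:
    """One verified vulnerability record (constructed; field names are assumptions)."""
    advisory_id: str
    product: str
    impact: str             # compromise | dos | xss | privesc | data_exposure | info_disclosure
    remote: bool            # exploitable over the network (False = local or LAN-only service)
    user_interaction: bool  # victim must act, e.g. open a file or visit a page
    exploit_in_wild: bool   # a public exploit exists or exploitation is observed

def rate(a: Advisory) -> int:
    """Map the five-level scale described above onto an advisory (1 = not critical)."""
    if a.impact == "compromise":
        if a.remote and not a.user_interaction:
            return 5 if a.exploit_in_wild else 4  # extremely / highly critical
        return 3  # LAN-only service (SMB, RPC, NFS, LPD) or compromise needing user interaction
    if a.impact == "dos":
        return 3 if a.remote else 1  # remote DoS vs. locally exploitable DoS
    if a.impact in ("xss", "privesc", "data_exposure"):
        return 2  # an analyst may drop a "very limited" privilege escalation to 1
    return 1  # non-sensitive information disclosure, e.g. an installation path

def prioritise(advisories, inventory):
    """Keep advisories for installed products only; most critical, then most widely installed, first."""
    installed = {name.lower(): hosts for name, hosts in inventory.items()}
    ranked = [(a.advisory_id, rate(a), installed[a.product.lower()])
              for a in advisories if a.product.lower() in installed]
    return sorted(ranked, key=lambda r: (-r[1], -r[2], r[0]))

# Constructed asset inventory as a SAM tool might report it: product -> number of hosts
INVENTORY = {"Example SMTP Server": 3, "Example Browser": 250, "Example NFS Daemon": 2}

# Constructed advisory feed; identifiers and product names are placeholders
ADVISORIES = [
    Advisory("ADV-0001", "Example SMTP Server", "compromise", True, False, True),
    Advisory("ADV-0002", "Example Browser", "compromise", True, True, False),
    Advisory("ADV-0003", "Example NFS Daemon", "compromise", False, False, False),
    Advisory("ADV-0004", "Example Web App", "xss", True, True, False),  # not in inventory
    Advisory("ADV-0005", "Example Browser", "info_disclosure", True, False, False),
]

if __name__ == "__main__":
    for advisory_id, rating, hosts in prioritise(ADVISORIES, INVENTORY):
        print(f"{advisory_id}: criticality {rating}/5, installed on {hosts} hosts")
```

ADV-0004 drops out because the product is not in the inventory, and the two rating-3 items are separated by how many hosts they affect.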
Intuitively, it is less costly to prevent successful attacks than to deal with their aftermath. Organisations, therefore, need to understand which IT assets exist within their environments that could be targeted. They need a comprehensive picture of the vulnerability landscape and a snapshot of which vulnerabilities apply to them. They also need a precise and dependable assessment of the criticality of those vulnerabilities, so they can prioritise remediation. A thorough programme founded on vulnerability intelligence will help minimise the attack surface, reducing the risk of a successful exploit.