If you were to ask IT security professionals, “how do you prioritize your vulnerability management?”, nine times out of ten the answer will be “we focus on the most important first”. Dig deeper into that seemingly reasonable answer and you will uncover the historic legacy that vulnerability management is in most organizations: a legacy built on certain myths, myths repeated so often and by so many that they have taken on the form of well-accepted truths. Let’s take a look at the myths that influence how you prioritize your vulnerability management.
Myth #1: Hackers get in through perimeters, so I should focus on patching them.
Wrong. Perimeters are just a small piece of the puzzle. Any application, device or system connected to the internet is a potential entry point for cyber-criminals to deliver malware. So while you focus your energy and effort on patching perimeters, you leave every other possible entry point unsecured, making any internet-connected device, application or upgrade a potential threat vector.
An analogy I often use is how kingdoms were defended in the Middle Ages with impregnable fortresses. When kings wanted to attack other kingdoms, they didn’t rely only on brute force to scale the fortress walls; a single soldier could be sent to find weaknesses in the defenses and ways to get in. The advantage then was that the soldiers defending the fortress could often spot the enemy approaching and mount a defense. It’s different with modern-day fortresses, i.e. organizations. Cyber-criminals can simply download a copy of any software and work on it in secret, and when they find a vulnerability in that software, they gain a way into not just one organization but every organization that uses it. Yes, they still need to gain access and run the risk of detection, but they stay under the radar during the initial phase, while they are hunting for the vulnerability.
Myth #2: Focusing on patching Microsoft applications is enough.
Not true. Our research (1) indicates that over a five-year period, non-Microsoft applications were responsible for the majority of vulnerabilities. So patching only Microsoft platforms and applications, while ignoring the threat of vulnerabilities in hundreds of other platforms and applications, is a reckless strategy. It is reckless because the majority of non-Microsoft vulnerabilities have patches, so there is no excuse not to patch them as well. In fact, in 2014, 83.1% of all vulnerabilities had patches available on the day of disclosure. What this means is that it is possible to remediate the majority of vulnerabilities on the day they become publicly known.
It is of course important not to lose sight of the remaining 17% of vulnerabilities, the ones that do not have a patch available, as these are easy targets for cyber-criminals. Focusing on Microsoft platforms and applications without the added vulnerability intelligence needed to counter the threat from non-Microsoft vulnerabilities, and from vulnerabilities without patches, is unwise.
Myth #3: Focusing on applications with maximum vulnerabilities is a good tactic.
While this tactic is certainly popular, it unfortunately doesn’t deliver the results you want. Many organizations decide to focus on a certain range of software products and applications because they hear that those products have had several vulnerabilities. The fact is that cyber-criminals are more likely to focus on an existing vulnerability that can be easily exploited, and it does not matter whether that vulnerability is in a piece of software that had 100 other vulnerabilities or zero vulnerabilities in the past. It is highly likely that they will exploit a vulnerability in a seemingly safe program, i.e. one with no other known vulnerabilities, if it is easy to exploit. This means that while you focus on remediating vulnerabilities in certain applications or products, your organization can be attacked through another source.
Myth #4: Create a baseline and work your way up.
The general perception is that it’s good to create a baseline and strategically work your way up from there. Not true. More often than not, the baseline means that someone responsible for IT infrastructure runs one or several scans of one or several parts of the IT estate and then repeats a few procedures at pre-defined intervals. The problem is that the scanner may cover only certain platforms, and not every application or product version you have installed on those platforms. This means the scanner will not find all vulnerabilities and, even worse, its results will be outdated an hour later.
So starting from that baseline and then working for months to get rid of all the identified vulnerabilities doesn’t make sense. Firstly, you can be certain that you had already missed several vulnerabilities when you started. Secondly, several more vulnerabilities are added while you are busy working through your baseline.
Myth #5: I should focus on business critical apps.
Fact: a security breach can begin with a small, non-business-critical application. As I shared earlier in the post, cyber-criminals will focus on applications that are easiest to exploit and have maximum impact. For example, something as innocuous as a PDF reader or a browser could be used to deliver malware to computers. According to the Secunia Vulnerability Review 2015, there has been a 42% increase in the number of vulnerabilities discovered in the most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari.
In another example, in one of the major breaches last year, point-of-sale card-swipe machines were infected (2) after the network of the company that operated the machines was compromised. The breach went undetected for 18 months, compromising the data of over 850,000 credit/debit card users. Focusing on business-critical apps to the exclusion of everything else can mean giving cyber-criminals the opportunity to discover and exploit vulnerabilities in other, non-business-critical applications.
Separating facts from myths
If you’re guilty of believing these five myths, you’re not alone. They are embedded in the IT security strategy of most organizations and have been around for a long time. But following them blindly means putting your organization’s security at risk. It’s time to re-examine these myths and separate them from the facts. And the fact is that when it comes to vulnerabilities, you should be covering everything in your infrastructure network: your applications, devices, software platforms, servers and mobile platforms, all the time.
Once you’ve done that, your vulnerability intelligence should tell you which programs are unsecured, where the vulnerabilities are, how critical they are, how they can impact your systems and how to remediate them. Most vulnerabilities are not critical (3): according to Secunia Research, on average only 15-20% of the vulnerabilities discovered every month are highly critical. Only when you have this kind of information can you know what to focus on and how to prioritize your vulnerability management.
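The closing point, that prioritization should come from vulnerability intelligence rather than from vendor, vulnerability count or business-criticality alone, can be turned into a small triage routine. The Python below is an added example and is not code from the original post or from Secunia; the record fields, the five-level criticality labels, the scoring weights, the one-week freshness window and the sample findings (placeholder advisory ids, not real ones) are all assumptions made for illustration.

```python
"""Rank findings by how they are likely to be exploited, not by vendor, by a
product's vulnerability history, or by whether the app is business critical.
All data below is constructed; field names and weights are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta

# Five-level scale assumed for illustration (modelled on the vendor scale the post cites).
CRITICALITY = {
    "extremely critical": 5,
    "highly critical": 4,
    "moderately critical": 3,
    "less critical": 2,
    "not critical": 1,
}


@dataclass(frozen=True)
class Finding:
    asset: str
    vendor: str
    product: str
    advisory: str            # placeholder id, not a real advisory number
    criticality: str
    exploit_public: bool     # a working exploit is known to be circulating
    internet_exposed: bool   # the asset is reachable from the internet
    patch_available: bool
    business_critical: bool  # carried for reporting, deliberately NOT scored (Myth #5)
    last_scanned: date       # when this asset was last assessed (Myth #4)


def priority(f: Finding) -> int:
    """Higher is more urgent. Vendor, product history and business-criticality
    are ignored; criticality, exploit availability and exposure drive the rank."""
    score = CRITICALITY[f.criticality] * 10
    if f.exploit_public:
        score += 30
    if f.internet_exposed:
        score += 15
    return score


def triage(findings, today, max_age=timedelta(days=7)):
    """Split findings into a patch queue, a mitigation queue (no patch yet) and
    a list of assets whose assessment is too old to trust (Myth #4)."""
    fresh = [f for f in findings if today - f.last_scanned <= max_age]
    stale = sorted({f.asset for f in findings if today - f.last_scanned > max_age})
    by_urgency = sorted(fresh, key=priority, reverse=True)
    return {
        "patch_now": [f for f in by_urgency if f.patch_available],
        "mitigate": [f for f in by_urgency if not f.patch_available],
        "stale_assets": stale,
    }


# Constructed sample findings; advisory ids are placeholders.
TODAY = date(2015, 6, 1)
SAMPLE = [
    Finding("ws-01", "VendorA", "PDF reader", "ADV-PLACEHOLDER-1", "highly critical",
            True, True, True, False, date(2015, 5, 30)),
    Finding("ws-01", "Microsoft", "Office", "ADV-PLACEHOLDER-2", "moderately critical",
            False, False, True, True, date(2015, 5, 30)),
    Finding("erp-01", "VendorB", "ERP suite", "ADV-PLACEHOLDER-3", "less critical",
            False, False, True, True, date(2015, 5, 29)),
    Finding("web-01", "VendorC", "Web server", "ADV-PLACEHOLDER-4", "extremely critical",
            True, True, False, False, date(2015, 5, 31)),
    Finding("pos-07", "VendorD", "POS agent", "ADV-PLACEHOLDER-5", "highly critical",
            True, False, True, False, date(2015, 3, 1)),   # three months old
]

if __name__ == "__main__":
    result = triage(SAMPLE, TODAY)
    for queue in ("patch_now", "mitigate"):
        print(queue)
        for f in result[queue]:
            print(f"  {priority(f):3d}  {f.asset:7s} {f.vendor}/{f.product}  {f.advisory}")
    print("re-scan before trusting:", result["stale_assets"])
```

Running it prints two work queues, patch now and mitigate, each ordered by how likely a finding is to be exploited. The low-criticality bug in the business-critical ERP suite ranks below the exploited PDF reader on an ordinary workstation, the unpatched web server goes to the mitigation queue rather than being dropped, and the point-of-sale asset whose last assessment is three months old is sent for a re-scan instead of being ranked on stale data.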
References
(1) Secunia Vulnerability Review 2015
(2) Network World: Worst security breaches of the year 2015
(3) Secunia criticality definition