Protecting Against An Avalanche of Vulnerabilities

By Jeff Vance


Keeping up with system vulnerabilities is no easy task. Gone are the days when IT can rely on "Patch Tuesday" and perimeter security solutions. Sure, there are still plenty of operating system flaws to contend with, which patching corrects, but third-party applications now pose even more problems.

According to a study by the security firm Qualys, desktop applications like iTunes, Firefox, PowerPoint and, surprisingly, antivirus programs account for more than 60% of critical vulnerabilities. And attackers are focusing on new network targets as well.

VoIP servers and phones, IM servers, and even printers and faxes are now considered weak points that may provide access to an otherwise hardened network. Added to that, user-introduced errors and network misconfigurations can undermine even the best security plans.

Faced with these issues, as well as industry regulations like HIPAA (Health Insurance Portability and Accountability Act), Mercy Hospital in Miami, Fla. had to change the way it went about securing its network. But before new security measures could be introduced, Mercy had to get a better understanding of its network.

According to Moses Hernandez, a network engineer for Mercy, in the past the task of studying the network was done infrequently. “We used scanning to get a feel for the network and know what was on it,” Hernandez said. “We simply needed to get an idea of what was out there.”

Soft on the Inside

However, after scanning for inventory and topology, Mercy realized it had to keep scanning on an ongoing basis. Networks can change dramatically over time, and new vulnerabilities are discovered in operating systems and applications on an almost daily basis. “Vulnerability assessments have become so important that we scan every week or even every day,” Hernandez said.

In other words, simply hardening your network against outside intruders is no longer an effective strategy. Increasingly, with guest access and partner applications and distributed networks, it’s more and more difficult to define what “inside-the-network” even means.

According to Ross Brown, CEO of vulnerability management vendor eEye Digital Security, in the past the term “vulnerability” had a specific meaning, referring to flaws in systems or software. These could be fixed via patches. Today, the term “vulnerability” has a broader meaning, encompassing not just software flaws but also user-introduced vulnerabilities, network misconfigurations, and even interoperability problems. The new generation of vulnerability management tools even discovers instances where users are putting the organization at risk by not following corporate policies.

A recent survey by the Computer Security Institute (CSI) and the FBI found that nearly 52% of participants were hit by security breaches, many from outside of the organization. However, 68% said that a significant portion of those breaches came from within the network. Any security expert will tell you that internal attacks are the most troubling sort. They are harder to defend against, and insiders know what to go after. The average loss that companies in the CSI/FBI survey experienced due to financial fraud or theft of proprietary data was over $160,000. However, the CSI/FBI survey numbers fall on the conservative side, since they rely on voluntary reporting.

Other surveys point to much higher losses due to insider exploits.

According to the U.S. Commerce Department, intellectual property theft alone costs U.S. businesses approximately $250 billion each year. IBM reports that cybercrime is now more of a problem for U.S. businesses than traditional physical crimes, while also saying that more than 70% of businesses they’ve studied believe that insider attacks are a more significant threat than those from hackers.

Insiders have a better sense of which systems are vulnerable, and they can often intentionally introduce misconfigurations that they can then later exploit. This again points to the necessity for aggressive vulnerability monitoring. However, aggressive monitoring creates its own headaches.

“A common enterprise report may find 30,000 vulnerabilities,” said Alan Paller, director of research for the SANS Institute. “In fact, a number that high is by no means uncommon.”

Understanding the too-much information curse, most vulnerability management vendors classify vulnerabilities by risk. “Vulnerabilities that have known exploits in the wild are rated much higher than those for which no known attack exists.”
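As an added illustration (not code from the article or from any vendor named in it), a minimal version of that risk-based triage in Python: a constructed scan report is ranked with an assumed weighting in which a known in-the-wild exploit doubles the base severity, so only the findings that matter surface from the larger list.

```python
# Added example: rank scan findings so flaws with known in-the-wild
# exploits rise to the top of a large vulnerability report.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str           # constructed label, not a real advisory id
    severity: float        # scanner base severity, 0.0 - 10.0
    exploit_in_wild: bool  # a working exploit is known to circulate
    patch_available: bool  # a fix exists that remediation can deploy


def risk_score(f: Finding) -> float:
    """Assumed weighting (not a vendor formula): an in-the-wild exploit
    doubles the base severity; a missing patch adds 1.0 because the
    exposure window is open-ended."""
    score = f.severity * (2.0 if f.exploit_in_wild else 1.0)
    if not f.patch_available:
        score += 1.0
    return round(score, 1)


def prioritize(findings: List[Finding], min_score: float = 10.0) -> List[Finding]:
    """Return findings scoring at or above min_score, highest risk first."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [f for f in ranked if risk_score(f) >= min_score]


# Constructed sample report: hosts, ids and scores are made up.
SAMPLE_REPORT = [
    Finding("ws-01", "VULN-A", 9.8, False, True),    # severe, but no known exploit
    Finding("ws-02", "VULN-B", 6.5, True, True),     # moderate, exploit circulating
    Finding("srv-01", "VULN-C", 7.2, True, False),   # exploit circulating, no patch
    Finding("prn-01", "VULN-D", 4.0, False, False),  # printer, low severity
    Finding("voip-01", "VULN-E", 5.0, False, True),  # VoIP phone, moderate
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_REPORT):
        print(f"{risk_score(f):5.1f}  {f.host:8s}  {f.vuln_id}")
```

Note that the 9.8-rated finding with no known exploit drops below the cutoff while two lower-rated but actively exploited ones are kept, which is the ordering the text describes.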

Managing Risk

The key is to focus on the most significant risks, and vendors like CoreSecurity, eEye, nCircle, and Qualys understand this. After all, the slew of false positives and alarms set off by minor problems bedeviled the intrusion detection space for years, and those in the vulnerability management space learned from those mistakes.

The space has also learned that point products often have short life spans, so vendors have rolled vulnerability assessment in with other value-added security services. “Traditional vulnerability assessment simply tells you where you are vulnerable,” said Ross Brown of eEye. “Vulnerability management, on the other hand, not only tells you where you are vulnerable, but also what to do about it.”

After surveying the market, Mercy Hospital in Miami chose eEye’s vulnerability management suite partly because of its remediation abilities. Since eEye ties into BigFix’s patch and configuration management platform, Mercy can streamline its remediation process.

Mercy was also drawn to eEye’s extensive vulnerability database and their research team, which has uncovered such serious flaws as the Microsoft DCOM RPC Memory Leak and the remote code execution flaw in McAfee’s ePolicy Orchestrator.

A final consideration for Mercy was the importance of protecting legacy applications. “As much as you’d like to be running a homogenous network with one operating system and current applications, what happens in a hospital is that you have many homegrown applications that fill niche needs. Hospitals are almost forced to run very obscure applications,” Hernandez said.

As a result, the final piece of the vulnerability puzzle is linking with related security offerings that protect against no-signature and zero-day attacks, as well as providing protection for legacy products for which no patches exist. After all, what good is a system that points out a flaw but then tells you that there is nothing you can do about it?