A vulnerability is a flaw in application or operating system software that causes the executable for that software to behave in an unexpected manner. Failing to take all the possible conditions for a given input into consideration, and failing to adhere to best or secure programming principles, are among the most common causes of vulnerabilities. Attackers exploit vulnerabilities that slip past quality assurance, independent analysis by white hats, and other testing to gain administrative control over personal computers, servers, and even network equipment. By exploiting vulnerabilities, criminals are able to install malware, upload phishing content to servers, or alter network configurations.
Vulnerabilities are everyone’s worry. In a past article, I’ve explained how individual users can and should keep all their software patch-current. Recently, I had a chat with Emmanuel Carabott, at GFI (a provider of content and network security, and messaging solutions for SMBs) to ask his opinion about vulnerabilities and how to manage them across small and medium businesses.
“There are different kinds of vulnerabilities but they are mainly bunched into two categories, zero-day and known”, explains Emmanuel. “Zero-day vulnerabilities, as the name suggests, are new vulnerabilities that have just been discovered and are exploited before the community or vendor knows about them. As such, a zero-day vulnerability will have a period of high exploitability until the vendor can analyze the issue so as to offer a patch or at least a workaround. On the other hand, known vulnerabilities are vulnerabilities that the vendor is aware of and would have workarounds or patches that are available to address them.”
Known vulnerabilities should not be an issue in an ideal world. The vulnerability is made known to the vendor or software developer, a patch that fixes those vulnerabilities is made available and distributed, users install the patch, and the exploit is contained. Unfortunately, we do not live in an ideal world. Annually, the Microsoft Security Intelligence Report and Cisco Annual Security Report reveal that outbreaks continue to exploit vulnerabilities long after vendors or developers release patches.
I find this inexcusable, but Emmanuel suggests it’s possible to fix. “In case of known vulnerabilities, an effective patch management strategy is all one needs. Monitor vendors of your applications and make sure you are aware whenever they release new patches. Once a patch is released, ensure proper testing of the patch on a test mirror of the environments in which the patch is to be deployed, and if no issues are found make sure it is promptly deployed to the live environment. Things do go wrong with testing as well, so make sure you have a disaster recovery plan should the patch cause unintended behavior once deployed.”
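The patch-management loop Emmanuel describes (watch vendor advisories, find the hosts that are behind, gate production deployment on a successful test-mirror run and an existing rollback plan) is easy to get subtly wrong when version strings are compared as text. The following is an added example, not code from the article or from GFI: a small patch-compliance checker over a constructed inventory and constructed advisories. All hostnames, products, versions and advisory identifiers are made up, and the version parser only handles numeric dotted versions.

```python
"""Added example (not from the article or any vendor tool): a minimal
patch-compliance check. Given a constructed software inventory and a
constructed list of vendor advisories, report which hosts still run a
version below the fixed version, and whether each patch has cleared the
test mirror and has a rollback plan, so it may go to production.
Hosts, products, versions and advisory ids are all constructed."""

import re
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn "13.10" into (13, 10) so versions compare numerically.

    Plain string comparison ranks "13.3" above "13.10", which would hide
    a host that is actually behind. Only numeric dotted versions are
    handled here; vendor-specific suffix schemes are out of scope."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class Advisory:
    product: str
    fixed_version: str        # first version that contains the fix
    advisory_id: str          # vendor identifier (constructed placeholder)
    tested_ok: bool = False   # patch passed on the test mirror
    rollback_plan: bool = False  # disaster-recovery plan exists for it


# Constructed inventory: host -> {product: installed version}
INVENTORY = {
    "web01": {"httpd": "2.4.49", "openssl": "3.0.7"},
    "web02": {"httpd": "2.4.51", "openssl": "3.0.7"},
    "db01": {"postgresql": "13.3"},
}

# Constructed advisories, with the current state of our testing.
ADVISORIES = [
    Advisory("httpd", "2.4.51", "VENDOR-ADV-0001", tested_ok=True, rollback_plan=True),
    Advisory("openssl", "3.0.8", "VENDOR-ADV-0002", tested_ok=True, rollback_plan=False),
    Advisory("postgresql", "13.10", "VENDOR-ADV-0003", tested_ok=False, rollback_plan=True),
]


def missing_patches(inventory, advisories):
    """Return {host: [(advisory_id, installed, fixed), ...]} for hosts behind."""
    by_product = {}
    for adv in advisories:
        by_product.setdefault(adv.product, []).append(adv)
    findings = {}
    for host, installed in inventory.items():
        for product, version in installed.items():
            for adv in by_product.get(product, []):
                if parse_version(version) < parse_version(adv.fixed_version):
                    findings.setdefault(host, []).append(
                        (adv.advisory_id, version, adv.fixed_version))
    return findings


def patch_plan(inventory, advisories):
    """Per advisory: deployment status and the affected hosts.

    Production deployment is only allowed once the patch has passed on the
    test mirror and a rollback plan exists; otherwise the reason is given."""
    findings = missing_patches(inventory, advisories)
    plan = {}
    for adv in advisories:
        hosts = sorted(h for h, items in findings.items()
                       if any(a == adv.advisory_id for a, _, _ in items))
        if not hosts:
            status = "no affected hosts"
        elif not adv.tested_ok:
            status = "blocked: untested on mirror"
        elif not adv.rollback_plan:
            status = "blocked: no rollback plan"
        else:
            status = "deploy"
        plan[adv.advisory_id] = (status, hosts)
    return plan


if __name__ == "__main__":
    for adv_id, (status, hosts) in patch_plan(INVENTORY, ADVISORIES).items():
        print(f"{adv_id}: {status} {hosts}")
```

Running the block prints one line per advisory; the PostgreSQL case is the one to note, since `"13.3" > "13.10"` as strings but the numeric comparison correctly reports db01 as behind.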
Emmanuel explains that zero-day threats are multi-dimensional. “If you’re hit with an attack using a zero-day vulnerability, there is a great chance that your security will fail at a certain level and the only thing a strong security mechanism can do is limit the damage or subsequent access due to the intrusion.” He adds, “If the attack using zero-day vulnerabilities happened to someone else and news just broke out, the administrator is faced with a difficult choice: should he disable the vulnerable application or take the risk until the vendor has had time to fix it, something that could take months?”
The fact that an attack is zero-day doesn’t make it an entirely indefensible event. Emmanuel continues, “For zero-day vulnerabilities, patch management is still your best bet. While patch management will not protect you from a zero-day vulnerability directly (as no patch will be available yet), it can help limit the number and kinds of control or access an attacker gains once he’s exploited a new vulnerability. It may even limit the attacker from actually being able to use the attack at a higher level.”
Emmanuel adds, “Make sure you have mechanisms in place that can allow you to take quick corrective action should you become aware of a zero-day vulnerability.” Many of these, we agreed, are containment actions: block inbound connections to exploited servers, or outbound traffic, so that your sensitive data are not exfiltrated, and prepare a plan to initiate recovery and restore systems to a known, correct state and configuration.
Where Does Vulnerability Scanning Fit?
Vulnerability scanners automate the kinds of auditing processes that are needed to assure that personal computers, servers and network equipment are kept patch-current and configured against exploitation through known vulnerabilities and lax configurations. Emmanuel explains, “A vulnerability scanner can help safeguard your environment against Zero-day vulnerabilities by ensuring your systems have the smallest possible surface area available to an attacker. A vulnerability scanner will point out things to the administrator, such as which ports are open, what services are running and what users and groups are in use on each machine, as well as which configurations for servers might be putting the server at risk”.
A quality vulnerability scanner provides a detailed report of vulnerabilities for a network administrator so that he can distinguish which of the vulnerabilities pose real threats to the organization from the ones that are benign (mitigated by other defenses or countermeasures). He can then decide which of the real threats can be mitigated at a cost that’s acceptable to the organization. This is standard risk assessment and cost-benefit analysis. Typically, a large proportion of the reported vulnerabilities ought to be, and can be, mitigated by applying secure configurations to all network devices. Emmanuel adds, “Configure each device in such a way as to run only the necessary services and nothing else. Each service, each port and each user left open is like an unlocked and unobserved door or window in a house. They create opportunities for attackers to gain entry. Security is about having only the necessary amount of windows.”
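The two preceding paragraphs describe what a scanner reports (open ports, running services, local accounts) and the triage an administrator then does: separate findings that need action from ones already covered by another control, and measure everything against "only the necessary services". The following is an added example, not code from the article, GFI, or any scanner product: it runs that triage over a constructed scan report, a per-role baseline of expected services, and a list of compensating controls. Hosts, roles, ports, account names and control descriptions are all made up.

```python
"""Added example (not from the article or any scanner product): triage a
constructed vulnerability-scan report against a per-role baseline of
permitted services, a list of compensating controls, and an approved
account list. Findings come out as expected, mitigated, or needing action.
All hosts, roles, ports, accounts and control names are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    service: str
    bind_addr: str   # "0.0.0.0" = reachable over the network, "127.0.0.1" = local only


# Constructed scan output: what the scanner saw listening on each host.
SCAN = [
    Finding("web01", 443, "https", "0.0.0.0"),
    Finding("web01", 22, "ssh", "0.0.0.0"),
    Finding("web01", 3306, "mysql", "127.0.0.1"),
    Finding("web01", 21, "ftp", "0.0.0.0"),
    Finding("db01", 5432, "postgresql", "0.0.0.0"),
    Finding("db01", 22, "ssh", "0.0.0.0"),
    Finding("db01", 8080, "http-proxy", "0.0.0.0"),
    Finding("legacy01", 23, "telnet", "0.0.0.0"),   # host with no assigned role
]

ROLE = {"web01": "web", "db01": "database"}

# Baseline: the only services each role is expected to expose to the network.
BASELINE = {
    "web": {"https", "ssh"},
    "database": {"postgresql", "ssh"},
}

# Compensating controls already in place for specific (host, port) pairs.
CONTROLS = {
    ("db01", 8080): "admin console reachable only from the management VLAN",
}

# Constructed local account listing and the approved set.
ACCOUNTS = {"web01": ["root", "deploy", "guest"], "db01": ["root", "postgres"]}
APPROVED = {"root", "deploy", "postgres"}


def triage(scan, role, baseline, controls):
    """Classify each finding as 'expected', 'mitigated' or 'action'.

    A host with no role gets an empty baseline, so everything it exposes
    to the network lands in 'action' rather than silently passing."""
    result = {"expected": [], "mitigated": [], "action": []}
    for f in scan:
        allowed = baseline.get(role.get(f.host, ""), set())
        if f.service in allowed:
            result["expected"].append(f)
        elif f.bind_addr.startswith("127."):
            result["mitigated"].append((f, "bound to loopback only"))
        elif (f.host, f.port) in controls:
            result["mitigated"].append((f, controls[(f.host, f.port)]))
        else:
            result["action"].append(f)
    return result


def unapproved_accounts(accounts, approved):
    """Return {host: [account, ...]} for local accounts outside the approved set."""
    return {host: sorted(set(users) - approved)
            for host, users in accounts.items() if set(users) - approved}


if __name__ == "__main__":
    report = triage(SCAN, ROLE, BASELINE, CONTROLS)
    for f in report["action"]:
        print(f"ACTION    {f.host}:{f.port} {f.service}")
    for f, why in report["mitigated"]:
        print(f"MITIGATED {f.host}:{f.port} {f.service} ({why})")
    for host, users in unapproved_accounts(ACCOUNTS, APPROVED).items():
        print(f"ACCOUNTS  {host}: {users}")
```

The split into expected, mitigated and action is the cost-benefit step in miniature: the "mitigated" bucket carries the reason, so a reviewer can later revisit whether that control still holds, while the "action" bucket is the list of doors that are actually open with nobody watching.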
Security is Also About Containment
Even when you apply best practices for vulnerability scanning and patch management, there’s no guarantee that you’ll have locked every door and window, but you will have locked enough to limit how far an attacker can penetrate. Emmanuel points out that, “you might not stop an attacker from breaking through one of those windows but you may confine him to the room he’s broken into, while with no action at all he would be free to roam through the entire house. This is precisely why being proactive in these cases is very important.”
As is the case for so many security issues, no single measure, even patch management, makes you safe from attack. Rigorous patch management, however, limits the risk from vulnerability exploit attacks. SMBs should be able to reduce risk at an acceptable cost and effort if they coordinate or centrally manage patching, and if they routinely scan to make certain patch management is performing as intended.