This year's hard-hitting Sasser worm arrived 18 days after Microsoft announced the vulnerability the malicious code exploited. That was slow. According to Cupertino, Calif.-based security provider Symantec Corp., an exploit now appears on average less than six days after a vulnerability is announced.
Yet while the window is nearing toward zero-day exploits, and many large organizations are aggressively tackling network vulnerabilities, small to medium-sized businesses (SMBs) have been slower to follow, compromising their small and large partners' networks, according to security experts.
"The gist of this is, it's not your own health that you have to worry about anymore, it's the health of your partners," said Jim Slaby, a senior analyst at the Yankee Group, a Boston-based research firm. Unlike their larger brethren, however, a lot of SMBs "are even more resource-constrained: fewer IT people; fewer security people," Slaby added. Both little and big companies face a security reality where new attacks constantly emerge, and "the traditional defenses they've relied upon aren't as effective anymore, he said."
Managing vulnerabilities: Two options
As a result of such constraints, Slaby said many SMBs opt to outsource their vulnerability management to a managed security services provider. Alternately, organizations can run their own vulnerability scanners. When paired with management and reporting tools, these scanners give organizations a report on what needs fixing, though fine-tuning is first necessary.
For best practices, Yankee recommends organizations integrate vulnerability discovery with both remediation and patch and configuration management, fixing high-value assets (and know what they are) first. The firm also recommends "a sense of managed urgency." That means scans of critical assets every five to 10 days, and patching critical vulnerabilities within 21 days of their announcement.
SMBs have numerous vendor options. Leading private vulnerability management vendors, according to Yankee, include Qualys Inc., TruSecure Corp. (soon to known as CyberTrust), Foundstone Inc. (recently acquired by McAfee) and nCircle Inc. Symantec, Internet Security Systems Inc. and Computer Associates International Inc. also offer the technology, as well as several upstarts, including Skybox Security, Tenable Network Security, Ecora, White Hat Technologies, BigFix Inc., Scan Alert Inc. and Black Dragon Software. St. Bernard Software Inc. also plans next week to announce a new systems vulnerability management tool specifically for the SMB market.
The most popular open source software is Nessus, which Deraison said 75,000 organizations use. Given it's free, it may be an attractive option for budget-strapped SMBs. Functionally speaking, Nessus users aren't getting a watered-down scanning engine; they just don't get support, or a complete vulnerability management package, though commercial add-ons are available.
Some experience required
Despite the plethora of options, do SMBs have the requisite in-house security knowledge to handle open source scanners? For Nessus, "you need some basic Unix knowledge to deploy it," Deraison said. A related, Windows-only tool called NeWT (Nessus Windows Technology) -- the basic version is free -- is easier to use and quick to deploy.
Deraison cautioned that for any scanner "you need a certain level of sys admin experience, both Unix and NT, to understand the results. But you definitely don't need to be an expert."
Meanwhile, all scanners suffer from some side effects. "You scan your network looking for the MSRPC vulnerability, and you crash your printers on the way, [creating an] unwanted denial of service," Deraison explained. "Or HP/UX comes up as being vulnerable whereas it's not; thus, you've got a false-positive. Or your faithful Windows NT box does not show up as being vulnerable while it is [a] false-negative."
Adds the Yankee Group's Slaby: "I guess publicly available tools are better than no tools, but clearly there are advantages that you get from someone in the business of doing it for a profit. In other words, sometimes you get what you pay for in open source. But clearly if you don't have the budget for proprietary tools, then you're certainly better off going that path than doing nothing at all."
Mathew Schwartz is a Paris-based freelance technology writer who contributes regularly to SearchSecurity's Security Wire Daily and Security Wire Perspectives. He can be reached at firstname.lastname@example.org