NEW YORK -- When he unveiled his organization's Top 20 vulnerability list for 2005 in November, SANS Institute Research Director Allan Paller noted the growing attacks against application flaws, and made the controversial statement that security had been set back nearly six years in the last 18 months.
Despite the rising mountain of security holes in AV software, media players and IM programs, security professionals at this week's Infosecurity Conference & Exhibition say the state of IT vulnerability management is far from bleak.
During a panel discussion on vulnerability management Thursday, speakers noted that while the bad guys are finding new vulnerabilities to exploit, the good guys are getting better at quickly patching their most critical systems. They're also getting better at scanning for trouble when vulnerabilities are announced.
The best evidence, perhaps, was this summer's Zotob attack against the Plug and Play vulnerability in Windows. The attack hit many organizations and gained wide media attention. But when panelists and attendees were asked to raise their hands if Zotob had a major impact on their networks, no one did.
"Intelligence and early warning is key for something like that," said Larry Brock, CISO for Wilmington, Del.-based DuPont. "Once a vulnerability is announced, we really track it to see if any exploits are out."
Zotob exploited a flaw that Microsoft announced on "Patch Tuesday" Aug. 9. By that Thursday, Brock's department had done enough intelligence gathering to know there was a significant threat. "We declared an emergency that Thursday and patched through the weekend," Brock said.
"We scan during, after and prior [to a vulnerability announcement]," said George Llano, senior director of information security for New York-based Viacom Inc. "Patches are tested instantly. But we also have implemented a lot of user education on what's out there and what's coming. User education is a form of patching."
Despite the successes, security professionals acknowledged that many hurdles remain. For one thing, there's that increased focus of the digital underground on application vulnerabilities like those outlined in the SANS Top 20.
Gerhard Eschelbeck, CTO of Redwood Shores, Calif.-based Qualys Inc., also noticed a growing trend toward application-based attacks in his latest "Laws of Vulnerabilities" research, which he unveiled at last month's CSI 32nd annual Computer Security Conference.
Recapping his findings, Eschelbeck said this year's data on vulnerability "half-life" -- the length of time it takes users to patch half of their systems -- shows organizations are patching critical vulnerabilities in outward-facing systems within an average of 19 days, two days faster than last year and 11 days faster than in 2003. He said progress is being made on inward-facing systems as well, with the half-life of critical vulnerabilities there dropping to an average of 48 days, two weeks sooner than in 2004.
At the same time, he said, more than 60% of the most recent quarter's vulnerabilities were client-side, meaning they affected specific applications such as Internet Explorer and Adobe Acrobat or software plug-ins like Macromedia Flash. "There's a significant shift from server-side vulnerabilities to the client side," he said, adding that the digital underground is shifting in that direction because "there is still a lot of low-hanging fruit out there."
In the next year or so, he expects even more client-side vulnerabilities to surface. He also predicted that 4% of each year's vulnerabilities will have an infinite lifespan.
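As an added illustration, not part of the article or of the Qualys research it describes, the following shows how a vulnerability-management team could derive the "half-life" metric Eschelbeck uses from its own rescan records: the host list and patch days are constructed, and a vulnerability that never reaches 50% patched within the observation window is reported as having no half-life, the practical form of the "infinite lifespan" case.

```python
from typing import Optional, Sequence

# Constructed sample for one vulnerability: the day, counted from the
# vendor announcement, on which a rescan first confirmed each affected
# host as patched. None means the host was still unpatched at the end of
# the observation window. These numbers are invented, not survey data.
PATCH_DAYS: Sequence[Optional[int]] = [
    3, 5, 5, 9, 12, 14, 17, 19, 22, 30, 41, 60, None, None,
]


def half_life(patch_days: Sequence[Optional[int]], window_days: int) -> Optional[int]:
    """Day by which at least half of the affected hosts were patched.

    Returns None when fewer than half were patched inside the observation
    window, i.e. the vulnerability has no measurable half-life yet
    (the "infinite lifespan" case).
    """
    total = len(patch_days)
    if total == 0:
        raise ValueError("no affected hosts recorded")
    needed = (total + 1) // 2  # ceil(total / 2): the host that crosses 50%
    patched = sorted(d for d in patch_days if d is not None and d <= window_days)
    if len(patched) < needed:
        return None
    return patched[needed - 1]


def exposure_fraction(patch_days: Sequence[Optional[int]], day: int) -> float:
    """Fraction of affected hosts still unpatched at the end of `day`.

    Plotting this for successive days gives the decay curve from which the
    half-life is read off; it never reaches zero while hosts remain None.
    """
    total = len(patch_days)
    still_exposed = sum(1 for d in patch_days if d is None or d > day)
    return still_exposed / total


if __name__ == "__main__":
    hl = half_life(PATCH_DAYS, window_days=90)
    print("half-life (days):", hl)  # 17 for the constructed sample
    for day in (0, 7, 14, 21, 45, 90):
        print(f"day {day:3d}: {exposure_fraction(PATCH_DAYS, day):.0%} still exposed")
```
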
Brock pointed out another problem IT shops must watch out for: vulnerabilities that refuse to die even after patches have been deployed. "We certainly patch aggressively, but for some unexplained reason some vulnerabilities come up again," he said.
One theory is that the flaws reappear when a new machine is brought online. He said vulnerabilities have not resurfaced on machines that were patched.
The bottom line, Brock said, is to never assume a vulnerability is gone forever once its patch has been deployed. Since new machines are often brought into the network, he said IT professionals must remain vigilant.
Llano also cautioned that the vulnerability landscape isn't the same for every company, especially one like Viacom, which includes such entertainment networks as MTV and Nickelodeon.
"There are different extremes for us," he said. "Something we see on the MTV side isn't necessarily something we see on the Nickelodeon side. It's a more spontaneous vulnerability landscape."
The panelists said that in the end, the best IT shops can do is keep a careful eye out for new vulnerabilities, scan for exploits constantly and make sure the patches deployed first are those that will protect the most critical systems.
Eschelbeck noted that 90% of vulnerability exposure is caused by a mere 10% of critical vulnerabilities. Therefore, he said, "Eliminate 10% of the critical flaws and you wipe out 90% of your vulnerability exposure."