An often quoted business rule is the Pareto principle, where, in most situations, approximately 80% of the profit...
comes from 20% of the effort exerted. This rule can also apply to some aspects of information security.
A new report by Digital Shadows, "In the business of exploitation," found that three pieces of software -- Adobe Flash Player, Oracle's Java and Internet Explorer -- account for 62 of the 76 vulnerabilities found targeted by exploit kits. That's almost 82%. The information security community is starting to learn that using data can be an effective way to secure enterprises and prioritize basic information security hygiene. The Digital Shadows report shows the value of using available data to identify vulnerable software.
This tip will look at the findings from Digital Shadows and potential enterprise responses for managing these vulnerabilities.
Findings from the Digital Shadows report
Using data to drive decisions at the information security level is crucial. Enterprises should be using information from research and publications like Verizon's "Data Breach Investigations Report" and the report from Digital Shadows.
Digital Shadows included 22 exploit kits in its analysis and focused on the five most prominent kits, correlating the vulnerabilities exploited by each kit to determine the most common vulnerabilities. It is unclear, though, if the data from the report is a representative sample of all systems, mobile systems or enterprise systems.
Even with these limitations, the findings still give insight into how to prioritize your information security program. You may want to do an analysis similar to Digital Shadows', using the incident data gathered in your enterprise to determine where it is getting attacked the most and to prioritize attention on those areas.
How to manage these vulnerabilities
The most obvious first step for enterprises is to uninstall the vulnerable software to reduce the chances of it being exploited during an attack. Any enterprise still using the insecure software has to have a reason for doing so. If users require a certain functionality, such as the ability to read PDFs, there may be alternative PDF readers with less baggage and risk that could be used. An alternative piece of software should be critically evaluated to determine if it can be securely used and managed to minimize the chance of future problems.
The next step is that enterprises should ensure they have vulnerability and patch management systems in place. Without them, it will be difficult to layer on new controls or change how findings are prioritized. A vulnerability scanner or patch management system could perform an authenticated scan of an endpoint, including virtual and mobile systems, to identify systems running the vulnerable software. Some of the software can even be identified by monitoring your network traffic for the software versions.
Once a system has been identified as needing a patch, the patch should be tested and pushed to the target system, and the insecure version of the software should be removed. If a patch or upgrade comes out for Adobe Flash Player, Oracle's Java or Internet Explorer, it should be prioritized to be patched sooner than other software, regardless of the rated risk from an exploit due to how targeted the software is for exploitation (sometimes it may be included in the risk rating).
If an enterprise must use an insecure version of the software, the first step should be to pressure the software vendor to fix it. The enterprise might want to explore running vulnerable software in a sandbox or virtualized environment, even with the potential additional complexity. This could help limit the access an attacker might get to the sandbox/virtual environment if an exploit is successful, which would require the attacker to take an additional step to completely compromise the target. Enterprises may also want to ensure their attack surface is minimized by using otherwise securely configured systems.
Individuals may want to use something like Qualys BrowserCheck, to see what insecure plug-ins are installed on their system, or Flexera Software Personal Software Inspector, to identify and automate updates to ensure systems are patched. Individuals may not have the resources that an enterprise does to devote to patch management, but probably also have fewer legacy applications requiring them to use insecure software. Some web browsers even warn the user when insecure plug-ins are detected, and prompt the user to install an update.
Software and hardware vendors should pay close attention to the significant impact of vulnerable software on the individuals that use it. Vendors can't change the decisions of the past, but can ensure they have at least the minimum adequate software security in place to protect their customers. They can also include secure auto updating functionality in their software to ensure patches are deployed to endpoints on a consistent basis.
Unfortunately, in information security, we can't choose to only block 80% of the attacks or gain 80% of the benefit from 20% of the effort. We can, however, use our limited resources more effectively and better protect enterprises. By ensuring that your enterprise is focusing on the highest risk findings across its systems, meaningful protections can be implemented at scale to more effectively manage the risk that comes from insecure internet of things devices or insecure endpoints. Understanding your enterprise and the data available will help you to make decisions that will drive future information security programs.
Learn how your company can benefit from using vulnerability management tools
Compare the security risks of updates against waiting to patch vulnerabilities
Find out how to prevent ZCryptor ransomware from self-replicating