Cybersecurity & software vulnerability management: The ounce of prevention that’s worth a pound of cure
A recent cyber-attack on the BBC, the New York Times and MSN saw tens of thousands of computers potentially exposed to attack through malicious online advertisements that ran on those companies' websites. The attackers embedded malicious code in the ads, which connected to servers hosting the Angler exploit kit.
This exploit kit probes a visitor's computer for software vulnerabilities in order to deliver malware. A successful exploit could deliver ransomware, a type of malware that encrypts a computer's files until the owner pays a ransom to the criminals to unlock them.
When an attacker is able to gain access to an organisation's systems, the resulting cost can be monumental. Over the past year, Australian government departments have endured a string of cyber-attacks. In particular, the attack on the Bureau of Meteorology, only recently confirmed by the Federal Government, was said to be the biggest cyber-attack of 2015 and will cost hundreds of millions of dollars to fix.
In addition, last year's VAGO (Victorian Auditor-General's Office) report identified a large number of IT control deficiencies in state government agencies and departments. The report also found that the number of high-risk deficiencies had increased from 69 in 2013-2014 to 134 in 2014-2015.
We're all familiar with the old saying, "An ounce of prevention is worth a pound of cure", and never has this been more true than in the case of cybercrime. An organisation's first line of defence should be to reduce its attack surface, that is, the number of exploitable vulnerabilities residing within its environment. Taking this preventative measure significantly lowers the likelihood that an attacker can do any real harm.
This is one of the many reasons why the implementation of a Software Vulnerability Management solution is so important: it is a preventative measure. The majority of successful cyber-attacks use known software vulnerabilities to gain access or escalate privileges inside corporate IT infrastructures. Once attackers have successfully exploited a vulnerability, they are able to carry out the rest of the attack: moving laterally between systems, collecting private information and deploying malware.
What most people and companies fail to realise is the extent of the problem caused by vulnerabilities. Recently, Flexera announced its Annual Vulnerability Review 2016, presenting global data on the prevalence of vulnerabilities and the availability of patches. In 2015, a total of 16,081 vulnerabilities were recorded in 2,484 products from 263 vendors. These findings illustrate the challenge faced by security and IT operations teams trying to protect their environment against security breaches.
However, there are clues in the data that provide insights into how to handle vulnerabilities. Of those 16,081 vulnerabilities discovered, 13.3 percent were rated as 'Highly Critical'[1], and only 0.5 percent as 'Extremely Critical'. Moreover, 84 percent of vulnerabilities in all products had patches available on the day of disclosure in 2015. In other words, a fix already existed for most vulnerabilities from the moment they became public. By implementing a proper Software Vulnerability Management strategy that prioritises the most critical vulnerabilities and applies the available patches promptly, organisations can significantly reduce their attack surface and the likelihood of a successful breach.
The first element of that strategy is Vulnerability Intelligence, which refers to all the research data on vulnerabilities. This starts with investigation to determine whether the countless vulnerabilities reported globally from different sources are legitimate.
Once a vulnerability's existence is verified, its criticality must be evaluated so that an enterprise can determine which ones pose the greater risk and require more immediate attention. Vulnerability Intelligence feeds into the three critical stages of the Software Vulnerability Management Lifecycle.
"Assess" is the first stage of the lifecycle, in which the existence of the vulnerability is researched and verified. The next step involves filtering the known vulnerabilities and homing in on those impacting the organisation. That entails comprehensive asset discovery and inventory to determine which systems, running which product versions, are potentially threatened by the verified vulnerabilities.
Once the universe of known vulnerabilities has been narrowed down to those impacting the enterprise, Vulnerability Intelligence can be applied to determine which vulnerabilities are most critical and therefore require prioritised attention.
The second stage of the lifecycle is mitigation, where a handoff occurs between the corporate security team and the IT Operations team. The IT Operations team ordinarily handles patch management, and will use Application Readiness processes to identify and download the applicable patches (keep in mind that 84 percent of vulnerabilities have patches available on the day of disclosure). The patches then need to be tested, packaged and distributed to the correct machines. This mitigation process must be well managed and automated to avoid system overloads and failures.
The last stage of the Software Vulnerability Management lifecycle is verification, whereby the application of the patch or other mitigation technique is confirmed. In practice this means re-scanning the affected systems to confirm that the vulnerable version is no longer present: a patch that was downloaded but never deployed to a machine, or deployed without the restart it requires, leaves the vulnerability in place. Only once mitigation has been verified on every affected system has the attack vector for that vulnerability been eliminated.
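The three stages above (assess, mitigate, verify) as an added worked example in Python. This is illustration code written for this page, not code from the article or from any Flexera product. The advisory feed, product names, host names, version numbers and fixed versions are all constructed for the example, and the mitigation step is simulated by updating the inventory rather than installing anything; the point is the join between verified advisories and the asset inventory, the prioritisation by criticality and patch availability, and the re-scan that catches a host the patch never reached.

```python
"""Assess / mitigate / verify over a constructed vulnerability feed and asset inventory.

Added illustration for the lifecycle described above. Every advisory, product,
host and version below is constructed for the example and is not a real advisory.
"""
from dataclasses import dataclass

# Criticality ratings as used on the page, most severe first.
CRITICALITY_RANK = {"extremely": 0, "highly": 1, "moderately": 2, "less": 3, "not": 4}

# Constructed vulnerability-intelligence feed. "verified" is the outcome of the
# research step: unconfirmed reports must not generate patching work.
FEED = [
    {"id": "VULN-2015-001", "product": "acme-pdf-viewer", "affected": "< 9.4.2",
     "criticality": "highly", "patch_available": True, "verified": True},
    {"id": "VULN-2015-002", "product": "acme-pdf-viewer", "affected": ">= 9.0, < 9.1.5",
     "criticality": "extremely", "patch_available": True, "verified": True},
    {"id": "VULN-2015-003", "product": "widget-browser-plugin", "affected": "<= 4.2",
     "criticality": "moderately", "patch_available": False, "verified": True},
    {"id": "VULN-2015-004", "product": "widget-browser-plugin", "affected": "< 99",
     "criticality": "extremely", "patch_available": True, "verified": False},
]

# Constructed asset inventory: one row per (host, installed product).
INVENTORY = [
    {"host": "fin-ws-01", "product": "acme-pdf-viewer", "version": "9.3.0"},
    {"host": "fin-ws-02", "product": "acme-pdf-viewer", "version": "9.1.2"},
    {"host": "hr-ws-01", "product": "acme-pdf-viewer", "version": "9.4.2"},
    {"host": "fin-ws-01", "product": "widget-browser-plugin", "version": "4.2"},
    {"host": "dev-ws-01", "product": "widget-browser-plugin", "version": "4.3"},
]

# Constructed: version that the vendor patch brings each advisory's product to.
FIXED_VERSIONS = {"VULN-2015-001": "9.4.2", "VULN-2015-002": "9.4.2"}


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    vuln_id: str
    criticality: str
    patch_available: bool


def parse_version(text):
    """'9.4.2' -> (9, 4, 2); non-numeric fragments compare as 0."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_matches(version, constraint):
    """Evaluate one constraint of the form '<op> <version>', e.g. '< 9.4.2'."""
    op, _, bound = constraint.strip().partition(" ")
    v, b = parse_version(version), parse_version(bound)
    width = max(len(v), len(b))           # pad so that (9, 4) == (9, 4, 0)
    v, b = v + (0,) * (width - len(v)), b + (0,) * (width - len(b))
    return {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b, "==": v == b}[op]


def is_affected(version, affected):
    """Comma-separated constraints are ANDed: '>= 9.0, < 9.1.5' is a half-open range."""
    return all(version_matches(version, c) for c in affected.split(","))


def assess(feed, inventory):
    """Stage 1: drop unverified advisories, then join the rest against the inventory."""
    findings = []
    for adv in feed:
        if not adv["verified"]:
            continue
        for asset in inventory:
            if asset["product"] == adv["product"] and is_affected(asset["version"], adv["affected"]):
                findings.append(Finding(asset["host"], asset["product"], asset["version"],
                                        adv["id"], adv["criticality"], adv["patch_available"]))
    return findings


def prioritise(findings):
    """Most critical first; among equals, the ones with a patch ready (cheapest to close) first."""
    return sorted(findings, key=lambda f: (CRITICALITY_RANK[f.criticality],
                                           not f.patch_available, f.host, f.vuln_id))


def mitigate(findings, inventory, fixed_versions, unreachable=frozenset()):
    """Stage 2 (simulated): record the patched version for each reachable host.

    Hosts in `unreachable` model a deployment that did not land (offline laptop,
    failed install); findings with no patch in `fixed_versions` are left as-is.
    """
    after = [dict(asset) for asset in inventory]
    for f in findings:
        if f.vuln_id not in fixed_versions or f.host in unreachable:
            continue
        for asset in after:
            if asset["host"] == f.host and asset["product"] == f.product:
                asset["version"] = fixed_versions[f.vuln_id]
    return after


def verify(feed, inventory_after):
    """Stage 3: re-run the assessment; whatever is still found was never really mitigated."""
    return assess(feed, inventory_after)


def run(unreachable=frozenset({"fin-ws-02"})):
    """Full cycle over the constructed data; returns the artefacts of each stage."""
    found = prioritise(assess(FEED, INVENTORY))
    after = mitigate(found, INVENTORY, FIXED_VERSIONS, unreachable)
    return {"findings": found, "remaining": prioritise(verify(FEED, after))}


if __name__ == "__main__":
    result = run()
    for f in result["findings"]:
        print(f"work item: {f.vuln_id} {f.criticality:10s} {f.host} {f.product} {f.version}")
    for f in result["remaining"]:
        print(f"STILL VULNERABLE after mitigation: {f.vuln_id} on {f.host}")
```

Running it lists four work items (the unverified VULN-2015-004 never becomes one), with the 'extremely' rated finding at the top, and the verification pass reports three items still open: the plugin finding for which no patch exists, and both PDF-viewer findings on the host the deployment never reached. That last pair is exactly what a verification stage is for; a patch-management console that only records "patch downloaded and scheduled" would have shown the job as done.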
More often than not, organisations tend to focus on a reactive approach, only dealing with an attack once it has happened. The challenge with this approach is that it is far more difficult to identify and respond to breaches when there are too many holes and cracks for attackers to exploit.
Organisations need to adopt a proactive approach to cyber-security through a Software Vulnerability Management process. By investing in the right people, processes and technology, organisations are able to effectively reduce the attack surface and minimise the likelihood that a vulnerability can be exploited.
Article by Steve Beards, VP Asia Pacific - Japan, Flexera Software