Security Vulnerabilities
What are vulnerabilities, and how are they exploited?
A vulnerability is a weakness in an IT system that an attacker can exploit to deliver a successful attack. Vulnerabilities arise from flaws, features or user error, and attackers will look to exploit any of them, often combining several, to achieve their end goal.
Flaws
A flaw is unintended functionality. It may result from poor design or from mistakes made during implementation. Flaws may go undetected for a long time, and the majority of common attacks seen today exploit this type of vulnerability.
Vulnerabilities are actively sought and exploited by the full range of attackers. Consequently, a market has grown up in software flaws, with 'zero-day' vulnerabilities (those that are not yet publicly known and for which no patch exists) fetching hundreds of thousands of pounds.
Zero-day vulnerabilities
Zero-days are frequently used in bespoke attacks by the more capable and better-resourced attackers. Once a zero-day becomes publicly known, reusable exploits are developed and it quickly becomes a commodity capability. This poses a risk to any computer or system that has not had the relevant patch applied or its antivirus signatures updated.
Features
A feature is intended functionality that an attacker can misuse to breach a system. Features may improve the user's experience, help diagnose problems or ease management, but they can also be turned against the system they were built into.
Examples include macros in Microsoft Office and JavaScript, both of which are widely exploited by cybercriminals to spread malware.
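As an added example (not from the original page), the following Python script checks whether an Office Open XML document carries a VBA macro project, regardless of the file extension it was given. An OOXML file is a ZIP container; Office stores a VBA project as a vbaProject.bin part and declares it in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject, so the container is inspected rather than the name. The documents it scans are constructed in memory as fixtures, and the file names are hypothetical.

```python
"""Detect VBA macros in Office Open XML containers without trusting the extension.

Added example. An OOXML document (.docx, .docm, .xlsm, .pptm, ...) is a ZIP archive.
A VBA project lives in a vbaProject.bin part, and [Content_Types].xml declares that
part with the content type application/vnd.ms-office.vbaProject. Checking both
catches a .docm renamed to .docx and a project stored under an unusual part name.
The sample documents below are constructed in memory, not real Office files.
"""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
ZIP_MAGIC = b"PK\x03\x04"


def has_vba_macros(data: bytes) -> bool:
    """Return True if `data` is an OOXML container that includes a VBA project."""
    if not data.startswith(ZIP_MAGIC):
        # Not a ZIP container. Legacy binary formats (.doc/.xls, OLE2 "D0CF11E0")
        # can also carry macros but need an OLE parser; they are out of scope here.
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # Check 1: the conventional part name used by Word, Excel and PowerPoint.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            # Check 2: the content-type declaration, which Office needs in order to
            # load the project even if the part was given another name.
            if "[Content_Types].xml" in names:
                content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in content_types
    except zipfile.BadZipFile:
        return False
    return False


def scan_files(files: dict) -> list:
    """Return the names of files (name -> bytes) that carry a VBA project."""
    return sorted(name for name, data in files.items() if has_vba_macros(data))


def build_ooxml(with_macro: bool, part_name: str = "word/vbaProject.bin") -> bytes:
    """Construct a minimal OOXML-shaped ZIP for testing (a fixture, not a real document)."""
    overrides = ['<Override PartName="/word/document.xml" '
                 'ContentType="application/vnd.openxmlformats-officedocument.'
                 'wordprocessingml.document.main+xml"/>']
    if with_macro:
        overrides.append(f'<Override PartName="/{part_name}" ContentType="{VBA_CONTENT_TYPE}"/>')
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Stand-in for a real VBA project: an OLE2 magic number plus padding.
            zf.writestr(part_name, b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {  # hypothetical file names, constructed contents
        "invoice.docx": build_ooxml(with_macro=False),
        "invoice_macro_renamed.docx": build_ooxml(with_macro=True),
        "odd_part_name.docx": build_ooxml(with_macro=True, part_name="word/media/x.bin"),
        "readme.txt": b"plain text, not a container",
    }
    for name in scan_files(samples):
        print(f"macro-enabled: {name}")
```

The second check matters because the part name is only a convention; a document whose VBA project is stored under another name still loads in Office as long as the content type is declared, so an extension- or name-based filter alone can be bypassed.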
User error
Users can be a significant source of vulnerabilities. They make mistakes, such as choosing a common or easily guessed password, or leaving a laptop or mobile phone unattended. Even the most cyber-aware users can be fooled into giving away a password, installing malware, or divulging information that is useful to an attacker, such as details that let the attacker target and time an attack appropriately.
How to address Vulnerabilities
Administrators must take a proactive approach to resolving vulnerabilities. If the recent history of cyber attacks has taught us anything, it is that you cannot start protecting yourself once the attack has begun.
The vulnerability remediation practices outlined below help administrators assess their current risk, prepare their defences with minimal interruption to existing processes, and lay the groundwork for addressing future vulnerabilities, with their existing IT staff, before those vulnerabilities are exploited.
STEP 1
Identification/Discovery of Systems
This initial step gives you, as security administrator, a clear view of the network: an assessment tool or network-mapping software scans all networks and subnets to determine which IP addresses are in use and which devices sit behind them. A single pass will miss devices that are powered off or on segments the scanner cannot reach, so repeat the discovery and reconcile it against any existing asset register. Once all devices are identified, you can decide which systems are most critical to protect and rank them in order of priority.
STEP 2
Vulnerability Assessment
Vulnerability assessment tools, or scanners, are used to identify vulnerabilities within the network. The vulnerabilities identified by most of these tools extend beyond software defects (which are fixed by patching) to other easily exploitable weaknesses such as unsecured accounts, misconfigurations and even back doors. Credentialed scans, which log in to each host, find far more of these than unauthenticated network scans, which see only what is exposed on the wire.
STEP 3
Vulnerability review
The key objective of this step is to clearly understand where your network is at risk and to prioritize the most critical vulnerabilities and systems in preparation for remediation. Some limited review capabilities are available within the scanners or the scanning report. A more effective approach is to leverage vulnerability remediation and review tools that allow administrators to combine data from multiple scanners and provide several ways to organize and review the data.
STEP 4
Vulnerability remediation
Once the vulnerabilities have been reviewed and put in order of priority, you must determine how to approach the remediation. There are three typical options available to security administrators:
- Manual remediation: This option is effective only if you manage a small network and have found relatively few vulnerabilities (fewer than 10) to remediate. You simply follow the steps given by the commercial scanner to address each vulnerability by hand.
- Patch deployment tools: Patch deployment tools let administrators resolve some vulnerabilities by deploying patches or hotfixes; they do not address findings that have no patch, such as misconfigurations or unsecured accounts.
- Automated remediation tools: Automated remediation tools are the most effective option for organizations of any size that need to resolve more vulnerabilities than can be handled manually. Vulnerability remediation technology not only deploys patches and hotfixes; it can also address the other vulnerabilities identified by commercial scanners, such as misconfigurations and unsecured accounts.
The Common Vulnerabilities and Exposures (CVE) website is also a good resource for information about these tools, and CVE identifiers are what let you match the same finding across the output of different scanners.
After any of these options has been carried out, run a differential scan of the repaired devices to verify that the remediation worked. A patch that is installed but still awaiting a reboot or service restart will continue to show as vulnerable until the restart happens.
STEP 5
Ongoing vulnerability management
The need for ongoing management of network vulnerabilities is often overlooked at the start of a vulnerability remediation project. Yet with new vulnerabilities being identified every day, and users reintroducing vulnerabilities into their environments, the remediation cycle needs to be repeated regularly: scan on a schedule, rescan after every change window, and track which findings recur.
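The five steps above, worked through in one Python script as an added example that is not part of the original page. It takes an asset inventory from the discovery step, merges findings from two hypothetical scanners, ranks them by CVSS weighted by asset criticality, chooses a remediation approach, and diffs a re-scan against the baseline to confirm fixes and catch reintroduced vulnerabilities. All hosts, scores and findings are constructed, and the identifiers VULN-0001 to VULN-0006 are placeholders where a real scanner would report CVE identifiers.

```python
"""Vulnerability review, prioritisation and differential-scan verification.

Added example, not from the original page. Walks the five-step procedure on
constructed data: asset inventory (step 1), findings from two hypothetical
scanners (step 2), a merged and prioritised list (step 3), a remediation plan
and differential scan (step 4), and the comparison that ongoing management
repeats (step 5). VULN-xxxx identifiers are placeholders, not real CVE ids.
"""
from dataclasses import dataclass

# Step 1: inventory from the discovery scan. Criticality is assigned by the
# administrator (3 = business critical, 1 = low value). Hosts are constructed.
ASSETS = {
    "10.0.1.10": {"name": "db01", "criticality": 3},
    "10.0.1.20": {"name": "web01", "criticality": 2},
    "10.0.2.50": {"name": "kiosk07", "criticality": 1},
}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # placeholder id; a real scanner reports a CVE id where one exists
    cvss: float
    kind: str      # "patch" (software defect), "config" or "account"
    scanner: str


# Step 2: raw output from two hypothetical scanners. Both see VULN-0001 on db01,
# they disagree on the score for VULN-0003, and only scannerB finds the weak account.
SCAN_A = [
    Finding("10.0.1.10", "VULN-0001", 9.8, "patch", "scannerA"),
    Finding("10.0.1.20", "VULN-0002", 7.5, "patch", "scannerA"),
    Finding("10.0.1.20", "VULN-0003", 5.3, "config", "scannerA"),
    Finding("10.0.2.50", "VULN-0004", 9.1, "patch", "scannerA"),
]
SCAN_B = [
    Finding("10.0.1.10", "VULN-0001", 9.8, "patch", "scannerB"),
    Finding("10.0.1.10", "VULN-0005", 6.5, "account", "scannerB"),
    Finding("10.0.1.20", "VULN-0003", 6.1, "config", "scannerB"),
]

# Re-scan after remediation (constructed): db01 and web01 were fixed, the kiosk
# was not, and a new configuration weakness has appeared on web01.
RESCAN = [
    Finding("10.0.2.50", "VULN-0004", 9.1, "patch", "scannerA"),
    Finding("10.0.1.20", "VULN-0006", 5.9, "config", "scannerB"),
]


def merge_findings(*scans):
    """Step 3: one record per (host, vuln_id) across scanners, keeping the highest
    CVSS reported and the set of scanners that agree on the finding."""
    merged = {}
    for finding in (f for scan in scans for f in scan):
        key = (finding.host, finding.vuln_id)
        rec = merged.setdefault(key, {"cvss": 0.0, "kind": finding.kind, "scanners": set()})
        rec["cvss"] = max(rec["cvss"], finding.cvss)
        rec["scanners"].add(finding.scanner)
    return merged


def risk_score(host, rec):
    """CVSS weighted by asset criticality; hosts missing from the inventory get 1."""
    return round(rec["cvss"] * ASSETS.get(host, {}).get("criticality", 1), 1)


def prioritize(merged):
    """Step 3: rank for remediation. A 9.1 on the low-value kiosk sorts below a
    6.5 account weakness on the business-critical database."""
    ranked = sorted(merged.items(), key=lambda kv: risk_score(kv[0][0], kv[1]), reverse=True)
    return [(host, vid, risk_score(host, rec)) for (host, vid), rec in ranked]


METHOD_FOR_KIND = {"patch": "patch deployment tool",
                   "config": "automated remediation tool",
                   "account": "automated remediation tool"}


def remediation_plan(merged, manual_limit=10):
    """Step 4: with fewer than `manual_limit` findings the scanner's own steps can
    be followed by hand; beyond that, route each finding by its type."""
    if len(merged) < manual_limit:
        return {key: "manual" for key in merged}
    return {key: METHOD_FOR_KIND[rec["kind"]] for key, rec in merged.items()}


def differential_scan(baseline_keys, rescan_keys):
    """Step 4 verification and step 5: compare the re-scan with the baseline.
    'fixed' confirms remediation, 'remaining' needs follow-up, and 'new' is a
    freshly disclosed or reintroduced vulnerability to feed into the next cycle."""
    before, after = set(baseline_keys), set(rescan_keys)
    return {"fixed": sorted(before - after),
            "remaining": sorted(before & after),
            "new": sorted(after - before)}


if __name__ == "__main__":
    merged = merge_findings(SCAN_A, SCAN_B)
    for host, vid, score in prioritize(merged):
        seen = sorted(merged[(host, vid)]["scanners"])
        print(f"{score:5.1f}  {ASSETS[host]['name']:8} {vid}  seen by {seen}")
    diff = differential_scan(merged, [(f.host, f.vuln_id) for f in RESCAN])
    print("fixed:", diff["fixed"], "remaining:", diff["remaining"], "new:", diff["new"])
```

Merging on (host, identifier) is why the CVE identifier matters: without a shared key, the same defect reported by two scanners would be counted twice and the disagreement on VULN-0003's score would go unnoticed. The differential scan reads the same merged structure, so the "new" list from one cycle becomes the baseline input of the next.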