Vulnerability Management Programs and New Age Hackers

May 6, 2014 | Patrick Bedwell

Back in the day, hackers didn't really expect to gain anything from their activities; they broke into systems or web sites for fun and to show off their capabilities. While this situation was pesky, it turned out that things can always be worse. Now, with the emergence over the last several years of attackers with an agenda to make money by hacking, the IT security challenge has intensified. State-sponsored attacks and the participation of organized crime have necessitated the adoption of vulnerability management programs by organizations of all sizes, not just high-profile targets like government agencies or Fortune 500 companies. Interestingly, according to Business Insider, “Chinese hackers may get all the notoriety, but their cyber-security exploits against American targets are chickenfeed compared with the damage done by organized crime.”

One reason for organized crime’s preference for cyber attacks over physical activities is “you don’t get shot, and you don’t get caught.”

New age hackers care about ROI – Criminals have limited resources to devote to their nefarious activities, whether physical or online, and they want to maximize their ROI.  They want to achieve the greatest impact with the least effort. To win against new age hackers, you're going to need to think about your ROI and where to focus your scarce resources for maximal benefit.   You need to be smarter about how you fight attackers, and not bring a knife to a gun fight.

Even if you work for a small/medium business, you are going to need to establish or refine your vulnerability management program to address these intensified threats.  There are only two real reasons for you to scan for vulnerabilities: to prevent nasty security incidents and to pass audits.   It’s easy to fall into the trap of conducting vulnerability scans, or having third parties do so, then developing an impossibly long and ever-changing list of stuff to fix.   Applying every patch and security update right away to every device on your network is usually not feasible for several reasons:

  • There are just too many patches, security updates, and systems to keep up with
  • Thorough testing is required to patch business-critical systems and applications
  • Another group in your company may actually make the changes, and strict change control policies/update windows may be involved
  • Some patches have side effects, such as breaking functionality or requiring upgrades to other software

While you’ll still need to do your scans and pass your audits, it’s probably smarter to think like the attacker and use an ROI-based approach to determine where to invest your time and effort. For example, a trap many IT pros fall into is to consider only the severity of a vulnerability in their prioritization efforts. The Common Vulnerability Scoring System (CVSS) is an open source standard used by many in the industry to give you an idea of the severity of a vulnerability. A CVSS score of 7.0-10.0 is considered critical, with 4.0-6.9 being major and 0-3.9 being minor.

While these numbers may be important, there’s a critical point to make: for a vulnerability to be a threat, it's got to be exploitable in your network. For an attack to succeed, it requires an exploitable asset that an attacker can reach. And remember, attackers are opportunistic: they are looking for any system to use as a stepping-off point into your network. They often target older systems with little business value in the hopes of avoiding having to work hard.

The mistake too many organizations make is focusing solely on the high-visibility vulnerabilities and never getting around to deploying the months- or years-old patches. Yet more often than not, it's the older vulnerabilities that provide the highest ROI for the attackers. They can use their existing tools and knowledge to find and compromise vulnerable systems, without having to break a sweat.
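To make the contrast between severity-only and ROI-based prioritization concrete, here is an added example (not from the article or the whitepaper) that ranks three constructed scan findings both ways. The `Finding` fields, the exploit multiplier and the age bonus are illustrative assumptions; only the CVSS bands come from the text above.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Finding:
    host: str
    cvss: float
    published: date        # when the vulnerability became publicly known
    reachable: bool        # assumption: asset inventory says an attacker can reach it
    public_exploit: bool   # assumption: existing attacker tooling already covers it

def cvss_band(score: float) -> str:
    """Severity bands as stated in the article."""
    if score >= 7.0:
        return "critical"
    return "major" if score >= 4.0 else "minor"

def priority(f: Finding, today: date) -> float:
    """Illustrative ROI-style score; the weights are assumptions, not a standard."""
    if not f.reachable:
        return 0.0                        # not exploitable in this network right now
    score = f.cvss * (2.0 if f.public_exploit else 1.0)
    age_years = (today - f.published).days / 365.0
    return round(score + min(age_years, 5.0), 2)   # older flaws are cheaper to attack

def rank(findings, today):
    """Highest remediation priority first; CVSS breaks ties."""
    return sorted(findings, key=lambda f: (-priority(f, today), -f.cvss))

# Constructed sample data: hosts, scores and dates are made up for illustration.
TODAY = date(2014, 5, 6)
SAMPLE = [
    Finding("db01", 9.8, date(2014, 4, 1), reachable=False, public_exploit=False),
    Finding("mail01", 7.5, date(2014, 4, 20), reachable=True, public_exploit=False),
    Finding("legacy-web", 6.8, date(2011, 5, 6), reachable=True, public_exploit=True),
]

if __name__ == "__main__":
    print("CVSS only:", [f.host for f in sorted(SAMPLE, key=lambda f: -f.cvss)])
    for f in rank(SAMPLE, TODAY):
        print(f"{f.host:11} {cvss_band(f.cvss):8} priority={priority(f, TODAY)}")
```

The three-year-old "major" finding on the reachable legacy web server outranks the unreachable "critical" one, which is the reverse of the CVSS-only ordering.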

Security practitioners who think of vulnerability management as a program or process (or a 'life sentence' in some ways) rather than a checkbox tend to “get it.”  Vulnerabilities don’t stop being found, and the ensuing exploits against them are just a matter of course.   Only the most trivial of software is not likely to have vulnerabilities inadvertently introduced by people who write the code.  Vulnerabilities will continue to be found. 

For a successful vulnerability management program, you need to take an ROI-based view of vulnerabilities and attackers to quickly deal with incidents as you detect them on your network.  You need visibility into vulnerabilities on affected systems at your fingertips for incident response with a high ROI.

If you don't want to keep 'bringing a knife to a gun fight' and being outmatched by attackers, check out this whitepaper, where we talk about looking at vulnerability management with Unified Security Management™ (USM). We outline the steps you need to take to establish an effective vulnerability management process, including:

  • Asset Discovery and Inventory Management, because you can't secure what you don't know.  In addition, how to use both active network scanning and passive network monitoring as a "two-pronged" approach to have a clear and accurate idea of what's on your network in real-time.
  • Vulnerability Scanning, using passive vulnerability detection with asset discovery scans and known vulnerability information, as well as active scanning where you probe hosts using crafted network traffic to solicit a response and find vulnerabilities.
  • Prioritization of vulnerability remediation, based on your "short list of what really counts" from a business perspective. You need a centralized security console to manage information about users, services, and systems on your network during incident response.   

 

Vulnerability Management: Think Like an Attacker to Prioritize Risks

Attackers care about ROI - they want to accomplish their objective with the least investment of time and resources possible. Learn which systems are easy targets and what you can do to find vulnerabilities easily. Register to download the white paper now.


About the Author: Patrick Bedwell

Patrick has been working in information security for over 17 years, creating and executing marketing strategies for both startups and public companies.
