Software Vulnerability Management: The ounce of prevention worth a pound of cure

It was widely reported recently that tens of thousands of computers could have been exposed to attack by malicious online advertisements that ran on major media companies' websites, including the BBC, the New York Times and MSN. In this campaign, cybercriminals embedded malicious code into ads which, according to reports, connected to servers hosting the Angler exploit kit. The kit probes a visiting computer for software vulnerabilities in order to deliver malware. A successful exploit could deliver ransomware, a type of malware that encrypts a computer's files until the owner pays the criminals a ransom to unlock the computer.

The cost to an organisation is monumental when a hacker succeeds in gaining entry. In the UK, the average cost of cybercrime per organisation was $5.9m (£4.1m). The average time to resolve a cyberattack was 31 days, at an average cost to participating organisations of $639,462 (£447,623) over that 31-day remediation period. And the reputational damage and loss of trust that follow a break-in cut far deeper than the cost of repairing the damage.

An ounce of prevention worth a pound of cure

There's an old adage: 'an ounce of prevention is worth a pound of cure'. Never has this been truer than in the case of cybercrime. An organisation's first line of defence against cybercriminal threats should be to reduce its attack surface, by which I mean to reduce the number of vulnerabilities residing within its environment. Taking this preventative measure significantly lowers the likelihood that a hacker can do any real harm.

This is why Software Vulnerability Management is so important: it is preventative. The majority of successful cyberattacks use known software vulnerabilities to gain access to, or escalate privileges inside, corporate IT infrastructure. Once hackers have exploited a vulnerability, they have a base from which to roll out their attack: moving between systems, collecting information, and deploying malware to steal or destroy business-critical information or cause disruption.

The problem created by vulnerabilities is more broad-based than most people – and companies – realise. We recently published our Annual Vulnerability Review 2016, presenting global data on the prevalence of vulnerabilities and the availability of patches. In 2015, a total of 16,081 vulnerabilities were recorded in 2,484 products from 263 vendors. These findings illustrate the challenge faced by security and IT operations teams trying to protect their environment against security breaches.

However, there are clues in the data that offer insight into how to handle vulnerabilities. Of the 16,081 vulnerabilities discovered, 13.3 per cent were rated 'Highly Critical' and only 0.5 per cent 'Extremely Critical'. Moreover, 84 per cent of vulnerabilities in all products had patches available on the day of disclosure in 2015. This means that by implementing a proper Software Vulnerability Management strategy, organisations can significantly reduce their attack surface and the likelihood of a successful breach.

The Software Vulnerability Management lifecycle

The first element of that strategy is Vulnerability Intelligence. Vulnerability Intelligence refers to all research data on vulnerabilities, including but not limited to historical data, attack vector, impact, criticality ratings and fixes. Vulnerability Intelligence can be integrated with an organisation's security strategy to support risk assessment, and it can be consumed by Software Vulnerability Management technology to feed and enhance its tools.

How is Vulnerability Intelligence derived? It starts with investigation to determine whether the myriad vulnerabilities reported globally from countless sources actually exist. Once a vulnerability's existence is verified, its criticality must be evaluated so that an enterprise can determine which ones pose the greater risk and require more immediate attention.

Vulnerability Intelligence feeds into the three critical stages of the Software Vulnerability Management Lifecycle.

The lifecycle starts with the 'Assess' stage, in which the existence of the vulnerability is researched and verified. Next the organisation needs to filter the known vulnerabilities and concentrate only on those impacting the organisation. That entails comprehensive asset discovery and inventory to determine which systems are potentially threatened by the verified vulnerabilities. Once the universe of known vulnerabilities is winnowed down to only the subset impacting the enterprise, Vulnerability Intelligence can be applied to determine which vulnerabilities are most critical and therefore require prioritised attention.

The second stage of the Software Vulnerability Management lifecycle involves mitigation. This is often where a handoff occurs between the corporate security team and the IT Operations team (though I do not recommend a siloed approach between security and IT Operations).

The IT Operations team ordinarily handles patch management, and will use its Application Readiness processes to identify and download the applicable patches (remember that 84 per cent of vulnerabilities have patches available on the day of disclosure). The patches then need to be tested (for example, for dependencies), packaged up and distributed to the correct machines. This mitigation process must be well managed and automated to avoid system overloads and failures.

The last step of the Software Vulnerability Management lifecycle is verification, whereby the application of the patch or other mitigation technique is confirmed. Once mitigation is complete and verified, the attack vector for that vulnerability has been eliminated.
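The Assess and Verify stages described above, as an added worked example that is not from the article or from Flexera's products: a verified advisory feed is winnowed down to the advisories that hit the asset inventory, prioritised by criticality and patch availability, and then re-assessed after patching. The advisory ids, products, versions and the ordering of criticality labels are all constructed for the example.

```python
from dataclasses import dataclass

# Assumed ordering of the criticality ratings the article names; the other
# labels are placeholders for the example, not any vendor's real scale.
CRITICALITY_RANK = {"Extremely Critical": 5, "Highly Critical": 4,
                    "Moderately Critical": 3, "Less Critical": 2, "Not Critical": 1}

@dataclass(frozen=True)
class Advisory:                 # one verified Vulnerability Intelligence record
    vuln_id: str
    product: str
    max_affected: tuple         # highest affected version; later versions are fixed
    criticality: str
    patch_available: bool

@dataclass(frozen=True)
class Asset:                    # one installed product found by asset discovery
    host: str
    product: str
    version: tuple

def affected_assets(adv, inventory):
    """Assets running an affected version of the advisory's product."""
    return [a for a in inventory
            if a.product == adv.product and a.version <= adv.max_affected]

def assess(advisories, inventory):
    """Assess stage: keep only advisories that hit this inventory, then order
    them by criticality, then patch availability (fixable first), then reach."""
    queue = [(adv, hits) for adv in advisories
             if (hits := affected_assets(adv, inventory))]
    queue.sort(key=lambda item: (-CRITICALITY_RANK[item[0].criticality],
                                 not item[0].patch_available, -len(item[1])))
    return queue

def verify(advisories, inventory):
    """Verify stage: re-assess the post-mitigation inventory; empty means done."""
    return [adv.vuln_id for adv, _ in assess(advisories, inventory)]

# Constructed sample feed and inventory; ids, products and versions are made up.
ADVISORIES = [
    Advisory("ADV-0001", "browser", (47,), "Extremely Critical", True),
    Advisory("ADV-0002", "pdf-reader", (11,), "Highly Critical", False),
    Advisory("ADV-0003", "office-suite", (2010,), "Less Critical", True),
    Advisory("ADV-0004", "media-player", (2,), "Highly Critical", True),  # not installed
]
INVENTORY = [
    Asset("ws-01", "browser", (47,)),
    Asset("ws-02", "browser", (49,)),         # already on a fixed version
    Asset("ws-02", "pdf-reader", (11,)),
    Asset("srv-01", "office-suite", (2010,)),
]
```

Running `assess(ADVISORIES, INVENTORY)` drops ADV-0004 (nothing runs that product) and puts the Extremely Critical browser advisory at the head of the queue; after ws-01 is patched, `verify` reports only the two remaining advisories.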

Organisations must use a combination of proactive and reactive techniques when it comes to fighting cybercrime. They must be proactive to make sure it is as difficult as possible for a hacker to break into systems. They must also be reactive – prepared to detect and respond to incidents when they happen.

Many organisations focus only on reactive approaches, dealing with an attack once it has occurred. The challenge with this approach is that it is exponentially more difficult to identify and respond to breaches when there are too many holes and cracks for hackers to exploit. And the consequences of this limited approach are reported daily in the news headlines.

A proactive approach via Software Vulnerability Management means investment in the people, processes and technology to effectively reduce the attack surface and minimise the likelihood that a software vulnerability can be exploited by hackers. You don’t read about it too much in the headlines – but isn’t that the point?

Jim Ryan, President & CEO, Flexera Software