As software vulnerabilities are the root cause of many security issues (because vulnerable software is an open door for hackers attempting to access an IT infrastructure), understanding how to deal with them is a critical component for protecting any organisation from security breaches. IT teams must know when a vulnerability is threatening the infrastructure, where it will have the most critical impact, what the right mitigation strategy is and how to deploy it.
For as long as Secunia Research at Flexera Software has been monitoring the vulnerability landscape, the trend has been upward. The total number of vulnerabilities increased by 55 per cent from 2009 to 2014 and we are expecting the trend to continue. This presents IT teams with the huge challenge of how to retain control over increasingly complex infrastructures and user device autonomy.
The frequency of vulnerabilities underscores the importance of regularly monitoring and patching all applications. This is a daunting task, and one that cannot be dealt with without automation. In addition, technically it is never possible to patch or apply work-arounds to all vulnerable programs on all devices immediately – which is why prioritisation of remediation efforts is a key element in securing data.
Software Vulnerability Management can prevent hacks before they happen
In 2014, of the 15,435 vulnerabilities recorded, a full 83 per cent had a security patch available on the day of disclosure. This means that it is in the hands of IT teams to patch the vulnerabilities immediately, before hackers start to exploit them. Operations and security teams therefore will need Software Vulnerability Management automation in place to deliver insight into their environments: to discover and inventory their software and hardware assets, receive vulnerability intelligence whenever vulnerabilities are discovered in those products, and apply the security patch published by the vendor.
Here’s what security and IT operations teams need to understand about Software Vulnerability Management:
1. Bundling jeopardises security: IT pros need to get better visibility
Vendors are increasingly bundling their products with additional software, such as open source applications and libraries, making it harder for customers to know which products are in fact present on their systems. The security consequences of bundling caught the IT community completely unprepared back in 2014 when the Heartbleed vulnerability, and subsequent security releases in the open source library OpenSSL, made the IT community realise how shared code complicates security tenfold. IT professionals, therefore, need to investigate and map the third-party applications bundled with the products they use in their environment, and ensure that they stay apprised of any vulnerabilities that affect them.
2. IoT – Everything connected to the Internet can and will be hacked!
Software vendors and Internet of Things (IoT) manufacturers need to increase focus on security when they develop their Internet-connected products. The glorious new world of IoT brings with it endless opportunities – and, from a security standpoint, quite a few challenges. From a security perspective there is one overriding rule of thumb to get across to vendors and consumers alike in 2016: No Internet-connected device is 100 per cent secure. If it’s connected to the Internet, it can be hacked.
Application producers will need to undertake careful code testing, continuous maintenance, careful mapping of bundled software and have the resources needed to react promptly and effectively as soon as a vulnerability in the product is reported. Users of those applications and devices will need to ensure that patches to vulnerable applications they’re running are promptly applied.
3. APT attacks targeting and used by governments will increase in 2016
Flexera Software sees an increase in reports of Advanced Persistent Threats (APTs), and it is safe to assume that these are only the tip of the iceberg. APTs are designed and executed by professionals who customise exploit kits for attacks. Vulnerabilities, including zero-day vulnerabilities, are an important tool in APT attacks.
Organisations generally can expect to be targeted by increasingly sophisticated APTs and therefore more resources will need to be invested in discovering unknown vulnerabilities. Governmental organisations and corporations critical to a country’s infrastructure will continue to be high-profile targets for criminal organisations and nation states wishing to cause damage to other nation states and their critical infrastructure in 2016.
Usually, an APT attack comprises a collection of tactics and tools, with publicly known vulnerabilities in applications being used by hackers to carry out their attacks, either as the entry point or as enablers of privilege escalation. One of the primary defences for any company is a multi-layered approach to security, starting with vulnerability management and patch management for complete visibility of one’s applications, intelligence about the vulnerabilities affecting them, and the right tools to deploy patches and work-arounds.
Vincent Smyth, GM & Senior VP EMEA, Flexera Software