There is a reason I call these articles the Bread & Butter Series. The goal is to simplify things to make them actionable at some level and as simple as Bread & Butter. Over the past few years, there has been what seems like an explosion of best practices published with the good intent of giving us what I call in aviation terms “Stick & Rudder.”
Stick & Rudder skills are the bread and butter of pilots as they are the core functions that give the aircraft direction. Without good stick and rudder skills, a flight would be in a world of hurt. Vulnerability management from a cyber-security standpoint is our bread and butter that always needs a lot of Stick and Rudder, but alas we still can’t seem to get a handle on it regardless of how many frameworks are published or policies written.
We all know what it is, why we do it and spend a lot of effort performing it, but are we doing it correctly? Are we really laser beaming the threats, or are we just blasting a shotgun and hoping we hit the target? Let’s find out.
The Council on CyberSecurity has emphasized the “First Five Quick Wins” that have an immediate impact on preventing potential incidents. It’s not a surprise that three out of the five quick wins deal with vulnerability management, and for this discussion we will focus on the two patch management controls. The list of the five quick wins is:
1. Application whitelisting (whitelisting found in CSC 2);
2. Use of standard, secure system configurations (found in CSC);
3. Patch application software within 48 hours (found in CSC 4);
4. Patch system software within 48 hours (found in CSC 4);
5. Reduced number of users with administrative privileges (found in CSC 3 and CSC 12).
Let’s start by looking at some research and identify prioritization. Reflect on yourself for a moment and think about what drives your prioritization. Is it based on a regulatory requirement? Is it based on systems that are deemed “critical”? What is that criticality based on? If you’re not really sure or don’t agree with the organization’s reasoning, you may be flying blind or shotgunning it, and the question needs some stick & rudder.
Cruising the interwebs, there are two references readily available that help answer the question for us. The 2014 Verizon Breach Report and the Secunia 2014 Vulnerability Review are the primary references that I will highlight. Below you will see four figures pulled from the Verizon report highlighting the crimeware space, which include:
1.) Top Threat Action Varieties, 2.) Top Vectors for Malware, 3.) Discovery Timelines and 4.) At-Risk Data.
Upon review, you can quickly deduce that our threat actors are using web-based attacks in order to push command and control malware with a goal of compromising credentials and bank information, and they are not being found for days, weeks, or months.
Our adversaries greatly desire freedom of movement within our environment; therefore we should be setting an internal goal to deny that freedom of movement. Let’s now turn to nuggets of goodness from the Secunia report; there are several statements made by Secunia that warrant attention, the first being:
“Importantly, even though Internet Explorer has a market share of 99% percent, Firefox and Chrome are actually installed on 63% and 60% of the scanned systems. Since these applications are used for the same purpose, it is fair to assume that users have multiple browsers installed but only use one of them, forgetting about the others. This practice may also directly affect the “unpatched” status of these browsers, because users are not likely to prioritize the security of a browser no longer in use.”
This highlights application whitelisting and the sustainability and supportability of installed applications. If it’s not a supported application it needs to go; if it is an organizationally approved application then it certainly needs to be a part of the vulnerability drumbeat like any other approved application.
A lack of situational awareness of the application inventory directly correlates to a lack of vulnerability management effectiveness. Secondly, let’s look at some software portfolio commentary from the Secunia Report:
In 2013, 75.7% of the vulnerabilities affecting the Top 50 programs that make up the representative software portfolio affected third-party programs. This means that 24.3% of the remaining vulnerabilities in the Top 50 programs installed on the computers of users stem from the Microsoft programs.
This high-level percentage plateau is significant because it highlights the difficulties faced by end users and administrators in keeping their systems secure. For instance, if end users and organizations only focus on patching their Microsoft programs and operating systems, then they are only protecting their computers and IT infrastructures from 24.3% – a quarter – of the total risk posed by vulnerabilities.
This is a significant statement: 75% of the attack surface is based on third-party software, which is generally the most difficult to patch as well as likely to cause the most user impact. Let’s dive further into some data and try to flesh out some specifics.
Below you will see a summary chart reflecting the top ten (10) most vulnerable applications based on the data contained in the Secunia Vulnerability Review. Within the report, Secunia lists the top fifty (50) installed applications based on their data, which I view as very comprehensive due to the footprint of installed Secunia tools. I simply created a table of the applications that had the highest quantity of vulnerabilities for the 2013 year:
As you can see, 70% of the top ten vulnerable applications are third-party, non-Microsoft applications, which is closely in line with what Secunia reports for their Top 50. However, you should also notice that virtually ALL of the top 10 vulnerable applications more than likely reside on a user workstation.
A third reference, published as of the writing of this article by SC Magazine, reports on the findings of the IBM Security Services 2014 Cyber Security Intelligence Index, with a headline stating “‘Human error’ contributes to nearly all cyber incidents, study finds”. You can conclude, not surprisingly, that our users are the weakest link in the chain.
So where does that leave us?
a.) We know that threat actors are using web-based attacks in order to push command and control malware with a goal of compromising credentials and bank information, and they are not being found for days, weeks, or months.
b.) Our adversaries greatly desire freedom of movement within our environment; therefore we should be setting an internal goal to deny that freedom of movement.
c.) The top vulnerable applications are third-party applications.
d.) The top vulnerable applications appear to be applications that would reside on a workstation.
e.) The user base operating those workstations is likely utilizing that vulnerable third-party software, surfing the web, being victimized by web download and drive-by attacks, and having their credentials compromised.
Hopefully by this point in your reading you are coming to the conclusion that when you have to prioritize your vulnerability remediation efforts, you should not do it based on the “criticality” of the system. Criticality is usually based on availability needs; you should instead conduct vulnerability management based on exposure.
How many times have you based your priorities on the criticality of a system that is likely buried under layers of defense in depth, and therefore has a low exposure factor, while allowing assets that have a high exposure factor to be left untouched? Based on peer-reviewed breach information, those high-exposure assets account for an overwhelming majority of business liability (AKA digital harm).
So how can you fix this? The Council on CyberSecurity tells you what you need to do; simply take their first five quick wins to heart, but with a caveat. In a current publication the Council is calling for a 48-hour turnaround time for patch management. Most organizations that I have dealt with are on a 30-day cycle due to test anxiety.
When that occurs, a potential alternative is to guide them into doing it in spirals based on exposure. Unless you’re in the e-commerce business, the higher an asset’s exposure level, the lower its availability needs generally are, though each organization is certainly different. This also gives the organization an incentive to hit a 48-hour milestone.
Once they start working their process kinks out with one 48-hour spiral, they generally start working out the kinks of a repeatable process and start trying it in other areas. An example may look like:
1. First 48 hours: Public-facing / DMZ
2. Second 48 hours: User workstations
3. Third 48 hours: Third-party gateways
4. Fourth 48 hours: General-purpose IT, e.g. ERP, email, etc.
5. Platform IT and test-sensitive systems: no greater than 30 days
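To make the spiral model concrete, here is an added Python example (not the author's code) that assigns each asset in a constructed inventory a deadline from its exposure spiral, orders the work queue by that deadline, and contrasts it with the usual criticality-first ordering; the tier names, asset names and criticality scores are assumptions.

```python
# Added example (not from the article): schedule remediation by exposure
# spiral instead of system "criticality". All asset data below is constructed.
from datetime import datetime, timedelta

# Exposure spirals from the article: each tier gets the next 48-hour window;
# platform IT / test-sensitive systems are capped at 30 days instead.
SPIRALS = {
    "public_facing": 1,   # Public-facing / DMZ
    "workstation": 2,     # User workstations
    "third_party_gw": 3,  # Third-party gateways
    "general_it": 4,      # ERP, email, etc.
}
PLATFORM_IT_DAYS = 30

# Constructed inventory: (asset name, exposure tier, availability criticality 1-5).
ASSETS = [
    ("erp-db-01", "general_it", 5),
    ("dmz-web-02", "public_facing", 2),
    ("wks-0417", "workstation", 1),
    ("scada-hmi-1", "platform_it", 5),
    ("vendor-vpn-gw", "third_party_gw", 3),
]


def deadline(tier, start):
    """Point in time by which an asset in `tier` must be patched."""
    if tier in SPIRALS:
        return start + timedelta(hours=48 * SPIRALS[tier])
    # Anything not in a 48-hour spiral falls under the 30-day cap.
    return start + timedelta(days=PLATFORM_IT_DAYS)


def exposure_queue(assets, start):
    """Work queue ordered by exposure deadline, earliest first."""
    ranked = sorted(assets, key=lambda a: deadline(a[1], start))
    return [(name, deadline(tier, start)) for name, tier, _ in ranked]


def criticality_queue(assets):
    """The common ordering the article argues against: most 'critical' first."""
    return [name for name, _, _ in sorted(assets, key=lambda a: -a[2])]


def overdue(queue, now):
    """Assets whose exposure deadline has already passed (still unpatched)."""
    return [name for name, due in queue if now > due]
```

Run against the constructed inventory, the DMZ web server and the user workstation come first under the exposure queue, while the criticality queue would start with the ERP database that sits behind layers of defense.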
The bottom line is, before you go out and buy that next bling tool that does your taxes, makes your coffee and mows the lawn while concurrently detecting and defending against malware and all APTs ever created or that will be created in the future, you had better be doing the top five quick wins, and you had better be doing them well.
Makes you wonder if the “bling” tool is even necessary…
About the Author: Adam Meyer is currently the Chief Information Security Officer for one of the largest public transportation systems in the United States. Before serving in his current position Adam served as the Director of Information Assurance/Cyber Security for the Naval Air Warfare Center, Naval Air Systems Command. Prior to focusing on the Cyber Security discipline, Adam has served in positions supporting Network Engineering & Operations, Enterprise Architecture & Configuration Management, Emergency Power and Systems Engineering for organizations such as White House Communications, Army Pentagon, Joint Interoperability Test Command (JITC) and the Intelligence Community. Adam also provides specialized training and consulting services as the President of CyberWise Advantage Inc. in the areas of Business Resiliency, Data Governance, Risk Management and Systems Security Engineering with an additional focus on Cyber Security issues for small and medium sized business.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.