LONDON, 1 August 2014 – “A stitch in time saves nine” is an old English proverb, first recorded in writing by Thomas Fuller in the early 18th century, although its origin is probably much earlier. It means that it is better to deal with a problem immediately, because if you wait, things are likely to get worse and the problem will take longer to fix. Three hundred years later the proverb still rings true, not least in the digital age when applied to Vulnerability Assessment and Patch Management. Infosec Partners outlines 9 points that your organisation may still need to consider.
1. Patch Management is a Security Fundamental.
Applications are developed by vendors, often using shared code libraries and components such as OpenSSL, which in April this year was disclosed to contain a serious vulnerability, leading to the Heartbleed furore you may have heard of. Despite what may be very rigorous quality assurance practices at vendors, the Secunia Vulnerability Review 2014 reports that the number of vulnerabilities found in software per year has increased by 45% over the last five years.
Read the full 2014 Secunia Vulnerability Review.
This is all the more worrying when, as discussed at a recent roundtable at The Guardian and also identified in the Secunia review, organisations from small businesses to large enterprises are still frequently found to be dropping the ball on fundamental security practices such as Patch Management.
2. Over Thirteen Thousand vulnerabilities were found in 2013
13,073 vulnerabilities were discovered in 2,289 products from 539 vendors in 2013.
3. About 1 in every 6 vulnerabilities is Highly or Extremely Critical
Secunia rates each vulnerability on a five-level criticality scale:
Level 5. Extremely Critical
Level 4. Highly Critical
Level 3. Moderately Critical
Level 2. Less Critical
Level 1. Not Critical
17% of the vulnerabilities discovered across all products in 2013 were rated either Highly Critical or Extremely Critical.
4. 3 of every 4 vulnerabilities can be exploited over the network
The primary attack vector across all products was Remote Network: 73.5% of the vulnerabilities could be triggered from a remote network, without the attacker needing any local access to the target.
5. Zero-day attacks often rely on other, already patched, software vulnerabilities
Earlier this year a zero-day vulnerability (one unknown to the vendor, with no patch available) in Adobe Flash was discovered, meaning that a user could be infected simply by viewing a Flash file in their browser. The attackers used watering hole attacks, a method where exploits are placed on websites that have high traffic or that are frequented by the specific targets. In this case the exploits checked the OS version and then relied on either a flaw in Microsoft Office that had been fixed at the start of this year, or a flaw in Java 6, which was discontinued 3 years ago. Had the victims' computers simply been patched for MS Office and Java, they would have been safe from this particular zero-day even before Adobe released a patch for it.
6. Zero-day vulnerabilities are found in the most popular products
The products used by the largest number of people are the ones in which zero-day vulnerabilities are primarily found, since a working exploit for a widely installed product reaches the most victims.
7. The power to patch is in your hands
4 of every 5 vulnerabilities had a patch available on the day of disclosure. This reiterates that the power to patch endpoints is in the hands of end-users and organisations: for most vulnerabilities the fix already exists, and the only question is how quickly it is applied.
8. Too worried to patch?
Often CIOs and IT executives are reluctant to change or patch a working system in case something breaks. Perhaps this is due to a lack of documentation for a custom-developed legacy system; perhaps there is a lack of available staff who can find their way around the code; or perhaps there is a degree of scepticism that the patches might make things worse before they make them better.
Implementing Vulnerability Intelligence and Patch Management solutions such as Secunia's Vulnerability Intelligence Manager (VIM) and Corporate Software Inspector (CSI), which integrate with Microsoft WSUS and System Center and other third-party patch deployment systems, can certainly help. Identifying vulnerabilities, then prioritising and scheduling patching, with a test deployment to a pilot group before the wider rollout, is far healthier than burying your head in the sand and waiting for a potential attack.
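As a concrete illustration of "identify, prioritise, schedule", here is a small triage script added for this article. It is not Infosec Partners' or Secunia's code and does not talk to VIM or CSI. It ranks a constructed inventory of advisories by the five-level criticality scale above, then by whether the issue is remotely triggerable and whether a vendor patch exists, and derives due dates from a per-level SLA; the SLA values, product names and dates are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Secunia's five criticality levels, as listed in the text (5 = most severe).
CRITICALITY = {
    5: "Extremely Critical",
    4: "Highly Critical",
    3: "Moderately Critical",
    2: "Less Critical",
    1: "Not Critical",
}

# ASSUMPTION: illustrative remediation deadlines in days per level. These are
# not Secunia's or Infosec Partners' figures; set them from your own policy.
SLA_DAYS = {5: 1, 4: 7, 3: 30, 2: 90, 1: 180}


@dataclass(frozen=True)
class Advisory:
    product: str
    criticality: int        # 1..5 on the Secunia scale above
    vector: str             # "remote", "local network" or "local system"
    patch_available: bool   # vendor fix published at disclosure
    disclosed: date


def priority(adv: Advisory) -> tuple:
    """Sort key for patch order.

    Higher criticality first; within a level, remotely triggerable issues
    first (the 73.5% case in the text); then issues that already have a
    vendor patch, because those are the avoidable ones; oldest disclosure
    first as a final tie-break.
    """
    return (-adv.criticality, adv.vector != "remote",
            not adv.patch_available, adv.disclosed)


def rank(advisories: list[Advisory]) -> list[Advisory]:
    return sorted(advisories, key=priority)


def due_date(adv: Advisory) -> date:
    """Deadline: disclosure date plus the SLA for the advisory's level."""
    return adv.disclosed + timedelta(days=SLA_DAYS[adv.criticality])


def action(adv: Advisory) -> str:
    """What to schedule: apply the vendor fix, or, where none exists
    (for example an end-of-life product), mitigate, upgrade or remove it."""
    if adv.patch_available:
        return "apply vendor patch"
    return "no vendor fix: mitigate, upgrade or remove"


def overdue(advisories: list[Advisory], today: date | str) -> list[Advisory]:
    """Patchable advisories whose SLA deadline has passed as of `today`
    (a date or an ISO string such as "2014-08-01"), in priority order."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return [a for a in rank(advisories)
            if a.patch_available and due_date(a) < today]


def summarise(advisories: list[Advisory]) -> dict:
    """The three headline ratios the review reports, for this inventory."""
    n = len(advisories)
    high = sum(a.criticality >= 4 for a in advisories)
    remote = sum(a.vector == "remote" for a in advisories)
    patched = sum(a.patch_available for a in advisories)
    return {
        "total": n,
        "pct_high_or_extreme": round(100 * high / n, 1),
        "pct_remote": round(100 * remote / n, 1),
        "pct_patch_at_disclosure": round(100 * patched / n, 1),
    }


# Constructed sample inventory for the example; these are not real advisories.
SAMPLE = [
    Advisory("Product A", 5, "remote", True, date(2014, 2, 4)),
    Advisory("Product B", 4, "remote", True, date(2014, 1, 14)),
    Advisory("Product C", 4, "remote", False, date(2013, 6, 18)),  # end-of-life, no fix
    Advisory("Product D", 3, "local network", True, date(2014, 7, 1)),
    Advisory("Product E", 2, "local system", True, date(2014, 7, 20)),
]

if __name__ == "__main__":
    for a in rank(SAMPLE):
        print(f"{CRITICALITY[a.criticality]:<20} {a.vector:<14} {a.product:<10} "
              f"due {due_date(a)}  {action(a)}")
    print("overdue on 2014-08-01:",
          [a.product for a in overdue(SAMPLE, "2014-08-01")])
    print(summarise(SAMPLE))
```

Run on the sample inventory, Product C ranks third despite being a Highly Critical remote issue because no vendor fix exists for it; it needs an upgrade or removal decision rather than a patch job, which is the situation the end-of-life Java 6 example in point 5 describes. Everything else with an expired deadline appears in the overdue list, which is the report a CIO can act on.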
9. In need of expert advice?
Whether you need to secure legacy systems or carry out vulnerability assessments for regulatory compliance, Infosec Partners can help make sure your security fundamentals are in order.
As a trusted adviser to significant organisations, Infosec Partners has a track record of guiding executive teams on their overall security strategy, either acting as, or assisting incumbent, Chief Information Security Officers. With a team of technical experts ready to mobilise to integrate, configure and deploy Vulnerability Intelligence and Patch Management solutions, there is no longer any excuse not to patch in time and have peace of mind.