A fundamental component of most, if not all, IT security
programs is the timely patching of vulnerabilities in critical
systems.
Yet security experts are taking a new look at the strategy as
data on breaches continues to show that very few attacks compromise
systems using a vulnerability that could have been patched. In
2010, for example, only five vulnerabilities were exploited by
attackers in the 381 breaches investigated by Verizon, according to
the company's Data Breach Investigations Report (DBIR). Instead,
most attackers exploited misconfigurations or gained credentials
for otherwise secure systems.
The data suggests the focus of corporate IT on patching could
cause managers to miss other important strategies to minimize risk,
says Wade Baker, director of risk intelligence for Verizon.
"In general, the security industry is far more
vulnerability-minded than we are threat-minded or focused on
impact," he says. "Threat, vulnerability, and impact are the
components of risk, but most of our time is spent on
vulnerabilities."
The data from Verizon's report underscores that patching, while
a necessary component of any vulnerability management program, is
not sufficient. It's a meme that other security professionals have
echoed, as well: Josh Corman, Akamai's director of security
intelligence, has cited the research as a reason for companies to
consider other strategies to reduce their vulnerabilities to attack
and the impact of breaches.
The security experts are, however, not telling businesses to
toss out their vulnerability management strategies and patch
processes. Companies should just make sure they are balancing their
priorities, Baker says. For example, if a company patches its
systems once per quarter, then pushing for faster patches is less
important than ensuring that patches are applied to all
systems.
"Making that faster is probably not going to reduce the risk as
much for you as making sure that the patch is deployed everywhere,"
Baker says. "The problem is not speed of patch deployment -- it's
missing the patch deployment."
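To make Baker's point measurable, the following is an added example (not from the article, from Verizon, or from the DBIR) that scores a patch rollout two ways: speed, as the median days from release to install, and coverage, as the share of in-scope hosts actually patched. It then compares host-days of exposure when deployment is made one day faster against the case where the missed hosts are simply covered. The inventory, host names, patch id and dates are constructed placeholders.

```python
"""Patch-deployment audit: coverage versus speed.

Added example, not code from the DarkReading article or from Verizon.
All inventory data below is constructed; "PATCH-EXAMPLE-001", the host
names and the dates are placeholders.
"""
from datetime import date
from statistics import median

# Constructed inventory: every in-scope host and the date the patch was
# installed (None = never applied). In practice this comes from a CMDB or
# patch-management export.
PATCH_ID = "PATCH-EXAMPLE-001"
RELEASED = date(2010, 3, 1)      # vendor release date (placeholder)
AS_OF = date(2010, 6, 1)         # end of the reporting window (placeholder)
INVENTORY = {
    "web-01": date(2010, 3, 3),
    "web-02": date(2010, 3, 4),
    "db-01": date(2010, 3, 2),
    "db-02": None,               # missed: never patched
    "app-01": date(2010, 3, 5),
    "legacy-01": None,           # missed: not in any patch group
}


def patch_report(inventory, released):
    """Speed and coverage for one patch across the in-scope inventory."""
    patched = {h: d for h, d in inventory.items() if d is not None}
    missing = sorted(h for h, d in inventory.items() if d is None)
    lags = sorted((d - released).days for d in patched.values())
    return {
        "coverage": len(patched) / len(inventory) if inventory else 0.0,
        "median_days_to_patch": median(lags) if lags else None,
        "missing_hosts": missing,
    }


def host_days_exposed(inventory, released, as_of, speedup_days=0):
    """Total host-days between release and patch install in the window.

    speedup_days models a faster rollout: each patched host's lag shrinks
    by that many days (never below zero). Hosts never patched stay
    exposed for the whole window regardless of rollout speed.
    """
    total = 0
    for installed in inventory.values():
        if installed is None:
            total += (as_of - released).days
        else:
            total += max((installed - released).days - speedup_days, 0)
    return total


def host_days_if_fully_deployed(inventory, released, as_of):
    """Exposure if the missed hosts had been patched at the median lag."""
    report = patch_report(inventory, released)
    typical_lag = report["median_days_to_patch"]
    if typical_lag is None:              # nothing patched: no baseline lag
        typical_lag = (as_of - released).days
    total = 0
    for installed in inventory.values():
        lag = typical_lag if installed is None else (installed - released).days
        total += lag
    return total


if __name__ == "__main__":
    rep = patch_report(INVENTORY, RELEASED)
    print(f"{PATCH_ID}: coverage {rep['coverage']:.0%}, "
          f"median lag {rep['median_days_to_patch']} days, "
          f"missing {rep['missing_hosts']}")
    print("host-days exposed, as rolled out:",
          host_days_exposed(INVENTORY, RELEASED, AS_OF))
    print("host-days exposed, one day faster:",
          host_days_exposed(INVENTORY, RELEASED, AS_OF, speedup_days=1))
    print("host-days exposed, missed hosts covered:",
          host_days_if_fully_deployed(INVENTORY, RELEASED, AS_OF))
```

On the constructed data, shaving a day off the rollout removes four host-days of exposure, while covering the two missed hosts removes well over a hundred; the two never-patched hosts dominate the total, which is the asymmetry Baker describes.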
Companies should also pay more attention to detecting poorly
configured information systems and educating developers on methods
for more secure programming, says Marc Maiffret, Chief Technology
Officer for eEye, a vulnerability management firm. In a survey of
the vulnerabilities that Microsoft patched in 2010, the company
found that two simple changes -- blocking WebDAV connections and
disabling Office file converters -- could have prevented the
exploitation of 12 percent of all the software maker's
vulnerabilities, including those used in major attacks.
"Simple best practice configurations around your operating
system software and network architecture could have mitigated or
helped mitigate the threat of Stuxnet, Aurora, and other major
attacks," Maiffret says.
Maiffret takes issue with Verizon's data on patchable
vulnerabilities, however. SQL injection flaws are not counted as
patchable vulnerabilities, but could be discovered by a good
vulnerability scanner and fixed, just not with a third-party patch
in most cases, he argues.
Verizon's Baker accepts such critiques of the data, but responds
that the data does show a valid trend: Attackers are avoiding the
exploitation of vulnerabilities in favor of exploiting poor design
flaws, abusing stolen credentials, or preying on trusting users. In
addition to searching out poor configurations, IT security managers
need to educate their users, reduce the attack surface area of
their networks, and improve developers' secure-coding skills.
"Secure code development is equal [to], if not more important
than, patching," Baker says. "Patching is just failed secure
development."
Source: DarkReading