Sifting through unknown vulnerabilities

InfoSecurity Europe : 09 March 2009 (Special Report)
Chris Schwartzbauer of Shavlik Technologies provides some background into intelligent discovery of hidden vulnerabilities

Too many companies, though now quite savvy about security and compliance requirements, continue to struggle with the basics: understanding what is on their network, how it is configured, what its purpose is and what is running on it. Often the decision makers (the CIO, security and risk managers) assume the basics are resolved because a significant investment has been made in sophisticated security strategy and technologies. They have not, however, recognised that it is in the mundane processes, policy and configuration management, that the vulnerability gaps are left wide open. This leaves them working in the dark, unable to track and therefore unable to enforce IT security policy effectively. Ongoing investments in compliance with PCI, ISO 27002 and other standards are also compromised as long as this weak link in the security strategy persists.

You can't secure what you don't know about and unfortunately the unknowns are many:

* Companies are often unaware of all of the servers live on their network
* Laptops are offline when vulnerability scans occur, or their agent software is not activated
* Data governance is poor: data is easily copied and moved around the organisation by employees
* Virtualisation has multiplied the number of machines that must be protected, while too many people are able to create virtual machines
* Unknown network connections and account privileges persist
* Unknown applications, whether malicious or loaded inadvertently by employees; for the latter, patches are never applied
* Oversights in configuration settings

The resolution lies in addressing the problem from the ground up. Attention must be paid to equipping the administrator with the ability to discover and evaluate all of the systems on and connecting to the network. They need access to usable information to ensure they comprehend the entirety of the problem, can set priorities, and instil confidence by communicating progress. The vulnerability gaps, once discovered, will usually require the most basic of security controls - configuration according to current access policy or removal of unauthorised software. The complexity lies in finding the gaps so that they can be filled.

For their part, security administrators tell us that they are recognising the need to develop a meaningful overview of their network assets, largely in response to increasing pressure to report on their security status to executives who are newly motivated to demonstrate responsibility to customers and board members alike. They are challenged, however, by the complexity of their heterogeneous networks, an overwhelming amount of log data that is too time consuming to interpret, and a reluctance to automate where manual processes are no longer adequate. The latter point is illustrated in a recent international study released by industry analysts Aberdeen Group, which suggested that only 51% of companies have automated basic vulnerability management operations such as patch and configuration management, despite widespread acceptance that many security vulnerabilities can be avoided by fixing this issue.

The struggle to glean good, complete information about the security status of their information systems is most obvious when it comes to audit time. In a 2008 survey Shavlik conducted of over 400 delegates attending trade shows in the US and Europe, respondents identified over 120 different solutions for managing the audit process, with many trying to develop their own management programs or pull together information from 'a lot of systems'. A significant proportion, nearly 40%, indicated that they were dissatisfied with this situation. Other feedback shared by our customers suggests that they want interoperability, or even integration, across the disparate solutions they have deployed for vulnerability management (application control, configuration management, virtualisation control, patch management, even anti-virus and spam control) so that they can develop a comprehensive view of what is happening.

Some vendors are responding: many of us are committing to standards such as SCAP which, though an initiative of a US government agency, builds on internationally recognised open standards such as Common Vulnerabilities and Exposures (CVE) identifiers, the Open Vulnerability and Assessment Language (OVAL) and the Common Vulnerability Scoring System (CVSS). Commercial implementation of these standards promises to deliver the improved interoperability across functions that customers are demanding. The opportunity for companies and organisations is to establish an integrated approach to their security operations.

It used to be that hackers wanted to make a big impact: create and distribute malicious programs that could proliferate quickly and cause great disruption. Now most attacks are designed to go undetected, giving the program time to invade a piece of software, search out and steal valuable data that can be sold on a black market. They are also more focused on endpoint machines and PCs, given the comprehensive investment in firewalls and the historic focus on defending the network itself. Such an attack can last for months and avoid detection until a customer realises that a breach has occurred. This phenomenon is catching public attention, with publicised data losses alerting everyone to their vulnerability, while executives are increasingly asking their CIOs whether their company could make the next news headline.

It's time to recognise that organisations must work from a solid understanding of whether a given box is relevant and configured for its task, whether users have downloaded anything, and whether it is all patched; there can be hundreds of checks that administrators will want to, and should, verify. This relies on the will to plan, organise and take advantage of their security management information, starting with a query of the potential unknowns. Before systems can be patched and configured according to policy, administrators must proactively scan for what systems exist, and ensure laptops are detected whenever they connect to the network. They must understand what software exists on those systems, and whether the approved configuration is appropriate. The remediation that follows can then be systematic and sustainable, and communicable through a rich resource of reporting information that can be tailored for whoever is looking for reassurance. Until these basics are effectively managed, there will always be a risk to company security and to any effort at compliance with security policy or external regulation.
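The discovery-first process described above, querying the unknowns before patching and configuring, can be made concrete as a small reconciliation of three data sources: what the inventory says exists, what discovery actually sees on the network, and what the last scan found on each machine. The following Python example is added here and is not code from the article or from Shavlik; the inventory, discovery and scan records are constructed sample data, and the field names and the 14-day scan-age threshold are assumptions chosen for illustration.

```python
"""Gap report: reconcile the asset inventory against network discovery and scan results.

Added example, not from the article or from Shavlik. All three data sets below are
constructed sample data; the field names and the 14-day scan-age threshold are
assumptions chosen for illustration.
"""
from datetime import date, timedelta

# Reference date for the report (constructed to match the article's date).
TODAY = date(2009, 3, 9)

# Constructed asset inventory: what the organisation believes it owns and
# which software is approved on each machine.
INVENTORY = {
    "web01":  {"owner": "ops",     "kind": "server", "approved": {"nginx", "openssl"}},
    "db01":   {"owner": "ops",     "kind": "server", "approved": {"postgresql", "openssl"}},
    "lt-ann": {"owner": "finance", "kind": "laptop", "approved": {"office", "browser"}},
    "lt-bob": {"owner": "sales",   "kind": "laptop", "approved": {"office", "browser"}},
    "vm-old": {"owner": "dev",     "kind": "vm",     "approved": {"python"}},
}

# Constructed discovery results: hosts actually seen on the network (for example
# from DHCP leases, switch tables or a network sweep) and the day each was last seen.
DISCOVERED = {
    "web01":  date(2009, 3, 9),
    "db01":   date(2009, 3, 9),
    "lt-ann": date(2009, 3, 8),
    "lt-bob": date(2009, 2, 1),   # laptop that has not connected for weeks
    "vm-new": date(2009, 3, 9),   # virtual machine that nobody registered
}

# Constructed scan results: last successful agent scan and the software it found.
# "lt-bob" has no record at all: it was offline every time the scan ran.
SCANS = {
    "web01":  {"scanned": date(2009, 3, 8),  "software": {"nginx", "openssl"}},
    "db01":   {"scanned": date(2009, 3, 8),  "software": {"postgresql", "openssl", "p2p-client"}},
    "lt-ann": {"scanned": date(2009, 2, 10), "software": {"office", "browser", "toolbar"}},
    "vm-old": {"scanned": date(2009, 1, 5),  "software": {"python"}},
}


def gap_report(inventory, discovered, scans, today, max_scan_age_days=14):
    """Return the kinds of 'unknowns' the article lists, as plain lists and dicts
    that an administrator can prioritise and report on."""
    stale_cutoff = today - timedelta(days=max_scan_age_days)
    report = {
        # Seen on the wire but absent from the inventory: unregistered servers or VMs.
        "unknown_hosts": sorted(set(discovered) - set(inventory)),
        # In the inventory but never seen: decommissioned, or on a hidden segment.
        "unseen_hosts": sorted(set(inventory) - set(discovered)),
        # Inventory hosts with no scan record, or a scan older than the cutoff.
        "stale_or_unscanned": {},
        # Software present on a host that policy does not approve for it.
        "unapproved_software": {},
    }
    # Only inventory hosts are checked here; unknown hosts are already flagged above
    # and need to be identified before any scan result for them means anything.
    for host, asset in inventory.items():
        scan = scans.get(host)
        if scan is None:
            report["stale_or_unscanned"][host] = "never scanned"
            continue
        if scan["scanned"] < stale_cutoff:
            report["stale_or_unscanned"][host] = "last scan " + scan["scanned"].isoformat()
        extra = scan["software"] - asset["approved"]
        if extra:
            report["unapproved_software"][host] = sorted(extra)
    return report


def summarise(report):
    """One-line counts per category, the figures a status report to management needs."""
    return {section: len(items) for section, items in report.items()}


def run_example():
    """Run the report over the constructed data (also used by the usage below)."""
    return gap_report(INVENTORY, DISCOVERED, SCANS, today=TODAY)


if __name__ == "__main__":
    result = run_example()
    for section, items in result.items():
        print(f"{section}: {items}")
    print("summary:", summarise(result))
```

On the constructed data the report flags `vm-new` as a host nobody registered, `vm-old` as an inventory entry the network no longer shows, `lt-bob` as a laptop that has never been scanned, `lt-ann` and `vm-old` as hosts whose last scan is older than the threshold, and a peer-to-peer client on `db01` and a toolbar on `lt-ann` as software outside the approved set. Each category maps to one of the unknowns in the list above, and the counts from `summarise` are the kind of figure that lets progress be communicated upwards.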

Shavlik Technologies is exhibiting at Infosecurity Europe 2009, the No. 1 industry event in Europe, held on 28th - 30th April in its new venue, Earl's Court, London. The event provides an unrivalled free education programme and exhibitors showcasing new and emerging technologies and offering practical and professional expertise.
