With the current wave of cybersecurity attacks, businesses everywhere are scrambling to protect their digital assets and prevent high-impact security breaches. One of the most crucial steps a company can take is to take a look at their system’s vulnerabilities.
We recently sat down with LANDESK’s Chief Security Officer, Phil Richards, to gain deeper insights into how neglecting your system’s vulnerabilities can lead to ransomware and other cybersecurity attacks.
Q: What is a vulnerability and how do you find it?
A: A vulnerability is a system’s inability to withstand a specific attack. A vulnerability can result from configuration, like having a weak password, or from physical issues, like having an unlocked computer in a public place. It can also be a software weakness, such as an application that has not been patched.
Defects in software that require patching are tracked in the Computer Vulnerabilities and Exposures Database (CVE database for short) kept by Mitre.org. The database contains more than 77,000 vulnerabilities and dates back to 1999.
Q: You mentioned that some catalogued vulnerabilities date back to 1999. Is it important to patch defects that old?
A: It is critical to patch older defects. Verizon publishes a report every year called the Data Breach Investigations Report. The 2016 version of that report states that the top ten vulnerabilities are responsible for 85 percent of all successful breaches, and that eight of those ten vulnerabilities are 13 years or older.
The key finding from this report is that older vulnerabilities are still heavily targeted, and that your vulnerability assessment and management processes should emphasize consistency and thorough coverage more than rapid patching.
Q: If a vulnerability is a system’s inability to withstand an attack, what is vulnerability assessment?
A: Vulnerability assessment is the process that determines whether or not a system exhibits any known vulnerabilities. You can do vulnerability assessment in many different ways, but the easiest way to assess vulnerabilities across many systems is to use a vulnerability scanner, or an accurate software inventory system.
A vulnerability scanner will probe computer systems and devices on the network to assess if they are vulnerable to specific exploits. Vulnerability scanners can be very beneficial, but they can also cause network and system issues if not configured or used properly, so be careful.
An accurate software inventory system can be used to assess vulnerabilities without performing any network probes of the systems directly, so they don’t pose the direct danger to the environment that vulnerability scanners do. That said, vulnerability scanners are probing your systems, so their findings may be more accurate than the inventory of installed software. Both of these tools will provide a list of steps to take to address the vulnerabilities.
Q: Is that list of steps part of the vulnerability management process?
A: Yes. Vulnerability management is the process of identifying, classifying, and addressing vulnerabilities. It is an iterative process. You are never completely clear of all vulnerabilities because new ones are discovered every day.
Additionally, software becomes de-supported by the vendor as it gets older. This process is another part of vulnerability management, called obsolescence management. It is just as important to stop using obsolete software as it is to patch.
Q: What happens if we don’t fix the vulnerabilities? How do the bad guys exploit vulnerabilities on corporate computer systems?
A: One of the best examples of how vulnerabilities are exploited is by looking at the behavior of Exploit kits. Exploit kits are the second most common way for malicious actors to gain a foothold within an organization, just behind phishing.
Exploit kits are sold on the CyberCrime black market as a service to individuals or organizations who use them in campaigns to gain control of unsuspecting consumers.
The way the attack starts is when an employee in your organization goes to a website that the bad guys have already compromised. The compromised site will perform a network scan of your computer’s IP address, looking for vulnerabilities on your computer. Essentially, an exploit kit starts as a vulnerability scanner.
Typically, these vulnerabilities are missing patches in products that plug into the browser, such as Adobe Acrobat Reader, IE, Java Runtime Environment or Microsoft Silverlight, or the browser itself. The exploit kit, if it finds vulnerabilities, will send your computer a string of characters to exploit for the specific vulnerability found on your computer. The exploit will dump executable code onto the computer, all through the compromised website that you are visiting.
Differing from phishing malware, the user is not notified in any way that the attack is underway, because it leverages exploits on the user’s computer. The first and best defence against these attacks is to make sure all your systems are fully patched, especially patching the software that is most often targeted by EK’s (IE, JRE, Silverlight and Adobe Acrobat Reader).