Vulnerability , Malware and Risk

Vulnerability , Malware and Risk

• 1.
  Vulnerability, Malware andRisk Background Information Security is a crucial function within any organization. Availability, confidentiality and integrity of information are critically dependent on the health of every system connected to the organization. Various software packages on these systems have flaws in their code. These flaws exist despite the most stringent QA scrutiny, and potentially allow a malicious user unauthorized access to a system. These are referred to as vulnerabilities. A typical enterprise consists of a complex network of computers. This network of computers is prone to risk from any of the end point systems connected to the network. A system with vulnerabilities connecting to the network potentially puts the entire organization at risk since they can allow large- scale attacks. Almost all attacks exploit vulnerabilities in systems. An interesting question that arises is: How long does it take a vulnerable computer connected to the Internet to become infected with malicious software? The answer depends on the OS the computer is running. In any case, it is a matter of minutes to a few hours, with Unix systems typically holding out longer than Windows operating systems. (https://isc.sans.edu/survivaltime.html ) Many service providers offer services that scan the organization and provide a comprehensive report of vulnerabilities. Removing these vulnerabilities is then typically left to the end user. This can be particularly daunting if there are many end points in the organization. In this paper we discuss how to ensure the health of all systems that connect to the network by removing known vulnerabilities. Saner makes this process very simple, intuitive and fast. This keeps enterprises safe from many attacks. How most attackers gain access to a system Information security invariably depends on preventing attacks from exploiting end point systems. Every system in a network with any kind of vulnerability is a potential entry point for an attack. Unauthorized access to a system and controlling a system is exactly what an attacker accomplishes by exploiting end point vulnerabilities. Many complex applications run on end point computers. So far we have explained how vulnerable software applications can be exploited by attackers to gain access to a system or to cause unpredictable behavior in a system. Most malware is designed to target and attack these vulnerabilities. It stands to reason that systems with fewer vulnerabilities are more secure. Every day, an average of 30 new vulnerabilities are uncovered and published in the National Vulnerability Database (http://web.nvd.nist.gov/view/vuln/search). The time between the publication of a vulnerability and an attack using the vulnerability is a matter of days. (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf ). According to the Center for Strategic and International Studies, “75% of attacks use publicly known vulnerabilities in commercial
• 2.
  software that couldbe prevented by regular patching.” (http://csis.org/files/publication/130212_Lewis_RaisingBarCybersecurity.pdf ). For most of these vulnerabilities, the application vendor provides a “patch” which is an update to the software that removes the vulnerability. Most vulnerabilities are removed by keeping systems up to date with the latest software. Anti-Virus software and residual risk Anti-virus (AV) software has been fairly successful in containing attacks to a point. AV software uses signature-based detection for viruses and malware. It depends on the availability of the signatures or patterns that identify the virus or malware as malicious code. While the dictionary of signatures is growing exponentially, attackers have devised clever ways of disguising their attacks to escape detection. Polymorphic codes that mutate when they execute in a host can potentially avoid detection. This can render AV software ineffective in detecting and blocking all malware attacks. More importantly, AV software is designed to detect and act on an on-going attack and cure it after the fact. The AV software answer is to remove the offending piece of code after the attack. However, it is not designed to do effective prevention, thus leaving unmitigated risks in the systems. Patch – remove the vulnerabilities before they can be exploited A software patch is a piece of code designed to correct a known problem in a software application or product. In response to uncovered vulnerabilities, software vendors correct the offending code and release an update in the form of a patch. When the software is updated the vulnerability is typically removed. Patching applications as soon as the patch is made available is important, especially when a software vendor releases critical patches. The availability of a patch can provide the information that attackers use to write an exploit. This can reduce the time to attack after a vulnerability is uncovered and a patch is available. The safest way to mitigate the risk of an attack is to patch the system immediately. Challenges of software patching Patching and keeping applications up to date is unquestionably important. However, the fact is that a significant percentage of computers are running unpatched operating systems and applications. Most successful attacks target unpatched systems in the network. Why then are so many systems still unpatched? Individuals may not be equipped with the knowledge or skills to accomplish effective patching. Also, the patching process in an enterprise can be quite complex. In “Guide to Enterprise Patch Management Technologies”, (http://csis.org/files/publication/130212_Lewis_RaisingBarCybersecurity.pdf ), the report lists a few of these challenges. Here is a summary of important points to note: - SW Inventory Management – Having an up to date inventory, with complete information about the installed version of all software in each system connected to the enterprise is important, but it is a very challenging task.
• 3.
  - Resource Overload– Software vendors release patches either bundled with many issues resolved at once, or if the issue is critical and likely to have a major impact they may release a “one off” patch. In either case, if not well managed, network bandwidth can be choked with many systems downloading required patches. - Installation Side Effects - Applied patches may alter some security configurations. Organizations should be able to identify these and remedy them for effective vulnerability management. - Effectiveness of Patching – Patches often require the patched software be restarted or the entire system be restarted. The patch won’t take effect until this step is completed. Knowing the applied patch is in effect is crucial and needs to be ascertained. There are also a few other points that can complicate the patching process in an enterprise: - Risk Assessment and Prioritization – Not all vulnerabilities pose the same level of risk. Given that the patching process in an enterprise can be elaborate, patches should be prioritized based on the risk they pose to an organization. - Patch Identification - Once risks are identified and prioritized, the task of identifying appropriate patches to apply can be tedious and time consuming. How Saner Accomplishes Vulnerability Mitigation SecPod has the philosophy that a stitch in time saves nine. While Malware detection and cure products are still an important tool in an enterprise, they can only do a partial job. Saner identifies and removes vulnerabilities before they are exploited by attackers. Using continuously updated vulnerability data helps us ensure that all known vulnerabilities are detected and a patch is available to specifically address the vulnerability. How Saner addresses common challenges Saner runs an agent on each end point system. This helps track all applications running on any end point system. With this architecture, Saner does not need to have a central repository of all systems and the software running on them. Saner takes care of applying patches to any known vulnerable software on the system. This overcomes the Inventory Management problem alluded to earlier. When a patch is required, every end point system will need to download the patch from either the Internet or the intranet. Connecting to the Internet to download patches can mean choking the enterprise network bandwidth. Saner overcomes this by supporting in-house enterprise deployment. The server downloads the required patch once and then end user systems get the required patch from the in-house server. This avoids multiple redundant downloads that can congest the organization’s Internet connection. Individual systems still use the intranet bandwidth to download patches; however, the intranet bandwidth generally supports this amount of network traffic. Another potential problem faced by organizations is the alteration in configuration values introduced by new patches. Saner handles this by checking for mis-configurations. An example would be if an application is set to start automatically by default, but the enterprise policy is to prevent auto start.
• 4.
  Saner ensures thatif any alteration violates the organization policy it is detected and fixed. Such checks are made after a remediation is done to ensure that no mis-configurations exist in the system. After applying a patch, some applications require either a restart of the application or the OS. If the system is not restarted the patch is not effectively applied. Saner performs a scan immediately after the remediation (patching) is done. If the patch is not properly applied it shows up in the console as a vulnerability. In an organization, it may not always be practical to remediate all vulnerabilities. Saner identifies the criticality of vulnerabilities and provides information on the risk they pose. The IT manager can assess the posed threat by examining the severity of the vulnerabilities. Someone armed with the information available in the Saner dashboard can make informed decisions about applying the patch. Identifying the appropriate patch to apply is automated in Saner. This ensures no extra time is required to identify the correct patch to apply; choosing which patch to apply is a matter of a few mouse clicks. Conclusion Anti-virus software products provide a means of identifying threats in an enterprise, but they are not 100% effective on their own. Often they are unable to detect malware before damage is done. In that case, Anti-virus software cannot help contain the virus or minimize the damage. To a large extent Anti- virus software is a reactive approach. At SecPod we believe that prevention is better than cure. Our conviction is that if vulnerabilities are removed from the system – we will be able to prevent an attack from exploiting a system. This goes a long way toward providing Confidentiality, Integrity and Availability of information in an organization. We do not claim that Saner is a replacement for Anti-virus software. Robust security necessitates many layers of defense. Saner is the first line of defense by preventing the exploitation of vulnerabilities and is a necessary component for an organization’s security. Anti-virus software acts as a second line of defense for the purpose it was designed for. Many exploits can be prevented by using Saner. Saner in combination with enterprise Anti-virus software is a much more effective solution to prevent damage from attacks, compared to using an Anti- virus software alone.