
May 2011

Picking the Low-Hanging Fruit

Why fixing third-party application vulnerabilities is at the core of sound information security—and how to make sure patch management is optimizing your security posture.


Overview

“Set it and forget it” might work for rotisserie ovens, your DVR and maybe even data backups. But it’s a bad strategy when it comes to patch management. Trouble is, too many security pros think they can switch on Windows Server Update Services (WSUS) and assume their patch management is taken care of.

If only it were that easy. But the truth is that non-Microsoft apps make up an ever-growing portion of your application landscape. And every one of them can contain vulnerabilities that remain unpatched and therefore can be exploited in a cyber-attack. Consider:

» 95 percent of organizations have social-networking apps installed.

» 66 percent of apps have known vulnerabilities.

» 78 percent of Web 2.0 apps support file transfer.

» 28 percent of apps propagate malware.[1]

The problem isn’t that patches aren’t available—though zero-day attacks are clearly a concern. The issue is that in many organizations, the applications haven’t been identified, and the patches haven’t been applied. And that leaves the door wide open to cyber-criminals.

“Unpatched vulnerabilities remain a prime exploit vector. If you look at the malware toolkits available, the vast majority rely on exploits that are more than a year old,” says Paul Henry, security and forensics analyst for Lumension.

Why do hackers use old vulnerabilities to exploit systems? Simply put, because it works.

What’s needed is a more reasoned approach to patch management. One that understands the issues, recognizes the risks and applies a centralized, comprehensive patch-management solution as the core of a complete defense-in-depth strategy.

“Patching is the low-hanging fruit,” Henry says. “There is no better return on your network-security dollar than patching.”

The Apps Accumulate

Our increasingly connected, mobile workforce relies on software to get the job done. And increasingly, that software comprises third-party, non-Microsoft apps. Apps that lack a unified patch mechanism. A few relevant facts:

» Of the top 50 most common apps, 26 are from Microsoft and 24 are from third-party vendors.

» Non-Microsoft apps have four times more vulnerabilities.

» There was a 71 percent increase in vulnerabilities in software typically found on endpoint PCs in 2009.

» In North America, Europe and Asia, the average PC contains at least three vulnerable apps at any given time.[2]

[1] Palo Alto Networks Application Survey 2009, 2010
[2] Secunia Yearly Report, 2010


The problem isn’t that patches aren’t available for these apps. It’s that the patches aren’t applied. For example, Secunia reports an average 4,364 common vulnerabilities and exposures (CVE) per year. For about half these advisories, a patch becomes available on the day of disclosure. For the remaining half, a patch becomes available within 30 days.

But on average, large organizations take at least twice as long to patch client-side application vulnerabilities as they do to patch operating system vulnerabilities.[3] As a result, “90 percent of attacks are exploiting vulnerabilities we already knew about, by missing patches, deciding not to patch. … Ninety-nine percent are exploited configurations and unpatched machines that the simplest vulnerability scan would have found,” says Gartner security expert John Pescatore.[4]

Apps are often the gateway to organizational databases, which house personally identifiable information and intellectual property. Cyber-criminals know that if they can get to the app, they can get to data that has value. And security measures typically focus on the periphery and the network, leaving apps and databases at risk.

[3] SANS Institute Report, September 2009
[4] Gartner Security and Risk Management Summit, June 2010

The top 15 most-observed vulnerabilities involve software for which patches have long been available.

    VULNERABILITY                                                    DISCLOSED  PATCHED
     1. Microsoft Internet Explorer RDS ActiveX                      2006       2006
     2. Office Web Components Active Script Execution                2002       2002
     3. Microsoft Video Streaming (DirectShow) ActiveX Vulnerability 2007       2009
     4. Real Player [ERPCt] Remote Code Execution                    2007       2007
     5. Adobe Acrobat and Adobe Reader CollectEmailInfo              2007       2008
     6. Adobe Reader GetIcon JavaScript Method Buffer Overflow       2009       2009
     7. Adobe Reader util.printf() JavaScript Func() Stack Overflow  2008       2008
     8. Microsoft Internet Explorer Deleted Object Event Handling    2010       2010
     9. Microsoft Access Snapshot Viewer ActiveX Control             2008       2008
    10. Adobe Reader media.newPlayer                                 2009       2009
    11. Microsoft Internet Explorer (IE) iepeers.dll                 2010       2010
    12. BaoFeng StormPlayer Buffer Overflow                          2009       2009
    13. JVM Buffer Overflow Vulnerabilities                          2009       2009
    14. Microsoft IE STYLE Object Invalid Pointer Reference          2009       2009
    15. Java WebStart Arbitrary Command Line Injection               2010       2010

Source: M86 Security Labs
http://www.zdnet.com/blog/security/report-patched-vulnerabilities-remain-prime-expoitation-vector/8162?tag=n1.e539


Security advisories corroborate this view. “Web applications now reign supreme in both the number of breaches and the amount of data compromised through this vector,” says the Verizon 2010 Data Breach Investigations Report.

In January 2011, 60 percent of known vulnerabilities were converted by cyber-criminals into attacks, according to Dark Reading.

Security professionals are increasingly aware of these realities. “What concerns them most about reducing the endpoint risk are preventing applications from being installed or executing on their endpoints, discovering what applications are residing on the network and ensuring that vulnerable applications are patched,” according to a survey of security pros by Ponemon Institute, an independent research organization.

“On average, 15 new vulnerabilities are discovered every day, and that’s a very conservative number,” Henry points out. “Software vulnerabilities are a fact of life, and they’re growing daily. Understanding these risks is crucial in defining your ability to address them effectively.”

Surgical Strikes

While third-party apps proliferate, attackers are getting better at exploiting them. Some more worrisome statistics:

» 98 percent of organizations experienced at least one malware or virus intrusion in 2010.

» 62 percent experienced at least 50 malware attempts per month.

» 43 percent said they had seen a major increase in malware attacks.[5]

“As the number of vulnerabilities increases, we’re seeing the bad guys increasingly being able to take them and convert them into reliable exploits,” Henry notes.

Security pros agree. The three most challenging issues they face are zero-day attacks, SQL injections and the exploitation of software vulnerabilities more than three months old, according to the Ponemon survey. As a result of these threats, more than one-third of respondents said their networks are not more secure today than they were a year ago.

They also said the risks are shifting. Today, they’re not primarily concerned about their data centers, operating systems or network infrastructures. Instead, they’re most worried about mobile employees working from remote locations, downloading unfamiliar third-party apps, and increasing the threat of destructive, hard-to-detect malware attacks. It’s no surprise, then, that 61 percent predict the top security risk over the next 12 months will be the mushrooming volume of malware incidents.


What’s troubling, though, is that the vast majority of organizations are using a broad range of security tools. For example, 98 percent have AV in place. Sixty percent have endpoint firewalls. And 57 percent use intrusion detection. Yet they’re still falling victim to attacks—in large part because they haven’t patched their vulnerable applications.

Defense-in-Depth

In the face of increasing vulnerabilities and more sophisticated and persistent threats, smart organizations are moving toward a holistic, “defense-in-depth” approach to security. Defense-in-depth leverages layers of configuration management, application control, device control and AV. But at the very core lies patch management—your first line of defense.

Patch management isn’t about simply switching on WSUS. WSUS is a fine tool for patching Windows, and Microsoft is very good about communicating vulnerabilities in its operating system.

WSUS is useless in patching third-party and Web apps though. And those apps need to become a sharper focus of security efforts.

Aberdeen Group recommends a four-step approach to patch management:

» Assess—First, identify all assets, including platforms, operating systems, applications and network services. Then, monitor external sources for vulnerabilities, threats and remediation information. Finally, scan all assets on a regular basis for vulnerabilities, patches and configurations.

» Prioritize—Maintain an inventory of assets and a database of remediation information. Prioritize the order of remediation in terms of risk, compliance, audit and business value.

» Remediate—Start by modeling, staging and testing remediation before deployment. Next, deploy either manual or automated remediation. Last, train administrators and users on vulnerability-management best practices.

» Repeat—Scan to verify the success of your last remediation. Report on it for audit and compliance. And continue to assess, prioritize and remediate on an ongoing basis.
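As an added illustration (not code from Lumension, Aberdeen Group or this paper), here is the four-step cycle run over a constructed inventory of third-party apps: the advisory ids, app names, versions, CVSS scores, dates and hosts are all assumed placeholders, and the risk score is an assumed formula that weights severity by asset value and by how long a shipped fix has gone unapplied.

```python
# Added example, not Lumension's or Aberdeen's code; every host, app, version, id, score and date is constructed.
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class Advisory:
    adv_id: str            # placeholder id, not a real CVE number
    app: str
    fixed_version: tuple   # versions compared as tuples, e.g. (9, 4, 0)
    cvss: float
    patch_available: date  # day the vendor shipped a fix

@dataclass
class Host:
    name: str
    business_value: int    # 1 (lab box) .. 5 (holds customer data)
    apps: dict = field(default_factory=dict)  # app -> installed version

def assess(hosts, advisories):
    """Step 1: match installed versions against the advisory feed."""
    return [(h, a) for h in hosts for a in advisories
            if a.app in h.apps and h.apps[a.app] < a.fixed_version]

def risk(host, adv, today):
    """Step 2: severity x asset value x how long the fix has sat unapplied
    (+1 per 30 days of lag, the 'known but unpatched' window)."""
    lag_days = max(0, (today - adv.patch_available).days)
    return adv.cvss * host.business_value * (1 + lag_days / 30)

def remediate(host, adv):
    """Step 3: deploying the patch, modelled as bumping the installed version."""
    host.apps[adv.app] = adv.fixed_version

def run_cycle(hosts, advisories, today):
    """Steps 1-4: rank findings, patch the top one, rescan for what is left."""
    ranked = sorted(assess(hosts, advisories),
                    key=lambda f: risk(f[0], f[1], today), reverse=True)
    if ranked:
        remediate(*ranked[0])
    remaining = assess(hosts, advisories)  # Step 4: verify by rescanning
    return ([(h.name, a.adv_id) for h, a in ranked],
            [(h.name, a.adv_id) for h, a in remaining])

def build_sample():
    """Constructed inventory and advisory feed: (hosts, advisories, today)."""
    advisories = [
        Advisory("ADV-0001", "pdf-reader", (9, 4, 0), 9.3, date(2011, 2, 1)),
        Advisory("ADV-0002", "media-player", (12, 0, 1), 6.8, date(2011, 4, 20)),
        Advisory("ADV-0003", "office-suite", (14, 0, 5), 7.5, date(2011, 4, 28))]
    hosts = [
        Host("db01", 5, {"pdf-reader": (9, 3, 2), "office-suite": (14, 0, 5)}),
        Host("hr-laptop", 3, {"pdf-reader": (9, 4, 0), "media-player": (11, 9, 0),
                              "office-suite": (14, 0, 2)}),
        Host("lab02", 1, {"media-player": (11, 0, 0)})]
    return hosts, advisories, date(2011, 5, 1)
```

Running `run_cycle(*build_sample())` ranks the database server's three-month-old reader flaw first, and the rescan shows the three laptop and lab findings still open, which is the "Repeat" step feeding the next cycle.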

Achieving such effective patch management calls for a centralized, comprehensive solution. Yet many organizations have relied on a fragmented approach. They’ve deployed tools that don’t centralize or consolidate the management of heterogeneous environments. As a result, they lack visibility into their security posture. They miss devices and blind spots, and they suffer from inconsistent reporting. They also wind up with high management overhead and costs.

Instead, patch and configuration analysis and delivery must extend across all platforms, operating systems and applications. Application and operating-system patching have to be benchmarked and consistently enforced. Standard configurations should be assessed and enforced. And network endpoints have to be managed, because unmanaged endpoints are unknown and unprotected.

“The old approaches clearly haven’t worked,” Henry explains. “We have disparate products, and we have processes that are expensive and require high management overhead. Without centralized management and reporting across your platforms, systems and applications, you can’t achieve cost-effective security.”

Top Perks of Patching

An effective patch-management solution delivers business benefits across a broad range of areas:

» Security—Patch management is at the core of a complete defense-in-depth approach to security. Patching known vulnerabilities is the most cost-effective, straightforward way to improve your security posture.

» Visibility—Discovery and agent deployment for both physical and virtual environments means you always know what’s connected to your network. Reporting delivers critical feedback regarding performance, endpoint events, return on investment and security overall.

» Performance—By eliminating blind spots in network maintenance and ensuring that offline machines receive crucial updates and patches during maintenance windows, you can improve system performance.

» Productivity—A centralized solution reduces setup and maintenance of users and user groups. It also eases administration through workflow-based navigation and an intuitive management console. And it ensures a more efficient, consistent and secure process for applying agent policies.

» Risk—Security breaches can expose your organization to civil lawsuits and monetary damages. They can also involve penalties related to service-level agreements and disrupted partner relationships. Effective patch management can go a long way toward mitigating such risks.

» Cost—Effective patch management reduces the time and effort IT staff need for installations, upgrades, uninstalls and patches across your environment. An extensible platform with a single infrastructure ultimately reduces your total cost of ownership. Most important, it reduces time and resources spent on remediating security breaches.


Solid Solution

What’s needed, then, is a centralized, comprehensive approach to application patching. To that end, Lumension® Endpoint Management and Security Suite: Patch and Remediation provides automated vulnerability assessment and patch management. The software enables you to automatically detect risks, deploy patches and protect your business information across a complex, highly distributed physical and virtual environment. These activities are seamlessly integrated into a single management console for complete visibility into your network.

Lumension® Patch and Remediation enables patching of Microsoft, third-party and custom apps, as well as patching based on CVEs. It also offers a full range of additional features, including granular patch control, flexible management control, discovery of new and unauthorized clients, up-to-date data assessments, network visibility, software uninstall and built-in reporting.

The solution even delivers a lower total cost of ownership than WSUS, according to Tolly Enterprises, an independent test lab. Tolly found that Lumension can provide at least 60 percent savings compared with WSUS over one year and over five years. On average, it can save an enterprise with 500 workstations nearly $75,000 over one year and nearly $400,000 over five years. That cost advantage comes from the solution’s “diverse application support, powerful operations tools, … software removal and extensive reporting capabilities,” Tolly reports.

[Figure: two endpoint-security stacks, “Traditional Endpoint Security” (Blacklisting As The Core) and “Emerging Endpoint Security Stack” (Defense-in-Depth); labels shown: Consumerization of IT, Malware As a Service, 3rd Party Application Risk, Zero Day, AntiVirus, Device Control, Application Control, Patch & Configuration.] An effective defense-in-depth approach places patch and configuration management at the center and then surrounds it with layers of application control, device control and AV software.

Lumension® Patch and Remediation is a key enabler of a comprehensive defense-in-depth strategy in which patch and configuration management are at the core, surrounded by effective layers of application control, device control and antivirus measures.

Ultimately, effective patch management promises to strengthen your security posture, boost your system performance, improve IT and user productivity, and reduce your IT risk—all in a cost-efficient manner.

“Patch management is not the Holy Grail. But it is an absolute core component of defense-in-depth for securing any environment,” Henry concludes. “The best way to mitigate the risk of a vulnerability is to patch it. End of story.”


About Lumension Security, Inc.

Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, “IT Secured. Success Optimized.”, and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters

8660 East Hartford Drive, Suite 300 Scottsdale, AZ 85255 USA

phone: +1.888.725.7828 fax: +1.480.970.6323

www.lumension.com
