Blog | Sep 16, 2013

The Life and Times of a Vulnerability

Choosing where to put your focus and your investments in your security program is challenging; with a range of technologies from older must-haves (antivirus, firewalls) to newer products like SIEM and anomaly detection, what’s the right balance? And how do these technologies map to the threats you hear about when you read about the latest high-profile breach? Should you be more worried about traditional cybercriminals, script kiddies launching automated attacks, or advanced attacks launched by hacktivists or foreign governments?

A good place to start is where breaches start: with a vulnerability that creates an opportunity for someone to attack you.  Vulnerabilities have a life cycle during which they present different levels of risk and need to be handled with different approaches, so let’s look at the life of a vulnerability and how you should react to it.

How are we defining vulnerability for this purpose?  A vulnerability is simply a weakness which allows an attacker to reduce your systems’ information assurance.  That may be accomplished by breaching the confidentiality or integrity of data or reducing the availability of systems.  Some examples of vulnerabilities are:
• Misconfigured permissions that give users more access than they need
• A coding error that allows a user to inject code that accesses underlying databases
• A buffer overflow in which an application overwrites adjacent memory
• An unneeded service accessible via an open port

The first stage of the vulnerability lifecycle runs from its creation to its discovery.  During this period, exploitation of the vulnerability is usually low – no one knows it’s there.  This is also the best time to find and correct the vulnerability.  Running vulnerability scans can identify the problem, and log data may reveal the issue.

The next period – from discovery of the vulnerability until its correction – is where we typically see exploits and breaches. The best case scenario is that you discover a vulnerability in your own systems, or a software vendor discovers the issue in their own code, and the fix is applied promptly. However, most vulnerabilities are not found this way, and if a vulnerability is found and publicized, it will quickly be leveraged by attackers.

More active defense is important here. Intrusion detection provides an important view into the traffic hitting your network so you can identify and block attacks.  Updates to firewalls protect you.  For web applications, a web application firewall with well-managed security policies gives you active blocking of attacks.  More advanced techniques such as behavioral analysis to detect anomalies can give you insight into more difficult situations such as ongoing malware activity, data exfiltration, and other actions of a sophisticated attacker.

The third phase – post-correction, once a patch or remedy has been identified – is simple, right? Not necessarily. First of all, patches must be applied to work, and typically there’s a lag between the release of patches and their application by users. Having a good patch management program is extremely important. Even after the vulnerability is patched, can you be sure that you haven’t been impacted? Careful review of log data lets you validate that your data and systems have not been affected by an attacker during the previous phase of the lifecycle.
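To make that retrospective review concrete, here is an added example (not part of the original post or of any Alert Logic product) that measures each host's patch lag and pulls out the log events that touched a vulnerable endpoint while that host was still exposed. The disclosure date, host names, endpoint path and log lines are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample data (assumptions, not from the original post).
DISCLOSED = datetime(2013, 9, 2)             # vulnerability made public
PATCHED = {                                  # when each host received the fix
    "web01": datetime(2013, 9, 4, 10, 0),
    "web02": datetime(2013, 9, 9, 18, 0),
}
VULN_PATH = "/app/upload"                    # hypothetical affected endpoint

# Constructed log lines: time host client method path status
LOGS = """\
2013-09-01T08:00:00 web01 198.51.100.7 POST /app/upload 200
2013-09-03T12:30:00 web01 203.0.113.9 POST /app/upload 200
2013-09-05T09:00:00 web01 203.0.113.9 POST /app/upload 404
2013-09-08T23:15:00 web02 203.0.113.9 POST /app/upload 200
2013-09-08T23:16:00 web02 203.0.113.9 GET /index.html 200
2013-09-10T07:00:00 web02 198.51.100.7 POST /app/upload 200
not a log line
"""

def exposure_days(host):
    """Patch lag: days a host stayed vulnerable after disclosure."""
    return (PATCHED[host] - DISCLOSED).total_seconds() / 86400

def review(log_text):
    """Return (findings, skipped): requests to the vulnerable path made while
    the target host was exposed, plus a count of unparseable lines."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ts, host, client, method, path, status = line.split()
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            skipped += 1          # count malformed lines, never drop silently
            continue
        # A host with no recorded patch time is treated as still exposed.
        patched_at = PATCHED.get(host, datetime.max)
        if path == VULN_PATH and DISCLOSED <= when < patched_at:
            findings.append((ts, host, client, status))
    return findings, skipped

if __name__ == "__main__":
    hits, bad = review(LOGS)
    for hit in hits:
        print("REVIEW", *hit)
    print("unparsed lines:", bad)
```

The window is per host because patch lag differs per host: the same request that is harmless against web01 on September 5 is still worth reviewing against web02, which stayed exposed for several more days.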

The basic lesson of the vulnerability life cycle is that your security investments should be organized around the areas where you are vulnerable and the attacks that you are most likely to see. Vulnerability scanning and careful monitoring of network traffic and logs from throughout your environment give you the information you need to make smart choices about your security program.

Learn more by downloading Alert Logic’s white paper, Defense Through the Vulnerability Life Cycle (PDF).

To learn more about the latest in security, storage, infrastructure and the cloud, join TriCore, HP, and Alert Logic for a panel discussion and golf tournament on October 7th at Franklin Country Club in Franklin, MA.

Discover how to leverage the power of technology to improve the way you do business. Register now!