The basic premise of an internet-based attack is that an attacker uses an exploit to take advantage of a specific vulnerability in something we use. The attack may take the form of a social engineering attack against the vulnerabilities in user awareness, training and abilities. It may also take the form of a technical attack against a vulnerability in a technical system or software. But what do we DO with that information? How do we manage the inordinate number of vulnerabilities, which is continually growing?

Let’s start in a simple manner. 2018 is likely to be a record year for the identification and definition of new vulnerabilities. Using statistics from cvedetails.com, we are on pace to publish over 17,300 vulnerabilities in 2018. That’s more than any other year, ever.

So, what do you do with over 17,300 vulnerabilities?

“Cry” is not the answer. 

The answer has three basic parts – obviously simplified here:

  1. Prioritize the systems you use by their importance and sensitivity.
  2. Prioritize those systems by how vulnerable they are.
  3. Patch, based on criticality and vulnerabilities.

The first step does not depend on any vulnerability data. You must perform your own analysis, like a Business Impact Analysis, to identify your critical systems. Part of this process is asking, “What supports your most critical systems and data?” But since any entry point into your environment potentially opens up a path for lateral movement to your cool data, consider not limiting yourself to only critical systems.

Next, look at the products you are actually using in your environment. Consider where those 17,000 vulnerabilities are – which products typically, year to year, have the higher number of vulnerabilities? Would it be surprising to you to know that, over the past four years, the first Microsoft product to make the “top” list falls at number eight? Would it surprise you to realize that Apple has two products which rank higher (MacOS X at three and iOS at four) than any Microsoft product? If you make extensive use of Linux in your organizational environment, you should definitely care that Linux variants hold three spots in the top six.

Debian Linux, Ubuntu Linux, Firefox, Adobe Acrobat DC, Adobe Acrobat Reader DC, MySQL, Enterprise Linux Desktop (and Server), and many other products are all on pace to set a record year. If you don’t use any of these, you have several fewer products, and a few thousand fewer vulnerabilities, to worry about – find your next priority. Actually, the top 10 sets of products account for over 8,000 of those vulnerabilities, so some of these priorities are pretty easy to identify. Other things being equal, which system would you worry about more in your environment: Debian Linux, which is on pace to hit around 740 vulnerabilities in 2018, or Windows 7, which is likely to top out closer to 130 vulnerabilities?

So, after determining which systems you use, consider which ones have the most vulnerabilities. That may entail some tedious, time-consuming analysis, but should not be particularly difficult. But, the next consideration is the dreaded “patching”.

Let’s simplify the “patching” concept with math. If you have Windows Server 2008 systems in your environment, you potentially have as many as 1,116 vulnerabilities to worry about. If you applied all available Windows Server 2008 patches and security updates by January 1, 2018, but have patched exactly nothing since, you only have the 130 vulnerabilities from 2018 to worry about. If you applied those same patches and are current as of 7 September, 2018? At the time I am writing this, that was FIVE weeks ago, so it is not like I am worried about patching every single thing, every single day.

That would be 0 published vulnerabilities.

I mean, 0 vulnerabilities is a good number, right?
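
The three steps and the patch-date arithmetic above can be sketched as a small script. This is an added example, not the author's own tooling: the hosts, criticality ratings, feed entries and the `criticality * outstanding` weighting are all constructed assumptions, and it assumes, as the article's math does, that being patched through a date covers everything published up to that date.

```python
from datetime import date

# Constructed inventory: criticality is 1 (low) to 5 (high), taken from your own
# business impact analysis; patched_through is the last date of full patching.
ASSETS = [
    {"host": "hr-db01", "product": "Windows Server 2008", "criticality": 5,
     "patched_through": date(2018, 1, 1)},
    {"host": "web01", "product": "Debian Linux", "criticality": 4,
     "patched_through": date(2018, 9, 7)},
    {"host": "kiosk07", "product": "Windows 7", "criticality": 1,
     "patched_through": date(2017, 6, 1)},
]

# Constructed feed of (placeholder id, product, publication date); not real CVE data.
FEED = [
    ("EXAMPLE-0001", "Windows Server 2008", date(2017, 11, 14)),
    ("EXAMPLE-0002", "Windows Server 2008", date(2018, 3, 13)),
    ("EXAMPLE-0003", "Windows Server 2008", date(2018, 8, 14)),
    ("EXAMPLE-0004", "Debian Linux", date(2018, 2, 20)),
    ("EXAMPLE-0005", "Debian Linux", date(2018, 8, 30)),
    ("EXAMPLE-0006", "Windows 7", date(2017, 9, 12)),
    ("EXAMPLE-0007", "Windows 7", date(2018, 5, 8)),
    ("EXAMPLE-0008", "MySQL", date(2018, 7, 17)),  # product not in inventory: ignored
]

def outstanding(asset, feed=FEED):
    """Ids published for the asset's product after its last full patch date."""
    return [vid for vid, product, published in feed
            if product == asset["product"] and published > asset["patched_through"]]

def patch_queue(assets=ASSETS, feed=FEED):
    """Rank hosts that still have outstanding entries, highest score first."""
    rows = []
    for asset in assets:
        open_ids = outstanding(asset, feed)
        if open_ids:  # fully current hosts drop out of the queue
            score = asset["criticality"] * len(open_ids)  # assumed weighting
            rows.append((score, asset["host"], open_ids))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, host, open_ids in patch_queue():
        print(f"{host:8} score={score:2} outstanding={', '.join(open_ids)}")
```

The host that is current as of 7 September drops out of the queue entirely, while the low-criticality kiosk still appears because it has never caught up.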