When it comes to vulnerability management, the old Donald Rumsfeld quote about ‘known knowns and unknown unknowns’ springs to mind. Unless an organisation understands what its weak points are, how can it strengthen or mitigate them, or accept the risks?
Carrying out a vulnerability assessment and evaluating the risk from any weak points it uncovers can be an essential part of a defence in depth strategy. Taking a more structured approach to vulnerability management saves a lot of potentially unnecessary effort focusing on the wrong risks.
A vulnerability assessment is mainly an automated process that uses security scanning tools to check a web application or network for weaknesses. Unlike a penetration test, it doesn’t involve ethical hacking to check how easy it might be for an attacker to exploit any vulnerabilities. After the assessment, the organisation will have a report explaining the risks it uncovered, and the organisation can then decide how to act on that information.
Vulnerability volume increases
There’s a strong correlation between vulnerabilities and exploits. More than half of the vulnerabilities logged in the NIST (US National Institute of Standards and Technology) National Vulnerability Database (NVD) last year were classified as critical or high severity. This ranking is based on the NIST Common Vulnerability Scoring System [CVSS]. The finding comes from an analysis of the NVD’s 2020 data by Redscan. Its report is available free, and there’s a good writeup of the findings in Security Magazine.
Last year was the highest on record for disclosed security vulnerabilities (also known as CVEs, or Common Vulnerabilities and Exposures). On average, there were 50 CVEs a day, totalling 18,103 for the whole of 2020. Of that amount, 57 per cent were classified as being of a ‘critical’ or ‘high’ severity (10,342). Low-complexity CVEs represented 63% of vulnerabilities disclosed in 2020, and they are increasing compared to previous years. NIST also found that vulnerabilities which require no user interaction to exploit are also rising.
The value of vulnerability assessments: context
All of this puts the value of vulnerability assessments into context. They can help remove the common temptation for security professionals to react to newly emerging or high-profile threats when the actual risk to their organisation might be minimal. Instead, when they know about weaknesses in their specific applications, they can focus on mitigating the risks that matter most.
This is important because many of the most common application vulnerabilities that enabled attacks in 2020 are over five years old. According to Edgescan’s 2021 Vulnerability Statistics Report, 88% of the CVEs Edgescan found in 2020 are between 0-5 years old. Most date back to 2015 and 2016.
The 2020 edition changed emphasis compared to previous years, pivoting away from focusing on the overall percentage of applications that have vulnerabilities. Instead, it looked closer at how many of those vulnerabilities were potentially critical or high-risk. More than half of the vulnerabilities Edgescan found on internal systems were rated as critical or high risk.
There is a strong relationship between vulnerabilities and malware that exploits them to gain access to a victim’s system, or exfiltrate data. As the authoritative 2020 Verizon Data Breach Investigations Report (DBIR) put it: “When the bad actors are not using other people’s keys against your infrastructure, they are using unpatched vulnerabilities in your web apps to gain access.”
Just to pick some examples from the DBIR, last May saw a patch issued for CVE-2019-0708, which was a weak point in the Remote Desktop Protocol better known as ‘BlueKeep’. As the 2020 Verizon Data Breach Investigations Report noted, “a hue and cry to patch so as to avoid an imminent WannaCry-like worm went hyperbolic”. The same report also recorded how the ‘Sodnikobi’ ransomware variant appeared to be spreading from unpatched Oracle WebLogic servers.
A patch in time
A good programme for patching internal applications can help to prevent security incidents even when someone in the organisation has downloaded malware by mistake. However, patching can be complex to manage if it involves a critical system. This can cause issues about how and when to take it offline to apply the patch.
Many vulnerabilities, especially the older ones, are preventable. The issues are clearly defined and patches are available for them. Where patches are not yet available or there are valid business reasons not to apply patches, a mature vulnerability management programme will identify other mitigations and security controls that can be implemented to reduce the risk posed by vulnerable systems.
To quote Francis Bacon, “knowledge is power” and this maxim holds true when it comes to managing vulnerabilities. Without knowing what vulnerabilities exist within your environment you will not know how to best protect your organisation. A robust and mature vulnerability management program provides you with that knowledge. And to return to Rumsfeld’s quote from the start of this blog, it’s a reminder to shift focus away from the unknown and dedicate time to improving knowledge of the problems – and knowing which ones to fix first.