Patch as Patch Can: All Software Is Flawed

Many IT departments have weak patching processes, especially on the client side. And it’s no wonder: patching is tough. Across all industries and platforms, the Window of Exposure (WOE), the period during which a site remains open to a known, serious vulnerability before it is fixed, averaged a whopping 233 days for web-based vulnerabilities, according to WhiteHat Security. For custom web applications there is no vendor patch to wait for; the clock runs until your own team remediates the flaw. This leaves your organization exposed for an unacceptably long period of time.

It may not be glamorous, but a meticulous patching program is necessary to prevent server- and client-side exploits. HP’s DVLabs and other research based on Open Source Vulnerability Database (OSVDB) data found that several of today’s most successfully exploited “Top Ten” vulnerabilities were discovered, and patched, in the mid-2000s. Yet attackers continue to exploit them, because a patch that was released is not the same as a patch that was deployed. Can you say with certainty that none of those vulnerabilities linger in your organization? How do you know? Unless the answer is an inventory that ties every host to its installed patch level, you don’t.

Not every software publisher releases patches promptly, but the two vendors most religious about patching are Microsoft and Adobe. That does not keep them off the list: because their products sit on nearly every desktop, they still account for the majority of client-side vulnerabilities that attackers target, with the Office suite and Adobe Flash Player and Reader topping the list.

Even if you have the world’s best patching process, your organization must strictly enforce policies to prevent re-introduction of vulnerabilities into your environment.

Case in point is Conficker, which has infected millions of unpatched systems since 2008. Three years after Microsoft issued the patch (MS08-067) for the flaw it exploits, the worm is still the most commonly encountered piece of malicious software, representing 15% of all infection attempts seen by Sophos customers in the last six months.

What’s happening is that plenty of infected PCs are spreading the contagion because too many of us are not patching. Apply patches consistently and you close the hole the worm exploits; note, though, that Conficker also spreads through weak administrator passwords on network shares and through AutoRun on removable media, so patching alone is not the whole answer. Meanwhile, the constant noise of Conficker rebounding off network defenses is hiding some of the quieter and more targeted threats.

“By the end of 2011, Conficker was still the largest network threat in the world,” says the most recent Sophos Security Threat Report.

Hand Microsoft credit for taking responsibility and for its transparency. In its own TechNet blog, the company admits without an iota of ambiguity that “software itself is never completely secure.”

It makes a case we have all heard before but that is worth repeating: security management is a strategy and must be pursued persistently. There is no complete solution and the work is never finished. There is no gauge that tells you your network or systems are now secure. And it doesn’t help to simply add more products to the stack.

Kaspersky Lab researchers, writing on SecureList, put the average PC at no fewer than 12 vulnerabilities at any given time. No matter how well your organization manages patching, particularly on the client side, and enforces policies, you are likely to see common vulnerabilities reintroduced into your IT environment: a rebuilt machine, a restored image, or a fresh install that predates the patch. You are never totally secure. There is never a point when you can say the infrastructure is secure and walk away. The TechNet post asks, “Why can’t you be 100% secure?” and gives the following reasons:

  • Because people are involved
  • Because users make mistakes
  • Because administrators also make mistakes
  • Because systems don’t always get updated when they should
  • Because software itself is never completely secure

This is a fundamental concept that needs to be understood. There are too many variables and too many dependencies. The take-away lesson here is this: a false sense of security can be your worst enemy.

By Michelle Drolet, founder and CEO, Towerwall

This article was recently published in SYS-CON Media

Beware the wild west of Web applications

Web applications – particularly those facilitating collaboration and communication – are a boon to sales, marketing and productivity. Teams work together more effectively, salespeople enjoy better leads and marketing tools and customer service reps can more closely connect with those they serve.

All of these gains, though, come at a cost: risk. By their very nature, Web applications bypass many enterprise security controls. They ride over HTTP and HTTPS, which the perimeter firewall must allow, and they are designed to enable communication, not security. A paper by Sophos reported one new Web threat every 4.5 seconds. Its researchers found an average of 19,000 new malicious URLs daily in the first half of 2011, with 80 percent of those URLs pointing to legitimate sites that had been hacked or otherwise compromised.

Recent data from the Open Source Vulnerability Database (OSVDB) show that the number of new vulnerabilities disclosed decreased significantly during the first half of 2011. At first glance, this may look like good news. But hold on. It is the number of disclosures of new vulnerabilities, not the number of vulnerabilities, that has decreased. A distinction without a difference? Unfortunately, no: an undisclosed vulnerability is still exploitable, and the already disclosed ones have not gone away.

Despite the decrease in disclosures of new vulnerabilities, websites of organizations of all types and sizes are still teeming with existing vulnerabilities, and remain open to potentially devastating attacks.

Worse yet, the attack data tell the opposite story. According to HP DVLabs, whose analysis draws on OSVDB data, the number of attacks on Web applications is “ten times the number of vulnerabilities being reported.”

Sophos’ mid-2011 security threat report stated, “Two of the most common and effective attack methods used are cross-site scripting and SQL injection.”  The bad guys even sell packaged exploit toolkits – complete with how-to user guides – enabling the least technical of cybercrooks to get up to speed on doing no good.
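The two attack methods Sophos names above both come down to the same mistake: untrusted input spliced into something that is later interpreted, whether a SQL statement or an HTML page. The following is an added example, not code from the original article or from Sophos; it uses Python’s standard-library sqlite3 and html modules, a constructed in-memory users table, and made-up attacker inputs to show a vulnerable lookup and a vulnerable page fragment next to their hardened forms.

```python
import html
import sqlite3

# Constructed sample data: a toy users table built in memory so the
# example runs offline. Rows and attacker inputs are made up.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # SQL injection: the input is pasted into the SQL text, so a quote
    # in the input changes the structure of the query itself.
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # Hardened: the value is bound as a parameter; the driver never lets
    # it alter the statement, so quotes are just data.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(name):
    # Cross-site scripting: untrusted text is dropped straight into HTML,
    # so tags in the input become markup the browser executes.
    return "<p>Hello, %s</p>" % name


def render_safe(name):
    # Hardened: HTML metacharacters are encoded for the HTML text context,
    # so the browser renders the input as literal text.
    return "<p>Hello, %s</p>" % html.escape(name, quote=True)


SQLI_PAYLOAD = "' OR '1'='1"                 # constructed attacker input
XSS_PAYLOAD = "<script>alert(1)</script>"    # constructed attacker input


def demo():
    """Run both payloads through the vulnerable and hardened paths."""
    conn = build_db()
    results = {
        # The tautology turns WHERE username = '' OR '1'='1' into "all rows".
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, SQLI_PAYLOAD)),
        # Bound as data, the same string matches no username.
        "sqli_safe_rows": len(lookup_safe(conn, SQLI_PAYLOAD)),
        "xss_vulnerable": render_vulnerable(XSS_PAYLOAD),
        "xss_safe": render_safe(XSS_PAYLOAD),
    }
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The vulnerable lookup returns every row in the table for the tautology payload, while the parameterized version returns none; the vulnerable renderer emits a live script tag, while the escaped version emits text. These are exactly the two classes of flaw a web application scanner probes for, and parameterized queries plus context-appropriate output encoding are the standard fixes.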

Attackers don’t need to develop new Web-based attack methods, yet many have been added to the arsenal in recent years, in part to take advantage of the larger attack surface.
Among the newer methods are SEO poisoning, drive-by downloads, malware hidden behind URL shorteners, and countless scams that exploit social network “oversharing,” or simply the opportunities presented by the sheer number of active users (witness Facebook’s 800 million members). Even the least capable hacker can succeed when targeting such a huge pool of potential victims.

The Web is also a haven for geopolitical attacks. Two recent examples are “hacktivism,” illustrated by the cascade of denial-of-service attacks related to WikiLeaks, and cyber-warfare, the use of IT attacks to wage war between nation-states. Cyber-warfare is behind Stuxnet, considered the first malware to target programmable logic controllers, which was aimed at sabotaging the centrifuges at Iran’s Natanz uranium enrichment facility in 2010. The worm is still circulating; Symantec noted that about 60 percent of the world’s infected computers are in Iran. Kaspersky and F-Secure also studied the worm and concluded that its sophistication could only be the work of nation-states. (Israel and the US are not above suspicion.) Your average web app need not worry about Stuxnet.

Small wonder that Iran is moving to cut the whole country off from the global Internet, starting with blocking Google, Yahoo and Hotmail, and replacing it with a government-controlled national intranet. “All internet service providers must only provide national internet by August 2012,” said Reza Taghipour, Iran’s Communication Minister, who described the goal as wanting “to provide clean and filtered internet services to the country.” Good luck!

Recall the Sophos finding above: of the roughly 19,000 newly malicious URLs found each day, more than 80 percent belonged to legitimate organizations whose websites had been hacked. Those are ordinary businesses, not shady domains, and any one of them could be yours.

Do you know whether your organization’s Web applications contain easy-to-exploit vulnerabilities? Probably not. And if you do, what can you do about it? Most likely the only way out of this mess is regular, ongoing vulnerability scanning and application penetration testing: scanning to catch the known classes of flaw quickly and repeatedly, and penetration testing to find the logic and configuration errors a scanner cannot.

By Michelle Drolet, founder and CEO, Towerwall

This article was recently published in Mass High Tech