Most companies use vulnerability scanning software to interrogate their computer assets. The theory is that you run the scanner, get a ranked list of vulnerabilities on each computer, and fix them, making your company harder to hack.
Ah, but theory rarely ends up becoming practice. Every company I visit ends up compiling a huge list of vulnerabilities, then mostly not doing anything about them. I routinely see companies with tens of thousands of outstanding vulnerabilities. Last month I ran into a company that had more than a million.
Why do most companies seem content with simply discovering and cataloging the vulnerabilities, rather than also fixing them? Certainly the sheer number must be overwhelming. I mean, when every computer in your environment has dozens to hundreds of vulnerabilities, where do you start?
Take it from the top
I can answer that question: Resolve the highest-risk, most critical vulnerabilities first. Start with your most critical servers and admin users’ computers, then move on to the less critical computers and users. This assumes you have an accurate inventory of your computer environment, a list of your most critical applications, and a deep understanding of their dependencies.
For example, your HR system may be critical, but what else does it take to support it? Today, most systems require network equipment, interfaces, DNS, maybe Active Directory, and other infrastructure support services. Critical user workstations would include not only network and infrastructure admins, but elevated users of the HR system.
If you do a really good analysis of your business-critical systems and all their dependencies, you may discover that 40 percent or more of your systems qualify as critical. Critical systems should not contain critical vulnerabilities, right?
Of course, not all “critical” rankings are equal. Most vulnerability scanning programs rank vulnerabilities either with simple descriptors (low, medium, high, critical) or with a numeric scoring system. One of the best known of the latter is the Common Vulnerability Scoring System, which ranks vulnerabilities from low (0.0) to high (10.0). I especially like rating systems that include factors such as the effort needed to fix and whether the exploit is actively used in the wild.
Cleaning up the neighborhood
Regardless of a third party's thoughts on what is or isn’t critical, what really counts is the susceptibility of your environment to exploitation of the vulnerability and whether or not it has been used against you successfully in the past. Your line of business and/or infrastructure may have special characteristics that minimize or elevate a particular vulnerability in your environment.
Plus, vulnerability scanners frequently report every vulnerability, regardless of whether the software exhibiting that vulnerability is being actively used. I often find software that not only hasn't been run in years, but is unlikely to be run again ever. Most vulnerability scanners don't make that distinction, though it's critical.
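Here is an added illustration of that ordering in Python (my example, not code from the article): it treats an asset as critical when a critical system depends on it, drops findings in software nothing runs, and ranks what remains by CVSS with assumed bonuses for critical assets and exploits seen in the wild. The inventory, weights and scanner findings are all constructed.

```python
from dataclasses import dataclass
# Constructed inventory: business-critical flag plus what each asset needs to work.
ASSETS = {
    "hr-app":   {"critical": True,  "depends_on": ["hr-db", "dns", "ad"]},
    "hr-db":    {"critical": False, "depends_on": ["dns"]},
    "dns":      {"critical": False, "depends_on": []},
    "ad":       {"critical": False, "depends_on": ["dns"]},
    "kiosk-07": {"critical": False, "depends_on": []},
}
CRITICAL_ASSET_BONUS = 5.0  # assumed weights, not from the article
EXPLOITED_BONUS = 3.0

@dataclass
class Finding:
    asset: str
    software: str
    cvss: float              # scanner's 0.0-10.0 base score
    exploited_in_wild: bool  # threat intel says the bug is being used
    software_in_use: bool    # does anything on the box actually run it?

def critical_assets(assets):
    """Assets marked critical plus everything they transitively depend on."""
    crit, stack = set(), [n for n, a in assets.items() if a["critical"]]
    while stack:
        name = stack.pop()
        if name not in crit:
            crit.add(name)
            stack.extend(assets[name]["depends_on"])
    return crit

def priority(finding, crit):
    score = finding.cvss  # CVSS first, then pull critical/exploited findings ahead
    if finding.asset in crit:
        score += CRITICAL_ASSET_BONUS
    if finding.exploited_in_wild:
        score += EXPLOITED_BONUS
    return score

def prioritise(findings, assets):
    """Drop findings in software nobody runs, then rank the rest, worst first."""
    crit = critical_assets(assets)
    live = [f for f in findings if f.software_in_use]
    return sorted(live, key=lambda f: priority(f, crit), reverse=True)

FINDINGS = [  # constructed scanner output for the demo
    Finding("kiosk-07", "legacy-pdf-reader", 9.8, True, False),  # never run
    Finding("kiosk-07", "browser", 9.8, True, True),
    Finding("dns", "resolver", 9.0, False, True),  # critical by dependency
    Finding("hr-app", "web-framework", 7.5, True, True),
]
```

Note that the DNS finding outranks the kiosk browser despite a lower CVSS, purely because the HR system depends on DNS, and the highest-scored finding of all never makes the list because the program is not in use.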
Keep in mind that even the best vulnerability scanning software isn't all that accurate. I know I’ll get email from vendors for saying this, but vulnerability scanners are less reliable than horribly unreliable antimalware software. Whenever I run behind a vulnerability scanner to manually assess systems, I always find 50 percent more vulnerabilities.
It's not the vulnerability scanner's fault. It can only look for what it's been coded to look for, and computers are notoriously complex. A decent forensics investigator or hacker can find items that a vulnerability scanner misses -- a funny filename in a weird place, software that shouldn't be there, a list of passwords, and so on -- that leads to a breadcrumb trail that only the human mind can follow.
In general, most vulnerability scanning is horrible at finding unpatched software. Some of the best patch management software programs can detect tens of thousands of different programs. The best vulnerability scanners look for something like a few hundred programs.
Focus on vulnerabilities that will give hackers a foothold in your environment. Too many people obsess over what the bad guys do once they already have the keys to the kingdom. Are they going to steal network credentials? Are they going to plant keylogging malware? Are they going to steal critical information?
Once the bad guys are in and gain elevated privileges, it's essentially game over. Focus instead on stopping intruders from obtaining elevated credentials on your network in the first place.
This raises another warning: Some vulnerabilities -- ignorant users, for example -- will never be found by vulnerability scanning software. Most companies tell me their environments are most commonly exploited by unpatched software and social engineering. While you're getting rid of vulnerable software, don't forget to bulk up your users with security training.
Don’t simply sit there with a list of thousands or millions of vulnerabilities that you’ll figure out how to correct someday. Without plugging the worst of them, you can’t secure your environment.
Of course, everyone responsible for running vulnerability scanning software already knows this. I'm preaching to the choir. I realize it’s not you -- it’s management that doesn't get it. Send them a link to this article with my blessing.