Every day, organizations receive a flood of news about recently released computer viruses and worms without a clear explanation of how their networks will be directly affected. Successful defenses against network vulnerabilities require a good understanding of the nature of the risk they pose.
My research, The Laws of Vulnerabilities, reveals four characteristics of vulnerabilities on network perimeters and internal networks, based on a statistical analysis of millions of occurrences worldwide.
As part of this research, 3.83 million network vulnerabilities were analyzed during a recent 30-month period. The data was a statistically valid sample drawn from 6.6 million network scans conducted by global enterprise organizations, as well as random internet users that were auditing security for network perimeters and intranets.
Data was anonymously drawn from the largest collection of vulnerabilities in the real world – the database for the QualysGuard vulnerability management service. The database contains signatures for more than 3,800 vulnerabilities, standardized against CVE, CERT, SANS20 and other sources.
All the vulnerability data collected is anonymous and cannot be correlated to any user, system, organization or location. The statistical analysis identified the window of exposure, lifespan of critical vulnerabilities, resolution response, trends over time and the vulnerability prevalence.
The 'half-life' of vulnerabilities
The half-life of vulnerabilities is the time it takes enterprises to remedy half of their vulnerable systems. During the past year, the half-life of internet-facing vulnerabilities has dropped from 30 to 21 days – a reduction of 30 percent. This is very encouraging, and demonstrates that defenses against external vulnerabilities are improving.
Conversely, analysis of vulnerabilities inside organizations' firewalls found the half-life almost 200 percent longer, at 62 days. Recent worms and automated attacks took advantage of this window of exposure to target internal networks.
Durations of attack potential via internal networks thus represents a serious weakness and requires targeted defenses to assess and reduce risks.
So what exactly is 'prevalence'?
Prevalence is the degree to which vulnerabilities pose significant risks and is one of the indicators for the likelihood of widespread, versus limited, attacks. And it differs for internal and external networks.
Due to unique threat profiles, the most prevalent and critical vulnerabilities for internal networks are different from those threatening external networks. Our research indicates that half of the most prevalent and critical vulnerabilities are replaced by new vulnerabilities each year. Network security teams should correspondingly prioritize their remediation efforts based on asset value and vulnerability prevalence.
The persistence of some threats
The data shows that critical vulnerabilities and their variants predictably recur and pose an ongoing threat to internal and external networks. This issue may largely be our own fault, however, with re-infection caused by the deployment of new systems and servers with images of faulty, un-patched system and/or application software.
The graph (above) demonstrates the re-infection patterns for three major worms – Sasser, Nachi and Blaster – between March and June 2004.
The shrinking exploitation cycle
Recent automated attacks shrank the time-to-exploit window from months down to days. According to our analysis, 80 percent of worms and automated attacks target the first two half-life periods of critical vulnerabilities.
The rapid availability of exploits creates significant exposure for organizations until they remedy their critical systems. The most forceful scenario so far has been the Witty worm, which struck about 12,000 computers running firewalls from Internet Security Systems on March 19, 2004.
Witty reached its peak after about 45 minutes, when it had infected most of the vulnerable hosts. According to analysis at the time, Witty earned several exploitation "firsts" – a widespread, destructive payload; the way it spread in an organized manner with more ground-zero hosts; the shortest interval between vulnerability disclosure and worm release; and the way it attacked only hosts running security software.
Finally, it proved that applications in a niche market are just as vulnerable as those from a software monopoly.
How using the Laws can thwart attacks
The Laws can guide vulnerability management and remediation, helping CIOs, chief security officers, network and IT managers, and security specialists to strengthen and prioritize the protection of internal and external networks. So what is the best way to put them into practice?
The first area is education and awareness. Providing your users with actionable information about threats and remedies is a crucial success factor.
Second, hold regular audits of security systems. New automated audit solutions discover everything that might be susceptible to attack, identify and prioritize vulnerabilities, and provide appropriate remedies.
Next, keep anti-virus software up-to-date. New signatures are required on a continuous basis to ensure protection from ever-changing threats.
Also important is timely patch management. This critical process often requires manual support with automated solutions to remedy systems in need of urgent care.
Another crucial practice is the implementation of real-time threat prevention. Firewalls and intrusion prevention systems can help stop attacks before penetration.
And finally, ensure an ongoing evaluation of security policy . Trend analysis provides data for enforcing policy and ensures that security systems help meet the ever-changing nature of attacks.
In summary, network security attacks are increasing in both number and in sophistication.
The Laws of Vulnerabilities demonstrate four classes of risk to internal and external networks. The timely and complete detection of security vulnerabilities with automated techniques and prioritized application of remedies is the most effective preventive measure security managers can use to thwart automated attacks and preserve their network security.
Gerhard Eschelbeck is the chief technology officer and vice-president of engineering for Qualys, Inc.
