Qualys Blog

Overwhelmed by Security Vulnerabilities? Here’s How to Prioritize

In our second installment of the Qualys Top 10 Tips for a Secure & Compliant 2017 blog series, we tackle the bane of many InfoSec teams: Deciding which vulnerabilities to remediate first.

Thousands of new vulnerabilities are disclosed every year, so knowing which ones must be immediately patched or mitigated has become a major challenge for InfoSec teams everywhere.

No security team has the resources to patch every single one, and even if they did, they’d still need to identify and address the most critical ones first. Why? Because not all vulnerabilities are created equal. Some are trivial, while others can be disastrous. Pinpointing the software that must be patched with the greatest urgency is essential.

Unfortunately, many organizations lack a precise, strategic, automated and systematic process for prioritizing their vulnerability remediation work. As a result, attackers constantly exploit Common Vulnerabilities and Exposures (CVEs) for which patches have been available for weeks, months and even years.

In its 2015 Data Breach Investigation Report, Verizon found that almost all of the vulnerabilities exploited in 2014 had been disclosed more than a year earlier.

Clearly organizations have a prime opportunity to slash their risk of breaches through an effective vulnerability prioritization program — ideally, one that ranks vulnerabilities based on their risk to the organization, and prioritizes their remediation accordingly.

A Snapshot into the Current State of Vulnerability Prioritization

SANS Institute’s second annual survey on continuous monitoring (CM) programs — titled “Reducing Attack Surface” and published Nov. 2016 — shows there is plenty of room for improvement in organizations’ vulnerability prioritization and remediation efforts.

The study, which polled organizations of all sizes and from most industries, found that only 12% described their vulnerability ranking process as “fully automated,” while another 43% called theirs partially automated.

Meanwhile, only 7.5% called their remediation process “very effective” — meaning that their processes “include automated prioritization and workflow to ensure vulnerabilities are repaired or shored up” securely across systems, and that repairs are maintained.

Another 54% rated their remediation process “effective enough,” which means they manage to keep attackers out, but are in need of more repair status visibility and of more workflow automation. The remaining 37% know what they need to repair but face limitations in follow-through, budgets, staff and tools, including automation.

With regards to the time it takes organizations to remediate, 68% of respondents said they’re able to repair, patch or mitigate critical vulnerabilities in under a month.

While this is up from 54% in 2015, the ideal is to fix critical vulnerabilities in one day, because risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer. Among respondents, 10% reported being able to remediate critical vulnerabilities in 24 hours or less.

Another area of concern: fewer than 6% of respondents were able to remediate all critical vulnerabilities in their IT environments.

Taming the Vulnerability Overload

Key to properly prioritizing remediation work is the ability to correlate vulnerability disclosures with the organization’s IT asset inventory. To do this, you naturally need a comprehensive and searchable inventory of your IT assets and a complete log of vulnerability disclosures. Both elements need to be continuously updated.

This way, you’ll be able to “connect the dots” and obtain a clear picture of the vulnerabilities that exist in each IT asset.

Then you must delve deeper and weigh more granular criteria about both the impacted IT assets and their vulnerabilities, as recommended in the Center for Internet Security (CIS) Critical Controls Section 4.8, which reads: “Establish a process to risk-rate vulnerabilities based on the exploitability and potential impact of the vulnerability, and segmented by appropriate groups of assets (example, DMZ servers, internal network servers, desktops, laptops).”

The CIS document goes on to recommend applying patches for the riskiest vulnerabilities first, minimizing impact to the organization with a phased rollout and establishing expected patching timelines based on the risk rating level.

For example, with regards to IT assets, you should factor in things like:

  • the importance of the role they play in critical business operations
  • their level of interconnectedness with other assets in your IT environment
  • the level of exposure to the internet via web and mobile apps
  • the size and nature of their user base

Regarding vulnerabilities, take into account whether they:

  • Are “zero day” flaws, i.e. disclosed before a vendor patch is available
  • Are being actively exploited in the wild
  • Represent a big threat for data integrity and data protection
  • Can lead to “lateral movement” attacks on other systems after the initial breach
  • Are a conduit for DDoS attacks

Out of this type of in-depth analysis will emerge a clear picture of your threat landscape, and based on it, you’ll be able to come up with an accurate remediation plan.

Obviously, these assessments of IT assets and vulnerabilities must be automated, so that they can be conducted continuously. This is necessary because, as stated earlier, new vulnerabilities are disclosed every day. But that’s not the only reason.

Often vulnerabilities disclosed months or even years earlier can suddenly become more dangerous if, for example, they are picked up by exploit kits, which put a working, automated exploit in the hands of a much larger pool of attackers.

Meanwhile, your IT asset inventory also changes frequently:

  • Hardware is added, while other hardware is decommissioned, including PCs, tablets, cell phones, servers, storage arrays, IoT sensors and networking equipment.
  • Software is removed, updated and installed, including OSes, databases, middleware, applications and firmware.
  • The business and technology roles of IT assets also change, lowering or increasing their level of importance.

In other words, the intensity and types of threats presented by the vulnerabilities in your IT environment are always shifting and changing, forcing you to reassess your remediation prioritization plan.
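The process described above, from joining the disclosure feed with the asset inventory, through the asset and vulnerability criteria and the CIS-style risk tiers with expected patching timelines, to re-scoring when an old CVE is picked up by an exploit kit, as an added worked example. This is not Qualys code and not code from the original post: the scoring weights, the SLA tiers, the asset and vulnerability records and the software identifiers are all constructed for illustration, and the CVE-XXXX-* identifiers are placeholders, not real CVEs.

```python
"""Risk-rate vulnerabilities against an asset inventory and rank remediation.

Added example, not Qualys code. Weights, SLA tiers, inventory and feed are
constructed for illustration; CVE-XXXX-* are placeholder IDs, not real CVEs.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    group: str              # segment, e.g. "dmz", "internal-server", "desktop"
    criticality: int        # 1 (low) .. 5 (runs a critical business operation)
    internet_exposed: bool  # reachable from the internet (web/mobile app, etc.)
    peer_count: int         # other assets it talks to (interconnectedness)
    users: int              # size of its user base
    installed: frozenset    # software identifiers present on the asset


@dataclass(frozen=True)
class Vuln:
    cve: str
    affects: str            # software identifier the disclosure applies to
    cvss: float             # base score, 0..10
    zero_day: bool = False
    exploited_in_wild: bool = False
    data_impact: bool = False
    lateral_movement: bool = False
    ddos_conduit: bool = False


def asset_weight(a: Asset) -> float:
    """How much a flaw on this asset matters: ~0.2 (isolated, low value) to ~3.0."""
    w = a.criticality / 5.0
    if a.internet_exposed:
        w += 1.0
    w += min(a.peer_count, 50) / 50.0      # capped so one hub does not dominate
    w += min(a.users, 10_000) / 10_000.0
    return w


# Multiplicative bumps for the threat indicators listed in the text (assumed values).
BUMPS = (("exploited_in_wild", 1.6), ("zero_day", 1.5), ("data_impact", 1.2),
         ("lateral_movement", 1.2), ("ddos_conduit", 1.1))


def vuln_weight(v: Vuln) -> float:
    """CVSS base score scaled up by whichever threat indicators apply."""
    w = v.cvss
    for flag, factor in BUMPS:
        if getattr(v, flag):
            w *= factor
    return w


# (score threshold, expected patch deadline in days), highest tier first.
SLA_TIERS = [(30.0, 1), (15.0, 7), (0.0, 30)]


def sla_days(score: float, v: Vuln) -> int:
    days = next(d for threshold, d in SLA_TIERS if score >= threshold)
    # Floor: a flaw already exploited in the wild, or an unpatched zero-day,
    # never waits a month even on an asset that scores low on the asset side.
    if v.exploited_in_wild or v.zero_day:
        days = min(days, 7)
    return days


def correlate(assets, vulns):
    """Join the disclosure feed with the inventory: yield every (asset, vuln) pair."""
    by_software = {}
    for v in vulns:
        by_software.setdefault(v.affects, []).append(v)
    for a in assets:
        for sw in a.installed:
            for v in by_software.get(sw, []):
                yield a, v


def prioritize(assets, vulns):
    """Remediation rows, highest risk first, each with its expected patch deadline."""
    rows = []
    for a, v in correlate(assets, vulns):
        score = asset_weight(a) * vuln_weight(v)
        rows.append({"asset": a.name, "group": a.group, "cve": v.cve,
                     "score": round(score, 2), "fix_within_days": sla_days(score, v)})
    rows.sort(key=lambda r: (-r["score"], r["group"], r["cve"]))
    return rows


def mark_exploited(vulns, cve):
    """Feed update: the same CVE, now flagged as picked up by an exploit kit."""
    return [replace(v, exploited_in_wild=True) if v.cve == cve else v for v in vulns]


# Constructed inventory and disclosure feed.
ASSETS = [
    Asset("web-01", "dmz", 5, True, 20, 5000, frozenset({"openssl-1.0.1", "apache-2.4"})),
    Asset("db-01", "internal-server", 5, False, 40, 200, frozenset({"mysql-5.6", "openssl-1.0.1"})),
    Asset("laptop-17", "desktop", 2, False, 3, 1, frozenset({"flash-24"})),
]
VULNS = [
    Vuln("CVE-XXXX-0001", "openssl-1.0.1", 7.5, exploited_in_wild=True, data_impact=True),
    Vuln("CVE-XXXX-0002", "flash-24", 9.8, zero_day=True, exploited_in_wild=True, lateral_movement=True),
    Vuln("CVE-XXXX-0003", "mysql-5.6", 5.3, ddos_conduit=True),
    Vuln("CVE-XXXX-0004", "apache-2.4", 6.5),
]

if __name__ == "__main__":
    for r in prioritize(ASSETS, VULNS):
        print(f'{r["score"]:6.2f}  fix in {r["fix_within_days"]:2d}d  {r["asset"]:10s} {r["cve"]}')
    print("-- after CVE-XXXX-0004 is seen in an exploit kit --")
    for r in prioritize(ASSETS, mark_exploited(VULNS, "CVE-XXXX-0004"))[:3]:
        print(f'{r["score"]:6.2f}  fix in {r["fix_within_days"]:2d}d  {r["asset"]:10s} {r["cve"]}')
```

Two design points are worth noticing. The asset and vulnerability weights are multiplied, so the exploited flaw on the internet-facing web server lands in the one-day tier while the same CVE on the internal database server gets a week, and the zero-day on the isolated laptop does not outrank either; the deadline floor in sla_days is the check that keeps that asset weighting from ever assigning a 30-day window to something already being exploited. Running prioritize again after mark_exploited shows the "continuous" part of the text: the Apache CVE that started in the seven-day tier jumps to the one-day tier with no change to the inventory at all, only to the threat intelligence about it.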

What Success Looks Like

Advanced persistent threats, those sinister attacks that are tailored and customized for particular organizations or even individuals, receive much attention. However, organizations are more likely to be hit by automated, wholesale attacks designed to compromise known vulnerabilities that haven’t been patched.

“The tally of really old CVEs which still get exploited in 2015 suggests that the oldies are still goodies,” reads Verizon’s 2016 Data Breach Investigations Report (DBIR). “Hackers use what works and what works doesn’t seem to change all that often. Secondly, attackers automate certain weaponized vulnerabilities and spray and pray them across the internet, sometimes yielding incredible success.”

If an InfoSec team patches, remediates, and mitigates the right vulnerabilities at the right time, its organization will avoid falling prey to most cyber attacks. In a way, it’s a defense similar to immunization.

When the most dangerous and critical vulnerabilities are consistently addressed in your most important IT assets on a timely basis, your organization will be in a solid position to withstand the daily attacks from hackers seeking to exploit unpatched gaps.

We’ll continue this series next week with a trio of tips for ensuring your organization complies with external regulatory mandates, enforces internal policies and assesses the risk of doing business with vendors and other third parties.

Qualys ThreatPROTECT helps you take full control of evolving threats, so you always know which to remediate first. Start your free trial.

What’s New in SSL Labs 1.26.5 (13 Jan 2017)

Today saw another SSL Labs release, which brings several new features and includes one fix. In this blog post I will discuss what the new features are and why they’re interesting. As always, you’ll find the (recent) history of SSL Labs releases in the change log.

Five Things to Know About Qualys’ FedRAMP Authorization

The FedRAMP authorization obtained by the Qualys Cloud Platform was one of Qualys’ significant achievements in 2016. Why is that, you may be asking? Here we explain five reasons why the FedRAMP (Federal Risk and Authorization Management Program) approval is important for Qualys customers and partners. (And we explain what FedRAMP is!)

January 2017 Patch Tuesday Video Highlights

Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Microsoft released three security updates for Office, Edge and LSASS.

Adobe Security Update for January: Flash and Acrobat Fixed

Adobe started 2017 with release of two security bulletins – one for Flash and the other for Acrobat and Reader. Since Flash vulnerabilities have a high potential of being weaponized in exploit kits, organizations should apply both the updates as soon as possible. A total of 13 vulnerabilities were fixed in the Flash update, while 29 were fixed in the Acrobat and Reader. If unpatched, flaws in both the bulletins can potentially allow attackers to take complete control of the affected system.

Microsoft Starts 2017 with Record Low Security Updates

Happy New Year! In the first Patch Tuesday of 2017 Microsoft fixed only 3 vulnerabilities, which makes it one of the smallest patch months ever. Patches were released for Microsoft Office, the Edge browser and LSASS. It’s an unusually small patch update and will definitely make system administrators happy. It is worth noting that starting next month Microsoft will scrap the existing system where users get a document each month in favor of a new ‘single destination for security vulnerability information’ called the Security Updates Guide. The new security portal is driven by an online database, and instead of having to browse through an index of documents, users can sort, search, and filter the database to find details about a specific security bulletin and its associated updates.

Hackers Are Having a Field Day with Stolen Credentials

Login credentials have always been a weak link in cybersecurity’s protection chain, a situation that’s worsening. However, this trend could be reversed with a bit of effort from end users, website owners and software vendors.

2016: The Year of Stolen Credentials

Hackers made hay of the sorry state of credential security in 2016. They stole millions of username and password combinations from online services of all shapes and sizes. Blogs and discussion forums were hit particularly hard.

Exploiting credentials is an old attack vector that still works wonders for hackers. In its 2016 Data Breach Investigations Report (DBIR), Verizon added a section about credentials, revealing that 63% of data breaches involved weak, default or stolen passwords.

“This statistic drives our recommendation that this is a bar worth raising,” reads the report.

Information Security and Compliance: New Year’s Resolutions You Can Keep

A new year has started, giving InfoSec professionals the perfect opportunity to evaluate what’s working and what’s not in their organizations, and, filled with that early-January optimism, set out to do better.

In that spirit of improvement and renewal, Qualys is kicking off today a blog series that outlines helpful tips — not just flimsy resolutions — for ensuring data security and compliance throughout the year.

In this initial post, we’ll discuss the first three of the Qualys Top 10 Tips for a Secure & Compliant 2017, addressing the importance of IT asset visibility, proper management of vulnerabilities, and continuous monitoring.

Office Depot Extends the Value of Cloud-based Security via Qualys APIs

When Office Depot went looking for a new vulnerability management system, it picked Qualys’ for several reasons, including the variety and capabilities of its application programming interfaces (APIs). This was the topic of a recent talk by Office Depot Director of Global Information Security Jon Scheidell.

Since deploying Qualys Vulnerability Management (VM) about three years ago, the office supply chain has made ample and effective use of Qualys APIs in ways that have helped improve its overall security posture and its business operations.

“They’re one of the security vendors that does a better job of not only creating APIs for different features but also documenting them very, very well,” Scheidell said during a recent presentation at the Black Hat USA 2016 conference.

Qualys has always prioritized the extensibility of its platform via APIs, starting in the early 2000s with the release of its first product, and it has intensified its API efforts in the last four or five years.

Today, almost all of the major functions of the Qualys Cloud Platform are accessible to third party developers via APIs. In addition to Vulnerability Management, Qualys offers complete API sets for Web Application Scanning, Web Application Firewall, Policy Compliance, Continuous Monitoring, Malware Detection and the platform’s underlying asset management and tagging functionality.

What You Need to Know About the Upcoming Leap Second

The U.S. Naval Observatory announced on July 6, 2016 that a leap second will be added to official timekeeping on December 31, 2016 at 23 hours, 59 minutes and 59 seconds Coordinated Universal Time (UTC). This corresponds to 6:59:59 pm Eastern Standard Time, when the extra second will be inserted at the U.S. Naval Observatory’s Master Clock Facility in Washington, DC.

Qualys has completed our assessment of the Qualys Cloud Platform and its sensors (scanners), and we do not expect any impact or adverse effect. In the time since Qualys was founded in 1999, there have been leap seconds in 2005, 2008, 2012 and 2015, all with no reported impact to Qualys systems or customers.
