Vulnerability Management
Security patches are typically intended to eliminate a known vulnerability. Organizations are constantly patching desktops, servers, network devices, telephony devices, and other information systems. The likelihood of an organization having fully patched every system is low. While unpatched systems may be known, it is also common to have systems with failed patches. The most common cause of failed patches is failing to reboot after deploying a patch that requires one.
It is also common to find systems missing a patch that the organization did not know was needed. Vulnerability scanning is a way to discover poor configurations and missing patches in an environment. While it might seem obvious, it bears mentioning that vulnerability scanning devices are only capable of discovering the existence of known vulnerabilities. Though discovering missing patches is the most significant feature provided by vulnerability scanning devices or software, some are also capable of discovering vulnerabilities associated with poor configurations.
The term vulnerability management is used rather than just vulnerability scanning to emphasize the need for management of the vulnerability information. Many organizations are initially a bit overzealous with their vulnerability scanning and want to continuously enumerate all vulnerabilities within the enterprise. There is limited value in simply listing thousands of vulnerabilities unless there is also a process that attends to the prioritization and remediation of these vulnerabilities. The remediation or mitigation of vulnerabilities should be prioritized based on both risk to the organization and ease of remediation procedures.
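The following is an added example, not code from the book or from any scanner product, of the management step the text calls for: taking raw scan findings and ranking them by risk to the organization and ease of remediation, and flagging findings that persist after a patch was deployed (the failed-patch case, most often a missing reboot). The hosts, vulnerability identifiers, severity numbers, exposure and ease weights, and scan date are all constructed assumptions.

```python
"""Turn raw vulnerability-scan output into a prioritised remediation queue.

Added example, not code from the book or any scanner vendor. The
findings, CVSS-style severity numbers, exposure and ease weights and
the scan date are constructed assumptions used to illustrate ranking
by risk and ease of remediation as the text describes.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Multiplier on severity for where the host sits (assumed values).
EXPOSURE_WEIGHT = {"internet": 1.5, "internal": 1.0}

# Ease of remediation, higher = cheaper to fix (assumed values):
# a pending reboot is nearly free, a config change is cheap,
# a fresh patch needs testing and a change window.
EASE_WEIGHT = {"reboot": 1.0, "config": 0.7, "patch": 0.5}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                            # scanner identifier (constructed)
    severity: float                         # CVSS-style base score, 0.0 to 10.0
    exposure: str                           # key of EXPOSURE_WEIGHT
    remediation: str                        # "patch" or "config" as reported
    patch_deployed: Optional[date] = None   # date a fix was pushed, if any


def is_failed_patch(f: Finding, scan_date: date) -> bool:
    """A patch was pushed before this scan, yet the scanner still reports
    the vulnerability: treat it as a failed patch (commonly a missing reboot)."""
    return f.patch_deployed is not None and f.patch_deployed < scan_date


def risk(f: Finding) -> float:
    """Risk to the organisation: severity scaled by exposure."""
    return f.severity * EXPOSURE_WEIGHT[f.exposure]


def ease(f: Finding, scan_date: date) -> float:
    """A failed patch is already staged on the host, so completing it
    (usually a reboot) is the cheapest remediation available."""
    if is_failed_patch(f, scan_date):
        return EASE_WEIGHT["reboot"]
    return EASE_WEIGHT[f.remediation]


def priority(f: Finding, scan_date: date) -> float:
    """Rank = risk x ease, so high-risk, easy-to-fix items float to the top."""
    return risk(f) * ease(f, scan_date)


def prioritize(findings: List[Finding], scan_date: date
               ) -> List[Tuple[str, str, float, bool]]:
    """Return (host, vuln_id, priority, failed_patch) sorted highest first."""
    rows = [(f.host, f.vuln_id, priority(f, scan_date),
             is_failed_patch(f, scan_date)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def remediation_queue(findings: List[Finding], scan_date: date,
                      limit: int) -> List[Tuple[str, str, float, bool]]:
    """The top-N items the team will actually work this cycle, rather than
    the full list of everything the scanner enumerated."""
    return prioritize(findings, scan_date)[:limit]


# Constructed sample findings from a scan run on the assumed scan date.
SCAN_DATE = date(2024, 3, 10)
FINDINGS = [
    Finding("web01", "VULN-0001", 9.8, "internet", "patch"),
    Finding("db01",  "VULN-0002", 7.5, "internal", "patch", date(2024, 3, 1)),
    Finding("ws17",  "VULN-0003", 4.3, "internal", "config"),
    Finding("vpn01", "VULN-0004", 6.5, "internet", "config"),
]

if __name__ == "__main__":
    for host, vid, score, failed in prioritize(FINDINGS, SCAN_DATE):
        flag = "  <- failed patch, check for pending reboot" if failed else ""
        print(f"{score:5.2f}  {host:6} {vid}{flag}")
```

Run as a script it prints the queue with db01 first: its patch was deployed nine days before the scan and the scanner still reports the vulnerability, so it is flagged as a failed patch and ranked above the internet-facing web01 because finishing an already-staged patch is cheaper than rolling out a new one. The weights are deliberately simple placeholders; the point is that a scan only becomes vulnerability management once some such prioritization feeds a remediation process.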
Zero-Day Vulnerabilities and Zero-Day Exploits
Organizations intend to patch vulnerabilities before an attacker exploits them. As patches are released, attackers begin trying to reverse engineer exploits for the now-known patched vulnerability. This process of developing an exploit to fit a patched vulnerability has been occurring for quite some time, but what is changing is the typical time-to-development of an exploit. The average window of time between a patch being released and an associated exploit being made public is decreasing. Research now suggests that for some vulnerabilities, an exploit can be created within minutes based simply on the availability of the unpatched and patched program[^11].
In addition to attackers reverse engineering security patches to develop exploits, it is also possible for an attacker to discover a vulnerability before the vendor has developed a patch, or even before the vendor has been made aware of the vulnerability by internal or external security researchers. The term for a vulnerability that is known before a patch exists is “zero-day vulnerability.” Zero-day vulnerabilities, also commonly written 0-day, are becoming increasingly important as attackers become more skilled at discovery, and, more importantly, as the discovery and disclosure of zero-day vulnerabilities is monetized. A zero-day exploit, as distinct from a zero-day vulnerability, refers to the existence of exploit code for a vulnerability that has yet to be patched.