Patching Holes

Fixing network vulnerabilities can be easier than you think.

For years, information security managers have operated under this rule of thumb: Holes in systems, the unintentional errors in the underlying code or configurations that allow viruses, malware, worms and hackers into a network, present the biggest security problem. At least 95 percent of all network intrusions and downtime are the result of these mostly known vulnerabilities.

That makes security management fairly straightforward. If security managers kept on top of which security holes had been found and applied the patches released to plug them, their networks would be almost entirely inoculated against unwanted intrusions.

Unfortunately, that's not the case anymore, according to Alan Paller, director of research at the SANS Institute in Bethesda, Md., which provides cybersecurity training and manages the Internet Storm Center tracking threat trends. While known vulnerabilities remain a major concern, two other threats have increased at a pace that makes them a high risk for networks as well.

One is so-called spear phishing, in which a hacker tricks employees, usually through an e-mail message, into providing personal information either about themselves or about other employees, including top executives. The cyberthief then uses that information to create a false identity or to gain access to online accounts. The other threat is called unvalidated input, or a lack of input checking, in which a hacker embeds a command in a string of characters typed into a form field (say, one asking for your name) to obtain personal information. The command tricks the underlying database into returning its entire list of names and personal information. These two attacks have become so common that they now account for two-thirds of all cyberattacks, Paller estimates. The traditional security flaw of not patching systems on a routine basis accounts for the other third.

By focusing on these three kinds of cyberattacks, security experts say organizations can eliminate just about all of their security problems.

How to Patch

Like any other thief, a cyberthief looks for the easiest way in. That means looking for vulnerabilities in programs and hardware, many of which are easily found on the Internet. Hackers move from organization to organization looking for the one system that hasn't been patched.

By creating a patch management process in your organization, you can dramatically improve the security of your systems. It sounds easy, but apparently it's not. Less than half of all organizations worldwide have a process in place that IT executives follow routinely to keep systems and programs patched against the latest vulnerabilities, according to a 2006 survey conducted by CIO magazine and management consultant PricewaterhouseCoopers. Even fewer government agencies have created such a process; less than 40 percent of all public sector IT managers say they follow a patch management process.

Why don't more IT managers follow what is arguably one of the best ways to keep viruses, malware and hackers out of their systems? Because it takes a lot of time. Even when the system is patched, new code can create errors, which take even more time to fix.

Lack of time is becoming less of an excuse because information is easier to come by. The National Institute of Standards and Technology's National Vulnerability Database, a repository of all known vulnerabilities and how to fix them, contains almost 25,000 known vulnerabilities collected from the Common Vulnerabilities and Exposures dictionary, which is managed by the technology nonprofit Mitre Corp. in McLean, Va., and funded by the Homeland Security Department. The dictionary lists all known security holes in computer systems. When a new security hole is discovered in a computer system, Mitre assigns it a number, writes a short description and posts it on its CVE Web site. Within hours, typically, it appears on the National Vulnerability Database. Within a day or two, NIST posts links to how to fix the vulnerability.

In a typical week, Mitre alerts NIST to 100 to 150 vulnerabilities. With that many to check into, it's no wonder most system administrators avoid creating a patch management process. But security experts also offer ways to manage the long list of holes by providing help in focusing on those that can cause the most damage and that are most pertinent to your infrastructure.

Rating Threats

First, NIST and Mitre assign each vulnerability a score from 1 to 10 on the Common Vulnerability Scoring System. The higher the score (the most severe have a score of seven or higher), the greater the chance the vulnerability will create havoc and put data at risk. Focus on those vulnerabilities that are the most severe, says Robert Martin, principal engineer at Mitre.

You can refine that list even more. The National Vulnerability Database Web site allows users to add their own network characteristics so that the scores reflect the threat to their specific systems. For example, you can rate how much data you are at risk of losing or how much damage could occur to your systems if the weakness is exploited: low (light loss), medium (significant loss) or high (catastrophic loss). Do this evaluation for all vulnerabilities that are appropriate to your network and you can create a list of security holes that present the greatest threat.

You also can search for vulnerabilities that affect only those products and programs that make up your information architecture. Type in the name of any product plugged into your network and see what vulnerabilities are returned. Sort through those using the severity score, placing the most severe at the top of your fix-it list.
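The prioritization just described (keep only vulnerabilities in products you actually run, weight the severity score by how much you stand to lose, and put the most severe at the top), as an added example that is not from the article or from NIST; the records, the CVE-style identifiers and the loss weights are all constructed for illustration, not real CVEs and not the CVSS environmental formula.

```python
from dataclasses import dataclass

# Constructed sample records in the shape of NVD/CVE entries (NOT real CVEs):
# identifier, affected product, CVSS base score on the 0-10 scale.
SAMPLE_VULNS = [
    ("CVE-0000-0001", "webserver", 9.3),
    ("CVE-0000-0002", "webserver", 4.3),
    ("CVE-0000-0003", "dbms", 7.5),
    ("CVE-0000-0004", "mailrelay", 10.0),  # product we do not run: drop it
    ("CVE-0000-0005", "dbms", 2.1),
    ("CVE-0000-0006", "vpn", 7.2),
]

# Our inventory, each system tagged with the article's loss rating: how much
# damage an exploit could cause. The weights are an assumption for this
# example, a simple multiplier rather than CVSS's own environmental formula.
LOSS_WEIGHT = {"low": 0.5, "medium": 1.0, "high": 1.5}
INVENTORY = {"webserver": "medium", "dbms": "high", "vpn": "low"}

SEVERE = 7.0  # the article's cutoff for the most severe scores


@dataclass
class Finding:
    cve: str
    product: str
    base: float
    loss: str

    @property
    def priority(self) -> float:
        """Base score scaled by our loss rating, capped at the 10-point ceiling."""
        return min(10.0, round(self.base * LOSS_WEIGHT[self.loss], 1))


def prioritize(vulns, inventory):
    """Keep only vulnerabilities in products we run, then rank them."""
    findings = [Finding(c, p, s, inventory[p]) for c, p, s in vulns if p in inventory]
    return sorted(findings, key=lambda f: (f.priority, f.base), reverse=True)


def fix_it_list(vulns, inventory, severe=SEVERE):
    """CVE ids whose adjusted priority meets the severity cutoff, worst first."""
    return [f.cve for f in prioritize(vulns, inventory) if f.priority >= severe]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_VULNS, INVENTORY):
        print(f"{f.cve}  {f.product:10} base={f.base:4} loss={f.loss:6} priority={f.priority}")
    print("fix first:", fix_it_list(SAMPLE_VULNS, INVENTORY))
```

Note how the database vulnerability with a base score of 7.5 outranks the 9.3 on the web server once the catastrophic-loss rating is applied, while the perfect-10 mail relay flaw never appears because that product is not in the inventory.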

For the most effective protection, conduct a risk assessment of your networks to find where data is stored, and identify conduits to that data. Program managers and other employees might have stored sensitive data on systems that you are not aware of. Talk to them to find out.

If the job still seems big, it's because, well, it is, albeit not as big as before. By whittling it down to the vulnerabilities that pose the biggest threat, you'll remove work that might not provide much return in terms of security.

This is the first in an occasional series on how to put together a program that can increase network security without spending your entire workday doing it.
