Vulnerability Management: False Confidence, the Remediation Gap and Other Challenges

Nov 30, 2015

Share with Your Network

Organizations believe their vulnerability management programs are more mature than they really are, and the time it takes to remediate vulnerabilities remains an issue for many businesses, according to two recent reports.

A SANS whitepaper, What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring, concluded that security practitioners are overconfident in their current state of continuous monitoring:

… survey results starkly illustrate that we are approaching a dangerous state in which we believe we have appropriately addressed problems, though we have, in fact, not adequately remediated them—therefore unknowingly leaving a window of opportunity open for attackers.

“Each of the questions taken on their own – there’s nothing really major that’s unsound. But looking at those questions together is very interesting,” said David Hoelzer, SANS Fellow Instructor, author of the paper, and founder and CISO of CyberDefense, the parent company of Enclave Forensics.

“More than half of these [organizations] are saying that they are mature or maturing. They say that, but then when we look at the coverage of assets  … no one is even willing to say that they are covering 100% of their publicly exposed systems.”

Hoelzer, who was a guest on the latest episode of the Cybercrime and Business Podcast, said that gap in perception is a cause of concern.

“I would not define what we’re seeing in that report as anything like mature,” he said. “It seems as though our criteria or the bar we’re trying to reach is not high enough.”

Closing the Remediation Gap

One of the biggest challenges around vulnerability management is the time it takes organizations to remediate those vulnerabilities, or the remediation gap.

According to Kenna Security’s recent report, The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks, even “conservative” estimates found that the window of opportunity for many exploits remains significant:

  • On average, it takes businesses 100-120 days to remediate vulnerabilities.
  • At 40-60 days, the probability of a vulnerability being exploited reaches over 90 percent – indicating that most successfully exploited vulnerabilities are likely to be exploited in the first 60 days. The gap between being likely exploited and closing a vulnerability is around 60 days.
  • As of August 1, 2015, there have been a total of 1,272,152,215 successful exploits this year from a sample size of approximately 50,000 organizations. This is compared to 219,951,631 exploits in 2013 and 2014 combined.

“The gap that we’re looking at is getting much bigger, and I think that is happening because attackers are getting really, really good at automated attacks,” said Kenna Security’s senior data scientist Michael Roytman, who was also featured on this week’s podcast.

Old Vulnerabilities, New Problems

According to Roytman, enterprises often have a huge backlog of vulnerabilities. That “security debt” is one of the primary reasons for the remediation gap. In addition, it can be difficult to know which of those vulnerabilities are actually being exploited.

For example, attackers continue to exploit old vulnerabilities, as pointed out in the report:

  1. CVE-2010-3055 was exploited 121,000 times in 2014. It allows attackers to run arbitrary code in phpmyadmin via a POST request, and phpmyadmin runs millions of sites worldwide. It’s a CVSS 7.5, which means it’s bound to fly under the radar more often than not. But it shouldn’t.
  2. CVE-2002-0649 is an ancient worm that exploits SQL Server 2000 and Microsoft Desktop Engine 2000. Reading the Wikipedia article on the worm makes it seem like it’s a long forgotten problem, but we witnessed 156,000 successful exploitations in 2014. It’s not new, it’s not hip, it’s not current, so one talks about it – but it’s a significant threat.
  3. CVE-2000-1209 is also not to be forgotten, with 272,000 successful exploitations. It exploits Microsoft SQL Server 2000, SQL Server 7.0, and Data Engine (MSDE) 1.0, including third party packages that use these products such as Tumbleweed Secure Mail (MMS), Compaq Insight Manager, and Visio 2000.

The report concluded: “These vulnerabilities are not new – in fact, they’re extremely old – and yet they perfectly represent the kind of unremediated vulnerabilities that automated attacks attempt to find. They’re the windows that the criminals rattle around and try to pry open.”

“Huge Opportunity” for Threat Intelligence

Integrating threat intelligence into vulnerability management is recent development, Roytman said, as the data available now wasn’t available five or ten years ago. But threat intel can help provide the biggest bang for the buck in terms of  deciding which of the potentially thousands of actions an organization should take first.

“What’s surprising to me is the lack of information about what is being exploited,” Roytman said. “Integrating those data sources, disseminating that knowledge, is something that can really shorten the remidation gap, and it was surprising to me to see how many enterprises don’t have that information integrated.”

He added: “We’re kind of at this crossroads where the data is flowing in, but maybe we’re not integrating it into our vulnerability managment practices, and that’s a huge opportunity.”


© 2022 Kenna Security. All Rights Reserved. Privacy Policy.