In-Depth

The Known Vulnerability Trap

Organizations still get hammered by the foes they know

• By Mathew Schwartz
• 04/16/2003

Money alone isn’t necessarily the issue. Aberdeen Group says that governments and companies worldwide acknowledge spending over $2 billion annually just to find, assess, and then deploy security patches. Many companies also use scanners—such as eEye Digital Security’s Retina Scanner, Harris Corp.’s STAT Scanner, or from Internet Security Systems or Microsoft, just for starters—to find known vulnerabilities. The problem is what happens next.

“Those [scanners] all go out and identify all the vulnerabilities that exist on your network. The problem is the number of pages those logs generate—I've even seen them as long as 1300 pages,” says Jack Doxey of Citadel Security Software Inc. in Dallas. As a result of all that vulnerability information, many administrators either shelve the report or only tackle the biggest risks. That leaves a long list of known yet unfixed vulnerabilities.

It’s not like administrators are slacking off. “With the ever-growing list of vulnerabilities, security administrators simply do not have the time or resources to manage the remediation process manually,” says Pete Lindstrom, research director of Spire Security in Malvern, Pa. The result of not fixing things is well known: “network downtime, reduced worker productivity and in some cases loss of critical information.”

One possible fix for the problem is a relatively new class of tools known as automated vulnerability remediation (AVR) software, from companies such as BigFix Inc., Citadel, and PatchLink Corp. AVR software can do much more than automate patch fixing.

Citadel’s Hercules, for example, can automatically fix five types of vulnerabilities:

-- Insecure accounts (for example, making sure no off-the-shelf default administrator passwords still exist)-- Unnecessary services, including Telnet, PC Anywhere, and FTP-- Backdoors (for example, those that could be exploited by Back Orifice)-- Misconfigurations (such as users having too many access rights)-- Software defects

Citadel says defects that require patches or hot fixes account for 20-30 percent of all vulnerabilities.

Lindstrom says, “With Hercules, security administrators can automate the vulnerability remediation process across multiple platforms and on thousands of devices, saving time and money while allowing administrators to focus on more strategic issues.” The product works on Windows NT and 2000, and pulls log data from a range of existing scanners.

Sometimes, of course, administrators can’t know in advance which combination of fixes will just crash servers. Citadel says version 2 of Hercules, scheduled to ship in May, will include complete rollback capabilities—in case a fix ends up taking down servers. Version 2.0 will also have better vulnerability-signature-writing tools for customizing the product, will run on a range of Unix and Solaris servers, and will let administrators apply rules (which networks get which fixes and the order of applying such fixes).

AVR software is gaining recognition for the time it saves. Citadel, for example, says an East-coast medical center with 75 servers and 3,000 users wanted to get HIPAA-compliant and tried out the company's product. The company originally estimated the manual remediation of vulnerabilities could take five months. The center’s security engineer tested 20 of its Windows NT and 2000 servers, and was able to use Hercules to eliminate or neutralize 91.4 percent of the known vulnerabilities. That scanning and remediation took a couple of days.

“After running manual vulnerability remediation and scans for the past year, we have first hand knowledge of how painful the process can be—not only the initial remediation, but ensuring the changes stay,” says the engineer. He says installation of Hercules on 20 clients and a dedicated server took almost no time. “Hercules installed, deployed and remediated the vulnerabilities flawlessly. I was really surprised, as were my colleagues.”

Time is still necessary after product rollout to truly tailor AVR products to individual environments. “It’s bad form to just do a select-all and remediate. If you want to bring all your systems down, that's a sure way to do it,” says Doxey. Even with some automation, security managers still need to tell the software not only what to automatically fix, but which types of problems should get flagged before anyone potentially gets to just click a “fix” button.