by Andrew Freeborn
May 18, 2016
The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that can assist organizations in meeting many of the recommendations and best practices in the DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, suggestions are given for monitoring the network for each of these patterns. This ARC can assist an organization in monitoring its network to reduce the successfulness of these attack patterns and to reduce its chances of a data breach.
The DBIR report recommends quickly keeping up with remediating vulnerabilities from major vendors and being vigilant to remediate older vulnerabilities or mitigate their risk. Remediating vulnerabilities are important, but not all vulnerabilities present the same level of risk to the organization. Depending on the organization, not even the same vulnerability across an organization may present the same level of risk due to the location of the system with the vulnerability.
The report focuses on software vulnerabilities from vendors such as Adobe, Microsoft, Oracle, OpenSSL, Apple and Mozilla. The vulnerabilities from these vendors are typically the ones to be commonly exploited by attackers. All of the vendors produce client-side products used for interaction with websites, which attackers use to leverage attacks against users. Due to the frequent occurrence of attacks with these products, Verizon specifically highlights the need for organizations to closely monitor these vulnerabilities. In some cases, attacks with Adobe vulnerabilities can compromise a user in less than 5 minutes. Exploiting any common vulnerability could give an attacker access to account credentials that could then be used to further the attack to other systems on the network.
Frequently, newly discovered vulnerabilities are quickly exploited by attackers. However, vulnerabilities which have had patches published over a year which remain in the organization are also targets for exploitation. Depending on the organization, older vulnerabilities may exist for one reason or another. Attackers of all types have various methods to detect and exploit not only the newest vulnerabilities, but validate if older and more reliable exploitation vectors with older vulnerabilities still exist. Organizations need to ensure adequate resources are available to address the vulnerabilities and whether or not to remediate them or mitigate their risk.
This ARC assists organizations in improving analyst awareness of higher priority vulnerabilities in the organization. Policy statements included within this ARC report on the vulnerabilities from the aforementioned vendors and specific timelines. The timelines for when to best address vendor specific vulnerabilities are based on the vulnerability time to exploit from the report. Organizations can use these suggested time frames against their own vulnerability patch process to evaluate their current policy to what other organizations experience in time to exploitable compromise. Additional policy statements report on the state of vulnerabilities which have been in the environment for over 30 days and 1 year. These snapshots of points in time can help organization evaluate how well they are doing at remediating vulnerabilities. Having visibility of vulnerabilities within the network allows organizations to proactively respond to threats, mitigate vulnerabilities, and take preventative measures before any serious damage occurs.
The information provided in this ARC provides a baseline to measure the effectiveness of an organization's information security policies and whether the current policies being enforced are effective. The ARC policy statement parameters are guides that can be customized as necessary to meet organizational requirements.
This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The ARC can be easily located in the Tenable.sc Feed under the category Security Industry Trends. The ARC requirements are:
- Tenable.sc 5.3.1
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
Tenable.sc provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. By integrating with Nessus, Tenable.sc ’s continuous network monitoring is able to track vulnerabilities and mitigations across the enterprise.
The following policy statements are included in this ARC:
Less than 5% of systems have unpatched vulnerabilities where the remediating patch was published over 30 days ago: This policy statement displays the ratio of vulnerabilities that have patches published over 30 days ago to the total number of vulnerabilities. If the policy statement is met, the result is displayed in green; otherwise, the result is displayed in red. Vulnerabilities with unapplied patches could be exploited and can result in further compromise to systems. This policy statement will help to identify and monitor vulnerabilities that require patching to remediate. Vulnerabilities with patches available should be remediated to reduce the risk of network compromise.
No systems have unpatched vulnerabilities where the remediating patch was published over 1 year ago: This policy statement displays the ratio of vulnerabilities that have patches published over 1 year ago to the total number of vulnerabilities. If the policy statement is met, the result is displayed in green; otherwise, the result is displayed in red. Vulnerabilities with unapplied patches could be exploited and can result in further compromise to systems. This policy statement will help to identify and monitor vulnerabilities that require patching to remediate. Vulnerabilities with patches available should be remediated to reduce the risk of network compromise.
No unpatched Adobe vulnerabilities were published more than 3 days ago: This policy statement displays the ratio of Adobe vulnerabilities that have patches published over 3 days ago to the total number of vulnerabilities. If the policy statement is met, the result is displayed in green; otherwise, the result is displayed in red. Attackers commonly use exploits in these vulnerabilities as an attack vector. Adobe vulnerabilities with unapplied patches could be exploited and can result in further compromise to systems. This policy statement will help to identify and monitor vulnerabilities that require patching to remediate. Vulnerabilities with patches available should be remediated to reduce the risk of network compromise.
No unpatched Microsoft vulnerabilities were published more than 10 days ago: This policy statement displays the ratio of Microsoft vulnerabilities that have patches published over 10 days ago to the total number of vulnerabilities. If the policy statement is met, the result is displayed in green; otherwise, the result is displayed in red. Attackers commonly use exploits in these vulnerabilities as an attack vector. Microsoft vulnerabilities with unapplied patches could be exploited and can result in further compromise to systems. This policy statement will help to identify and monitor vulnerabilities that require patching to remediate. Vulnerabilities with patches available should be remediated to reduce the risk of network compromise.
No unpatched Oracle vulnerabilities were published more than 20 days ago: This policy statement displays the ratio of Oracle vulnerabilities that have patches published over 20 days ago to the total number of vulnerabilities. If the policy statement is met, the result is displayed in green; otherwise, the result is displayed in red. Attackers commonly use exploits in these vulnerabilities as an attack vector. Oracle vulnerabilities with unapplied patches could be exploited and can result in further compromise to systems. This policy statement will help to identify and monitor vulnerabilities that require patching to remediate. Vulnerabilities with patches available should be remediated to reduce the risk of network compromise.
No unpatched OpenSSL vulnerabilities were published more than 60 days ago: This policy statement displays the ratio of OpenSSL vulnerabilities that have patches published over 60 days ago to the total number of vulnerabilities. If the policy statement is met, the result is displayed in green; otherwise, the result is displayed in red. Attackers commonly use exploits in these vulnerabilities as an attack vector. OpenSSL vulnerabilities with unapplied patches could be exploited and can result in further compromise to systems. This policy statement will help to identify and monitor vulnerabilities that require patching to remediate. Vulnerabilities with patches available should be remediated to reduce the risk of network compromise.
No unpatched Apple vulnerabilities were published more than 140 days ago: This policy statement displays the ratio of Apple vulnerabilities that have patches published over 140 days ago to the total number of vulnerabilities. If the policy statement is met, the result is displayed in green; otherwise, the result is displayed in red. Attackers commonly use exploits in these vulnerabilities as an attack vector. Apple vulnerabilities with unapplied patches could be exploited and can result in further compromise to systems. This policy statement will help to identify and monitor vulnerabilities that require patching to remediate. Vulnerabilities with patches available should be remediated to reduce the risk of network compromise.
No unpatched Mozilla vulnerabilities were published more than 210 days ago: This policy statement displays the ratio of Mozilla vulnerabilities that have patches published over 210 days ago to the total number of vulnerabilities. If the policy statement is met, the result is displayed in green; otherwise, the result is displayed in red. Attackers commonly use exploits in these vulnerabilities as an attack vector. Mozilla vulnerabilities with unapplied patches could be exploited and can result in further compromise to systems. This policy statement will help to identify and monitor vulnerabilities that require patching to remediate. Vulnerabilities with patches available should be remediated to reduce the risk of network compromise.