Remedial Remediation: What C-Level Executives Need to Know About Ensuring Operational Security
By Carl E. Banzhof, VP, Chief Technology Evangelist
What evil lurks?
When I ask C-level execs if their organizations are secure, what I often hear is, "Sure we are! We have firewalls, IPS, antivirus and patch management." To that I typically say, "That's great, but what are you doing about the five classes of vulnerabilities?" I usually get raised eyebrows in return, to which I add, "Yes, that's right: there are five categories that every organization must address."
Here they are:
- Missing patches
While the media loves to sensationalize patch-related issues, they are not as prevalent as one might think. In fact, the average vulnerability scan shows that only 20-30 percent of findings involve missing patches. The other four classes I'm about to discuss make up the remaining 70-80 percent.
- Unsecured accounts
Unsecured accounts are by far the most common element of unsecured systems. These typically result from poor password management: weak or absent expiration and complexity policies, dormant accounts that are never disabled, and users left free to choose trivially guessable passwords.
- Unnecessary services
Just like locking your doors while leaving a window open, running unnecessary services on systems sets up an easy target for unauthorized access. Remote access services are a perfect example of this. Think telnet, ftp or a web server running on a Windows desktop. Worse still, think about that same desktop image on a laptop in your mobile workforce, connecting from networks you do not control.
- Backdoors
Backdoors, which are particularly insidious, are usually dropped on systems in the form of spyware picked up from visiting malicious web sites. Once in place they give an outsider persistent access and can result in data theft and loss of intellectual property.
- Configuration errors
These are typically found in registry settings on Windows, configuration files on Linux/Unix systems, configuration settings on switches and routers, or sample files left behind on web sites or application servers. Windows systems, for example, can be configured by a registry key to bypass the logon screen entirely (the AutoAdminLogon value under the Winlogon key, which is often paired with a cleartext DefaultPassword stored right beside it).
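The five classes above are concrete enough to check for on a single host. The following PowerShell script is an added example and is not part of the original article or any product it mentions; it performs a quick local audit of a Windows machine against four of the five classes (patch recency, unsecured accounts, unnecessary services and the AutoAdminLogon configuration error) plus a simple autorun heuristic for backdoors. It assumes Windows 10 / Server 2016 or later with PowerShell 5.1, an administrative session, and uses illustrative thresholds (90 days for a dormant account, 45 days since the last hotfix) and an illustrative list of service names that the reader should tune to their own baseline.

```powershell
# Added example (not from the original article): audit one Windows host
# against the five vulnerability classes. Assumes Windows 10/Server 2016+,
# PowerShell 5.1, run as administrator. Thresholds and service list are
# illustrative assumptions, not authoritative values.

function Invoke-FiveClassAudit {
    $findings = @()
    $now = Get-Date

    # 1. Missing patches: flag a host whose most recent hotfix is older than 45 days.
    $lastPatch = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastPatch -or $lastPatch.InstalledOn -lt $now.AddDays(-45)) {
        $when = if ($lastPatch) { $lastPatch.InstalledOn.ToShortDateString() } else { 'never' }
        $findings += "Patching: last hotfix installed $when"
    }

    # 2. Unsecured accounts: enabled local accounts with no password required,
    #    non-expiring passwords, or no logon in the last 90 days (dormant).
    $dormantCutoff = $now.AddDays(-90)
    foreach ($u in Get-LocalUser | Where-Object Enabled) {
        if (-not $u.PasswordRequired) {
            $findings += "Account: $($u.Name) does not require a password"
        }
        if ($null -eq $u.PasswordExpires) {
            $findings += "Account: $($u.Name) has a password that never expires"
        }
        if ($u.LastLogon -and $u.LastLogon -lt $dormantCutoff) {
            $findings += "Account: $($u.Name) is dormant (last logon $($u.LastLogon.ToShortDateString()))"
        }
    }

    # 3. Unnecessary services: remote-access services a desktop should not run.
    #    Service names are the standard Windows names; the list itself is an assumption.
    $riskyServices = @{
        'TlntSvr'        = 'Telnet server'
        'ftpsvc'         = 'FTP server'
        'W3SVC'          = 'IIS web server'
        'RemoteRegistry' = 'Remote Registry'
    }
    foreach ($name in $riskyServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') {
            $findings += "Service: $($riskyServices[$name]) ($name) is running"
        }
    }

    # 4. Backdoors (heuristic): autorun entries launched from outside the usual
    #    program directories deserve a closer look for spyware or persistence.
    foreach ($hive in 'HKLM', 'HKCU') {
        $runKey = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($run) {
            foreach ($p in $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
                if ($p.Value -notmatch '^"?[A-Za-z]:\\(Program Files|Windows)') {
                    $findings += "Autorun: $hive Run\$($p.Name) launches '$($p.Value)' from an unusual location; review for backdoor/spyware"
                }
            }
        }
    }

    # 5. Configuration errors: the logon-bypass setting described in the article.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl = Get-ItemProperty -Path $winlogon
    if ($wl.AutoAdminLogon -eq '1') {
        $msg = "Config: AutoAdminLogon is enabled for '$($wl.DefaultUserName)'"
        if ($wl.DefaultPassword) { $msg += ' with a cleartext DefaultPassword in the registry' }
        $findings += $msg
    }

    return $findings
}

# Usage: run the audit and print one line per finding.
$results = Invoke-FiveClassAudit
if ($results.Count -eq 0) { 'No findings in the five classes on this host.' }
else { $results | ForEach-Object { "[FINDING] $_" } }
```

The script is deliberately read-only; it reports, it does not remediate, so it can be run on a production workstation without the post-remediation testing concern raised later in the article. A fleet-wide version would invoke the same function through remoting and collect the findings centrally, which is exactly the automation the next section argues for.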
Automation is key
Understanding these five broad categories is only part of the battle, however, as evidenced by the roughly 155 new vulnerabilities announced each week in 2006. Preparing your organization to tackle these challenges on a daily basis will take substantial planning and automation. Fortunately, there are technologies available to help enforce your own secure configurations, identify vulnerabilities in your network and automate their resolution.
Despite the solutions available, I often hear that mandatory post-remediation testing and its associated downtime are too much for organizations to handle. For those situations, intrusion prevention solutions can block unwanted access or malicious traffic from reaching vulnerable systems until the actual remediation steps can be applied. This is a highly effective stopgap when faced with a rapidly propagating exploit or targeted attack, but it is a compensating control: the vulnerability is still present until the fix is deployed.
Getting on board
Those of you who know me know that for years I've been on a soapbox evangelizing the benefits of vulnerability remediation. However, one thing you might not have heard me say is that now even the U.S. government is waking up to the importance of this issue. Case in point: the Office of Management and Budget recently sent a memorandum to all federal civilian agency CIOs requiring them to use "best practice hardening guides" for securing and auditing all Windows XP and Vista operating systems. The guides contain checks and enforcements that cover each of the five classes of vulnerabilities I've discussed in this article. Imagine that.
If the federal government can do it, so can you. Go ahead, challenge your teams to deploy, audit and maintain systems that are secured against the five categories and that will also address the new vulnerabilities that will inevitably be announced each week. I suspect your initial conversations will go much like the one I described at the beginning of this article, but let me know if I'm wrong. I hope I am.