Protecting Against An Avalanche of Vulnerabilities

Keeping up with system vulnerabilities is no easy task. Gone are the days when IT can rely on “Patch Tuesday” and perimeter security solutions. Sure, there are still plenty of operating system flaws to contend with, which patching corrects, but third-party applications now pose even more problems.

According to a study by the security firm Qualys, desktop applications like iTunes, Firefox, PowerPoint and, surprisingly, antivirus programs account for more than 60% of critical vulnerabilities. And attackers are focusing on new network targets as well.

VoIP servers and phones, IM servers, and even printers and faxes are now considered weak points that may provide access to an otherwise hardened network. Added to that, user-introduced errors and network misconfigurations can undermine even the best security plans.

Faced with these issues, as well as industry regulations like HIPAA (Health Insurance Portability and Accountability Act), Mercy Hospital in Miami, Fla. had to change the way it went about securing its network. But before new security measures could be introduced, Mercy had to get a better understanding of its network.

According to Moses Hernandez, a network engineer for Mercy, in the past the task of studying the network was done infrequently. “We used scanning to get a feel for the network and know what was on it,” Hernandez said. “We simply needed to get an idea of what was out there.”

Soft on the Inside

However, after scanning for inventory and topology, Mercy realized it had to keep scanning on an ongoing basis. Networks can change dramatically over time, and new vulnerabilities are discovered in operating systems and applications on an almost daily basis. “Vulnerability assessments have become so important that we scan every week or even every day,” Hernandez said.

In other words, simply hardening your network against outside intruders is no longer an effective strategy. Increasingly, with guest access and partner applications and distributed networks, it’s more and more difficult to define what “inside-the-network” even means.

According to Ross Brown, CEO of vulnerability management vendor eEye Digital Security, in the past the term “vulnerability” had a specific meaning, referring to flaws in systems or software. These could be fixed via patches. Today, the term “vulnerability” has a broader meaning, encompassing not just software flaws but also user-introduced vulnerabilities, network misconfigurations, and even interoperability problems. The new generation of vulnerability management tools even discovers instances where users are putting the organization at risk by not following corporate policies.

A recent survey by Computer Security Institute (CSI) and the FBI found that nearly 52% of participants were hit by security breaches, many from outside of the organization. However, 68% said that a significant portion of those breaches came from within the network.