Even though the number of new vulnerabilities seems to be flattening, the persistence of known vulnerabilities in IT systems means that increasingly sophisticated attackers still have a target-rich environment. Patch and configuration management can help.
A recent report on cybersecurity trends by HP TippingPoint DVLabs produced some unsurprising conclusions: The continuing incorporation of greater computing functionality into our lives is helping to expand the threat landscape, attackers are becoming more sophisticated, and Web applications are a top source of new vulnerabilities.
However, the part that caught my attention was what the authors called “the unrelenting presence of legacy threats.” Those are vulnerabilities that have been around for a while and for which fixes usually are available. Their persistence continues to ensure a target-rich environment for attackers even as the rate at which new vulnerabilities are being discovered appears to be leveling off.
“Attacks from well-known malware threats continue to plague computer systems,” the researchers found. “While many of these attacks are well understood and well protected against, it is not unheard of to see large organizations as the source of some of these attacks, indicating that when large organizations implement new systems without threat management controls, the systems are quickly infected with familiar threats.”
The lesson here is that protecting systems depends not only on being aware of the latest vulnerabilities and patching them in a timely manner but also on managing patches and configurations during the life of a system.
The good news in the report is that the number of newly discovered vulnerabilities, after rising steadily through the first half of the decade, appears to have peaked in 2006 and leveled off, if not declined, for the past four years. Final figures for 2010 aren't in, but a comparison of vulnerabilities for the first six months of each year shows a slight downward trend for 2007 through 2009, with a slight uptick in the first half of this year.
Web applications have become one of the richest sources of vulnerabilities after they overtook vulnerabilities in operating systems in recent years. “Our current research indicates that Web applications continue to pose one of the biggest risks to corporate networks,” the report states.
But old attacks against known vulnerabilities refuse to completely die out. The report notes resurgences of XP CMDSHELL attacks, SQL Slammer and Conficker. China is the primary source of attacks using XP CMDSHELL for SQL injection and Slammer, but the United States is close behind in second place as a source of the SQL injections.
The problem appears to be the use of older versions of SQL Server that have not been properly configured to disable the ability to run operating system commands in SQL Server. That type of attack surged in May and then spiked dramatically in June.
Older vulnerabilities might not be the biggest threat that administrators face, but they are troublesome because they don't need to be a problem. Securing systems against newly discovered vulnerabilities and exploits will probably always be a cat-and-mouse game in which we are playing catch up. But we should be getting better at laying the old vulnerabilities to rest so they don't come back to haunt us.
Admittedly, that is not easy. Systems continually change, and managing patches and configurations in a dynamic environment can be difficult. But better managing this job would free resources and attention for dealing with new threats.