While a lot of time and effort goes into ensuring that networks are patched, the gap between vulnerability announcements and patch availability remains a serious and often costly issue for too many companies. But by proactively managing the risks, you can strengthen general defences until those critical system patches arrive.
The first step is to take advantage of information that is
available. Operating system suppliers such as Microsoft and
application suppliers such as Citrix and Apple regularly release a
list of known vulnerabilities that they are working on.
Vulnerability flag
This information can help reduce the risks associated with the
vulnerability, which is the reason why the suppliers release it in
the first place. But vulnerability alerts also attract the
attention of those who craft malicious code. The industry has
little choice but to be proactive in managing the risk.
Most vulnerabilities have both a known port number for network
access and a recognisable pattern of attack, which is often the
first information available about a given vulnerability.
Blocking a port number on the firewall is the first line of
defence for reducing the risks associated with a known
vulnerability. The tactic was used by many companies to counteract
the Blaster worm, which used several ports to spread its malicious
code.
Often a rule set for an intrusion prevention system (IPS) will
also be available. Such pattern recognition rules help an IPS
identify malicious network activity and shut it down before it can
contaminate more systems.
By ensuring the rule set on an IPS, or on an IDS (an intrusion detection system, which only raises an alert when it detects malicious activity rather than blocking it), is up to date, you minimise the risk of malicious activity.
While many years have passed since the ILoveYou, Melissa and
BubbleBoy viruses troubled e-mail servers, unchecked e-mails remain
the primary source of network contamination. Configuring the
corporate spam filters is therefore another important step in
protecting the network from similar attacks. Prohibiting access to
online e-mail services such as Yahoo and Gmail can also reduce the
quantity of spam.
However, unless you inform all staff of the dangers posed by
malicious code, an employee may unwittingly cause an infection
despite the best efforts of the security professionals. It is
crucial that end-users know how to use the internet safely, and how
to recognise phishing websites and e-mails.
Educating employees about these types of attacks and alerting
them to dangers as they arise is now an essential step in securing
the organisation.
Such measures should be part of a formalised procedure for
addressing the risks associated with a vulnerability. Figuring out
how to react to a situation can otherwise be a time-consuming
process. Much of the stress associated with a vulnerability is due to questions from management, such as "What are we doing about this?", "How does it affect us?" and "Who is working on this?"
Pre-patch routine
When a vulnerability alert is released, your job is to stay on
top of developing events, train employees not to fall victim to the
scams and actively manage risks on the network - and then apply the
patch as soon as it is available.
Proper risk management of unpatched system vulnerabilities is as
essential to maintaining network integrity as the patches
themselves.