ISTR X – Everything is vulnerable
We have just released the 10th edition of the Symantec Internet Security Threat Report (ISTR). For the past five years, Symantec has been tracking the various trends in Internet security—involving malicious code, vulnerabilities, and Internet attacks—and compiling them twice a year into the ISTR. In my experience working as a vulnerability analyst, moderating Bugtraq, and contributing to the ISTR, one thing is certain: vulnerabilities are on the rise. For the period covered by the current ISTR X release, we logged 2,249 new vulnerability records into our database, a new high for any six-month period. The previous high was 1,912 new vulnerability records, reported in the second half of 2005. As usual, the majority of these vulnerabilities affect Web-based applications (68%-69%).
Not only are there more vulnerabilities, there are more affected vendors than ever before. In light of the ISTR release, I was curious to see how many distinct vendors were affected by vulnerabilities during these reporting periods. For the first half of 2006, the vulnerabilities affected technologies distributed and maintained by 1,358 distinct vendors. In the last half of 2005, the vulnerabilities affected technologies from 1,146 distinct vendors. This shows that as the number of vulnerabilities rises, the number of vendors on the playing field grows too. It is clear that vulnerability researchers are expanding their efforts to cover a far greater breadth of vendors than ever before. Many of these vendors are small or operate at the hobbyist level, but with the D-I-Y attitude of Web 2.0 technologies, it is much easier for smaller Web application vendors to gain legitimacy. In terms of vulnerabilities, legitimacy means deployment, and deployment means that many more organizations may be exposed to vulnerabilities in these applications than ever before. It is no longer unusual for an enterprise to have a public-facing corporate blog, Wiki-style online encyclopedia, or content management system. This doesn’t even take into consideration more traditional business applications, such as Web-based CRM or e-commerce solutions, which can also be counted among the vulnerable.
What these trends mean for enterprises is that more and more resources are required for managing each stage of the vulnerability lifecycle. This lifecycle includes identifying and assessing the vulnerability in relation to the organization, which can bring in technologies like asset management, vulnerability assessment, and penetration testing, in addition to less technologically oriented disciplines such as risk analysis. The enterprise is further challenged when mitigating or fixing the vulnerability, because this can require policy changes or patch installs throughout the entire organization. It can also strain budgets and threaten business objectives or uptime, on top of newer challenges such as compliance with industry-dependent regulatory standards like Sarbanes-Oxley or HIPAA. Enterprises must also deal with the possibility of zero-day attacks, which means that they have to proactively defend against unknown vulnerabilities with whatever best practices and technologies are at their disposal.
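The two measurements discussed above (new vulnerability records per six-month period, and the number of distinct vendors behind them) and the first lifecycle step (identifying which vulnerabilities actually touch the organization's deployed technology) can both be carried out over a simple record set. The script below is an added illustration, not code from Symantec or the ISTR; the vulnerability records, vendor and product names, `VULN-…` identifiers, and the asset inventory are all constructed sample data, not real advisories or real hosts.

```python
"""Added example: tally new vulnerability records per six-month period,
count the distinct vendors affected in each period, and match the records
against an asset inventory. All data below is constructed for illustration."""
from collections import defaultdict
from datetime import date

# Constructed sample records: (record id, vendor, product, publication date).
# "VULN-000n" ids are placeholders, not real BID or CVE identifiers.
VULN_RECORDS = [
    ("VULN-0001", "ExampleBlogCo", "BlogEngine", date(2005, 8, 3)),
    ("VULN-0002", "ExampleBlogCo", "BlogEngine", date(2005, 11, 17)),
    ("VULN-0003", "WikiWare", "OpenWiki", date(2005, 12, 20)),
    ("VULN-0004", "ShopSoft", "CartPro", date(2006, 1, 9)),
    ("VULN-0005", "ExampleBlogCo", "BlogEngine", date(2006, 2, 14)),
    ("VULN-0006", "WikiWare", "OpenWiki", date(2006, 3, 1)),
    ("VULN-0007", "CRMHouse", "WebCRM", date(2006, 4, 22)),
    ("VULN-0008", "HobbyCMS", "TinyCMS", date(2006, 6, 30)),
]

# Constructed asset inventory: hostname -> (vendor, product) deployed there.
ASSETS = {
    "blog.corp.example": ("ExampleBlogCo", "BlogEngine"),
    "wiki.corp.example": ("WikiWare", "OpenWiki"),
    "shop.corp.example": ("ShopSoft", "CartPro"),
}


def half_year(d):
    """Label a date with its six-month reporting period, e.g. '2006H1'."""
    return f"{d.year}H{1 if d.month <= 6 else 2}"


def period_stats(records):
    """Per period: (number of new records, number of distinct vendors)."""
    counts = defaultdict(int)
    vendors = defaultdict(set)
    for _rec_id, vendor, _product, published in records:
        period = half_year(published)
        counts[period] += 1
        vendors[period].add(vendor)
    return {p: (counts[p], len(vendors[p])) for p in counts}


def affected_assets(records, assets, period):
    """Map each inventoried asset to the record ids from `period` that
    affect its (vendor, product); assets with no matching records are
    omitted so the result is the organization's exposure list for that period."""
    by_product = defaultdict(list)
    for rec_id, vendor, product, published in records:
        if half_year(published) == period:
            by_product[(vendor, product)].append(rec_id)
    return {host: by_product[vp] for host, vp in assets.items() if vp in by_product}


if __name__ == "__main__":
    for period, (n_records, n_vendors) in sorted(period_stats(VULN_RECORDS).items()):
        print(f"{period}: {n_records} new records from {n_vendors} distinct vendors")
    for host, ids in affected_assets(VULN_RECORDS, ASSETS, "2006H1").items():
        print(f"{host}: {', '.join(ids)}")
```

The asset match is the part that turns a raw count into something the organization can act on: of the eight constructed records, only three touch inventoried hosts, and those are the ones that feed the assessment and remediation stages.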
With the sheer number of vulnerabilities being reported on a daily basis, there is a higher probability that the enterprise will be affected in some way. The threat landscape has also shifted from noisier attacks to attacks that are more tailored to the particular target. With more vulnerabilities, attackers have more tools in their arsenal, and a wider range of affected vendors means a higher probability that an enterprise is running something with an unpatched vulnerability. So the demands of the vulnerability management lifecycle force organizations to go through each stage in a timely manner with minimal impact to the operations of the enterprise, whether from attacks or from the downtime required for patching. This has changed the face of business, creating new roles within the organization that specialize in vulnerability management and remediation. This is no longer a peripheral duty of administrators; rather, it has grown into a significant full-time responsibility in its own right for many enterprises.
One of my colleagues from Symantec coined the mantra “Vulnerabilities Happen” a while back in a column for the SecurityFocus Web site. I’d like to add my own two cents to that statement: “Everything is Vulnerable”. What I mean is, instead of simply reacting to vulnerabilities (when they do happen) as part of a contingency plan, we’ve migrated to an era where vulnerabilities happen with regularity, and the contingency plans of yesterday have become the regular business procedures of today.
Download a copy of the latest Internet Security Threat Report here.