Security Friday Fast Fact: The Word on Zero-Day Exploits

by David Stern

While it may be true that computers don’t make mistakes, they do run programs that were written by humans. We have grown comfortable with the concept of patching our systems and applications – to improve performance, enhance features and, especially, to correct ‘bugs’ and other security concerns. Often, bugs that may be considered harmless are actually dangerous and leave the system vulnerable to attack.

Developers are used to the code-bug-patch cycle. We have a long-standing tradition of reporting bugs to our vendors, after which the developers fix them and release a patch. This, of course, takes time. Further, it only works when the bugs are properly reported and the developers have time to address them.

Recently, we have seen a rise in a type of attack called a “zero-day” exploit. In its simplest form, this is an attack that makes use of a previously unreported bug – so no patch is available. The attack is launched at the same time as (or slightly before) the bug is reported.

This has serious consequences for business today. For example, vulnerabilities discovered in MS Word during December have still not been fixed. Incident handlers are seeing specially crafted attacks against specific targets that take advantage of these vulnerabilities. Since Word has become such a core business application, restricting its use is almost impossible. Users must be extra vigilant when opening MS Word files sent to them via email (which poses an entirely different sort of challenge).

We have always had some need to manage the risks presented by vulnerabilities in our operating systems and applications. As awareness of security issues continues to increase and gain prominence, it is vitally important that organizations establish and operate vulnerability management and risk assessment programs, and that those programs include the chain of command so that decision-making improves.

Ed. note: all of the Security Friday Fast Facts are now archived in the Catalyst Community. Feel free to come there and use them to make your job(s) easier, to discuss them, or to suggest additional topics you would like to see. – Michael | Security Catalyst