Vulnerability landscape has significantly evolved over the years. Nowadays, it is becoming a pain area in any organisation to protect its assets from the new wave of advanced persistent threats. The threat environment has become all the more complex and much more dangerous. The new world attackers target specific companies, individuals and data. A typical targeted attack will exploit multiple security vulnerabilities to achieve the ultimate goal Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£┬« usually, to steal confidential data, compromise a specific account or disrupt operations.
Vulnerabilities are introduced into an enterprise when it acquires systems from vendors or even internally developed systems with known and unknown bugs and/or insecure default security settings. Much of the vulnerability also occurs because the system administrators implement insecure configurations on systems and due to non-existent or inadequate processes and policies in an organisation. Most enterprises do not know the state of their security posture and how and where to start with the vulnerability management. Thus the need for creating an Enterprise Vulnerability Management (EVM) Program becomes a key requirement for an organisation to manage the enterprise security.
Recent Changes in Vulnerability Trends
A large number of data breach incidents have brought to fore exposure of millions of confidential consumer records Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║Ôö£├ÂÔö£├éÔö£ÔûÆ adequate reasons why enterprises must do more to protect themselves from attack. A dramatic change in the security threat landscape is raising the bar for organisations who want to actively minimise successful exploits of vulnerabilities. Recent data shows that exploits are no longer restricted to traditional risks of generic viruses, worms, Trojans and other single-vector attacks. The Internet security threat report 20131 by Symantec Corporation reveals that:
- 42% increase in targeted attacks in 2012.
- Web-based attacks increased 30%.
- 14 zero-day vulnerabilities.
- 5291 new vulnerabilities discovered in 2012, 415 of them on mobile operating systems.
- There is an increasingly sophisticated black market serving a multi-billion dollar online crime industry.
Responses to the 2010/2011 CSI Computer Crime and Security Survey2 show that malware infection continued to be the most commonly seen attack, with 67.1 percent of respondents reporting it. There is continued evidence that attackers are spending more energy customising malware to make it more effective in targeted attacks or Advanced Persistent Threats, as many are now calling them. A Verizon report3 states that, of the breaches they investigated that involved malware in some fashion, 59 percent involved highly customised malware. Twenty-two percent of CSI survey respondents told that at least some of their security incidents involved targeted attacks Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£├®Ôö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö¼ÔòæÔö£├ÂÔö£├éÔö¼├║├ö├Â┬úÔö£┬« 3 percent told that they experienced more than 10 targeted attacks.
What most of the enterprises are still doing?
The fallout from targeted attacks pose serious financial risks; so, many organisations have taken steps to mitigate malware and other vectors of attack by deploying layers of security technologies such as perimeter defence based on Intrusion Prevention System (IPS) and Firewalls, security products like SIEM, VA tool, Anti Malware, Patch Management, HIDS and other products, each catering to different problems. These individual tools, though strong in their areas, have limited view of the enterprise level threats and information sharing between these tools is far from perfect, if not non-existent. The net effect is that a number of vulnerabilities that are not picked up as sophisticated attacks are launched after substantial social engineering and are dispersed over time and systems. Technologies like these are essential components of network security, yet while they are effective in their own spheres of purpose, none perform the most fundamental of all security measures - vulnerability management.
 Internet Security Threat Report 2013, Symantec Corporation, Vol 18, April 2013
2010/2011 Computer Crime and Security Survey, CSI