
Managing Your Attack Surface to Save Your Business

By Corey Thomas, Vice President, Rapid7

BOSTON – January 12, 2009 – The recent rapid-fire release of a pair of major patches by Microsoft in December underscores the risks that businesses take when they expose any part of their IT environment to the public Internet. It also demonstrates how quickly the attack surface of a business’s IT systems can expand. A business’s attack surface is the sum of the points in its IT infrastructure that malicious parties can reach and exploit, whether those points are missing patches or misconfigured systems.

While Microsoft did a good job of getting the word out on a critical update for its Vista operating system, and an even better job with its subsequent emergency patch for Internet Explorer, a business can’t depend on this level of awareness or response for every issue that can rapidly expand its attack surface.

There are many reasons why a company can’t simply put its faith in vendors’ publicity campaigns or automated update processes and hope for the best. The most important is that the updates may not cover everything in your enterprise: many of the critical vulnerabilities in a business come from poorly configured systems rather than missing patches, and over time attackers get more sophisticated at exploiting poorly architected or poorly configured systems. The second is that most businesses don’t dare deploy updates without first testing that they work in their environment, which leaves a window of exposure between a patch’s release and its rollout. Finally, there’s the issue of compliance: you have to be able to prove that you maintained the level of security required by whatever regulatory authorities govern your company.

The problem extends beyond Microsoft products. If you’re running an enterprise that uses Linux or Sun platforms in addition to Windows, and if you’re running critical applications that come from third parties, there are even more potential vulnerabilities and even more updates to manage. The problem is especially critical for those managing sensitive data that can be accessed through web applications. These systems are not only the ones most likely to be attacked but also the ones that most often suffer from configuration problems on top of patch problems. The issue is exacerbated by the constant stream of new vulnerabilities that receive far less attention than those in Microsoft products. The only effective way for a company to handle this complex environment is with an automated vulnerability assessment tool.

Vulnerability assessment tools do what IT managers can’t do by hand. They scan the entire network: Windows machines, machines running other operating systems, databases, web applications, and the network infrastructure itself, including firewalls and routers. They check each system so that every vulnerability found is reported, and they recommend a fix for each one.

What’s perhaps more important is that a good vulnerability assessment tool can rate the risks it finds according to how much they could affect your network. Knowing whether a vulnerability is high risk or low risk makes a big difference when deciding which one to fix first. Likewise, knowing whether a vulnerability is merely a potential risk or one with a working exploit in circulation can be critical in determining how urgently a patch must be applied.

Rapid7 Nexpose can seek out and expose vulnerabilities in all of your systems, including your web applications, your databases and your enterprise network. In addition, Nexpose can perform compliance scanning. A scan can be run from inside or outside your firewall; in either case it matches the vulnerabilities it finds against the remediations available for them and issues a report listing those vulnerabilities, with recommendations for action and instructions for fixing each problem.

Once the scan is complete, you gain transparency into your security profile. This transparency lets you see what’s critical, what’s important, and what can wait until later, so you know which steps must be taken immediately to maintain the integrity of your network. Your security profile will change over time as your enterprise grows and the nature of the threats changes, but with regular scanning you’ll know you’re not missing something really important.

Knowing what’s really going on with your enterprise security profile is as valuable for peace of mind as it is for protecting your network and meeting the demands of regulators. With vulnerability assessment, you know that you can make your enterprise as safe as you want it to be, and you know how to keep it that way.

Corey Thomas is VP Marketing and Product Management for Rapid7.