How do I prioritize what to fix?

I spent about six years in vulnerability management before I decided to go be a penetration tester. I was frustrated by having to rely on the analysis of others, and on generalized guesswork to determine what made the biggest threat to the organization. I thought that being able to focus on security research and practical penetration would open my eyes to the realities of offense in a way that would help me make the most sense of security as a discipline.

What I found out was enlightening.

I did not have a sudden epiphany that deobfuscated all vendor vulnerability announcements, or find a Rosetta Stone that suddenly made CVSS scores completely pertinent and useful. Rather, I found that most organizations who are getting patches right are failing miserably with secure configurations.

The truth is, exploitation is hard. Turning the latest Microsoft announcement into a working exploit that will give you a shell with system access is completely beyond the reach of the average attacker. If you can't Google for it, don't have a genius buddy willing to share 0day with you, or can't find it in your favorite online haunts, it's far easier to exploit default passwords, insecure configurations, or people than to write an exploit to abuse a patch.

That being said, the rate of exploits to grant full system access has slowed since Windows XP, but it has hardly stopped. So, exploit development certainly still happens. This isn't an excuse to abandon your patch management. Dedicated attackers who are out to do serious harm definitely still have access to exploits that take advantage of missing patches and unpatched vulnerabilities.

But, if you consider your threat model is driven by likelihood of attack based on prevalence of threat, configurations have got to take a bigger role in vulnerability management and security programs.

No comments: