A widely accepted definition of information security risk is the potential of a specific threat exploiting the vulnerabilities of an information asset, with the following formula used to represent information security risks: Risk = Likelihood x Impact.
The potential impact on information, processes and people is typically estimated during a business impact analysis as part of corporate business continuity planning. Estimating the likelihood of information security risks, however, is often guesswork derived from combined vulnerability assessments and threat assessments. When assessing likelihood, many IT security teams categorise risk using a traffic light system of high, medium and low. Those responsible for information security in a company should estimate risk levels for all corporate information systems and apply control measures accordingly. Estimating risk levels is a continuous process, and it requires tools such as vulnerability assessment scanners and/or the services of companies specialized in ethical hacking.
In May this year, the Financial Times was hacked through one of its many blogging systems. The system in question ran a vulnerable version of a content management system. This case illustrates how the principle of the weakest link in the security chain applies to complex information systems with many interconnected components. To maintain a high level of protection for vital corporate information, it is necessary to assess the vulnerabilities of all information systems, since the less critical ones can be exploited to gain access to other, more critical systems.
The likelihood of successfully exploiting a vulnerability is determined by the degree of difficulty in its implementation, skills of the attacker, availability of software tools, capacity of processing power and data connectivity, and publicly available information on the vulnerability.
A vulnerability that is known to be popular among hackers carries a higher likelihood of exploitation. The standard tools for vulnerability assessment are software-based vulnerability scanners. These automated tools compare the applications, operating systems and other components detected on target hosts against proprietary or public databases of known vulnerabilities. They report the detected gaps and recommend installing security patches, where available.
In assessment reports, automated scanners typically provide links to vendor-provided security patches or knowledge base articles with recommended fixes. After testing the top five tools, I have been using Retina CS from BeyondTrust for the last two years. However, automated tools lack human intelligence and cannot recognize relationships among interconnected information systems. A determined hacker is more likely to exploit even a low-priority vulnerability on one system if it has the potential to lead to a high-value business asset.
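The following is an added example, not code from the article or from any scanner vendor: a toy model of what an automated scanner does (matching detected software versions against a database of known vulnerabilities, rating each finding as Risk = Likelihood x Impact on a traffic-light scale) alongside the contextual adjustment a human assessor makes when a low-value host is a stepping stone to a high-value one. All host names, component names, versions and the vulnerability database are constructed placeholders.

```python
"""Toy vulnerability scanner core (added example; constructed data throughout)."""


def parse_version(v: str) -> tuple:
    """'3.4.10' -> (3, 4, 10) so comparisons are numeric, not lexical."""
    return tuple(int(p) for p in v.split("."))


# Constructed vulnerability database; component names and versions are placeholders.
VULN_DB = [
    {"component": "examplecms", "fixed_in": "3.5.2", "public_exploit": True},
    {"component": "examplehttpd", "fixed_in": "2.4.10", "public_exploit": False},
]


def likelihood(public_exploit: bool) -> int:
    """Publicly available exploit details raise the likelihood of exploitation (1..3)."""
    return 3 if public_exploit else 1


def rating(score: int) -> str:
    """Traffic-light classification of a 1..9 risk score (likelihood x impact)."""
    return "high" if score >= 6 else "medium" if score >= 3 else "low"


def scan(hosts: dict) -> list:
    """hosts maps name -> {"software": {component: version}, "impact": 1..3,
    "leads_to": [names]}. Returns one finding per vulnerable component."""
    findings = []
    for host, info in hosts.items():
        # An automated scanner rates the host in isolation; a human assessor also
        # weighs the impact of the assets an attacker could reach from it.
        reachable = [hosts[h]["impact"] for h in info.get("leads_to", [])]
        effective_impact = max([info["impact"]] + reachable)
        for entry in VULN_DB:
            ver = info["software"].get(entry["component"])
            if ver is None or parse_version(ver) >= parse_version(entry["fixed_in"]):
                continue  # component absent or already patched
            lik = likelihood(entry["public_exploit"])
            findings.append({
                "host": host, "component": entry["component"], "version": ver,
                "scanner_rating": rating(lik * info["impact"]),
                "contextual_rating": rating(lik * effective_impact),
                "fix": f"upgrade to {entry['fixed_in']}",
            })
    return findings


# Constructed inventory: a low-value blog host trusted by a high-value publishing system.
HOSTS = {
    "blog": {"software": {"examplecms": "3.4.0"}, "impact": 1, "leads_to": ["publishing"]},
    "publishing": {"software": {"examplehttpd": "2.4.12"}, "impact": 3},
}

if __name__ == "__main__":
    for finding in scan(HOSTS):
        print(finding)
```

Run stand-alone, the single finding on the blog host is rated "medium" in isolation but "high" once the path to the publishing system is taken into account.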
In today's dynamic business environment, where the boundaries of responsibility blur in cloud computing, it is difficult to dedicate resources to the continuous audit of all IT assets. Moreover, certified and skilled manual ethical hacking is costly and time-consuming. Nevertheless, there are new assessment solutions for information security managers and IT auditors: hybrid solutions that combine automated vulnerability scanners with manual ethical hacking.
These solutions are less costly than ethical hacking projects, comparable in cost to automated scanners, and can be used for regular periodic security assessments of all corporate information systems exposed to the Internet. Their look and feel is similar to that of automated vulnerability assessment scanners, and they do not carry the administrative overhead of ethical hacking projects. They are available on-line, and assessments can be scheduled through web portals with very little manual interaction and no expertise required of the customer. Frost and Sullivan recently published an overview of these hybrid solutions.
Hybrid vulnerability assessment solutions are particularly accurate when analysing web-based information systems, which are often ranked as high-risk in annual information security reports. The competitive advantage of hybrid vulnerability scanners over traditional automated scanners lies in the human skill to adapt attack strategies and related tools to the particular components of a target. The concept mimics the approach of attackers.
Attackers usually begin with reconnaissance, with the objective of collecting intelligence about the target. These techniques are also used by automated vulnerability scanners. Hackers perform web searches for details about the target company, its employees, and its web identity. They search Internet forums and social networks to identify weak links for possible phishing attacks. These methods are also used by ethical hackers, and are available in their reports with recommended protection practices.
When hackers have collected enough information and identified the weakest links in the security chain, they begin manual attacks. The weakest link, as illustrated in the above-mentioned Financial Times case, is typically an information system component that is not updated regularly with security patches and is therefore vulnerable to published exploits.
Other weak links are misconfigured components, for example those that disclose unnecessary information about software versions in error messages displayed to every user. To be effective, attacks have to be optimized and adapted to bypass security controls. Automated tools cannot adapt their attack scripts to sophisticated evasion techniques; hackers undoubtedly can. Ethical hackers, working in the "back office" of hybrid vulnerability scanners, apply the same evasion techniques when assessing the exploitability of target systems. This makes the exploitability estimates in reports from hybrid vulnerability scanners more accurate than those from automated scanners.
I have tested hybrid vulnerability solutions, such as ImmuniWeb; they offer custom-built scripts in their assessment reports in the form of exploit proofs of concept. These scripts are useful for information security teams to verify the likelihood of a risk materializing and to adapt mitigation controls. They can be applied after mitigation controls have been implemented to verify their effectiveness. These target-specific scripts were traditionally available only in dedicated ethical hacking and penetration testing projects.
Hybrid vulnerability assessment solutions enrich the arsenal of protection available to information security practitioners in this increasingly insecure cyberworld. With hybrid vulnerability scanners already available on the market, even those information systems identified as low risk can be included in regular vulnerability assessments. Consequently, organizational risk exposure would be measured more accurately and potential business impact further reduced. Indeed, the Financial Times intrusion would probably have been avoided if all of its blog systems had been systematically tested for security vulnerabilities.
Viktor Polic is adjunct faculty in information security and telecommunications at Webster University in Geneva and CISO at one of the UN's specialized agencies.