Simple defenses are sometimes the best

Evaluating the actual attacks in the wild can pinpoint a few simple security measures that can dramatically reduce the likelihood of a successful attack.

If companies had turned on a security measure known as data-execution protection in Windows systems, they would have been immune to 14 of the 19 attacks based on memory corruption vulnerabilities.

That's one of the data points that led security consultant Daniel Guido of iSec Partners to recommend that corporate defenders focus on the vulnerabilities exploited by current attacks, rather than attempting to give all vulnerabilities equal weight. In a presentation at last week's SOURCE Boston conference, Guido noted that there are some 8,000 vulnerabilities found every year, yet only 27 flaws were massively exploited by malicious software in 2009 and 2010.

That's because, similar to defenders, attackers like to be efficient and don't have unlimited time, Guido says.

"Attackers are better at certain things than they are at others -- they have capabilities that they exercise and they prefer certain tactics, they prefer certain techniques," he says. "If we can inform our defenses to focus on those capabilities, those tactics, and those techniques, then we can make much more effective defenses than just going from top to bottom and patching vulnerabilities from zero to 8,000 every year."

Guido analyzed the most popular exploit kits and malicious software and found that the attackers increasingly use exploitation techniques that first appeared in targeted attacks. Memory corruption vulnerabilities accounted for 19 of the vulnerabilities exploited by such kits, while 11 of the 15 exploit packs also targeted Java flaws.

The lesson, says Guido, is to focus on countermeasures that foil these attacks, rather than focus on compliance and patching every vulnerability. In fact, all the memory corruption vulnerabilities were in five targets: Microsoft's Internet Explorer, Mozilla's Firefox, Sun's Java, and Adobe's Flash and Acrobat Reader applications. Turning on data-execution protection (DEP) -- a technology that prevents attackers from writing code to memory and then executing it -- in those applications can prevent the majority of the flaws from being exploited.
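The paragraph above leaves the practical question open: how does a defender confirm that DEP actually covers the five applications Guido names? The script below is an added example written for this page, not code from the article or from iSec Partners; it reads the boot-time DEP policy that Windows exposes through `Win32_OperatingSystem` and then asks the documented `kernel32!GetProcessDEPPolicy` API whether selected running processes have DEP on. It assumes Windows Vista or later with PowerShell 3+, and the process names are illustrative choices matching the article's targets.

```powershell
# Added example, not from the article or from Guido's research: report the
# system-wide DEP policy and whether selected processes actually run with DEP.
# Assumes Windows Vista or later and PowerShell 3+. The process names below are
# illustrative (Flash and Java usually load inside the browser or plugin host).

# P/Invoke the documented Win32 API kernel32!GetProcessDEPPolicy.
$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(System.IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
'@
$kernel32 = Add-Type -MemberDefinition $signature -Name 'DepNative' -Namespace 'Win32' -PassThru

# Boot-time DEP policy as exposed by CIM:
# 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (client default: only Windows binaries and
# applications that opt in get DEP), 3 = OptOut (everything except listed exceptions).
$policyName = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
Write-Output ("System DEP policy: {0} ({1})" -f $policy, $policyName[$policy])
if ($policy -eq 2) {
    Write-Output "OptIn leaves third-party browsers, plug-ins and readers without DEP unless they opt in themselves."
    Write-Output "To cover them system-wide (reboot required):  bcdedit /set {current} nx OptOut"
}

# Per-process check. PROCESS_DEP_ENABLE = 0x1 in lpFlags; lpPermanent is true when the
# process can no longer turn DEP off. The call fails for 64-bit processes, which always
# run with DEP, and for processes the caller is not allowed to open.
$targets = 'iexplore', 'firefox', 'plugin-container', 'java', 'javaw', 'AcroRd32'
foreach ($proc in Get-Process -Name $targets -ErrorAction SilentlyContinue) {
    [uint32]$flags = 0
    [bool]$permanent = $false
    try {
        $ok = $kernel32::GetProcessDEPPolicy($proc.Handle, [ref]$flags, [ref]$permanent)
    } catch {
        $ok = $false   # reading .Handle throws for protected or other users' processes
    }
    if ($ok) {
        $enabled = (($flags -band 1) -ne 0)
        Write-Output ("{0,-16} PID {1,-6} DEP enabled: {2,-5} permanent: {3}" -f $proc.ProcessName, $proc.Id, $enabled, $permanent)
    } else {
        Write-Output ("{0,-16} PID {1,-6} not queryable (64-bit process, so DEP is always on, or access denied)" -f $proc.ProcessName, $proc.Id)
    }
}
```

Run it from an elevated PowerShell session so that other users' processes can be opened. A reported policy of OptIn is the common finding on client machines and is exactly the gap the article describes: the operating system's own binaries are protected while the browsers, plug-ins and readers that exploit kits target are not, unless the vendor opted in or the policy is widened to OptOut.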


"Everybody said you should apply DEP because it is a good thing to do, and that is not a great selling point," he says. "But now that we know what we are getting out of it, I can take this and sell it to my upper management."

Of course, DEP and other protections can be bypassed, but attackers focused on massive compromises are not attempting to circumvent the countermeasures, he says.

In the end, companies should use intelligence on attackers, whether through their own analysis of attack tools or through a security service provider, to determine their defensive focus, he says. The efforts should augment efforts to increase the overall security of the company and should be part of a defense-in-depth strategy, not a replacement, he says.

"I am not advocating just going to get a couple of vaccines and then stop washing your hands," Guido says. "You need to patch the vulnerabilities that are out there, but there are ways to go about it more effectively, to reorder your priorities, to look at different mitigations in the absence of patching, ... because there may be easier ways of dealing with things that are causing you pain."

Copyright © 2011 IDG Communications, Inc.
