Types of Vulnerabilities
- Flaws in software or protocol design
- Weaknesses in how designs are implemented
- Weaknesses in how end products are configured
Noted Events over the last decade of progress
- Although we are now more aware of the problems that lead to software vulnerabilities, it has become evident that the more complex systems and programs get, the more susceptible they become to malicious attacks.
- Over the last 10 years, the number of vulnerabilities reported has slowly increased. (Observation made April 2008, cert.org/stats)
- An unpatched system will last roughly 19 minutes once connected to the internet before being compromised in some fashion.
Problem Issues related to Vulnerability Management
- Maintaining Awareness
  - Ignorance of these types of problems is quite possibly one of the largest contributing factors to their success. A large proportion of the systems infected by the Slammer worm in 2001 could have been patched against it, because Microsoft had released a patch 5 months earlier.
  - Users' expectation that something just works out of the box, without any safeguards, is a fool's mistake. Even when companies like Dell add virus protection, these attempts are more of a business selling technique, and the packages sold to you often expire after demo periods or are not worth the hard disk space they take up.
  - Due to user ignorance, problems which have simple solutions continue to plague the community years after the solution has been found.
- Handling the Workload
  - Patching the systems is a considerable additional workload for:
    - The system admin of the network (e.g. a school or university, or large business)
    - The end user, who has to take time out of their day to perform the patches
  - Tools exist to assist with this:
    - Microsoft Systems Update Server
    - Antivirus Control Servers
      - e.g. AVG Business & Kaspersky Lab
- Responding Quickly Enough
  - Just because a patch exists for an identified vulnerability does not necessarily mean that the system administrator will patch the systems in time, before they become infected.
  - Even with the MS update service enabled, this is only a weekly update (Tuesdays).
  - As malware becomes more proficient at spreading itself, the time a system administrator has to be informed and then patch the system is ever decreasing!
- Informing Attackers
  - Organisations that produce large software packages, such as Microsoft, are often informed of vulnerabilities in their software by outside entities.
  - Unfortunately, these outside entities often inform the general community of the threat at the same time, and that community includes malicious code developers.
  - Some official organisations, such as CERT, withhold public announcements of vulnerabilities until the vendor has had sufficient time to develop a counter-measure.
- Reliability of Patches
  - Inevitably, the patches for vulnerabilities are brought to you by the very same people who developed the vulnerable software in the first place; hence there is a good chance that a patch which solves one problem may cause more.
    - Often due to insufficient testing
