Technical vulnerabilities are weaknesses in operating systems or software. Exploiting a vulnerability can allow an attacker (e.g. a hacker) or malicious code to increase their access privileges in order to perform malevolent acts.

It is therefore important to install security patches (software updates) as soon as possible to eliminate existing vulnerabilities.

For individuals, it is recommended to enable automatic installation of security patches wherever possible (e.g. in Windows). For other software, you can use a free tool (e.g. Secunia PSI) which checks for and installs the available updates on your computer. Furthermore, updates should also be installed on your other components (e.g. your Internet router).

For businesses, it is recommended to implement effective vulnerability management through guidelines and procedures that include the following actions:

  • Be informed of the new vulnerabilities that are discovered regularly (e.g. by subscribing to mailing lists or searching through vulnerability databases such as the NVD, the National Vulnerability Database).
  • Assess each vulnerability's criticality level according to different criteria (e.g. the CVSS v2 guide) in order to prioritize the patches which must be installed.
  • Use dissemination or automated deployment tools for patches (e.g. SMS).
  • Test the patches or the deployment methods on a small group of computers first, in order to reduce exposure to a faulty patch.
  • Maintain a log of the vulnerabilities and of the patches installed.
  • Validate that patches were installed through a software inventory (e.g. SCCM) or with vulnerability scanning software (e.g. Nessus or Secunia VIM).
  • Educate and train the team responsible for the vulnerability management tools and procedures.

Lastly, it is important to know that:

  • The vulnerabilities of popular software (e.g. Adobe Reader, Flash, QuickTime) are generally as important to correct as those of Windows.
  • An unsupported product (an old version) no longer receives security patches and is therefore usually vulnerable. For instance, Windows XP will no longer be supported by Microsoft as of April 2014.

To know which product versions are supported (i.e. for which the vendors still provide updates), you can consult Microsoft, Oracle or Adobe.

By Patrick Paradis, Information Security Advisor

View other references on vulnerability management:

– ISO/IEC 27002: section 12.8, Management of technical vulnerabilities
– NIST SP 800-40, Creating a Patch and Vulnerability Management Program
– Common Vulnerabilities and Exposures (CVE)