written by Chris Griesemer
We have performed vulnerability exams for banks for the past 11 years. What are vulnerability exams? I’m glad you asked that question. Basically we use special software to scan all nodes (computers, firewalls, servers, printers, etc.) for vulnerabilities on a network. An example of an especially high risk vulnerability might include a patch not being installed on a computer, passwords less than 8 characters or default administrator usernames still being used.
Patch management has always been one of the highest risks to a network. Remember when Microsoft first came out with XP, it seemed like there was a new patch update released almost daily. As time has gone on, XP has become a secure operating system.
XP has actually become so secure that hackers have taken their focus off of the operating system and started targeting third party software. The two major players in third party software are Adobe and Java. Let’s look at Java for a second. As of today, the current version of Java is 1.6.0 23 (which translates to version 6 update 23). Let’s say you have Java version 1.6.0 21. By not upgrading to the latest version, you would have a possible 29 vulnerabilities on your computer.
If you had version 1.6.0 05 you would have a possible 100 vulnerabilities on your computer. Now let’s say you have 10 computers on your network, even if you had version 1.6.0 21 you would still have 290 vulnerabilities on your network, and I haven’t even talked about Adobe yet. What stands out to me, is that by not updating to the latest version, you would have a possible 290 ways for a hacker to compromise data on your network.
Alright, enough about Java. With Adobe the problem you run into is it isn’t just one program. Most users have at least Adobe Reader and Adobe Flash on their computer. If you are not on the latest version of Flash and Reader, you can count on around 50 vulnerabilities per computer. Again, if you have 10 computers on your network, that is 500 Adobe vulnerabilities. If you couple that with Java, you have a total of 790 vulnerabilities on your network.
So what needs to be done to decrease this number of vulnerabilities?
- Train employee’s how to update these software program
- Have a network administrator update each computer
- Install patch management software like shavlik
If you have any questions, feel free to email or call me.
By Chris Griesemer, IT Security Specialist