Category Archives: Patching

Windows XP – Looming End of Life (E0L) – What are the risks ?

As I’m fairly sure that you may have gathered, Windows XP is going to go end of life very, very soon. 8th April this year (2014) in fact. This is proving to be a little bit of an issue for more than one organisation, many people have come to love Windows XP – and the old mantra of “if it ain’t broke, don’t fix it” has, until now – meant that there was little reason to move to Windows 7 or, even less to the poorly received Windows 8(.1). This has meant that, right now, across the world there are IT departments who are having a little bit of an issue – how to upgrade _all_ the machines in the organisation to Windows 7 as soon as is humanly possible. I have to say though that of the multiple organisations that I know of, not a single one is going to have finished their upgrade by the 8th …

So, realistically, where does this leave them in terms of risk ? I was actually asked this by a customer this morning – please quantify our risk. Well, I’m a big fan of statistics, not a great mathematician, but the concept definitely amuses me. So, thought I, what is the probability of there being a certain type of vulnerability this month. A quick Google didn’t throw up many sites with statistical data for XP patches, and I didn’t want to go through all of the Microsoft stuff myself, so I’ve borrowed the data from the excellent guys over at Secunia1. The following graph shows the vulnerability severities ( 356 in total over the last 10 years )2.

Criticality

This isn’t entirely helpful as these don’t map directly to the Microsoft Classifications ( Critical, Important, Moderate, Low ). Let’s make one or two assumptions here then – we’ll assign the top four Secunia categories to the equivalent Microsoft ones, and we are going to assume that the vulnerabilities were evenly distributed over the 10 year period ( 120 months ). So, 1% of the vulnerabilities is equivalent to 3.5 vulnerabilities ( roughly – it’s 3.56, and I know that I should round up, but this is all assumption anyhoo ! ) So, each of those segments above equates as follows:

  • Critical ( Extremely) – 4% or 14 vulnerabilities
  • Important ( Highly) – 38% or 133 vulnerabilities
  • Moderate (Moderately) – 24% or 84 vulnerabilities
  • Low (Less) – 28% or 98 vulnerabilities

If we continue with our assumption that these have been evenly distributed over the lifetime of XP ( 10 years/120 months) we can see that the percentage probability of a given criticality occurring in a given month is equivalent to the total number of (vulnerabilities / 120) * 100 which give us the following:

  • Critical – Approx 10%
  • Important – Approx 110% ( More than certain !)
  • Moderate – Approx 70%
  • Low – Approx 80%

Well, that’s not very good news – it would suggest that each month moving forward would increase the number of vulnerabilities by these amounts, so at the end of 1 year you’d expect to see, on average:

  • Critical – 1.4 vulnerabilities
  • Important – 13.3 vulnerabilities
  • Moderate – 8.4 vulnerabilities
  • Low – 9.8 vulnerabilities

Ok, that’s fine – but what we are actually interested in is the residual risk isn’t it – what are we left with after we have considered our controls & countermeasures – what mitigation is in place. Well, the following information gives us a bit of a better idea:

location

Using the base assumption of even distribution we get the following probabilities of it occurring in a single month:

  • Remotely exploitable – 180% ( Nearly two guaranteed to be remote exploits !)
  • Local Network – 50%
  • Local System – 60%

Or as above, that’s:

  • Remotely exploitable – 1.8 a month, or 21.7 a year
  • Local Network – 0.5 a month, or 6 a year
  • Local System – 0.6 a month, or 7.2 a year

You can keep going if you want to, the following graph shows the actual impacts:

impact

I’m not going to do that here, I don’t really think that it has much value. The point is that there is a distinct bias towards the first vulnerability being announced being an “Important, Remotely Exploitable” one.

So what ? Well, that’s interesting actually. Microsoft has given up patching XP, but that’s not the same thing as being left defenceless. Both Anti-Virus and Firewall technology for XP is going to continue being supported for some time – and if these countermeasures have been implemented, then there is a good chance that any given vulnerability will be completely mitigated by them – the trouble is, until the vulnerabilities are actually announced – you aren’t going to be able to tell how effective your controls will actually be – and you may need to do some fairly rapid reconfiguration of your firewalls &/or AV signatures to ensure that you are detecting and preventing those attacks.

Please don’t take that as permission to slack off in your upgrades, or even worse, decide that you can accept that risk – the best course of action is to upgrade to a patched and supported OS, however, the above at least has a stab3 at quantifying the level of the problems !

Just for the record by the way, I have confirmed with Microsoft that there will be patches for XP released on Tuesday the 8th April – these will be the last ever XP patches, but for those of you who have a monthly patching policy, you won’t actually breach your policy until the following month …


1. Guys, if you read this link, you should definitely bring back the free Vulnerability Alert mailings – but if you don’t a free subscription for plugging you would be welcome 😉

2. Ok, I realise that this is not 100% legitimate, there wouldn’t be an even distribution over the years, so this really is a generalisation. The distribution over the years actually looks like this …

distribution

If I had paid attention in University Mathematics lectures, I would remember how to do this more accurately, but I didn’t and I don’t…

3. You should look carefully at what your organisational risk appetite is, and also the full business impact of a vulnerability being exploited. Also, please remember that you may have obligations under other things (PCI/DSS for example) that you need to meet…

Five free ways to improve your security

Peer Review

Peer Review (Photo credit: AJC1)

We’re in recession, lest we forget – it isn’t like the press is going to let it slip from our minds – so money in a tight field is getting tighter. However, even for large businesses improving security need not cost the earth, or indeed anything at all ( apart from some time, and we must recall that time is equal to money ). To that end, I thought that I’d put down five very cost-effective and pragmatic ways to significantly improve your security.

1. Patching

Certainly at a desktop or server OS level, patches are mostly available for free. ( If you have devices, operating systems or applications that require a maintenance contract for patch updates – this isn’t quite for free, however let’s, for the time being assume that this cost is covered off already. ) Patching up to date ensures that, with the exception of those pesky “zero-day” problems, that your system is protected against known vulnerabilities. I’ve been to many, many organisations where patching is so out of date the measure is years – that’s seriously wrong. The excuse is often – “our application is so unstable we can’t” – let us think carefully about this statement and consider, under these circumstances what we should do about it … if and only if this is true and there is nothing that you can do to get the application maintained – then can it remain as is – however the device or server should be isolated behind other mitigations. ( So much so that if I am scanning your network in a vulnerability or penetration test – I don’t want to be able to see the patch level. )

2. Review your Firewall Rules

When was the last time you reviewed your firewall rules ? You’ve added some recently I’m willing to bet, but have you purged old entries ? Do you have a process for deleting rules when they are no longer needed ? Each “allow” rule is a doorway into your network – if it isn’t needed, lock the door. Incidentally, at this time it is wise to pre-empt the next point, is there supporting documentation surrounding your firewall ruleset ? At a minimum, you need to know what the rule is for in English, ( e.g. “allow port 80 tcp to 123.234.123.234 from 123.235.0.0” doesn’t tell me anything, “http website access to the stock server from the warehouse subnet” does. ) And who owns it ( John Smith from Warehouse Control ). That way, a review involves going through the list calling Bob and asking him if he still needs that rule.

3. Documentation

Review your docs – dry run through processes and procedures – do they still work ? Update them if not. Are there any documents that are clearly missing ? Write them. Review your policies, you are of course doing this annually anyway aren’t you, but IT moves faster than on a yearly basis, and I’m pretty sure that a mid-term review wouldn’t do you any harm – issue errata if you don’t want to actively change the policy at this stage – but keep the changes to hand for the updates and it will save time later. Check that your supporting documentation is up-to-date and relevant – such as your firewall rules above – if it isn’t in English, make a translation – you might know what it means, however if you get hit by the proverbial bus ( or get an offer you can’t refuse ) – then your successor will need to figure it out – the more uncertainty there is in that time the higher the risks of an incident – if you want an incentive a public breach that might be blamed on you after you’ve left ( “My predecessor left such a mess it was impossible to manage” ) might haunt you for a long time. It never ceases to amaze me how small this industry actually is.

4. Cull dead accounts

Like old firewall rules, old, unused accounts are opportunities to an external attacker. Hopefully you have a policy in place for removing accounts when an employee leaves, but it is still well worth going through and auditing. Look for test accounts, administrator accounts, contractor or supplier accounts and system accounts that wouldn’t be identified by a leavers process, and may well not have the same lockout or expiry controls. At the same time, have a quick check to make sure that all accounts have the correct settings – there are many tools and code available for walking AD or other directories to look for specific settings freely available on the net.

5. Educate a bit

I’m not talking about a huge CBT on security here – that’s hardly free. However writing and sending an e-mail to all staff is. Give some thought to what your major concerns and issues are, write a positive statement of ways to manage these risks ( one per e-mail, send a few ) and get it out there. Creating awareness, putting ideas into the heads of staff and giving them details of whom to contact with concerns or questions is going to reap long-term benefits that you can only imagine now. This is probably the largest return on investment that you can imagine – proactive staff will head off problems you have yet to conceive, and, given a voice, they’ll give you ideas and suggestions that will not only improve security, but could well make your business more profitable overall.

These are just five simple suggestions – you could extrapolate a little I’m sure to find a few other things that won’t cost a thing, but will improve your security ( here’s a clue – if you start with the word “review” or “audit” and follow with things like “running services”, “configurations” or “file/folder/group permissions” you’ll probably come up with another few ). It’s an interesting time to be in Security – budgets are down, but threats are up – pro-active low-cost work could be the difference between success and failure – these things really should be part of a security routine anyway – but we are so often firefighting or implementing the next new thing that we don’t get much of a chance – this breathing space might actually be what the doctor ordered …

Tagged , , , , , , ,