Another "Patch Tuesday" has come and gone, with a long list of Microsoft security patches. One of the tasks I reserve for myself is assessing each patch's importance when viewed from within the context of our organization's security controls framework. In other words, is a critical patch really critical for the devices my team protects?
One of the most important measures used to answer this question is information exploitability. How easy is it to access sensitive data using the unpatched vulnerability? In this post, I walk through the process I use to answer that question.
Risk vs. exploitability
There is a clear difference between risk and exploitability. Exploitability is a measure of vulnerability. Added to threat assessments and annual rate of occurrence information, exploitability contributes to a measure of probability of occurrence.
Probability of occurrence is part of the venerable risk formula (Risk=Threat * Vulnerability * Business Impact), with (Threat * Vulnerability) defining probability of occurrence. But when measuring information exploitability, probability of occurrence calculations require us to drill down into the vulnerability factor, looking at the components that comprise vulnerability mitigation. The result is a measure of how well our data is protected.
Determining exploitability levels
Data exploitability levels are determined by four measures: accessibility, significance, copyability, and detectability (Heiser, 2007).
Accessibility is the ease with which data is accessed. It is a big factor in whether a vulnerability is a significant leakage concern. Data that is easily retrieved, manipulated, and stored in low-trust repositories is an excellent target for cybercriminals. Methods of access to the data include:
- Enterprise search solutions
- Data warehouses
- Read-only direct database access for query functionality
- Access via other business intelligence systems
Significance is the value of the data to an outside party. Data with no value puts the business at no risk if improperly accessed or modified. As the value of information to an outside entity increases, so does the probability that a criminal will apply the effort necessary to acquire it. The attractiveness of information to an outsider depends on several things, including:
- How easy it is to sell and its market value
- Whether it provides the attacker, or the attacker's employer, with competitive advantage
- Whether the information has social or political significance that can be leveraged to advance an agenda
Copyability is a no-brainer; the easier it is to copy data, the harder it is to protect.
Detectability is the measure of an organization's ability to monitor for and react to anomalous use or movement of data. It further gauges the extent to which users, and black hats, are aware that the data is being monitored.
Putting it together
The following formula depicts the relationships between these four components.
The formula is something I created to help my analysts understand how exploitability is measured and mitigated. Note that detectability is a key element in controls design. In this context, it includes both extrusion/intrusion detection and response.
Using exploitability to assess patch importance
When Microsoft and other vendors release patches, they rate each in terms of general risk. Microsoft's rating system, for example, usually results in a mix of Important or Critical patches each month. However, each organization's controls framework is unique. Patch importance is further affected by the strength of data access and usage policies and how well compliance is enforced.
A patch Microsoft classifies as Critical might fall to Low in my Low/Medium/High rating system when exploitability is combined with other factors, including the basics:
- Network segmentation
- Firewall placement and configuration
- IDS/IPS placement and configuration (both network and endpoint)
- Measurable employee awareness
- Application of appropriate server and end-user device security templates
- System redundancy
- Application versions and configurations
- Database versions and configurations
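As an added illustration (my own, not the post's formula and not Heiser's), here is a small Python model that scores the four components and shows how a vendor-Critical patch can land at Low in a local Low/Medium/High scheme once the data it exposes is well protected. The way the components combine, the 1-to-5 scale, the 10% discount per basic control, and the rating thresholds are all assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataExposure:
    """Analyst scores, each 1 (low) to 5 (high), for the data a patched system exposes."""
    accessibility: int   # ease of reaching the data (search, warehouse, BI, direct DB access)
    significance: int    # value to an outsider (resale value, competitive or political leverage)
    copyability: int     # ease of copying the data out once reached
    detectability: int   # ability to spot and react to anomalous use or movement

def exploitability(d: DataExposure) -> float:
    """Assumed relation, not the post's own formula: accessibility, significance and
    copyability compound, and detectability divides the product down (range 0.2..125)."""
    for v in (d.accessibility, d.significance, d.copyability, d.detectability):
        if not 1 <= v <= 5:
            raise ValueError("component scores must be between 1 and 5")
    return d.accessibility * d.significance * d.copyability / d.detectability

# Microsoft's severity scale, weighted so a Critical patch starts out higher.
VENDOR_WEIGHT = {"Low": 1, "Moderate": 2, "Important": 3, "Critical": 4}
BASIC_CONTROLS = 8   # segmentation, firewalls, IDS/IPS, awareness, templates, redundancy, app/DB config

def patch_score(vendor_severity: str, d: DataExposure, controls_in_place: int) -> float:
    """Vendor rating scaled by exploitability of the exposed data, then discounted
    10% for each of the eight basic controls verified in place (assumed weighting)."""
    if not 0 <= controls_in_place <= BASIC_CONTROLS:
        raise ValueError("controls_in_place must be between 0 and 8")
    return VENDOR_WEIGHT[vendor_severity] * exploitability(d) * (1 - controls_in_place / 10)

def local_rating(vendor_severity: str, d: DataExposure, controls_in_place: int) -> str:
    """Map the score onto a Low/Medium/High scale (assumed thresholds)."""
    s = patch_score(vendor_severity, d, controls_in_place)
    return "Low" if s < 10 else "Medium" if s < 40 else "High"

def prioritize(patches):
    """patches: iterable of (name, vendor_severity, DataExposure, controls_in_place).
    Returns (name, rating) pairs ordered by local score, highest first."""
    scored = [(patch_score(sev, d, c), name, local_rating(sev, d, c)) for name, sev, d, c in patches]
    return [(name, rating) for _, name, rating in sorted(scored, reverse=True)]

if __name__ == "__main__":
    # Constructed sample: the same vendor-Critical patch on a well-controlled workstation
    # segment versus a data warehouse with weak monitoring, plus an Important patch.
    month = [
        ("KB-A (Critical)", "Critical", DataExposure(2, 2, 2, 4), 6),
        ("KB-B (Critical)", "Critical", DataExposure(5, 4, 5, 1), 2),
        ("KB-C (Important)", "Important", DataExposure(3, 3, 3, 2), 4),
    ]
    for name, rating in prioritize(month):
        print(f"{name}: local rating {rating}")
```

The point of the sample is the ordering, not the exact numbers: the identical Critical patch scores Low where the exposed data is hard to reach and monitored, and High where it sits in a warehouse with little detection.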
The final word
Patching is an important part of a security program. When and whether to apply patches, however, depends on how much risk the vulnerabilities actually present to your business. It's possible that the time you'd spend testing a patch, applying it, and then dealing with potential issues might be better spent working on other security challenges: ones that put your business, customers, employees, and investors at greater risk.
Heiser, J. (2007, August). Understanding data leakage. Gartner Research, Research Article #G00149979. Retrieved October 25, 2007 from http://www.gartner.com/
Tom is a security researcher for the InfoSec Institute and an IT professional with over 30 years of experience. He has written three books, Just Enough Security, Microsoft Virtualization, and Enterprise Security: A Practitioner's Guide (to be published in Q1/2013). Before joining the private sector, he served 10 years in the United States Army Military Police with four years as a military police investigator. He has an MBA and CISSP certification. He is also an online instructor for the University of Phoenix.