Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Verizon 2016 DBIR – Vulnerabilities and Malware

by Megan Daudelin
May 18, 2016

The Verizon Data Breach Investigation Report (DBIR), first published in 2008, is an annual publication that analyzes information security incidents from public and private organizations, with a focus on data breaches. Data breaches continue to have a major financial impact on organizations, as well as an impact on their reputations. Tenable Network Security offers dashboards and Assurance Report Cards (ARCs) that organizations can use to check themselves against the common threats described in the Verizon DBIR. As in previous years, the 2016 DBIR notes that a vast majority of all attacks fall into a few basic patterns. Throughout this and past years’ reports, best practices are noted for each pattern that can assist in thwarting the attacks. Some of the best practices can assist in thwarting multiple attack patterns. The Point-of-Sale Intrusions, Crimeware, and Insider Misuse patterns all mention aspects of the general best practice of eliminating exploitable vulnerabilities.

Risk mitigation efforts need to account for all the devices that connect to the network, which can include a great number and variety of devices. Having adequate scan policies, up-to-date software, and a consistent patch and remediation plan can help reduce the level of risk exposure for an organization. Organizations that do not monitor their risk exposure could be leaving their network vulnerable to attack, intrusion, or infection.

Based on the best practices described in the Verizon DBIR, the Vulnerabilities and Malware ARC assists organizations in improving their vulnerability remediation efforts. Systems and vulnerabilities are identified using a combination of active scans by Nessus and passive monitoring by the Nessus Network Monitor (NNM). NNM can detect hosts that may be missed by active scans, such as hosts that are only connected to the network intermittently. The included policy statements report on systems that have been recently scanned, unpatched vulnerabilities with patches over 30 days old, and systems running unsupported software. Additional policy statements report on various types of systems with exploitable vulnerabilities and detected intrusion events. Unpatched vulnerabilities, unsupported software, and exploitable vulnerabilities can leave a network exposed to malicious activity. Ensuring that systems are scanned regularly is key to monitoring and remediating the vulnerabilities on systems within a network in order to mitigate risk.

The information provided in this ARC provides a baseline to measure the effectiveness of an organization's risk assessment efforts and identifies whether the policies that are currently being enforced are effective. Policy statements can be customized as needed to meet organizational requirements.

This ARC is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Security Industry Trends.

The dashboard requirements are:

  • Tenable.sc 5.3.0
  • Nessus 8.5.1
  • LCE 6.0.0
  • NNM 5.9.0

Tenable's Tenable.sc Continuous View (CV) provides continuous network monitoring, vulnerability identification, risk reduction, and compliance monitoring. Tenable.sc is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. The Nessus Network Monitor (NNM) performs deep packet inspection to enable discovery and assessment of operating systems, network devices, hypervisors, databases, tablets, phones, web servers, cloud applications, and critical infrastructure. The Log Correlation Engine (LCE) performs deep log analysis and correlation to continuously discover and track systems, applications, cloud infrastructure, trust relationships, and vulnerabilities. By integrating with Nessus, NNM, and LCE, Tenable.sc CV’s continuous network monitoring is able to detect events and vulnerabilities across the enterprise.

The following policy statements are included in this ARC:

Less than 5% of systems have unpatched vulnerabilities where the remediating patch was published over 30 days ago: This policy statement displays the ratio of systems with unpatched vulnerabilities for which a patch was published over 30 days ago to all systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Vulnerabilities that remained unpatched for extended periods of time can lead to system compromise or exploitation. This policy statement will help to identify systems that have vulnerabilities with patches available for over 30 days. Unpatched vulnerabilities may be susceptible to exploitation and should be remediated quickly to improve security.

No systems have unpatched vulnerabilities where the remediating patch was published over 1 year ago: This policy statement displays the ratio of systems with unpatched vulnerabilities for which a patch was published over one year ago to all systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Vulnerabilities that remained unpatched for extended periods of time can lead to system compromise or exploitation. This policy statement will help to identify systems that have vulnerabilities with patches available for over one year. Unpatched vulnerabilities may be susceptible to exploitation and should be remediated quickly to improve security.

Less than 5% of critical vulnerabilities are exploitable by malware: This policy statement displays the ratio of critical vulnerabilities exploitable by malware to all vulnerabilities. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Critical vulnerabilities that are exploitable by malware can lead to system infection or network compromise. This policy statement helps to identify critical vulnerabilities that are susceptible to exploitation by malware. Critical vulnerabilities that are exploitable by malware should be remediated immediately to reduce the risk of compromise and infection.

Less than 15% of low, medium and high vulnerabilities are exploitable by malware: This policy statement displays the ratio of low, medium, and high severity vulnerabilities exploitable by malware to all vulnerabilities. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Vulnerabilities that are exploitable by malware can lead to system infection or network compromise. This policy statement helps to identify vulnerabilities of low, medium, and high severity that are susceptible to exploitation by malware. All vulnerabilities that are exploitable by malware should be remediated quickly to reduce the risk of compromise and infection.

Less than 5% of servers have exploitable vulnerabilities: This policy statement displays the ratio of vulnerabilities exploitable on servers to all vulnerabilities on servers. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Vulnerabilities that are exploitable on servers could lead to quicker network compromise. This policy statement helps to identify vulnerabilities that are susceptible to exploitation on servers. These vulnerabilities should be remediated immediately to reduce the risk of compromise and infection.

Less than 15% of clients have exploitable vulnerabilities: This policy statement displays the ratio of vulnerabilities exploitable on clients to all vulnerabilities on clients. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Vulnerabilities that are exploitable on clients can lead to system infection or network compromise. This policy statement helps to identify vulnerabilities that are susceptible to exploitation on clients. These vulnerabilities should be remediated immediately to reduce the risk of compromise and infection.

No Internet-facing systems have detected intrusion events: This policy statement displays the ratio of internet-facing systems on which intrusion activity has been detected to total internet-facing systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Intrusion events include password guessing, IDS events, and network sweeps, among other things. Intrusion events could indicate an ongoing attack or host compromise and should be investigated.

No systems are experiencing spikes in detected intrusion events: This policy statement displays the ratio of systems that are experiencing spikes in intrusion events to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Spikes in intrusion events can indicate system compromise, exploitation, or misconfiguration. This policy statement helps to identify any systems that may be compromised. Systems experiencing spikes in intrusion activity should be investigated.

Less than 5% of systems have malicious processes actively running: This policy statement displays the ratio of systems with malicious processes running to total systems. If the policy statement requirement is met, the result is displayed in green; otherwise, the result is displayed in red. Malicious processes can be indicative of infection, compromise, or misuse. This policy statement helps analysts identify systems that have malicious processes running. Systems running malicious processes should be investigated to determine legitimacy or necessary remediation measures.

 

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training