I was recently putting together material for a recurring vulnerability management meeting with one of our clients. This involves comparing authenticated scanning results from one scanning period to the next in an effort to determine progress in addressing high-risk vulnerabilities; particularly, missing Microsoft, Adobe and Java patches, as vulnerabilities in these products are generally considered of highest risk for client-side exploitation by malware, directed attacks via phishing, etc.

In previous meetings, this client had several instances where they were missing a patch related to Microsoft Security Bulletin MS14-058, which was released on October 14, 2014. This is a vulnerability with the highest severity rating given by Microsoft – ‘Critical’ – in which an attacker could perform remote code execution by exploiting a vulnerability in the kernel-mode driver¹. In compiling data for today’s meeting, I found their active vulnerability count for MS14-058 had dropped significantly. This is to be expected as MS14-058 was superseded by Microsoft Security Bulletin MS14-079 on November 11 addressing a denial of service vulnerability in the very same kernel-mode driver². However, MS14-079 was nowhere to be found within the new list of active high-risk vulnerabilities. This puzzled me as I had assumed that when a patch with a ‘Critical’ rating was superseded, the superseding patch should logically also be rated as ‘Critical’. In this case, MS14-079 is actually rated as a ‘Moderate’ risk by Microsoft, which is the third highest severity rating (behind ‘Critical’ and ‘Important’) Microsoft gives its security bulletins.

The above situation got me thinking. What if an organization had a patch management process in which it did not immediately patch vulnerabilities due to lack of manpower, pre-patch testing and usability requirements, or simply a lack of urgency? What if an organization only deployed patches (whether through a patch management system or manual patching) with a ‘Critical’ or ‘Important’ rating, but accepted the risk and allowed ‘Moderate’ and ‘Low’ issues to go unpatched? Is it possible a ‘Critical’-rated patch could be superseded by a lower-risk patch before the ‘Critical’-rated issue could be addressed? If so, this would mask the fact that the organization had an unpatched ‘Critical’-rated vulnerability on their network and greatly increase their risk.

Imagine the following scenario: An organization has a quarterly patching process in which only those Microsoft patches rated ‘Critical’ and ‘Important’ are applied on the 1st day of each quarter. On October 1, the organization applies all known patches. On October 14, ‘Patch Tuesday’ arrives and, among other ‘Critical’ patches, MS14-058 is released. Since the next patching cycle is not until January 1, these patches are not applied. November’s Patch Tuesday arrives and MS14-058 is superseded by MS14-079. However, MS14-079 is rated ‘Moderate’. When January 1 arrives and the organization goes to apply all of their ‘Critical’ and ‘Important’ patches, MS14-079 is not included. Because MS14-079 has replaced it in the update catalog, this also means that MS14-058 is not included. The organization now thinks it has patched all of its ‘Critical’ vulnerabilities and reduced its risk; unfortunately, because of Microsoft’s current superseding mechanism, the organization still has a ‘Critical’ vulnerability on every Microsoft system across their network, leaving them at risk for exploitation.

I decided to test this theory for myself. Since I was up to date on patches on my Windows 7 image as of this morning, I uninstalled MS14-079, rebooted my machine, then ran Windows Update. The following is a screenshot of what I saw: 

[Screenshot: Windows Update after removing MS14-079 (KB3002885)]

Obviously, since I removed MS14-079 (KB3002885), it now shows I am missing this patch.

Note: The fact that it shows up in Windows Update as ‘Important’, but the KB article calls it ‘Moderate’ shows a bit of inconsistency on Microsoft’s part. Different patch management systems may handle these designations differently.

I then uninstalled MS14-058 (KB3000061):

[Screenshot: uninstalling MS14-058 (KB3000061)]

After again rebooting the system and running Windows Update, my theory proved to be true. I am shown that I am missing the ‘Moderate’-risk MS14-079, completely masking the fact I am also missing a ‘Critical’ update in MS14-058:

[Screenshot: Windows Update listing only MS14-079]

I also took a look at how Windows Server Update Services (WSUS) handles this superseding situation. Once again, it only shows I am missing a ‘Moderate’ risk update and that I should manually “verify…the superseding update first.”

[Screenshot: WSUS view of the superseding update]

Although MS14-079 is of ‘Moderate’ risk, that is only true if you have already patched for MS14-058. I have posed this question to Microsoft on their Facebook page and am awaiting an answer. Bottom line: Microsoft needs a mechanism within its patch rating and Windows Update systems that determines whether any superseded patches have not been applied and upgrades the rating of the superseding bulletin accordingly. An even better solution would be a policy under which a patch can only supersede another patch of equal or lesser risk rating; otherwise, a new, non-superseding patch should be released. I will update this post if and when I hear back from Microsoft – stay tuned!
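To show what the “upgrade the rating” mechanism above would look like, and why the quarterly ‘Critical’/‘Important’-only policy in the scenario misses MS14-058, here is an added Python model (my own illustration, not anything from Microsoft or Windows Update). It walks the supersedence chain of an offered update and takes the highest rating of any bulletin in that chain whose KB is still missing; the catalogue is constructed from the two bulletins and KB numbers mentioned in this post.

```python
"""Effective severity of a superseding Microsoft update (added illustration).

MS14-058 (Critical, KB3000061) is superseded by MS14-079 (Moderate, KB3002885).
A policy that deploys only Critical/Important updates skips MS14-079 and so
never closes MS14-058.  Walking the supersedence chain and taking the highest
rating of any bulletin still missing restores the true risk.
"""
from __future__ import annotations

SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}

# Constructed catalogue: bulletin -> (KB, Microsoft rating, bulletin it supersedes).
# The two entries use the KBs and ratings quoted in the post; it is not a real feed.
BULLETINS = {
    "MS14-058": {"kb": "KB3000061", "severity": "Critical", "supersedes": None},
    "MS14-079": {"kb": "KB3002885", "severity": "Moderate", "supersedes": "MS14-058"},
}


def supersedence_chain(bulletin: str) -> list[str]:
    """The bulletin followed by every older bulletin it transitively supersedes."""
    chain, seen = [], set()
    while bulletin and bulletin not in seen:  # 'seen' guards against a malformed cycle
        seen.add(bulletin)
        chain.append(bulletin)
        bulletin = BULLETINS[bulletin]["supersedes"]
    return chain


def effective_severity(bulletin: str, installed_kbs: set[str]) -> str | None:
    """Highest rating in the chain among bulletins whose KB is NOT installed; None if fully patched."""
    missing = [b for b in supersedence_chain(bulletin) if BULLETINS[b]["kb"] not in installed_kbs]
    if not missing:
        return None
    return max((BULLETINS[b]["severity"] for b in missing), key=SEVERITY_RANK.__getitem__)


def updates_to_deploy(installed_kbs: set[str], min_rating: str = "Important",
                      use_effective: bool = True) -> list[str]:
    """Bulletins a 'min_rating or higher' policy deploys, with or without the chain walk."""
    superseded = {b["supersedes"] for b in BULLETINS.values() if b["supersedes"]}
    chosen = []
    for name, info in BULLETINS.items():
        # Like Windows Update, only the newest not-yet-installed bulletin is offered.
        if name in superseded or info["kb"] in installed_kbs:
            continue
        rating = effective_severity(name, installed_kbs) if use_effective else info["severity"]
        if SEVERITY_RANK[rating] >= SEVERITY_RANK[min_rating]:
            chosen.append(name)
    return chosen
```

With neither KB installed, the naive policy deploys nothing, while the chain-aware rating lifts MS14-079 to ‘Critical’ and deploys it; with KB3000061 already installed, MS14-079 correctly stays ‘Moderate’.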

____________________________________

¹ “Microsoft Security Bulletin MS14-058”
² “Microsoft Security Bulletin MS14-079”