As a recently demonstrated Windows exploit known as Hot Potato shows, companies that rely on vulnerability scanning as their primary tool for patch management and/or overall information security risk management may be giving themselves more of a false sense of security than anything else.

Many companies rely heavily or exclusively on automated vulnerability scans to identify and prioritize vulnerabilities for remediation. This prioritization often results in critical and high severity vulnerabilities, as reported by the scan tool, being fixed while reported medium and low severity vulnerabilities are allowed to persist. Scanning networks and fixing obvious critical vulnerabilities is a key part of any information security program, but relying on "scan and fix" as the primary method of protecting the network from attacks, rather than using it as a check-up tool, will result in enormous blind spots that remain exposed to attack.

Attacks have become more sophisticated and often rely on more of a stepping-stone approach to breaching networks. This approach strings together a series of lower severity vulnerabilities that are less likely to be patched in order to gain an initial foothold on the network, escalate privileges, and then get the "keys to the kingdom" that will be used to install persistent backdoors and steal sensitive data.

Attackers often get their initial foothold by exploiting vulnerabilities in client software like web browsers and document viewers through phishing attacks or malicious websites. Internet Explorer, Flash, Java, and Acrobat Reader regularly come up as the most exploited software packages as shown in NTT Com Security's Global Threat Intelligence Report. These "local" vulnerabilities will not be detected by a scan from a network perspective simply because scanning tools are typically configured to look only for vulnerabilities in network-facing services.

The process of escalating privilege once a basic user or service account has been compromised also tends to rely on local vulnerabilities or on the way that systems communicate with each other across the internal network. The Hot Potato exploit, demonstrated at the ShmooCon 2016 conference and based on an earlier exploit published by Google's security research team, shows a real-world example of how overlooked vulnerabilities can be strung together to attain higher privileges. The exploit relies on a series of separate vulnerabilities in Microsoft products which allow an attacker with a normal low-privilege account to gain "SYSTEM" privileges, the highest available in Windows.

The individual vulnerabilities involved in Hot Potato also show us another problem that arises when organizations rely solely on security patches to keep attackers out: the vulnerabilities that underlie the Hot Potato exploit have been publicly known for 15 years yet can still be exploited. Microsoft's response thus far indicates that they intend to leave Windows vulnerable by default due to backwards compatibility and ease-of-use concerns. This forces system administrators who are savvy enough to even know about these issues to choose between hardening the configurations of their systems and potentially breaking backwards compatibility with their older systems. It also leaves system administrators who aren't following the minutiae of Windows configuration hardening recommendations exposed and vulnerable.

Effectively protecting a network requires more than just scanning for vulnerabilities and applying patches to the most critical. At the most basic level, organizations should be supplementing their external network scans with internal scans that utilize credentials to check for local vulnerabilities and penetration tests that can demonstrate how a real attacker would string together multiple vulnerabilities in ways that scanning tools can’t.

Remediation in the aftermath of a scan or test should also focus on more than just what the scanning tool identifies as critical and high severity vulnerabilities. All vulnerabilities should be considered in the context of the potential consequences if they are exploited, including if they are exploited together in ways that scanning tools can’t predict. This may mean that certain low or medium severity vulnerabilities become a priority and that alternative remediation methods may need to be implemented for vulnerabilities that vendors refuse to patch.
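The stepping-stone argument above, and the point that remediation should weigh what a finding enables when chained rather than the scanner's severity label, can be made concrete with a small model. The following Python script is an added example, not part of the original post or of any scanning product: it models each finding by the access an attacker must already hold to use it and the access it grants, walks the chains an attacker could string together from no access, and then compares the exposure left behind by "fix critical/high only" with the exposure left after fixing the findings that actually complete a chain to SYSTEM. The findings, their severities and the access levels are constructed for the illustration.

```python
from dataclasses import dataclass

# Access levels on a single host, from least to most valuable to an attacker.
# (Constructed for this example; a real model would carry more levels.)
LEVELS = ["none", "user", "system"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


@dataclass(frozen=True)
class Finding:
    id: str
    scanner_severity: str  # severity label from the scan tool, or "unreported"
    requires: str          # access the attacker must already hold to exploit it
    grants: str            # access held after successful exploitation


# Constructed sample findings (not taken from any real scan).
SAMPLE_FINDINGS = [
    # remote code execution in a network-facing service: the scanner flags it
    Finding("NET-01", "critical", "none", "system"),
    # client-side bug reached through phishing; invisible to an uncredentialed
    # network scan, so it carries no scanner severity at all
    Finding("CLIENT-01", "unreported", "none", "user"),
    # local privilege escalation from a normal user to SYSTEM
    Finding("LOCAL-01", "medium", "user", "system"),
    # information disclosure that grants no new access by itself
    Finding("INFO-01", "low", "user", "user"),
]


def reachable_levels(findings, start="none"):
    """Fixed-point walk: every access level an attacker who starts at `start`
    can reach by chaining the given findings in any order."""
    reached = {start}
    changed = True
    while changed:
        changed = False
        for f in findings:
            if f.requires in reached and f.grants not in reached:
                reached.add(f.grants)
                changed = True
    return reached


def highest(levels):
    """The most valuable level in a set, by the LEVELS ordering."""
    return max(levels, key=RANK.__getitem__)


def chain_outcome(findings):
    """Map each finding id to the highest access an attacker ends with after
    using it as a step in a chain that begins with no access. None means the
    finding is either unreachable from outside or grants nothing new."""
    from_outside = reachable_levels(findings, "none")
    outcome = {}
    for f in findings:
        if f.requires not in from_outside or RANK[f.grants] <= RANK[f.requires]:
            outcome[f.id] = None
        else:
            outcome[f.id] = highest(reachable_levels(findings, f.grants))
    return outcome


def chain_priority(findings):
    """Remediation tier derived from the chain outcome, not the scanner label:
    P1 if the finding is part of a chain ending at SYSTEM, P2 if at user,
    P3 otherwise."""
    tiers = {"system": "P1", "user": "P2"}
    return {fid: tiers.get(lvl, "P3") for fid, lvl in chain_outcome(findings).items()}


def remaining_exposure(findings, fixed_ids):
    """Highest access an attacker can still reach from outside once the
    findings in `fixed_ids` have been remediated."""
    remaining = [f for f in findings if f.id not in fixed_ids]
    return highest(reachable_levels(remaining, "none"))


if __name__ == "__main__":
    for fid, tier in chain_priority(SAMPLE_FINDINGS).items():
        print(f"{fid}: chain priority {tier}")

    # "Scan and fix": remediate only what the scanner calls critical or high.
    scan_and_fix = {f.id for f in SAMPLE_FINDINGS if f.scanner_severity in ("critical", "high")}
    print("exposure after fixing critical/high only:", remaining_exposure(SAMPLE_FINDINGS, scan_and_fix))

    # Chain-aware: remediate everything that completes a path to SYSTEM.
    chain_p1 = {fid for fid, t in chain_priority(SAMPLE_FINDINGS).items() if t == "P1"}
    print("exposure after fixing chain P1 findings:", remaining_exposure(SAMPLE_FINDINGS, chain_p1))
```

With the constructed data, the medium-severity local escalation and the unreported client-side bug both land in P1 because together they reach SYSTEM, while fixing only the critical finding still leaves a complete path to SYSTEM. The `requires`/`grants` pairs are the part a real assessment has to supply; that is exactly the context a scanner report does not carry on its own.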

This brings us to one of the unfortunate truths of many companies’ approach to information security: they simply haven’t done the inventory and risk assessment activities that would help them decide which vulnerabilities should be a priority, instead using the much more rudimentary vulnerability scan as a substitute for a real information security management process. Risk assessments should be seen as the centerpiece of the core security decision-making process with vulnerability scans only being one among many inputs into that process. To do otherwise is inviting attackers to string together the vulnerabilities that have been sliding through below the radar.