The second Tuesday of every month (“Patch Tuesday”) is a very busy day for information security warriors. They have to digest a flood of information from affected vendors (primarily Microsoft and Adobe) and then cross-check and correlate that against whatever their security vendors say. They have to take into account their actual environments, the assets and resources in them, and the users controlling those assets and resources. In the end they are supposed to come up with some quantitative measurement of their risk. Even assuming they fully understand the threats and their exposure to them, this can be a highly perplexing task. McAfee Labs wants to help.
The McAfee Risk Advisor Patch Tuesday Summary Reports
The McAfee Risk Advisor product provides a number of ways to easily visualize threats and the associated availability of detectors and countermeasures. We in McAfee Labs post product and countermeasure data in a variety of forms, and in a variety of places, on Patch Tuesday. We hope that our efforts with McAfee Risk Advisor will provide insight and guidance into how to interpret and digest some of these reports.
Today we will focus on our coverage report for the December releases from Microsoft, and we will define some of the terms used in the McAfee Risk Advisor reports that outline McAfee product coverage and countermeasures.
In the preceding table, we see an excerpt from the December Patch Tuesday Summary Report. Threat Name, Vendor Rating, and Attack Vector are pretty straightforward entries, but what of the others?
Depending on whom you ask, “exploited” can mean a variety of things. For our purposes, we mark a vulnerability as exploited when we know there to be either proof-of-concept exploit code or actual, in-the-wild exploitation. “In the wild” could mean malware targeting the vulnerability, or it could be a report of a targeted attack (the vulnerabilities associated with Aurora, for example).
This is a McAfee report, so we refer to McAfee countermeasures. This column indicates whether at the time the report was generated we have released content or countermeasures to protect users against possible exploitation for a given vulnerability (or whether the technologies provide protection “out of the box”). Specifically, McAfee Risk Advisor tracks the following McAfee technologies as countermeasures:
- AV (DATs and products that consume the McAfee antivirus DATs and Engine)
- MWG (McAfee Web Gateway)
- HIPS (Host Intrusion Prevention)
- HIPS features in VirusScan Enterprise (Generic Buffer Overflow Protection)
- McAfee Firewall Enterprise
- McAfee Application Control
- NIPS (McAfee Network Security Platform)
This column indicates the availability of a McAfee technology to detect the presence of a vulnerability in an environment or asset. McAfee Risk Advisor tracks the following McAfee technologies as detectors:
- McAfee Vulnerability Manager (Foundstone)
- McAfee Policy Auditor/NAC SCAP
Understanding how we break down these threats in our various reports can go a long way in helping one accurately assess risk.