Where can I get information on unfixed security holes in an OS

Question

I have been assigned (as the youngest, hence the IT specialist, of the team [none of us have any IT background at all]) the task to check out our industrial computers.

It turns out the situation is dire, with key machines running stuff as old as Windows NT 4.0 or Windows Server 2003.

As always in this situation, is a question of buck for my bang, and no money is getting spend on upgrading if there is no added value.

In order to give an accurate recommendation, I'd like to find a list of security holes for a given OS, with, in an ideal world, an indication of damage and likelyhood, so I can build a damage probability matrix.

Answer 1

The National Institute of Standards and Technology (NIST) provides a very well maintained database of vulnerabilities.

You can find it here: https://nvd.nist.gov/vuln/search

Also in the recent past a lot of national Computer Emergency Response Teams (CERT) have been established, that provide these kind of information to interested people that are maybe not as - how shall I put this - "experienced" as others. Just google for "< your country here > + CERT". The german CERT for instance, has a great service called "Bürger CERT" that provides information about IT-security to the main street.

BUT - and this is very important - if you don't have any IT background at all, your machines run OS this old, I can tell you right now, that the likelihood of a risk occuring is preeeeetty high. If these are key machines, hire someone to do this and upgrade them ASAP.

Answer 2

Did you have a look at www.exploit-db.com ? Simply search for your OS name, it should already give you some information, fixed or not

Answer 3

Unless you are actually a OS security expert, knowing the exact holes has little value. What matters is that they are no longer maintained software. You must then assume that if an attacker can access those machines, he could easily get high priviledges and execute arbitrary code.

So the questions are:

• can these machines be reached from the outside?
• can these machines be reached by not allowed employees

If the answer to any of those question is yes, then the risk of compromission is serious. You can mitigate it either by upgrading to current versions of OS - and set up procedures to keep them current - or by removing those machines from any uncontrolled network. Here uncontrolled means just if anybody whose job is not to deal with the machine has a potential network access.

If the problem it to find money for the upgrades, the standard way is just to evaluate the cost if the machines go out of order - which is just the simplest compromission use case. That is something that managers normally do understand.

Answer 4

Sounds like you're in a somewhat sticky situation.

My first recommendation would be to enlist the help of someone with a technical background. In any case, however, a vulnerability scanner will help show you the true state of your critical infrastructure. It's fairly easy to set up an evaluation of Nessus or use OpenVAS (free) and perform credentialed scans of your machines. Using a vulnerability scanner will greatly reduce the amount of manual work you have to do researching which vulnerabilities affect what platform.

Obviously a best case scenario (and where every company should try to be) is to use a vulnerability scanner in tandem with continuous penetration testing to test your security controls.