Since every machine connected to the Internet requires security patches, there is a window of time in which those updates have been released and those machines haven't yet been patched.

It is common practice to assume that if you apply the patch "quick enough" you're safe; however, the longer this window is (2 months, 6 months, 1 year), the more the assumption may become "it's probably already been hacked".

This is a very subjective evaluation of a server's security that I'd like to put into a structure of some type.

Question

Assuming nothing out of the ordinary is occurring with the server, at what point should the server be considered compromised? (e.g. an IIS patch that went unpatched for N days)

How large should N be?

What other things should be considered?

makerofthings7
  • *"It is common practice to assume if you do the patch "quick enough" you're safe"* - Careful there. I doubt most IT Security professionals would describe it that way. If that kind of language is common practice among your community it might be time for some education. Would you like to edit the question to avoid such dubious premises? – D.W. Mar 19 '15 at 20:58
  • *"Assuming nothing out of the ordinary is occurring with the server, at what point should the server be considered compromised?"* - This question is not objectively answerable. You seem to be implicitly assuming it is a black-and-white question. However, this is not black-and-white: it is a matter of risk, which means it is about shades of grey. The risk that the machine is compromised probably increases the longer you run without patching known vulnerabilities, but that doesn't mean there's some threshold where before the threshold you're good and after the threshold you're hosed. – D.W. Mar 19 '15 at 20:59

1 Answer

"Average length of time that an announced vulnerability has widespread exploitation", T

"Attractiveness of server as a target", A, on a qualitative scale of 1-5 (higher number representing more attractiveness).

"Ease of exploitation", E, using the CVE score as a basis of common comparison

(T / A) × E = N

Considering that T is now considered to be measured in days (page 1-2), N can be very short, indeed.

That is why mitigation techniques are important, where AV and IDS vendors are faster at implementing detection for announced exploits than Operators are at patching them.

EDIT:

I thought I was employing a variation on standard InfoSec Risk Formulas, and so I thought I would propose the above as a springboard for discussion. But, I am also happy to dig through my material to provide references to where the above framework comes from and my justifications for modifying them.

First: Dillard, K., Pfost J., The Security Risk Management Guide, Microsoft Press, 2004

Second: Munteanu, A., Information Security Risk Assessment: The Qualitative Versus Quantitative Dilemma, Managing Information in the Digital Economy: Issues & Solutions 227

Dillard proposes the following formula to calculate the Threat Frequency Level: TFL = TP × (C / E)

Where:
  • TP = Threat Probability
  • C = Criticality of attack
  • E = Effort to exploit

Munteanu criticizes Dillard’s approach, saying that it does not include a time element, specifically the "average time period for releasing technical procedures to reduce or accept threat”, which Munteanu calls one of the variables of Exposure Time. Exposure Time seems directly relevant to the OP’s question regarding “time to patch”. As TFL is a qualitative factor, and time is a quantitative factor that needs to be a direct relationship, a multiplicative approach seemed appropriate.

So, using a combination of Dillard’s original formula and Munteanu’s proposed modification to calculate a Threat Frequency Level based on historical time to patch, we arrive at:

TFLp = TP × (C / E) × ET

By taking the same model, which calculates the TFL based on patching (using historic data on the time to patch), but replacing the time variable with the average time for widespread exploitation (WE), we can calculate the TFL for exploitation:

TFLe = TP × (C / E) × WE

How then does this apply to my hastily written original formula? First, we can equate my “Attractiveness” scale to Dillard’s “Threat Probability”. Probability is measured as a ratio (a number from 0 to 1). To properly represent the relationship if we changed TP to a scale from 1 to 5, we would have to change it from direct to inverse, so:

TFLe = (C / E) × WE / A

Second, Dillard’s “Effort” (E) is the inverse of my “Ease” (E), so that relationship, too, needs to change:

TFLe = C × E × (WE / A)

Accepting that Dillard’s WE is synonymous with my T, and that “Criticality” is not a concern of the OP:

TFLe = E × (T / A)

Which looks suspiciously like my original formula...

Is my original formula mathematically exactly similar to the Dillard/Munteanu formulas? No, of course not. But I think mine serves as a useful simplification of the general concepts.

schroeder
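The formulas in the answer above, carried through in code as an added example (this is not schroeder's code, and all input values are constructed). It implements the original N = (T / A) × E, Dillard's TFL and its Munteanu-style time extension, and checks numerically that the three substitutions the answer makes (TP → 1/A, effort → 1/ease, C dropped) reduce the Dillard/Munteanu form to the answer's simplified formula. The `days_unpatched` and `exposure_ratio` helpers are assumptions added here to connect N back to the OP's "unpatched for N days" question; they report a continuous ratio rather than a pass/fail threshold, in line with the comments on the question.

```python
"""Worked example of the risk formulas discussed in the answer.
Added example, not code from the original post; all sample values are constructed.
"""
from datetime import date


def n_days(T: float, A: int, E: float) -> float:
    """The answer's simplified formula: N = (T / A) x E.

    T: average days from vulnerability announcement to widespread exploitation
    A: attractiveness of the server as a target, qualitative 1..5 (5 = most attractive)
    E: ease of exploitation, using the CVSS base score (0..10) as the common scale
    """
    if not 1 <= A <= 5:
        raise ValueError("A must be on the 1..5 attractiveness scale")
    if not 0.0 <= E <= 10.0:
        raise ValueError("E uses the 0..10 CVSS base score range")
    return (T / A) * E


def tfl_dillard(TP: float, C: float, effort: float) -> float:
    """Dillard's Threat Frequency Level: TFL = TP x (C / E).
    Here E is *effort* to exploit (larger = harder), as in Dillard."""
    return TP * (C / effort)


def tfl_exploitation(TP: float, C: float, effort: float, WE: float) -> float:
    """Munteanu's time element applied to exploitation: TFLe = TP x (C / E) x WE,
    with WE the average time to widespread exploitation."""
    return tfl_dillard(TP, C, effort) * WE


def tfl_reduced(A: int, ease: float, T: float) -> float:
    """The answer's reduced form TFLe = E x (T / A), after substituting
    TP -> 1/A (1..5 scale is inverse to probability), effort -> 1/ease, and dropping C."""
    return ease * (T / A)


def reduction_matches(A: int, ease: float, T: float) -> bool:
    """Numerically confirm that feeding the substitutions into the Dillard/Munteanu
    form gives the reduced formula (C = 1 because criticality is ignored, as in the answer)."""
    full = tfl_exploitation(TP=1.0 / A, C=1.0, effort=1.0 / ease, WE=T)
    return abs(full - tfl_reduced(A, ease, T)) < 1e-9


def days_unpatched(patch_released: date, today: date) -> int:
    """Assumed helper: whole days a patch has been available but not applied."""
    return (today - patch_released).days


def exposure_ratio(days: int, N: float) -> float:
    """Assumed helper: days unpatched divided by the estimated N.
    Values well above 1.0 mean the box has sat unpatched far longer than the
    estimated time to widespread exploitation; it is a shade-of-grey indicator,
    not a compromised/not-compromised switch."""
    if N <= 0:
        raise ValueError("N must be positive")
    return days / N


if __name__ == "__main__":
    # Constructed inputs: 14 days to widespread exploitation, a moderately
    # attractive server, and a CVSS base score of 7.5.
    T, A, E = 14.0, 3, 7.5
    N = n_days(T, A, E)
    print(f"N = {N:.1f} days")
    print("reduction consistent:", reduction_matches(A, E, T))
    d = days_unpatched(date(2015, 1, 1), date(2015, 3, 19))  # constructed dates
    print(f"unpatched {d} days, exposure ratio {exposure_ratio(d, N):.2f}")
```

A higher attractiveness A shrinks N, so the same CVSS score yields a shorter estimated window on a more attractive server; the ratio printed at the end is the quantity the OP is really asking about, expressed without pretending there is a single cut-off day.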