5 Tips For Effective Vulnerability Management
by Robert Bond
Vulnerability Management Best Practices
Vulnerability Management, and especially the critical process of strategic patch management, has placed massive demands on organizations because of the high number of software vulnerabilities, the speed at which hackers take advantage of those vulnerabilities, and the complexity of corporate data centers.
Risk of not Having Vulnerability Management in Place
The Equifax breach is one of countless high-profile attacks that were ultimately caused by one or more known software vulnerabilities. The impact of these cyberattacks has become a nightmare for organizations due to the dramatic loss in equity, damage to the brand, loss of customer trust, and, increasingly, costly litigation and fines. For example, the seemingly small software flaw behind the Equifax breach evolved into one of the most traumatic events in the company’s history, resulting in a share price drop of over 33% in the days after the breach was made public.
Software vulnerabilities are typically the gaps in information security defenses that attackers have exploited, and are increasingly exploiting, to compromise systems and move an attack from low-value assets to high-value assets. Vulnerabilities are typically errors in software code that allow attackers to inject malware into a system to start the attack. This is a wide definition, but in the context of cybersecurity threats it is usually applied to problems in a product. A simple example would be a browser plugin with a remote memory corruption flaw that can be exploited by a hacker.
The extent of the problems caused by vulnerabilities is staggering. Major changes to the enterprise IT environment, such as cloud computing, big data, and the Internet of Things (IoT), are making the job of vulnerability hunting increasingly difficult, as security teams are chasing an ever-growing list of technologies and software as well as an exploding amount of sensitive customer and employee data. This leaves the enterprise susceptible to cyberattacks with serious repercussions.
To quantify these issues, let’s look at how cybersecurity touched the world last year. The Online Trust Alliance (OTA), in a recent report, found that cybersecurity incidents doubled in 2017. The same report also pointed out that fairly simple cyber hygiene, patch management, and security best practices could have helped mitigate many of the attacks.
As we have already mentioned, vulnerabilities play a large role in these statistics. Some of the worst Common Vulnerabilities and Exposures (CVEs) to come out of 2017 included the Apache Struts vulnerability behind the Equifax attack, a flaw that allowed the REST plugin of the Apache Struts framework to be exploited. Others included the infamous KRACK vulnerability, which allowed the Wi-Fi security protocol WPA2 to be exploited, as well as a 17-year-old flaw in Microsoft Office. In fact, during 2017 there were a total of 14,712 known vulnerabilities. This forces the average organization to change its process from systematic patching, for example every two weeks or monthly, to risk-based patching, where critical vulnerabilities are defined by a vulnerability score, with the priority of the asset and the likelihood of the organization being targeted as further elements in the risk assessment.
As we move into 2018, it appears that this trend is continuing in the scope, complexity, and damage of attacks due to poor vulnerability management practices. One of the latest examples is the Panerabread.com attack, with potentially several million customer records, including payment card details, exposed. To ensure that organizations remain operating effectively and can maintain a secure environment, the discipline of Vulnerability Management needs to become a priority; not only for the information security team, but clearly also for the viability of the organization as a whole.
Best Practices to Follow
Using Vulnerability Management as a Holistic Exercise in Cybersecurity Threat Mitigation
Vulnerability Management is a multi-stage process which, if performed correctly, allows organizations to identify and evaluate vulnerabilities before hackers can find and exploit them. It gives an organization the knowledge needed to mitigate security risks in a complex cybersecurity threat landscape. The creation of a Vulnerability Management program should, ideally, be seen as a fundamental part of the security strategy of a business and include a security patch management process.
Security Standards and Vulnerability Management
There are a number of standards and organizations that can help you understand what this type of program entails.
NIST, for example, has published guidance on what a Vulnerability Management program should encompass, and the ISO 27001 standard has a number of areas that focus on vulnerability management and assessment. Designing and carrying out an effective Vulnerability Management program can be demanding, but it is clearly a worthwhile investment.
Using an expert threat and vulnerability management service provider to carry out assessments and scans and to offer remediation activities is an option that has been increasingly adopted because of most organizations’ lack of manpower and resources. This type of service, if delivered by true information security experts, will identify weaknesses in your systems and offer help with hardening your IT infrastructure. It will also help to identify areas where procedures can be improved and will almost always assist in updating your security strategy and policies.
People and Processes Equal Ongoing Vulnerability Management
A Vulnerability Management assessment is obviously not a one-off event. The methods and tools used by cybercriminals are continually being developed to circumvent protection. And, of course, software vulnerabilities are always being identified and patched.
Bug bounty programs, such as those run by Microsoft and Google, offer rewards to white hat hackers who find bugs in their products. Once a bug is found, the company releases a patch; this is an ongoing process, which translates to ongoing maintenance and vigilance back at your organization’s base.
An effective Vulnerability Management strategy involves understanding what your security goals are and having a process of continuous vigilance around vulnerabilities in your IT environment. Vulnerability Management is most effective when the goals of the program are aligned to the business.
Five Tips for Effective Vulnerability Management
#Tip 1: Develop your vulnerability knowledge base
Knowledge is power, so the saying goes, and the first stage of a Vulnerability Management program is about awareness and preparation: assess the state of vulnerabilities. An effective Vulnerability Management program needs to start with maintaining current knowledge of known CVEs. Make sure your security team is signed up to receive regular CVE alerts, and maintain a knowledge base of these alerts. To apply this knowledge, you will also need a comprehensive asset inventory, which, of course, must include data assets across their lifecycle. This asset index needs to be complete; any missing endpoint or data object could be the point of failure for the entire program.
#Tip 2: Map your vulnerability process knowledge
The information gathered in your knowledge phase will be used in a mapping exercise to further understand where likely weaknesses will be identified. You should aim to produce a Vulnerability Management policy document. This is a valuable exercise, as the document will be your guide to the scope and frequency of the vulnerability scans you will carry out in the next phase of the process. Remember to include your entire extended infrastructure as identified in Tip 1 above.
#Tip 3: Use the tools of the trade
Using the right tool for a job makes the job a whole lot easier.
Vulnerability scanning is a step on the road to effective Vulnerability Management, but not the whole story. Vulnerability scanning is an automated way to check for flaws in your systems, usually using specialized tools to execute the scan. The scan looks for known vulnerabilities. For example, in the case of Equifax, a scan did identify the vulnerability in the Apache Struts plugin. It was a known vulnerability, and one that in Equifax’s case should have been classified as critical and patched immediately. A vulnerability scan should be used across all networks, out to all the extended endpoints. The scan will produce metrics and often also offers a visual representation of issues, which makes analysis easier.
In addition to vulnerability scanning, you should also consider penetration testing. Vulnerability scanning and penetration testing used together provide a more holistic view of potential weaknesses.
#Tip 4: Apply your findings
There is an art to the prioritization of vulnerabilities. This is where your prior knowledge and vulnerability scan visualization tools come in handy. Spotting the important vulnerabilities and knowing which ones are most vital to patch can save you time and money. How you apply your scan and penetration test findings should fit alongside your risk management strategy.
Vulnerability Management programs usually use the Common Vulnerability Scoring System (CVSS), an industry standard. Analyzing vulnerabilities with CVSS helps to prioritize them and to assign a level of severity to each.
It is important at this stage to validate your vulnerability scan results using penetration testing tools. This allows you to double-check the vulnerability itself, making sure it isn’t a false positive.
Finally, you need to work out remediation exercises to treat the vulnerabilities. This is usually a patch or a fix for a software flaw. Mitigation exercises are sometimes needed if there isn’t a patch available.
And an important thing to remember is to test any fixes and patches before going live.
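To make the risk-based prioritization described in this tip (and in the earlier discussion of moving from systematic to risk-based patching) concrete, here is an added Python example that is not part of the original article. It ranks scanner findings by CVSS base score weighted by asset priority and likelihood of being targeted, flags unvalidated findings for pen-test confirmation, and assigns a remediation SLA; the weighting, the SLA tiers, the "exploited in the wild" proxy for likelihood, the CVE identifiers and the findings themselves are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Finding:
    """One scanner finding, joined with the asset inventory from Tip 1."""
    cve: str                  # identifier as reported by the scanner
    asset: str
    cvss: Optional[float]     # CVSS base score 0.0-10.0, None if not yet scored
    asset_priority: int       # 1 (low) .. 5 (crown jewel), from the inventory
    exploited_in_wild: bool   # assumed proxy for likelihood of being targeted
    validated: bool = True    # False until confirmed by pen-test (possible FP)

def risk_score(f: Finding) -> float:
    """Assumed weighting: CVSS x asset priority (scaled to 0-1) x likelihood."""
    cvss = 5.0 if f.cvss is None else f.cvss   # unscored: assume medium, not zero
    likelihood = 1.0 if f.exploited_in_wild else 0.5
    return round(cvss * (f.asset_priority / 5) * likelihood, 2)

def patch_sla_days(score: float) -> int:
    """Assumed remediation SLA tiers; the article does not prescribe numbers."""
    if score >= 8.0:
        return 2
    if score >= 5.0:
        return 14
    return 30

def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest risk first; ties broken deterministically by asset and CVE."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.asset, f.cve))

def remediation_plan(findings: List[Finding]) -> List[dict]:
    """Ordered work list; unvalidated findings are sent to pen-test first."""
    plan = []
    for f in prioritize(findings):
        s = risk_score(f)
        plan.append({"cve": f.cve, "asset": f.asset, "risk": s,
                     "sla_days": patch_sla_days(s),
                     "action": "patch" if f.validated else "validate, then patch"})
    return plan

# Constructed sample findings; CVE identifiers are placeholders, not real CVEs.
SAMPLE_FINDINGS = [
    Finding("CVE-0000-0001", "web-frontend", 9.8, 5, True),
    Finding("CVE-0000-0002", "lab-vm", 9.8, 1, False),
    Finding("CVE-0000-0003", "payments-db", 6.5, 4, True, validated=False),
    Finding("CVE-0000-0004", "intranet-wiki", None, 3, False),
]
```

Note how the two 9.8 findings end up at opposite ends of the list: sorting by CVSS alone would put the isolated lab VM ahead of the actively exploited medium-severity flaw on the payments database.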
#Tip 5: Rinse and repeat for effective vulnerability management
Vulnerability management is, again, not a discrete, single event. The process needs to be performed on a continuous basis. Cybercriminals are ever evolving, and so are their tools and technology. They too are playing a continuous improvement game and now have code that searches for vulnerabilities, streamlining their attack process. An effective Vulnerability Management plan should evolve as well, with asset priority, vulnerability criticality, and resource prioritization for patching as the primary variables. Optimization of a program is one of the benefits of using best-of-breed vulnerability scanning tools and specialist services who understand how to run an effective Vulnerability Management program.
The modern enterprise is going through a period of digital transformation. New technologies like the IoT, big data, increased enterprise mobility, and cloud computing are making our organizational infrastructures ever more complex. This is also opening up new channels and new vulnerabilities for cybercriminals to exploit. A robust and effective Vulnerability Management program will limit the opportunity for attackers and reduce any potential damage.
August 22, 2018