In recent weeks there have been a slew of critical bugs (CVSS = 9.8) identified across Citrix, Palo Alto, F5, Pulse Secure, Oracle, SAP and Microsoft. Hopefully, the timely identification and remediation of these types of bugs across your enterprise has been at the forefront of both the security and operations teams' priority lists.
After all, if your security team are not monitoring for these vulnerabilities, and the operations team are not patching these bugs under predefined SLAs, you can be assured that threat actors are waiting in the wings. They will most likely have already performed reconnaissance of your environment and are waiting for opportunities like this to swoop in and exploit an open vulnerability.
And this news should be nothing new. Looking through multiple reports from CERT groups, cyber-security vendors and government cyber-security agencies over the last several years, it is self-evident that the overwhelming majority of initial attack entry points come from:
Unpatched Systems
Email Phishing Attacks
In my previous post about the copy and paste threat actors, the Email Phishing Attack vector was discussed, so in this post, we will shift our focus to address Unpatched Systems.
Asset Management
I know it is not the "sexiest" topic in the world, but whenever I am asked to talk about Vulnerability Management, I always return first to Asset Management. And it is also no coincidence that we see Asset Management ranked at #1 and #2 in the CIS Top 20 (see Figure 1).
Figure 1 - CIS Top 20 Controls
If you have ever had the opportunity to manage thousands or more assets, you understand the importance of knowing if something is there or not, what that something is, and what version that something is running. And you immediately understand why this would be placed at #1 and #2.
And Why Is That?
Because what you do not know, you do not know. And when it comes to security, what you do not know, can and eventually will hurt you.
So, let me ask you a couple of key questions about your organisation:
Do you have an asset management inventory in place?
Is the asset management database updated in real time?
Nearly all clients I speak with can answer yes to question 1. (Some even let me know they have more than one asset management store.) But very rarely do I hear that the asset management system is "effectively" kept up to date. Many times I have reviewed an environment and the asset inventory or network diagrams did not accurately represent what was actually on the network.
And this is extremely concerning for a few reasons:
Firstly, as it is a rather mundane task to keep these things up to date, it is often overlooked within the business. But from an attacker's perspective, this is anything but mundane. From their viewpoint, it is an open invitation to explore and discover every nook and cranny of your organisation in the hope of finding a vulnerability that they can exploit and eventually act out their intentions, be it to squeeze money out of you, steal intellectual property, or cause damage.
It is also extremely important from a quality perspective, since everything built on top of the asset management inventory would be inherently flawed too. And this is where a lot of organisations get caught out: they think they know, but they don't.
My advice is to be very wary of this, and see how this item can be addressed as part of your Cyber Security Program, as nearly every other Cyber Security Service is built on top of this foundation.
Continuous Vulnerability Management
I would have to say that "continuous" is really the key word in this title. As noted in the section above, "continuous" also covers the addition and removal of assets (in near real time).
And for me, I tend to break Vulnerability Management down into two sub-sections:
Vulnerability Assessment; and
Patch Management
So, time for a couple more quick questions to see how mature your vulnerability management program is:
Do you have a "continuous" up to date view of all your assets?
Do you "continuously" vulnerability scan all your assets?
How often is continuous? (Do you think it is enough)
How are these scans conducted? (unauthenticated, authenticated, agent based)
Do you cover different layers? (OS, Network, Application, Middleware)
Do you have personnel reviewing the results and prioritising outcomes?
Are scan results fed automatically into the CAB (Change Advisory Board) process?
Is patching performed manually, or have parts of the process been automated?
Are patches covered by an SLA based on risk?
Do you know the lines of reporting for IT and Business sign-off of Risk?
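One way to put questions 1, 2 and 9 into practice, as an added example that is not code from the post or its author: reconcile a discovery sweep against the asset inventory, and flag findings that have outrun a risk-based patch SLA. The hosts, dates, CVE placeholders and SLA bands are constructed assumptions, not anything the post describes.

```python
# Added example (not the post's own tooling): reconcile what a scanner saw
# against the asset inventory, then check CVSS-driven patch SLAs.
# All hosts, dates, CVE ids and SLA bands below are constructed sample data.
from datetime import date

# Constructed inventory: what the asset database claims is on the network.
INVENTORY = {
    "web-01": {"ip": "10.0.1.10", "owner": "app-team"},
    "vpn-gw": {"ip": "10.0.0.5", "owner": "network"},
    "db-02": {"ip": "10.0.2.20", "owner": "dba"},
}

# Constructed discovery sweep: what was actually seen on the network.
DISCOVERED = {"web-01": "10.0.1.10", "vpn-gw": "10.0.0.5", "jump-99": "10.0.9.99"}

# Hypothetical SLA policy: (minimum CVSS, days allowed to patch), highest band first.
SLA_BANDS = [(9.0, 7), (7.0, 30), (4.0, 90), (0.0, 180)]

# Constructed findings: (host, cve_id placeholder, cvss, first_seen ISO date).
SAMPLE_FINDINGS = [
    ("vpn-gw", "CVE-PLACEHOLDER-1", 9.8, "2020-07-01"),
    ("web-01", "CVE-PLACEHOLDER-2", 5.0, "2020-06-01"),
]


def reconcile(inventory, discovered):
    """Return (unknown, missing): hosts seen but not recorded, and hosts
    recorded but not seen. Either one means the inventory is not current."""
    unknown = sorted(set(discovered) - set(inventory))
    missing = sorted(set(inventory) - set(discovered))
    return unknown, missing


def sla_days(cvss):
    """Days allowed to remediate a finding with the given CVSS base score."""
    for minimum, days in SLA_BANDS:
        if cvss >= minimum:
            return days
    return SLA_BANDS[-1][1]


def overdue(findings, today):
    """Return (host, cve_id, days_past_sla) for every finding outside its window."""
    today = date.fromisoformat(today)
    late = []
    for host, cve_id, cvss, first_seen in findings:
        slack = (today - date.fromisoformat(first_seen)).days - sla_days(cvss)
        if slack > 0:
            late.append((host, cve_id, slack))
    return late


if __name__ == "__main__":
    print(reconcile(INVENTORY, DISCOVERED))   # unknown asset and stale record
    print(overdue(SAMPLE_FINDINGS, "2020-07-20"))
```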
Getting Help
If you answered "no" to a number of the above questions and need help to understand the strategic perspective to roll out an effective Vulnerability Management Program, or want to know more about some of the latest automated technologies we've implemented to address these gaps, then be sure to reach out to us for a confidential discussion.