{"id":100,"date":"2021-10-18T16:07:00","date_gmt":"2021-10-18T16:07:00","guid":{"rendered":"http:\/\/closehelmsecurity.co.uk\/?p=100"},"modified":"2024-03-17T16:27:14","modified_gmt":"2024-03-17T16:27:14","slug":"security-think-tank-no-easy-fix-for-vulnerability-exploitation-so-be-prepared","status":"publish","type":"post","link":"http:\/\/closehelmsecurity.co.uk\/?p=100","title":{"rendered":"Security Think Tank: No easy fix for vulnerability exploitation, so be prepared"},"content":{"rendered":"\n<p><a href=\"https:\/\/www.computerweekly.com\/opinion\/No-easy-fix-for-vulnerability-exploitation-so-be-prepared\">Previously Published in Computer Weekly<\/a><\/p>\n\n\n\n<p><strong>Vulnerability management and disclosure is a tricky business with ethical and business ramifications for software vendors, CISOs and ethical hackers alike \u2013 and CISOs sit right in the middle of this<\/strong><\/p>\n\n\n\n<p>Vulnerability management places responsibilities of varying kinds and degrees across the organisation, including how, when and what to disclose (if anything) when a vulnerability is found.<\/p>\n\n\n\n<p>Ultimately, the first duty is to prevent vulnerabilities from being exploited and causing damage, and the first step in vulnerability management is acknowledging that there is no easy fix.&nbsp;<\/p>\n\n\n\n<p>To put it into context, it requires the CISO and their team to remediate vulnerabilities they did not cause, in applications and infrastructure they do not own, and regularly to push patches they did not design through, or around, their organisation\u2019s change management processes, often with little say over when those patches are applied.<\/p>\n\n\n\n<p>But businesses can only operate effectively in a secure environment \u2013 and that necessitates a robust process for identifying, classifying, remediating and mitigating vulnerabilities.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Asset 
management<\/h2>\n\n\n\n<p>The prerequisite for this process is asset management \u2013 an enterprise that doesn\u2019t have its IT assets logged is making a tough task even more difficult. To help this activity, there are many tools that automatically roam the network to identify applications and infrastructure and automatically catalogue them in an inventory management system.<\/p>\n\n\n\n<p>However, automated scanning tools need to be engaged with caution near the operational technology (OT) used for industrial control systems because of the varied nature of the technology, and the critical nature of the infrastructure to an organisation.<\/p>\n\n\n\n<p>With an inventory of everything that could be up for grabs for an attacker, the next step is to identify the assets that are actually under threat \u2013 networks, operating systems, applications, and so on \u2013 alongside the possible vulnerabilities.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Threat intelligence<\/h2>\n\n\n\n<p>That, of course, means knowing what vulnerabilities are out there \u2013 and are currently most likely to be used. In principle, this is straightforward \u2013 it\u2019s a case of scanning applications or programs developed in-house before they are deployed or connected to the network, and signing up to vendor mailing lists for updates as they occur.<\/p>\n\n\n\n<p>But the reality is that breaking zero-day vulnerabilities often become\u00a0common knowledge on social media\u00a0before the vendor has communicated a potential issue, making this a key source in view of the need to respond quickly to new vulnerabilities.<\/p>\n\n\n\n<p>Alternatively, the attackers themselves might break the news about a vulnerability within their networks, sharing exploits online so that other attackers can take advantage of them. 
On occasion, they might disclose it to the wider world, for example if the objective is to force a change in behaviour by their targets.<\/p>\n\n\n\n<p>The contribution of bug bounty schemes, in which individuals are compensated for reporting bugs, particularly security vulnerabilities and working exploits, and of ethical hackers and penetration testing in identifying exploitable weaknesses, cannot be overstated.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Prioritisation<\/h2>\n\n\n\n<p>With information on both assets and vulnerabilities, the all-important priority list can be created: a ranking of assets by criticality and exposure, set against the threats they actually face. That said, it is often challenging for a CISO, who faces a persistently high threat volume, to categorise the risk types and be realistic about which vulnerabilities are most likely to be used.<\/p>\n\n\n\n<p>Tools that scan and report on vulnerabilities tend to shock and overwhelm. CISOs are looking for clarity on simple measures that remove a high volume of the most likely or most damaging attacks, rather than having to wade through large amounts of data that take no account of the organisation\u2019s risk tolerance, existing mitigations, or ability to respond.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Patching<\/h2>\n\n\n\n<p>Patch management is, understandably, the most-discussed element of vulnerability management, and it is an important one. 
However, it has to happen in conjunction with asset management and be combined with penetration testing and vulnerability assessments, as referenced above.<\/p>\n\n\n\n<p>Indeed, response plans are often better informed with threat intelligence on who may be attacking what systems with what mechanisms, while SOAR (security orchestration, automation and response) functionality can provide a more effective defence when new exploits are identified.<\/p>\n\n\n\n<p>Also, not all vulnerabilities have patches, or it may be that the patch by itself isn\u2019t sufficient. Sometimes network layer protection or rebuilding access control models is also required, which is time-consuming and arduous, especially if it is on a critical system or one facing the internet.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Practicalities<\/h2>\n\n\n\n<p>Vulnerability management cannot be undertaken by a single person or team. It needs coordination from many different units within an organisation, along with highly and continuously trained individuals \u2013 the expense of which can be prohibitive to board buy-in.\u00a0 It also requires\u00a0CISOs with hybrid skillsets\u00a0able to balance the requirements of the business with the constantly shifting security landscape and across multiple channels.<\/p>\n\n\n\n<p>Some form of downtime or disruption to the business is usually required as system changes are made, with \u201cmaintenance windows\u201d usually determined by each separate application owner. Navigating the often multiple approvals required can be time-consuming \u2013 and potentially can take longer than identifying the fix required.<br><br>It is also important to consider whether making the changes and addressing the vulnerability will actually make the organisation more secure. 
For example, low-severity vulnerabilities will often be deferred in order to prioritise higher-risk vulnerabilities that would have a greater impact on the business if exploited.<\/p>\n\n\n\n<p>Equally, patching can have unexpected consequences, such as the recent Microsoft Windows update that broke network printing for many organisations. Not making a change, or rolling one back, and accepting the vulnerability for the time being, need to be considered as options.<\/p>\n\n\n\n<p>Security teams working with OT\u00a0\u2013 such as supervisory control and data acquisition (SCADA) \u2013 are likely to find the constraints around vulnerability management even tighter. Scanning is problematic, downtime is often non-existent, and there is no test environment to confirm that a change will have no impact. Network-level controls to restrict access to vulnerable devices are often the preferred option \u2013 although, if not already in place, they are time-consuming to implement.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Vital work<\/h2>\n\n\n\n<p>In summary, vulnerability management demands a full understanding of the organisation\u2019s assets, what they are running, whether they have direct access to the internet, and how critical they are to the business.&nbsp;<\/p>\n\n\n\n<p>Teams need to be vigilant in scanning for information that affects their operations \u2013 ingesting vulnerability news on zero-days, while not shying away from unorthodox sources of information such as social media.<\/p>\n\n\n\n<p>It is challenging work in an IT environment that faces an increasing number and variety of threats \u2013 making it essential that every organisation takes it seriously.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Vulnerability management and disclosure is a tricky business with ethical and business ramifications for software vendors, CISOs and ethical hackers alike \u2013 and CISOs sit right in the middle of 
this<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,5,27,3],"tags":[10,29,31,32,12,19,33,7,28],"class_list":["post-100","post","type-post","status-publish","format-standard","hentry","category-article","category-computerweekly","category-publication","category-published","tag-application-security","tag-asset-management","tag-operational-technology","tag-patching","tag-security-think-tank","tag-testing","tag-threat-intelligence","tag-turnkey","tag-vulnerability-management"],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/paGq19-1C","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/100","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=100"}],"version-history":[{"count":1,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/100\/revisions"}],"predecessor-version":[{"id":101,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/100\/revisions\/101"}],"wp:attachment":[{"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=100"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.
php?rest_route=%2Fwp%2Fv2%2Fcategories&post=100"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/closehelmsecurity.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=100"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
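The Prioritisation and Patching sections of the article above argue that a raw scanner severity list overwhelms, and that the queue should instead rank findings by asset criticality, internet exposure, threat intelligence on active exploitation, mitigations already in place, and the OT constraint that a network-level control is often the only realistic action. The following is an added worked example of that ranking, not code from the original article or from Close Helm Security. The assets, findings, weights and the vulnerability identifiers (VULN-A to VULN-D) are all constructed assumptions chosen for illustration; the weights in particular are placeholders an organisation would replace with its own risk tolerance.

```python
"""Risk-based vulnerability prioritisation over a constructed asset inventory.

Added example: the assets, findings, weights and recommended actions below are
illustrative assumptions, not real systems, real vulnerabilities or real data.
"""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 (low) .. 5 (business-critical)
    internet_facing: bool
    is_ot: bool = False              # SCADA/ICS: no scanner, no test env, no downtime
    mitigations: set = field(default_factory=set)  # e.g. {"network_acl"}


@dataclass
class Finding:
    vuln_id: str                     # constructed identifier, not a real CVE
    asset: str
    base_severity: float             # 0..10, as reported by the scanner
    exploited_in_wild: bool          # from threat intel, vendor or social media
    patch_available: bool
    needs_network: bool = True       # exploitable only with network reachability


def score(finding: Finding, asset: Asset) -> float:
    """Combine scanner severity with the organisation's own context."""
    s = finding.base_severity * asset.criticality / 5.0
    if asset.internet_facing:
        s *= 1.5
    if finding.exploited_in_wild:
        s *= 2.0
    # A network-borne issue on a host already fenced off by an ACL is
    # partially mitigated; do not let the raw CVSS number drive the queue.
    if finding.needs_network and "network_acl" in asset.mitigations:
        s *= 0.5
    return round(s, 2)


def recommend(finding: Finding, asset: Asset) -> str:
    """Choose an action: patch, fence off at the network, or compensate."""
    if asset.is_ot:
        # No test environment and no downtime: restrict access first, and
        # patch only in a planned window even when a fix exists.
        if "network_acl" not in asset.mitigations:
            return "network-control"
        return "plan-window-patch"
    if not finding.patch_available:
        return "network-control" if finding.needs_network else "compensating-control"
    return "patch"


def prioritise(assets, findings):
    """Return (score, vuln_id, asset, action) tuples, highest risk first."""
    by_name = {a.name: a for a in assets}
    ranked = []
    for f in findings:
        a = by_name[f.asset]
        ranked.append((score(f, a), f.vuln_id, a.name, recommend(f, a)))
    ranked.sort(key=lambda r: (-r[0], r[1]))
    return ranked


# Constructed sample inventory and scanner output (assumed values, not real data).
ASSETS = [
    Asset("web-portal", 5, True),
    Asset("hr-app", 3, False, mitigations={"network_acl"}),
    Asset("plc-line-3", 5, False, is_ot=True),
    Asset("dev-wiki", 1, False),
]
FINDINGS = [
    Finding("VULN-A", "web-portal", 7.5, exploited_in_wild=True, patch_available=True),
    Finding("VULN-B", "hr-app", 9.8, exploited_in_wild=False, patch_available=True),
    Finding("VULN-C", "plc-line-3", 8.0, exploited_in_wild=False, patch_available=False),
    Finding("VULN-D", "dev-wiki", 9.0, exploited_in_wild=False, patch_available=True),
]

if __name__ == "__main__":
    for s, vid, host, action in prioritise(ASSETS, FINDINGS):
        print(f"{s:6.2f}  {vid:<8} {host:<12} -> {action}")
```

Run as a script, the queue comes out as VULN-A (22.5, patch), VULN-C (8.0, network-control), VULN-B (2.94, patch) and VULN-D (1.8, patch): the scanner's highest-severity item (9.8 on the ACL-fenced HR system) drops to third, the internet-facing and actively exploited 7.5 goes to the top, and the OT finding with no patch is routed to a network control rather than left waiting for a fix that does not exist.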