Patch me if you can: the six steps of vulnerability management

This is the second post in a three-part series on vulnerability management. In this post, elevenM’s Theo Schreuder describes the six steps of a vulnerability management program.

In the first post of this series, we explored why vulnerability management is important and looked at key considerations for setting up a vulnerability management program for success. In this post, we’ll step you through the six steps of vulnerability management.


The six steps of vulnerability management

The six steps of vulnerability management [Source: CDC]

Let’s explore each step in more detail.

  1. Discover vulnerabilities

The most efficient way to discover vulnerabilities is to use a centralised and dedicated tool (for example, Rapid7 InsightVM, Tenable, Qualys) that regularly scans assets (devices, servers, internet connected things) for published vulnerabilities. Information about published vulnerabilities can be obtained from official sources such as the US-based National Vulnerability Database (NVD), via alerts from your Security Operations Centre (SOC) or from external advisories.

Running scans on a regular basis ensures you have continuous visibility of vulnerabilities in your network.

 

2. Prioritise assets

Prioritising assets allows you to determine which remediation actions to focus on first to reduce the greatest amount of risk within the shortest time and with least budget.

Prioritisation of assets relies on having a well-maintained asset inventory (e.g. a Central Management Database or CMDB) and a list of the critical “crown jewel” assets and applications from a business point of view (for example, payroll systems are typically considered critical assets). Another factor to consider in determining prioritisation is the exposure of an asset to the perimeter of the network, and how many “hops” the asset is from an internet-facing device.

 

3. Assess vulnerability severity

After devices are scanned, discovered vulnerabilities are usually be assigned a severity score based on industry standards such as the Common Vulnerability Scoring System (CVSS) as well as custom calculations that — depending on the scanning tool — take into account factors including the ease of exploitability and the number of known exploit kits and plug-and-play malware kits available to exploit that vulnerability. This step can also involve verifying that the discovered vulnerability is not a false positive, and does in fact exist on the asset.

 

4. Reporting

When creating reports on vulnerability risk, it’s important to consider different levels of reporting to suit the needs of different audiences. Your reporting levels could include:

  1. Executive level reporting
    This level of reporting focuses on grand totals of discovered vulnerabilities and vulnerable assets, total critical vulnerabilities, and historical trends over time. The aim is to provide senior executives with a straightforward view of vulnerabilities in the network and trends.
  2. Management level reporting
    For individual managers and teams to manage their remediation work, it helps to provide them with a lower-level summary of only the assets they are responsible for. This report will have more detail than an executive level report, and should provide the ability to drill down and identify the most vulnerable assets and critical vulnerabilities where remediation work should begin.
  3. Support team level reporting
    This is the highest resolution report, providing detail for each vulnerability finding on each asset that a support team is responsible for. Depending on the organisation and the way patching responsibilities are divided, splitting out reporting between operating systems (below base) and application level (above base) can also be advantageous as remediation processes for these levels can differ.
A sample management-level vulnerability report generated using Tableau

 

5. Remediate vulnerabilities

“The easiest way to get rid of all of your vulnerabilities is to simply turn off all of your devices!”

– origin unknown

Remediation can take a variety of forms including but not limited to changing configuration files, applying a suggested patch from the scanning tool or even uninstalling the vulnerable program entirely.

There may be also be legitimate cases where a vulnerability may be exempted from remediation. Factors could include:

  • Is the asset soon to be decommissioned or nearing end-of-life?
  • Is it prohibitively expensive to upgrade to the newest secure version of the software?
  • Are there other mitigating controls in place (e.g. air-gapping, firewall rules)
  • Will the required work impact revenue by reducing service availability?

 

6. Verify remediation

Are we done yet? Not quite.

It doesn’t help if — after your support teams have done all this wonderful work — your vulnerability scanning tool is still reporting that the asset is vulnerable. Therefore, it is very important that once remediation work is complete you verify that the vulnerability is no longer being detected.

Stay tuned for the third and final post in the series, in which we discuss common challenges and considerations for a well-functioning vulnerability management program.


Read all posts in the series:
Patch me if you can: the importance of vulnerability management
Patch me if you can: the six steps of vulnerability management
Patch me if you can: key challenges and considerations

 

Patch me if you can: the importance of vulnerability management

This is the first post in a three-part series on vulnerability management. In this post, elevenM’s Theo Schreuder explains why vulnerability management is so important and outlines some key considerations when establishing a vulnerability management program.

In 2017 the American credit bureau Equifax suffered a breach of its corporate servers leading to customer data being leaked from its credit monitoring databases. The fallout from the breach included the exposure of the personal information of almost 150 million Americans, resignation of the company CEO and a reputation battering that included a scathing report by the US Senate.

The breach occurred due to attackers exploiting a vulnerability in the Apache Struts website framework — a vulnerability that was unpatched for over two months despite a fix being known and available.

With a proper vulnerability management program in place Equifax could have prioritised remediation of the Apache Struts security patch and prevented huge impact on consumers, to its reputation, and saved US$575 million in eventual legal settlement costs.

It’s little wonder that vulnerability management features heavily in well-respected cyber security frameworks and strategies, such as the NIST Cybersecurity Framework and the Australian Government’s Essential Eight. Equifax has also come to the party, putting a program in place: “Since then, Equifax said that it’s implemented a new management system to handle vulnerability updates and to verify that the patch has been issued.”

So what is “vulnerability management”?

Vulnerability management is the end-to-to end process from the identification of vulnerabilities in your network to the verification that they have been remediated.

The first priority in vulnerability management is to scan the network. And by the network we mean everything. Servers, routers, laptops, even that weird voice-controlled air-conditioning system you have in your offices. Having visibility of unpatched vulnerabilities in your network allows you to prioritise patching and prevent potential breaches.

In subsequent posts in this series, we’ll step through the key elements that comprise the vulnerability management process and discuss some key challenges and considerations for a well-functioning program.

For now, here are two key consideration when starting to think about establishing a vulnerability management program:

Firstly, it is important to be clear and transparent about the true state of risk in your environment as nothing will get done if the risk is not pointed out. Even if a vulnerability is “risk accepted”, it needs to be continuously logged and monitored so that if a breach occurs you know where to look. Visibility of where the greatest vulnerabilities lie encourages action. It’s easy to fall into an “out of sight, out of mind” approach when you are not getting clear and regular reporting.

Secondly, In order to get this regular reporting, it is advantageous to automate as much as possible. This reduces the effort required to create reports on a regular basis, freeing up resources to actually investigate and analyse vulnerability data.

Stay tuned for the next post in the series.


Read all posts in the series:
Patch me if you can: the importance of vulnerability management
Patch me if you can: the six steps of vulnerability management
Patch me if you can: key challenges and considerations

News round-up July 2020 — European court decision on international data transfers, software vulnerabilities, and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

 

The round-up

This month saw some big plays in the world of privacy – most notably the striking down by a European Court of a mechanism for international data transfers. We look at the implications for Australia organisations coming out of the judgement. This month we’re also reminded of the inherent vulnerability of software via stories about backdoors in Chinese tax software, a flood of critical patches released for popular enterprise software products and, of course, more yarns about ransomware.

Key articles:

Chinese bank requires foreign firm to install app with covert backdoor

Summary: Tax software required to be used by organisations that conduct business in China has been found to have been infected with malware.

Key risk takeaway: This discovery by security researchers is a cautionary tale for any business with operations in China. Dubbed “GoldenSpy”, the backdoor in the tax software reportedly allowed the remote execution of commands on infected computers. A similar backdoor was later discovered in the other of the two Chinese-government authorised tax software products. Concerns have long been raised about the invasive security provisions levelled at western businesses by China, though the covert nature of this incursion is rather more sinister. The FBI warns that companies in healthcare, chemical and finance sectors are in particular danger. Echoing the FBI’s advice, businesses should ensure they patch critical vulnerabilities on their systems, monitor applications for unauthorised access and protect accounts through multi-factor authentication.

Tags: #cyberhygiene #cyberespionage

 

Europe’s top court strikes down flagship EU-US data transfer mechanism

Summary: The EU-US Privacy Shield, a key framework for regulating transatlantic data transfers, has been declared invalid by the Court of Justice of the European Union with immediate effect. Alternative international data transfer mechanisms remain valid subject to additional obligations imposed upon companies.

Key risk takeaway: Though primarily focused on transatlantic transfers, the Court’s judgement will also give pause to Australian organisations that use Standard Contractual Clauses (SCCs), a key tool for Australia-EU data transfers. Whilst confirming that SCCs remain a valid means for international data transfers under the GDPR, the Court’s judgement imposes an onus on companies relying on SCCs to undertake case-by-case determinations on whether foreign protections are adequate under EU standards and whether additional safeguards are required.

Tags: #privacy #GDPR

 

Apple Just Crippled IDFA, Sending An $80 Billion Industry Into Upheaval

Summary: Apple’s shift to requiring opt-in consent for IDFAs, a unique identifier which enables advertisers to track user behaviour across apps for targeting and attribution purposes, threatens to upend the mobile advertising ecosystem.

Key risk takeaway: Apple continues to brandish its privacy-centric approach as a key competitive asset and brand differentiator. This latest move was announced alongside a series of privacy-conscious updates and has been celebrated by privacy advocates as a fundamental step towards greater user transparency and control over use of their data. The change involves users now receiving explicit prompts requiring opt-in consent, as opposed to these controls being buried within Apple’s settings. The update has particular implications for both Facebook and Google, whose ad-tech services depend on aggregating large troves of data with IDFAs. Meanwhile, in another fillip for privacy advocates this month, the public broadcaster in the Netherlands has published data showing that it grew ad revenue after ditching ad trackers and moving to contextual ads.

Tags: #privacy #trust

 

Twitter partially shut down as hackers compromise 45 high profile accounts

Summary: In a coordinated attack, hackers gained control of dozens of high-profile Twitter accounts, including former US President Barack Obama, US presidential candidate Joe Biden, Amazon CEO Jeff Bezos, Elon Musk, Apple and many others.

Key risk takeaway: While the hackers’ motivations here appear to have been rather benign (to propagate a bitcoin scam message), their unprecedented access could have had much more serious consequences. Imagine a nation state with full control of these compromised accounts, intent on derailing an election. It should raise the question for any organisation – what damage could a hacker do with access to your internal tools? The methods behind the attack were also relatively standard: social engineering to gain access to an internal customer support tool, which they used to reset account passwords. No zero-day cyber-gymnastics here. The obvious lesson here is ‘back to basics’ – training and awareness and restricted privileges. The deeper concern is how Twitter and other social media have become so central to our democracies – failures of this kind cannot be allowed to happen.

Tags: #socialengineering #databreaches #geopolitics

 

2020 is on track to hit a new data breach record

Summary: Troy Hunt’s ‘Have I been Pwned’ database reaches 10 billion records, while a new report estimates that 8.4 billion records were exposed in the first quarter of 2020 alone.

Key risk takeaway: The internet is now awash with compromised credentials, making password re-use a greater threat than ever. If you’ve already used a given password before, the likelihood is it’s now out there somewhere and can be used to compromise your account. This threat to account security is compounded by the continued rise of phishing and social engineering attacks, particularly in the new COVID-19 normal. The rapid switch to remote working combined with the uncertainty of the pandemic have given rise to effective new phishing lures such as fake pandemic updates or notifications from popular remote working applications. And so, the parade of data breaches continues. From dating apps, to hotel chainsairlinestelcos and many others, news of data breaches have become part of the background hum of our industry.

Tags: #databreaches

 

Garmin confirms ransomware attack, keeps quiet on possible Evil Corp. involvement

Summary: Garmin said while there was no indication attackers accessed customer data, the attack did interrupt website functionality, customer support services, user apps and corporate communications. This was again one of many ransomware attacks this month.

Key risk takeaway: This particular attack draws attention to the incredibly precarious position ransomware victims find themselves in regarding ransoms. Enduring widespread disruption to services due to WastedLocker ransomware, Garmin reportedly was faced with a US$10 million ransom to decrypt its files. Reports also claim that Russian gang Evil Corp was behind the attack. The gang’s members have been sanctioned by the US government, making any dealings with them illegal. Services are now back online and Garmin has not confirmed whether it paid the ransom. We also learned this month that ransomware gangs are a patient bunch – spending long periods of time within the networks they have breached in order to gather as much information as possible to maximise leverage in ransom demands.

Tags: #ransomware

 

US cyber officials urge patching of bug affecting up to 40K SAP customers

Summary: A critical vulnerability in SAP applications could affect up to 40,000 customers.

Key risk takeaway: Patch your critical systems! The last month has seen a rash of patches released for serious vulnerabilities in widely used systems. In addition to the SAP bug, software company Citrix announced yet more bugs (but with fixes), as did Microsoft, Palo Alto Networks and F5 Networks products. Respected guidance such as the Australian Government’s Essential Eight strategies recommends timely patching as a foundational security practice. In practice, many organisations struggle to prioritise the many, many security fixes that increasingly require acting on. The last month will only have further compounded the headaches of systems administrators (and likely intensified their pleas for more attention to secure coding practices).

Tags: #vulnerabilitymanagement