Vulnerability Management: Point & Shoot
"Whoever is the 1st in the field and awaits the coming of the enemy will be fresh for the fight; whoever is 2nd in the field and has to hasten to battle will arrive exhausted".
Today's battlefields are the many corporate networks and web applications, where the 'enemies at the gates' come with a wide range of abilities, and holding them off calls for clever combatants able to impose their will on these enemies.
"Securing yourself against defeat lies in your own hands but the opportunity of defeating the enemy is provided by the enemy themselves. Thus, the good fighter is able to secure themselves against defeat, but cannot make certain of defeating the enemy".
Your enemies are constantly on the prowl for exploitable vulnerabilities, but with business processes ever more reliant on technology, how can you hope to gain an advantage over these aggressors? It starts with businesses using their defensive measures more proactively and truly understanding their environment and the systems that support the data and communication flows of their most important business operations. You can't defend what you don't know, and a proactive defence depends on being able to tell the NORMAL from the ABNORMAL and to respond effectively when the ABNORMAL appears.
Crucial to this defensive strategy is ensuring that only well-maintained assets are relied upon to support your important business operations. Each asset needs to be 'locked down' so that only the essential services, ports and protocols are enabled, unnecessary software is removed or disabled, and the essential systems and software that remain are upgraded regularly. This becomes the foundation of your defences!
Being the foundation of your defences, this MUST become your baseline, so it is essential that the foundation is validated and documented. I recommend that you confirm your baseline through initial configuration scanning (e.g. Nipper Studio for firewalls, routers and switches; CIS-CAT for laptops, servers, etc.). Once documented, the baseline should be subject to formal change management from then on. As with any foundations, it should be checked periodically (e.g. six-monthly, quarterly, etc.) and reported on, with any anomalies treated as an incident.
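The baseline check described above can be automated once the baseline is recorded. The following is an added example (not code from the article or from any of the tools it names): it compares a documented baseline of essential services, listening ports and approved software for a host against a current snapshot and returns every deviation as a finding, so that any drift can be raised as an incident. The host, services, ports and package versions are constructed sample data; in practice the current snapshot would come from the configuration scan.

```python
"""Baseline drift check (added example; constructed sample data).

A deviation from the documented baseline is reported as a finding with a
severity, so the caller can raise an incident rather than silently accept it.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class HostConfig:
    hostname: str
    services: frozenset            # enabled service names
    ports: frozenset               # listening ports, e.g. "tcp/443"
    software: dict = field(default_factory=dict)  # package -> version


def compare_to_baseline(baseline: HostConfig, current: HostConfig) -> list:
    """Return (severity, description) findings; an empty list means no drift."""
    findings = []
    # Anything enabled or listening that the baseline does not allow is the
    # most serious kind of drift: it widens the attack surface.
    for svc in sorted(current.services - baseline.services):
        findings.append(("high", f"unexpected service enabled: {svc}"))
    for port in sorted(current.ports - baseline.ports):
        findings.append(("high", f"unexpected listening port: {port}"))
    # A missing essential service or port is an availability problem and
    # may indicate tampering, so it is still reported.
    for svc in sorted(baseline.services - current.services):
        findings.append(("medium", f"essential service missing: {svc}"))
    for port in sorted(baseline.ports - current.ports):
        findings.append(("medium", f"expected port not listening: {port}"))
    # Software: unapproved packages are high; version changes are low but must
    # be reconciled against change-management records (an upgrade is expected,
    # a downgrade is not).
    for pkg, ver in sorted(current.software.items()):
        if pkg not in baseline.software:
            findings.append(("high", f"unapproved software installed: {pkg} {ver}"))
        elif ver != baseline.software[pkg]:
            findings.append(("low", f"version drift: {pkg} {baseline.software[pkg]} -> {ver}"))
    for pkg in sorted(set(baseline.software) - set(current.software)):
        findings.append(("medium", f"baseline software removed: {pkg}"))
    return findings


def drift_report(baseline: HostConfig, current: HostConfig) -> str:
    """Human-readable summary; 'INCIDENT' prefix when any drift is present."""
    findings = compare_to_baseline(baseline, current)
    if not findings:
        return f"{current.hostname}: matches baseline"
    lines = [f"INCIDENT {current.hostname}: {len(findings)} deviation(s) from baseline"]
    lines += [f"  [{sev}] {desc}" for sev, desc in findings]
    return "\n".join(lines)


# Constructed sample data: the documented baseline for a web server ...
BASELINE = HostConfig(
    "web01",
    frozenset({"sshd", "nginx"}),
    frozenset({"tcp/22", "tcp/443"}),
    {"nginx": "1.24.0", "openssl": "3.0.13"},
)
# ... and a later snapshot where someone has enabled telnet and added a tool.
CURRENT = HostConfig(
    "web01",
    frozenset({"sshd", "nginx", "telnetd"}),
    frozenset({"tcp/22", "tcp/443", "tcp/23"}),
    {"nginx": "1.24.0", "openssl": "3.0.13", "netcat": "1.10"},
)

if __name__ == "__main__":
    print(drift_report(BASELINE, CURRENT))
```

Comparing the baseline with itself yields no findings; the sample snapshot yields three high-severity findings (the extra service, its port and the unapproved package), which is exactly the kind of anomaly the article says should be handled as an incident rather than a routine report line.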
Now that firm foundations have been established, you need to ensure that the dynamic infrastructure built on them remains secure. We all know that new vulnerabilities are constantly being discovered in systems and software, requiring frequent updates. However, many of these updates can have detrimental effects on the environment they serve. Consequently, any update needs to be thoroughly investigated and applied to a test sample first, before being rolled out to the wider target systems. Applying updates across a wider environment can be simplified through the use of automated patching platforms. However, these solutions should not be treated as 'Point & Shoot' options: they are not infallible, and their use does not guarantee that every update will be effective or has actually been applied. That can leave critical assets vulnerable to exploitation, as seen in the lessons learned from the Kubernetes flaw.
Consequently, it is important to ensure that the patch management solution is supported by an effective vulnerability management programme (not 'Point & Shoot'), in which the identified vulnerabilities are reported in line with their business importance. Understanding the vulnerabilities that exist within a high-importance business process should be of interest not only to the IT department but also to the affected business owners and the Board members. Vulnerability management can be one of the most demoralising (imagine tens of thousands of high-to-critical vulnerabilities with no business context) and under-appreciated roles within an organisation. Yet these are the most important parts of your business to opportunist attackers, as seen in the Equifax breach.
Thus, for an effective patch and vulnerability management programme, you need to consider the following 10 steps against your prioritised business environments:
Carry out Vulnerability Scan
Initiate remediation activities
Run Patch Report
Apply automated patch updates
Run Patch Report
Initiate remediation activities
Carry out Vulnerability Scan and compare results with step 2
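The last step of this cycle, re-scanning and comparing with the earlier scan, is what turns a patch report's claim of success into verified fact. The following is an added example (not code from the article or from any scanner or patching product): it diffs a pre-patching and a post-patching scan into remediated, remaining and new findings, cross-checks the remaining ones against what the patching platform reported as applied, and ranks what is left by the importance of the business process each host supports, so the report speaks to business owners as well as IT. The asset inventory, check names and findings are all constructed sample data.

```python
"""Scan-to-scan comparison with business context (added example; constructed data)."""
from collections import defaultdict

# Constructed asset inventory: host -> (business process it supports, criticality 1..5).
# In practice this comes from the CMDB / business impact analysis.
ASSETS = {
    "pay-db01": ("payroll", 5),
    "web01": ("customer portal", 4),
    "dev-box07": ("developer sandbox", 1),
}
UNMAPPED = ("unmapped", 3)  # hosts missing from the inventory still get a mid weight

SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def finding_key(f):
    """A finding is identified by host plus the scanner check that raised it."""
    return (f["host"], f["check"])


def diff_scans(before, after):
    """Split findings into (remediated, remaining, new) between two scans."""
    b = {finding_key(f): f for f in before}
    a = {finding_key(f): f for f in after}
    remediated = [b[k] for k in b.keys() - a.keys()]
    remaining = [a[k] for k in b.keys() & a.keys()]
    new = [a[k] for k in a.keys() - b.keys()]
    return remediated, remaining, new


def unverified_patches(remaining, patch_report):
    """Findings the patch platform claims to have fixed but the scan still sees.

    patch_report: host -> set of check names the platform reported as resolved.
    These are the 'applied but not effective' cases the article warns about.
    """
    return [f for f in remaining if f["check"] in patch_report.get(f["host"], set())]


def business_priority(f):
    """Technical severity weighted by the criticality of the business process."""
    _, criticality = ASSETS.get(f["host"], UNMAPPED)
    return SEVERITY_SCORE[f["severity"]] * criticality


def prioritised(findings):
    return sorted(findings, key=business_priority, reverse=True)


def report_by_process(findings):
    """Group findings under the business process they affect, for the business owners."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[ASSETS.get(f["host"], UNMAPPED)[0]].append(f)
    return dict(grouped)


# Constructed scan output. Check names are illustrative placeholders, not real plugin IDs.
BEFORE = [
    {"host": "pay-db01", "check": "db-unpatched-rce", "severity": "critical"},
    {"host": "pay-db01", "check": "weak-tls-config", "severity": "medium"},
    {"host": "web01", "check": "webserver-outdated", "severity": "high"},
    {"host": "dev-box07", "check": "kernel-outdated", "severity": "critical"},
]
AFTER = [
    {"host": "pay-db01", "check": "weak-tls-config", "severity": "medium"},  # config issue, not a patch
    {"host": "dev-box07", "check": "kernel-outdated", "severity": "critical"},  # patch "applied", still found
    {"host": "web01", "check": "new-module-vuln", "severity": "high"},  # appeared since first scan
]
# Constructed patch-platform report: what it claims to have resolved.
PATCH_REPORT = {
    "pay-db01": {"db-unpatched-rce"},
    "web01": {"webserver-outdated"},
    "dev-box07": {"kernel-outdated"},
}

if __name__ == "__main__":
    remediated, remaining, new = diff_scans(BEFORE, AFTER)
    print(f"remediated: {len(remediated)}, remaining: {len(remaining)}, new: {len(new)}")
    for f in unverified_patches(remaining, PATCH_REPORT):
        print(f"patch claimed but not effective: {f['host']} {f['check']}")
    for process, items in report_by_process(prioritised(remaining + new)).items():
        print(f"{process}: " + ", ".join(f"{f['host']}/{f['check']}" for f in items))
```

In the sample data the patching platform reports the kernel update on dev-box07 as applied, yet the re-scan still raises the finding; that host is flagged for manual follow-up. The ranking then puts the new high finding on the customer portal ahead of the medium finding on the payroll database, and both ahead of the critical finding on the low-criticality sandbox, which is the business-context ordering the article argues for over a raw severity count.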
This may not defeat your enemies, but it will go a long way towards minimising their opportunities, will provide additional reassurance to the business, and may encourage non-IT departments to truly appreciate the vulnerabilities that apply to their own business environments and that need to be remediated or appropriately risk-managed.