The issue of vulnerability management puts responsibility of varying natures and degrees across the organisation, including how, when and what to disclose (if anything) if the occasion arises.
But ultimately, the first duty is to prevent vulnerabilities being exploited and causing damage in the first place – although the first step in vulnerability management needs to be the acknowledgement that there is no easy fix.
To put it into context, it requires the CISO and his or her team to remediate vulnerabilities they didn’t cause, in applications and infrastructure they don’t own, as well as regularly bypass their organisation’s change management processes by installing patches they didn’t design, and often have no say in when they are applied.
But businesses can only operate effectively in a secure environment – and that necessitates a robust process for identifying, classifying, remediating and mitigating vulnerabilities.
The prerequisite for this process is asset management – an enterprise that doesn’t have its IT assets logged is making a tough task even more difficult. To help this activity, there are many tools that automatically roam the network to identify applications and infrastructure and automatically catalogue them in an inventory management system.
However, automated scanning tools need to be engaged with caution near the operational technology (OT) used for industrial control systems because of the varied nature of the technology, and the critical nature of the infrastructure to an organisation.
With an inventory of everything that could be up for grabs for an attacker, the next step is to identify the assets that are actually under threat – networks, operating systems, applications, and so on – alongside the possible vulnerabilities.
That, of course, means knowing what vulnerabilities are out there – and are currently most likely to be used. In principle, this is straightforward – it’s a case of scanning applications or programs developed in-house before they are deployed or connected to the network, and signing up to vendor mailing lists for updates as they occur.
But the reality is that breaking zero-day vulnerabilities often become common knowledge on social media before the vendor has communicated a potential issue, making this a key source in view of the need to respond quickly to new vulnerabilities.
Alternatively, the attackers themselves might break the news about a vulnerability within their networks, sharing exploits online so that other attackers can take advantage of them. On occasions, they might disclose it to the wider world, for example if the objective is to force changes in behaviour by their targets.
And the role of bug bounty schemes, in which individuals are compensated for reporting bugs, particularly those relating to security exploits and vulnerabilities, ethical hackers and penetration testing in identifying exploits, cannot be underestimated.
With information on both assets and vulnerabilities, an all-important priority list can be created to set out a hierarchical system of assets and the actual threats they face. That said, it is often challenging for a CISO, who will face a persistently high threat volume, to categorise the risk types and be realistic about which vulnerabilities are most likely to be used.
Tools that scan and report on vulnerabilities tend to shock and overwhelm. CISOs are looking for clarity on simple measures that can remove a high volume of likely or most damaging attacks, rather than having to wade through large amounts of data that does not take into account the organisation’s risk tolerance, mitigations, or ability to respond.
Patch management is, understandably, a popular reference in discussions around effective vulnerability management, and it is an important part. However, it has to happen in conjunction with asset management and be combined with penetration testing and vulnerability assessments, as referenced above.
Indeed, response plans are often better informed with threat intelligence on who may be attacking what systems with what mechanisms, while SOAR (security orchestration, automation and response) functionality can provide a more effective defence when new exploits are identified.
Also, not all vulnerabilities have patches, or it may be that the patch by itself isn’t sufficient. Sometimes network layer protection or rebuilding access control models is also required, which is time-consuming and arduous, especially if it is on a critical system or one facing the internet.
Vulnerability management cannot be undertaken by a single person or team. It needs coordination from many different units within an organisation, along with highly and continuously trained individuals – the expense of which can be prohibitive to board buy-in. It also requires CISOs with hybrid skillsets able to balance the requirements of the business with the constantly shifting security landscape and across multiple channels.
Some form of downtime or disruption to the business is usually required as system changes are made, with “maintenance windows” usually determined by each separate application owner. Navigating the often multiple approvals required can be time-consuming – and potentially can take longer than identifying the fix required.
It is also important to consider whether making the changes and addressing the vulnerability will actually make the organisation more secure. For example, low-level vulnerabilities will often be ignored in order to prioritise higher-risk vulnerabilities which might cause a greater impact to the business if exploited.
Equally, patching might have unexpected consequences, such as the recent Microsoft Windows update that removed many organisations’ print networks. Not undertaking a change, or even rolling it back, along with leaving the vulnerability to exist, need to be considered as options.
Security teams working with OT – such as supervisory control and data acquisition (SCADA) – are likely to find the constraints around vulnerability management even tighter. Scanning is problematic, downtime is often non-existent, and there is no test environment to confirm that there will be no impact. Network-level controls to restrict access to vulnerable devices are often the preferred option – although, if not already in place, are time-consuming to implement.
In summary, vulnerability management demands a full understanding of the organisation’s assets, what they are running, whether they have direct access to the internet, and how critical they are to the business.
Teams need to be vigilant in scanning for information that impacts their operations – ingesting vulnerability news for zero-days, while also not shying away from using unorthodox methods of obtaining information such as social media.
It is challenging work in an IT environment that faces an increasing number and variety of threats – making it essential that every organisation takes it seriously.