When we leave our property unattended, we normally do a manual security check before we go. We check that doors and windows are closed, locks are applied and alarms are set. Whilst I know my doors and windows are not impenetrable, I also know that their design is unlikely to suffer an exploitable flaw today that was not a concern yesterday.
For example, I don't have to worry that a design error deep down in the technology stack has suddenly made my front door easy to break through with very little effort (at least not with traditional locks). Neither do I have to worry that this flaw is now being actively hunted by numerous criminals who can automatically scan every front door in my city to see which ones have it; checking front doors is a manual task.
Now let’s take this metaphor into the cyber security world.
Making the most of any vulnerability
Many organisations are coming to realise, particularly in the last 12 months, that even the big software vendors struggle to assure the security of their products. For example, VPN gateway devices designed to provide secure access into the organisation and keep it safe can, overnight, become the entry point cybercriminals use to get into the network, simply because a new vulnerability has been found in them.
There is an army of testers on the internet probing and poking for holes in every major application out there. Some do it for legitimate vendor bug bounty programmes, where vendors pay them to disclose bugs in their products; others sell what they find on the black market. The most dangerous of these are 'zero-day' vulnerabilities, so called because the vendor has had zero days' notice: the flaw is unknown to them, so no fix exists. Luckily these are not common, but they are real threats.
A far more frequent tactic used by ransomware gangs is to exploit vulnerable or poorly configured systems that face the internet. In many cases these are not new issues. They have been known to the vendor for some time and a patch has been available, but it simply hasn't been applied by the end user.
This exploits two weaknesses found in many enterprise IT teams:
- Lack of knowledge: they don't have the knowledge to recognise the risk the vulnerability actually poses to their business systems (if they did, they may well have addressed it beforehand)
- Lack of resources and time: they simply don't have the resources and time to fix the problem, even when they know it exists
However, vendors are getting better at managing software vulnerabilities. Microsoft have even added a feature to their Exchange email platform (the Exchange Emergency Mitigation service) that automatically applies interim mitigations for actively exploited vulnerabilities until the proper patch is installed. The fallout from the Microsoft Exchange hacks earlier this year led Microsoft to experiment with a much more aggressive approach to rolling out emergency security protections. In other words, the consuming enterprise cannot be trusted to do so in good time.
Currently this is unique to Exchange, but on the second Tuesday of every month ('Patch Tuesday') Microsoft release their latest round of updates, and almost every month includes at least one critical fix that should be applied as quickly as possible. In fact, the previous recommendation of 30 days to apply has now dropped to 7 to 14 days, as the urgency to push organisations to fix vulnerabilities quickly has increased.
So, where do you go from here?
Keeping up with where vulnerabilities exist in your infrastructure is in itself a daunting task. The landscape changes daily, so intelligence has to be current.
Then there are the challenges of applying remediation. Patches and workarounds can be disruptive to implement, requiring downtime to be negotiated across the organisation and services to be impacted. Patching has to be planned, and patches tested, before they are applied. Trying to achieve this in a 7 to 14 day window is often simply not realistic.
Patches can also have unforeseen consequences, so there is often a reluctance to apply them. Sometimes a patch is not available at all and more granular configuration changes are required instead, adding to the risk of something breaking.
Faced with this challenge and an ever-increasing number of vulnerabilities to address, one of the most effective tools in the IT arsenal is intelligence. It allows for better prioritisation of vulnerabilities, focusing resource and effort on those that present the most risk to the business. Prioritisation should be based on a combination of vendor severity scoring (such as a CVSS base score) and up-to-date intelligence about whether the vulnerability is actually being exploited, and where the affected systems sit in your environment: an internet-facing device with a known exploit in circulation is a far more urgent problem than a higher-scored flaw on an internal system nobody can reach.
For example, the Microsoft Exchange vulnerability received mainstream media attention, was attributed to nation-state spying and became a priority for anybody who was running Exchange and watching the news. However, most vulnerabilities do not get such attention. Instead, a source of continuous intelligence, whether through software or a third-party service, is a good way to stay ahead.
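To make the prioritisation idea concrete, here is a small worked example in Python. It is an added illustration, not code from the original post or from any vendor's product: it takes a list of findings, starts from the vendor's severity score and then applies multipliers for the intelligence the post describes (is it being exploited in the wild, is the asset internet-facing, is only a workaround available) before mapping the result to a 7, 14 or 30 day remediation deadline. The multiplier values and SLA thresholds are assumptions chosen for illustration, and the findings and asset names are constructed sample data, not real vulnerabilities.

```python
"""Prioritise a vulnerability backlog by combining vendor scoring with
exploitation and exposure intelligence.  Added example; the weights and
SLA windows below are illustrative assumptions, not an industry standard."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass
class Finding:
    vuln_id: str            # constructed placeholder identifier, not a real CVE
    asset: str              # constructed hostname
    cvss: float             # vendor/NVD base score, 0.0 - 10.0
    internet_facing: bool   # from your own asset inventory / external scan
    exploited_in_wild: bool # from your threat-intelligence feed
    patch_available: bool   # False means only a configuration workaround exists
    published: date         # date the vulnerability was disclosed


def risk_score(f: Finding) -> float:
    """Vendor score first, then intelligence-driven multipliers (assumed values)."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 2.0   # known exploitation trumps theoretical severity
    if f.internet_facing:
        score *= 1.5   # reachable by the automated scanners the post describes
    if not f.patch_available:
        score *= 1.2   # workaround-only fixes tend to slip, so keep them visible
    return round(score, 2)


def remediation_deadline(f: Finding, today: date) -> date:
    """Map a finding to an SLA: 7 days if exploited and internet-facing,
    14 days for anything critical/high, exposed or exploited, 30 days otherwise."""
    if f.exploited_in_wild and f.internet_facing:
        days = 7
    elif f.cvss >= 7.0 or f.exploited_in_wild or f.internet_facing:
        days = 14
    else:
        days = 30
    return today + timedelta(days=days)


def prioritise(findings, today: date):
    """Return (id, asset, risk, deadline) tuples, highest risk first;
    ties are broken by disclosure date so older issues do not sink."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.published))
    return [(f.vuln_id, f.asset, risk_score(f), remediation_deadline(f, today))
            for f in ranked]


# Constructed sample backlog (identifiers and hosts are placeholders).
TODAY = date(2021, 10, 1)
SAMPLE = [
    Finding("VULN-001", "vpn-gw-01",    9.8, True,  True,  True,  date(2021, 9, 20)),
    Finding("VULN-002", "file-srv-07",  9.8, False, False, True,  date(2021, 8, 2)),
    Finding("VULN-003", "web-proxy-02", 7.5, True,  False, False, date(2021, 9, 28)),
    Finding("VULN-004", "hr-app-01",    5.3, False, False, True,  date(2021, 6, 15)),
]

if __name__ == "__main__":
    for vuln_id, asset, risk, deadline in prioritise(SAMPLE, TODAY):
        print(f"{vuln_id:9} {asset:13} risk={risk:5}  fix by {deadline}")
```

Note what the ranking does with the sample data: the internet-facing proxy with a 7.5 score and only a workaround (VULN-003) outranks the internal file server with a 9.8 score (VULN-002), which is exactly the "how and where it is being used" adjustment the post argues for. The weights are the bit you should tune to your own environment; the structure (vendor score, then exposure and exploitation intelligence, then an SLA) is the point.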
A wrap-up, but not the end
To wrap up this blog, here are my key recommendations to you:
- Know what is, and what should be, in your environment
- Monitor vendor information for updates and newly discovered vulnerabilities
- Regularly scan your infrastructure to determine what is visible, to whom, and what may be exposing you to risk by being out of date
- Prioritise vulnerability management towards the higher-risk problems and apply security fixes as quickly as possible
Don’t let the lights go out
Exploiting software vulnerabilities is just one of the many evolved tactics cybercriminals use today.