The general vulnerability management process consists of determining an inventory of critical assets of the organization, through an internal risk assessment process, on which penetration tests will be carried out and vulnerability scans will be executed, to obtain an inventory of vulnerabilities. The idea is to prioritize the remediation of vulnerabilities based on some indicator of criticality or impact.
It is common to find that the vulnerability analysis and remediation processes of some organizations do not fulfill their mission.
Sometimes we find huge inventories of vulnerabilities, and exhausted IT areas that rarely manage to have the time and resources to fix them
Why doesn't this process work?
Traditionally, one way to understand IT infrastructure is to visualize it as a castle with a wall around it, or as the vault of a bank, where there are goods or values that we want to protect.
When using this mental model, against the traditional IT infrastructure of companies, the following assumptions are usually made:
- There is centralized control of infrastructures and applications.
- There is a clearly defined boundary between the external and internal elements of the infrastructure.
- The elements that must be protected are well identified, such as: information, databases, internal networks, computers, applications, users, physical locations.
- There are control points or (Firewalls), which allow you to decide what enters and leaves.
- There are secure areas or networks, where you can place equipment, sensitive databases.
- There are well-defined managers who can introduce new technologies or services or can create new applications.
- The attack surface can be visualized as those points on the wall that can be attacked from outside the perimeter. Vulnerabilities are cracks in the wall that protects the organization.
But the reality is very different. The attack surface in a company today is complex, there is no defined boundary between internal and external elements. Assets are constantly changing, and there are interdependencies with service providers. Not all elements of the infrastructure are under the control of IT areas. The consideration that a computer is safe or reliable, just because it is located in a certain network or segment, is risky.
Some security challenges of today's companies are:
- SaaS applications
As a result of digital transformation initiatives, the presence or digital footprint of companies and their attack surface has increased.
Organizations now have many SaaS solutions, ranging from collaboration and office automation platforms to specialized ERP or CRM applications.
Increasingly, contact between employees, organizations and customers is made through SaaS applications, and cloud services, which can be accessed over the Internet from virtually any device and place in the world, increasing the possibility of unauthorized users accessing information, or accidentally publishing sensitive information.
- The use of IoT devices
Another element that has now increased exposure to attacks is the increasing use of IoT devices.
IoT devices are probably one of the fastest growing and most versatile technologies in home and business applications.
The diversity of devices, and their omnipresence, present security challenges such as:
- Users can install them without the review or authorization of IT areas, which makes it very difficult to maintain an up-to-date inventory.
- Firmware and Software is updated infrequently
- Insecure services running on the device
- Weak embedded passwords
- Insecure APIs
- Lack of secure update mechanisms
- Use of outdated components
- Insecure transfers of information
- Shadow IT
It consists of all applications that are used or developed by users, without the review or consent of the IT or security areas of the organization. Users use Shadow IT, it's because they think they can work more efficiently, and interact easily with other employees.
Initiatives such as "Bring or use your own device" allow employees to use their own smartphones or computers; If not enough prevention measures are taken, these programs favor an increase in the use of Shadow IT applications, which in turn increases the attack surface also increasing the possibility of leaks and inconsistencies in the information,
- Context information is available on social networks, Deep & Dark Web sources.
Passwords and leaked users can be used in successful attacks. Targeted attacks are becoming more frequent every day. The information available on social media, and Deep & Dark Web sources, allow a targeted attack to be more credible by a victim.
Cyber Threat Exposure Management
A new proposal is appearing in the community to solve address this problem.
Admittedly, the attack surface is constantly growing, not static, and composed of many more elements than just those that IT can control. If this expanded attack surface is not considered, assets or resources that could be considered low or medium priority can be the entry to attacks.
And on the other hand, it must also be taken into consideration that it is not always necessary to remedy 100% of vulnerabilities and that the protection measures that each organization has put in place, and the correct evaluation of the impact of attacks helps us to prioritize and debug the number of remediations that must be executed.
Some elements that a threat monitoring plan should take into account are:
- Count on an asset inventory that includes IT-managed infrastructure, as well as that which IT has no control over, such as SaaS applications, Shadow IT applications, IoT devices, and information from external sources such as Deep & Dark web. Among others.
- Asset inventory should be refined, mapping discovered assets against services and assets critical to the organization.
- Vulnerability analysis must include additional information such as the assessment of the security posture of SaaS applications, configuration errors, excessive user permissions, etc.
- Prioritize and refine the inventory of vulnerabilities. whereas not all vulnerabilities necessarily need to be corrected. Considering factors such as the urgency of remediation, the degree of exposure, the criticality of the assets, whether there are compensatory control measures, the possible impact and cost of the remeasurement, etc.
- Use penetration testing, attack simulation tools (BAS), and read teaming exercises to verify whether the prioritization performed was correct, and that there are no exploitable vulnerabilities that have been eliminated in the previous steps, but that they can have an impact on the organization.
- Design and execute a remediation plan.
.png?width=27&height=27&name=Threads_(app).png){kind=small}