It’s a new year, full of opportunities! This is true for hackers as well.
Common predictions for cybersecurity in 2020 include more targeted ransomware, new ways to attack the cloud, and issues with deepfake technology. Already in 2020 the Department of Homeland Security (DHS) has issued a warning concerning the potential for cyber attacks stemming from Iran.
This means there’s a chance that dealing with a discovered vulnerability may move to the top of your to-do list this year.
The size and complexity of most modern systems means that software often has imperfections. Whether these affect only the proper functioning of the system or also its security determines whether they are bugs or vulnerabilities.
The longer a vulnerability exists, the more dangerous it becomes. Risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer.
If a vulnerability can be exploited and used to damage an organization’s security, it’s important to remediate it as soon as possible after discovery.
The Vulnerability Remediation Process
Vulnerabilities can be discovered in different ways. In the best case, an organization discovers it through vulnerability scanning or a penetration test before any harm is done. The far less desirable way for a vulnerability to be discovered is as a result of it being exploited by a malicious user.
Regardless of how the vulnerability is found, there are a few important steps to take in the remediation process.
Scope and Triage Determination
The first step after discovering a vulnerability on an organization’s systems is determining the severity of the issue. This determination should be based on two factors: scope and impact.
Scope refers to the number of systems that are or can be impacted by the vulnerability. This could refer to direct impacts, where an Internet-facing system is known to have the vulnerability, and indirect impacts, where a system may be affected by other vulnerable systems.
In order to accurately determine scope, an organization must have a complete index of all its assets. This includes a comprehensive and searchable inventory of its IT assets and a complete log of vulnerability disclosures, both updated continuously.
Determining the scope of a vulnerability is important for determining the resources required in a vulnerability remediation effort.
The other component of severity is the potential impact of the vulnerability, measured by how dangerous and exploitable the vulnerability is. The greater the potential impact of exploitation or the more easily a vulnerability can be exploited, the more urgent it is to take action to remediate it.
Based upon the scope of the vulnerability and its potential impact, the organization’s security team can perform triage and develop a plan for managing the vulnerability. Having an accurate understanding of each vulnerability’s scope and severity is especially important when multiple vulnerabilities are discovered at once, since it allows the team to prioritize them properly.
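The triage described above, as an added example that is not part of the original post: severity is computed from scope (directly affected hosts plus hosts that depend on them), potential impact, Internet exposure, and the one-week and one-month age thresholds from the introduction. The inventory, dependency edges, vulnerability identifiers and impact numbers are constructed for illustration.

```python
"""Added example: scope-and-impact triage over a constructed asset inventory."""
from dataclasses import dataclass
from datetime import date

# Constructed inventory: host -> whether it is Internet-facing and which hosts it depends on.
INVENTORY = {
    "web-01":    {"internet_facing": True,  "depends_on": ["app-01"]},
    "app-01":    {"internet_facing": False, "depends_on": ["db-01"]},
    "db-01":     {"internet_facing": False, "depends_on": []},
    "hr-portal": {"internet_facing": True,  "depends_on": ["db-01"]},
    "build-01":  {"internet_facing": False, "depends_on": []},
}

@dataclass
class Vuln:
    vuln_id: str        # placeholder identifier, not a real CVE
    affected: list      # hosts known to carry the vulnerable software (direct scope)
    impact: float       # 0-10 estimate of damage/exploitability (assumed scale)
    disclosed: date

def scope(affected):
    """Direct scope plus indirect scope: every host whose dependency chain reaches an affected host."""
    reached, frontier = set(affected), list(affected)
    while frontier:
        target = frontier.pop()
        for host, meta in INVENTORY.items():
            if target in meta["depends_on"] and host not in reached:
                reached.add(host)
                frontier.append(host)
    return reached

def age_factor(disclosed, today):
    """Risk escalates at one week and again at one month, as the post states."""
    days = (today - disclosed).days
    return 2.0 if days >= 30 else 1.5 if days >= 7 else 1.0

def severity(v, today):
    systems = scope(v.affected)
    exposure = 1.5 if any(INVENTORY[s]["internet_facing"] for s in systems) else 1.0
    return round(len(systems) * v.impact * exposure * age_factor(v.disclosed, today), 1)

def triage(vulns, today):
    """Return (id, severity) pairs, most urgent first."""
    return sorted(((v.vuln_id, severity(v, today)) for v in vulns), key=lambda p: p[1], reverse=True)

def demo_triage():
    today = date(2020, 2, 1)  # constructed "today"
    vulns = [
        Vuln("VULN-A", ["db-01"], 6.0, date(2019, 12, 20)),    # low-exposure host, but wide indirect scope
        Vuln("VULN-B", ["web-01"], 9.0, date(2020, 1, 30)),    # high impact, narrow scope, fresh
        Vuln("VULN-C", ["build-01"], 4.0, date(2020, 1, 22)),  # isolated internal host
    ]
    return triage(vulns, today)
```

Note that the database flaw outranks the higher-impact web flaw because three other hosts, two of them Internet-facing, sit downstream of it.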
Patch Development and Testing
Once a vulnerability has been discovered and triaged, it’s time to take action to close it. The scope determination in the previous stage identifies where the patch needs to be applied, so the main challenge at this step is developing the fix.
The difficulty of this stage mainly depends on the software containing the discovered vulnerability. If it is third-party commercial software, a patch may be publicly available. For in-house or open-source software, the organization may have to develop the patch itself.
Whether developing an in-house patch or applying an external one, testing in a non-production environment is a crucial part of the process. Applying an untested patch may cause more problems than it solves due to poor interactions with existing software. For this reason, testing should be performed on an environment that resembles production systems as closely as possible.
If a patch is developed in-house, it is also a good idea to develop an exploit for the vulnerability as well. This is helpful since it provides a more complete understanding of the vulnerability and can be used to test that the patch is effective before it is applied.
The final step in the vulnerability remediation process is developing a detection signature for exploitation of the vulnerability. If an exploit was previously developed, it can be used as part of signature generation.
This signature is valuable for protecting the network both preventatively and retroactively. By including the signature in an intrusion detection system or other protective solution, the organization can identify future attempts to exploit systems that may not have been patched.
If the organization also retains traffic logs, they can retroactively check these logs for hits on the signature, which may help with identification of past exploitation of the vulnerability. If any detections are found, the security team can begin incident response procedures to deal with the identified intrusion.
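The preventative and retroactive use of a signature, as an added example that is not part of the original post: the same pattern is run over retained access logs, and each hit is classified by whether the host had already received the patch at that time, so that hits on unpatched hosts can be handed to incident response. The log format, signature pattern, hosts, client addresses and patch dates are all constructed for illustration.

```python
"""Added example: apply an exploitation signature to retained traffic logs."""
import re
from datetime import datetime

# Constructed signature for the assumed exploit traffic (a traversal in an export parameter).
SIGNATURE = re.compile(r'"(?:GET|POST) /admin/export\?file=\.\./')

# Constructed patch record: when each host was patched; None means still unpatched.
PATCHED_ON = {"web-01": datetime(2020, 1, 20), "hr-portal": None}

# Constructed retained log lines: timestamp host client "request".
RETAINED_LOGS = """\
2020-01-12T09:14:03 web-01 203.0.113.5 "GET /admin/export?file=../../etc/passwd HTTP/1.1"
2020-01-12T09:20:11 web-01 198.51.100.7 "GET /index.html HTTP/1.1"
2020-01-25T22:41:57 web-01 203.0.113.5 "POST /admin/export?file=../config HTTP/1.1"
2020-01-26T03:02:40 hr-portal 192.0.2.9 "GET /admin/export?file=../../db.sqlite HTTP/1.1"
"""

LINE = re.compile(r'^(\S+) (\S+) (\S+) (".*")$')

def scan(logs, patched_on):
    """Return (timestamp, host, client, status) for every line matching the signature.

    status is "unpatched" when the host had no patch yet at that timestamp,
    which is the case that matters for retroactive incident response."""
    hits = []
    for raw in logs.splitlines():
        m = LINE.match(raw)
        if not m or not SIGNATURE.search(m.group(4)):
            continue
        ts = datetime.fromisoformat(m.group(1))
        patched = patched_on.get(m.group(2))
        status = "unpatched" if patched is None or ts < patched else "patched"
        hits.append((ts, m.group(2), m.group(3), status))
    return hits

def needs_incident_response(hits):
    """Hosts that saw an exploitation attempt while still unpatched."""
    return sorted({host for _, host, _, status in hits if status == "unpatched"})

def demo_scan():
    hits = scan(RETAINED_LOGS, PATCHED_ON)
    return [h[3] for h in hits], needs_incident_response(hits)
```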
Properly Managing Cyber Vulnerabilities
Managing a cyber vulnerability can be a time- and resource-intensive process, but the payoff can be significant. Cyber incidents frequently have large price tags for their victims, so closing a vulnerability before it’s exploited can generate significant savings.
However, before an organization can close a vulnerability, it needs to find it first. This is why vulnerability scanning and penetration testing are so important for all organizations.
For more information about how a security audit can help your organization, reach out for a consultation.