Firefighting:
Looking back at 2018, the evidence suggests that many organisations struggle with the fundamentals of maintaining a reasonably secure posture.
We're still seeing large numbers of vulnerabilities which have been commonplace for over 15 years. Items such as cross-site scripting, SQL injection and command injection are all still relatively common. The question is why, and what can be done to improve the situation?
In the latest Vulnerability Stats Report there is a considerable number of preventable vulnerabilities on exposed production systems, from systems still vulnerable to NotPetya due to a lack of patching, to injection vulnerabilities (SQLi, RCE, etc.) due to insecure coding.
It comes down to focusing on the fundamentals of cyber security and secure application development. A couple of items make life much easier, reduce the probability of a breach and provide overall situational awareness.
Visibility and Profile:
At a minimum I'd personally recommend focusing on a method to gain visibility and attack surface awareness. Which moving parts of your estate have a potential for attack? Is there anything exposed to the public Internet or an untrusted network which shouldn't be? Do I have exposed ports, protocols and services, and can I answer this question today? If something changes, how shall I be made aware of it in a timely manner? Do I know where all my enterprise APIs are hosted? Can I identify all ingress points to my organisation's systems?
Visibility and profiling need to be continuous and constant. As systems change, firewall rules are altered, systems are spun up and torn down and DNS changes, continuous profiling should keep you abreast of the situation and generate alerts based on the criteria that matter to you.
Visibility and profiling may not detect CVEs (Common Vulnerabilities and Exposures) but can certainly detect exposed systems, services, APIs and consoles which generally should not be accessible via the public Internet.
Visibility on a continuous basis is a cornerstone to cyber security.
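The continuous profiling described above boils down to two checks: what changed since the last look, and what is exposed that policy says should not be. The following is an added example, not code from the original post or from Edgescan; the host names, the two snapshots and the allow-list are constructed values, and the "high-risk services" list is an assumption chosen for illustration.

```python
from dataclasses import dataclass

# Constructed sample snapshots (not real hosts): host -> {(port, service)}
# as observed from the public Internet on two consecutive profiling runs.
SNAPSHOT_YESTERDAY = {
    "web-01.example.test": {(443, "https")},
    "api-gw.example.test": {(443, "https")},
}
SNAPSHOT_TODAY = {
    "web-01.example.test": {(443, "https"), (22, "ssh")},   # ssh newly reachable
    "api-gw.example.test": {(443, "https")},
    "db-01.example.test": {(3306, "mysql")},                # new host, database exposed
}

# Assumed policy for the example: only HTTPS is acceptable on the public edge;
# anything in HIGH_RISK_SERVICES is flagged regardless of whether it is new.
ALLOWED_PUBLIC_SERVICES = {"https"}
HIGH_RISK_SERVICES = {"ssh", "rdp", "mysql", "postgresql", "redis", "mongodb"}


@dataclass(frozen=True)
class Alert:
    host: str
    port: int
    service: str
    reason: str


def flatten(snapshot):
    """Turn host -> {(port, service)} into a flat set of (host, port, service)."""
    return {(h, p, s) for h, ports in snapshot.items() for p, s in ports}


def diff_exposure(previous, current):
    """Return (new_exposures, removed_exposures) between two profiling runs."""
    prev, curr = flatten(previous), flatten(current)
    return curr - prev, prev - curr


def evaluate_policy(current):
    """Flag every exposed service that violates the public-edge policy."""
    alerts = []
    for host, ports in sorted(current.items()):
        for port, service in sorted(ports):
            if service in HIGH_RISK_SERVICES:
                alerts.append(Alert(host, port, service, "high-risk service exposed"))
            elif service not in ALLOWED_PUBLIC_SERVICES:
                alerts.append(Alert(host, port, service, "service not in public allow-list"))
    return alerts


def build_alerts(previous, current):
    """Change alerts (anything new since last run) plus policy alerts on the current state."""
    new, _removed = diff_exposure(previous, current)
    alerts = [Alert(h, p, s, "new exposure since last profile") for h, p, s in sorted(new)]
    alerts.extend(evaluate_policy(current))
    return alerts


if __name__ == "__main__":
    for a in build_alerts(SNAPSHOT_YESTERDAY, SNAPSHOT_TODAY):
        print(f"{a.host}:{a.port} ({a.service}) - {a.reason}")
```

Keeping the change detection and the policy evaluation as separate functions matters: a service that was exposed yesterday and is still exposed today produces no change alert, so without the policy pass a long-standing misconfiguration would never be raised again.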
Continuous Full-stack assessment:
Coupled with visibility and profiling, regular or continuous vulnerability management can help detect misconfigurations, known vulnerabilities (CVEs), systems which require patching, systems which require hardening and, not least, default configurations; all of the above may result in a security incident.
Full-stack vulnerability intelligence in effect means that the vulnerability detection service covers both the hosting infrastructure (cloud, data centre, on-premise) and any web applications or APIs which reside "on top" of it.
A full-stack approach does not separate infrastructure and web-layer vulnerabilities into silos but provides a fuller picture of the potential risks an organisation may have. This lends itself to the DevSecOps view of the world. It also takes a risk-based view of vulnerabilities: regardless of which aspect of a system is vulnerable, it is still a risk to the organisation.
Measure & Track
Vulnerabilities need to be tracked all the way to mitigation; they don't go away once reported. We need to track the speed at which we are closing high and critical risk issues, coupled with tracking which "important" items are getting closed; we need to focus on the vulnerabilities which are most important to the organisation across all of the organisation's assets. Prioritisation is a challenge if one does not have complete enterprise-wide visibility.
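Tracking "the speed at which we are closing high and critical risk issues" needs a record of when each finding was opened and closed, per severity. The following is an added example, not code from the original post or from Edgescan: the findings list is constructed sample data and the SLA targets are assumed values, chosen only to show how mean time to remediate, SLA attainment and overdue open items can be computed from such a record.

```python
from datetime import date

# Constructed sample findings (not real data). closed=None means still open.
FINDINGS = [
    {"id": "F-1", "severity": "critical", "opened": date(2018, 1, 5),  "closed": date(2018, 1, 12)},
    {"id": "F-2", "severity": "critical", "opened": date(2018, 2, 1),  "closed": None},
    {"id": "F-3", "severity": "high",     "opened": date(2018, 1, 20), "closed": date(2018, 3, 1)},
    {"id": "F-4", "severity": "high",     "opened": date(2018, 3, 10), "closed": date(2018, 3, 20)},
    {"id": "F-5", "severity": "medium",   "opened": date(2018, 1, 1),  "closed": None},
    {"id": "F-6", "severity": "low",      "opened": date(2018, 2, 14), "closed": date(2018, 2, 28)},
]

# Assumed remediation targets in days per severity (illustrative, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def days_open(finding, as_of):
    """Age of a finding: opened -> closed, or opened -> as_of if still open."""
    end = finding["closed"] if finding["closed"] is not None else as_of
    return (end - finding["opened"]).days


def mean_time_to_remediate(findings, severity):
    """Average days from report to closure for closed findings of one severity."""
    durations = [days_open(f, None) for f in findings
                 if f["severity"] == severity and f["closed"] is not None]
    return sum(durations) / len(durations) if durations else None


def closed_within_sla_rate(findings, severity):
    """Fraction of closed findings of one severity that met the SLA target."""
    closed = [f for f in findings if f["severity"] == severity and f["closed"] is not None]
    if not closed:
        return None
    met = sum(1 for f in closed if days_open(f, None) <= SLA_DAYS[severity])
    return met / len(closed)


def open_beyond_sla(findings, as_of):
    """IDs of still-open findings whose age has exceeded the SLA for their severity."""
    return [f["id"] for f in findings
            if f["closed"] is None and days_open(f, as_of) > SLA_DAYS[f["severity"]]]


def summary(findings, as_of):
    """Per-severity metrics: open count, mean time to remediate, SLA attainment."""
    out = {}
    for sev in SLA_DAYS:
        out[sev] = {
            "open": sum(1 for f in findings if f["severity"] == sev and f["closed"] is None),
            "mttr_days": mean_time_to_remediate(findings, sev),
            "sla_rate": closed_within_sla_rate(findings, sev),
        }
    out["overdue"] = open_beyond_sla(findings, as_of)
    return out


if __name__ == "__main__":
    for key, value in summary(FINDINGS, date(2018, 4, 1)).items():
        print(key, value)
```

Reporting MTTR only for closed items and overdue counts only for open items keeps the two metrics honest: a backlog of ignored criticals does not drag the MTTR up, but it shows up immediately in the overdue list, which is the figure that should drive prioritisation.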
Metrics worth recording:
Marketing Executive of Edgescan