Don’t forget the fundamentals
Looking back at 2018, the evidence shows that many organisations struggle with the fundamentals of maintaining a reasonably secure posture.
We are still seeing large numbers of vulnerabilities that have been commonplace for over 15 years. Cross-site scripting, SQL injection and command injection are all still relatively common. The question is why, and what can be done to improve the situation?
The latest vulnerability stats report shows a considerable number of preventable vulnerabilities on exposed production systems, from hosts still vulnerable to NotPetya (i.e. still missing the MS17-010 SMB patch released in 2017) to injection vulnerabilities (SQLi, command injection leading to RCE, etc.) caused by insecure coding.
It comes down to focusing on the fundamentals of cyber security and secure application development. A few practices make life much easier, reduce the probability of a breach and provide overall situational awareness.
Visibility and Profiling:
At a minimum I'd personally recommend focusing on a method to gain visibility and attack-surface awareness. Which moving parts of your estate could be attacked? Is anything exposed to the public Internet, or to an untrusted network, that shouldn't be? Do I have exposed ports, protocols and services, and can I answer that question today? If something changes, how will I be made aware of it in a timely manner? Do I know where all my enterprise APIs are hosted? Can I identify all ingress points to my organisation's systems?
Visibility and profiling need to be continuous and constant. As systems change, firewall rules are altered, systems are spun up and torn down and DNS records change, continuous profiling should keep you abreast of the situation and generate alerts based on the criteria that matter to you.
Visibility and profiling will not necessarily detect CVEs (Common Vulnerabilities and Exposures), but they can certainly detect exposed systems, services, APIs and management consoles which generally should not be accessible from the public Internet.
Visibility on a continuous basis is a cornerstone to cyber security.
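As an added example of the change-driven alerting described above (this is not the original post's code): two constructed snapshots of Internet-facing services are diffed, and every new exposure is checked against a simple exposure policy. The host names, ports, the snapshot layout and the policy lists are assumptions for illustration; a real feed would come from your external scanner or asset inventory.

```python
"""Attack-surface change detection: diff two exposure snapshots and raise alerts.

Added example, not the original post's code. The snapshot layout
(host, port, proto, service) and the policy lists below are assumptions.
"""
from dataclasses import dataclass

# Constructed sample snapshots of what an external scan found listening on the
# Internet-facing estate (hypothetical hosts and services, not real data).
YESTERDAY = [
    {"host": "web-1.example.test", "port": 443, "proto": "tcp", "service": "https"},
    {"host": "web-1.example.test", "port": 22, "proto": "tcp", "service": "ssh"},
    {"host": "api-1.example.test", "port": 443, "proto": "tcp", "service": "https"},
]
TODAY = [
    {"host": "web-1.example.test", "port": 443, "proto": "tcp", "service": "https"},
    {"host": "api-1.example.test", "port": 443, "proto": "tcp", "service": "https"},
    {"host": "api-1.example.test", "port": 3306, "proto": "tcp", "service": "mysql"},   # new DB exposure
    {"host": "jenkins.example.test", "port": 8080, "proto": "tcp", "service": "http"},  # new host
]

# Exposure policy (assumed): services that should never be reachable from an
# untrusted network. Either a port match or a service-name match triggers an alert.
NEVER_PUBLIC_PORTS = {21, 23, 445, 1433, 3306, 3389, 5432, 5900, 6379, 27017}
NEVER_PUBLIC_SERVICES = {"mysql", "postgresql", "redis", "mongodb", "rdp", "smb", "telnet", "ftp"}
# Management consoles are allowed only on an explicit allow-list of hosts.
CONSOLE_PORTS = {8080, 8443, 9000}
CONSOLE_ALLOWED_HOSTS = set()  # nothing in this estate is approved to expose a console


@dataclass(frozen=True, order=True)
class Exposure:
    host: str
    port: int
    proto: str
    service: str


def load(snapshot):
    """Normalise a snapshot into a set so membership and set-difference are cheap."""
    return {Exposure(e["host"], e["port"], e["proto"], e["service"]) for e in snapshot}


def diff_exposures(before, after):
    """Return (new, removed) exposures between two snapshots, sorted for stable output."""
    b, a = load(before), load(after)
    return sorted(a - b), sorted(b - a)


def policy_violations(snapshot):
    """Exposures in a snapshot that break the policy, whether or not they are new."""
    out = []
    for e in sorted(load(snapshot)):
        if e.port in NEVER_PUBLIC_PORTS or e.service in NEVER_PUBLIC_SERVICES:
            out.append((e, "never-public service reachable from the Internet"))
        elif e.port in CONSOLE_PORTS and e.host not in CONSOLE_ALLOWED_HOSTS:
            out.append((e, "management console on non-approved host"))
    return out


def alerts(before, after):
    """Alert lines for a change report: each new exposure, flagged HIGH when it breaks policy."""
    new, removed = diff_exposures(before, after)
    bad = {e: why for e, why in policy_violations(after)}
    lines = []
    for e in new:
        sev = "HIGH" if e in bad else "INFO"
        reason = bad.get(e, "new exposure, verify intended")
        lines.append(f"{sev} new {e.host}:{e.port}/{e.proto} ({e.service}): {reason}")
    for e in removed:
        lines.append(f"INFO removed {e.host}:{e.port}/{e.proto} ({e.service})")
    return lines


if __name__ == "__main__":
    for line in alerts(YESTERDAY, TODAY):
        print(line)
```

Run daily (or on every deployment) against the previous snapshot, the diff is what a human actually needs to look at: here the new MySQL port on the API host and the unapproved Jenkins console come out as HIGH, while the retired SSH listener is merely recorded. The policy sets are where "the criteria that matter to you" live.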
Continuous Fullstack assessment:
Coupled with visibility and profiling, regular or continuous vulnerability management helps detect misconfigurations, known vulnerabilities (CVEs), systems which require patching, systems which require hardening and, not least, default configurations. Any of these may result in a security incident.
Fullstack vulnerability intelligence in effect means that the vulnerability detection service covers both the hosting infrastructure (cloud, data centre, on-premise) and any web applications or APIs which reside on top of it.
A fullstack approach does not separate infrastructure and web-layer vulnerabilities into silos but provides a fuller picture of the potential risks an organisation may have. This fits the DevSecOps view of the world. It also treats vulnerabilities from a risk-based viewpoint: regardless of which layer of a system is vulnerable, it is still a risk to the organisation.
Measure & Track
Vulnerabilities need to be tracked all the way to mitigation; they don't go away once reported. We need to track the speed at which we are closing high and critical risk issues, coupled with tracking which "important" items are getting closed; we need to focus on the vulnerabilities which matter most to the organisation across all of the organisation's assets. Prioritisation is a challenge if one does not have complete enterprise-wide visibility.
Metrics worth recording:
- MTTR – Mean Time To Remediate. (one should expect this to be lower for high or critical issues)
- Average assessment count – How frequently is the asset being assessed? Is it matching deployment schedules?
- Risk density – High/Critical/Medium risks per asset, exposure index, percentage of vulnerable assets
- CVE landscape: The percentage of assets which have at least one CVE associated with them.
- Remediation performance: Focusing on high and critical vulnerabilities, how quickly are we closing them?
- Patch performance: MTTR for vulnerabilities that have CVEs associated with them. Such vulnerabilities are typically remediated by patching or upgrading the affected software.
- Maximum severity: The maximum severity value across the open vulnerabilities on your assets. Ideally this should be as low as possible; a high value indicates that a potentially dangerous vulnerability is present somewhere in your infrastructure.
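As an added example (not the original post's code) of computing these metrics over a fullstack finding list, in which infrastructure and web-layer findings sit in one list and are measured by the same rules, as the fullstack section above argues: the finding records, asset names, severity scale and dates below are constructed for illustration. The CVE identifiers are real (CVE-2017-0144 is the MS17-010 SMB flaw NotPetya used), but the findings themselves are made up.

```python
"""Vulnerability-management metrics over a fullstack (infra + web) finding list.

Added example, not the original post's code. The record layout, severity scale,
asset names and dates are assumptions constructed for illustration.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed findings. "layer" makes the fullstack point: infra and web findings
# are one list, prioritised by severity rather than by which team owns them.
FINDINGS = [
    {"asset": "web-1", "layer": "web",   "title": "Reflected XSS in search",         "severity": "High",     "cve": None,            "found": date(2018, 10, 1), "fixed": date(2018, 10, 8)},
    {"asset": "web-1", "layer": "infra", "title": "SMBv1 exposed, MS17-010 missing", "severity": "Critical", "cve": "CVE-2017-0144", "found": date(2018, 9, 20), "fixed": date(2018, 9, 22)},
    {"asset": "api-1", "layer": "web",   "title": "SQL injection in /orders",        "severity": "Critical", "cve": None,            "found": date(2018, 10, 5), "fixed": None},
    {"asset": "api-1", "layer": "infra", "title": "Outdated OpenSSL",                "severity": "Medium",   "cve": "CVE-2018-0732", "found": date(2018, 9, 1),  "fixed": date(2018, 10, 11)},
    {"asset": "db-1",  "layer": "infra", "title": "Default credentials on admin port","severity": "High",     "cve": None,            "found": date(2018, 10, 2), "fixed": date(2018, 10, 9)},
    {"asset": "cdn-1", "layer": "web",   "title": "Missing HSTS header",             "severity": "Low",      "cve": None,            "found": date(2018, 10, 3), "fixed": None},
    {"asset": "cdn-1", "layer": "infra", "title": "Outdated nginx",                  "severity": "Medium",   "cve": "CVE-2017-7529", "found": date(2018, 9, 15), "fixed": None},
]
# Full inventory, so an asset with no findings still counts in the denominators.
ASSETS = ["web-1", "api-1", "db-1", "cdn-1"]


def mttr_days(findings, min_severity="High", cve_only=False):
    """Mean Time To Remediate (days) over closed findings at or above min_severity.
    cve_only=True gives the patch-performance view (only findings that carry a CVE).
    Returns None when nothing qualifying has been closed yet."""
    closed = [
        (f["fixed"] - f["found"]).days
        for f in findings
        if f["fixed"] is not None
        and SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[min_severity]
        and (f["cve"] is not None or not cve_only)
    ]
    return mean(closed) if closed else None


def risk_density(findings, assets):
    """(open High/Critical findings per asset, % of assets with at least one open finding)."""
    open_by_asset = defaultdict(list)
    for f in findings:
        if f["fixed"] is None:
            open_by_asset[f["asset"]].append(f)
    high_crit = sum(
        1 for fs in open_by_asset.values() for f in fs
        if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK["High"]
    )
    return round(high_crit / len(assets), 2), round(100.0 * len(open_by_asset) / len(assets), 1)


def cve_landscape(findings, assets):
    """% of assets with at least one open finding that carries a CVE."""
    with_cve = {f["asset"] for f in findings if f["cve"] and f["fixed"] is None}
    return round(100.0 * len(with_cve) / len(assets), 1)


def max_open_severity(findings):
    """Highest severity still open anywhere in the estate (None if nothing is open)."""
    open_sev = [f["severity"] for f in findings if f["fixed"] is None]
    return max(open_sev, key=SEVERITY_RANK.get) if open_sev else None


def report(findings=FINDINGS, assets=ASSETS):
    density, vulnerable_pct = risk_density(findings, assets)
    return {
        "mttr_high_crit_days": mttr_days(findings),
        "patch_mttr_days": mttr_days(findings, min_severity="Low", cve_only=True),
        "high_crit_per_asset": density,
        "vulnerable_assets_pct": vulnerable_pct,
        "cve_landscape_pct": cve_landscape(findings, assets),
        "max_open_severity": max_open_severity(findings),
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k}: {v}")
```

Two details matter in practice: the denominators come from the asset inventory rather than from the findings, otherwise an asset that was never scanned silently improves your numbers, and MTTR only counts closed findings, so it must be read alongside the open High/Critical count (here the open SQL injection keeps the maximum severity at Critical even though the High/Critical MTTR looks healthy).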