IT Focus Area: Security
February 2, 2017
10 Steps to an Effective Vulnerability Assessment
As we conduct more and more business online, the digital world has become a hacker’s paradise.
Addressing the sheer volume and evolution of cyber attacks is daunting for even the most security-conscious IT teams. It requires an in-depth understanding of organizational risks and vulnerabilities, as well as current threats and the most effective policies and technologies for addressing them. Only by understanding their risks can organizations target limited security dollars to the technologies and strategies that matter most.
So how can companies arm themselves with the information they need to make informed decisions about cybersecurity?
Many cyber attacks take advantage of basic, often unnoticed security vulnerabilities, such as poor patch management procedures, weak passwords, Web-based personal email services, and the lack of end-user education and sound security policies. This makes an effective vulnerability assessment a critical first step in the effort to protect data.
81 percent of breaches leveraging hacking techniques (misconfigurations, vulnerabilities or exploits) used stolen or weak passwords in 2017, up from 63 percent in 2016. —Verizon 2017 Data Breach Investigations Report
Even the most secure network is likely to have some unknown vulnerabilities. Vulnerability scanners are useful tools for identifying hidden network and host vulnerabilities. However, for many organizations, vulnerability assessments are highly technical and are carried out mostly for compliance purposes, with little connection to the organization’s business risks and executive security budget decisions.
Vulnerability assessments typically identify thousands of granular vulnerabilities and rate them according to technical severity, rather than taking into account the affected business and its mission-critical processes. They can also identify a single vulnerability several times, recommending multiple patches and upgrades, when in reality a single security solution could address all of them.
Ideally, a sound security strategy should tie business impact and an organization’s overall security strategy to the results of a vulnerability assessment, enabling an understanding not only of where true business risks lie, but also of which vulnerabilities should be addressed first and how to address them effectively.
Tying Vulnerability Assessments to Business Impact
Getting maximum benefit from a vulnerability assessment requires an understanding of your organization’s mission-critical processes and underlying infrastructure, and applying that understanding to the results. To be truly effective, it should include the following steps:
1. Take an active role
Once the business decides to perform a vulnerability assessment, they should take an active approach to finding out what the current state of security is. It is important to actively screen potential vendors, engage in the scoping process, provide security consultants with what they need to do the job, and engage in the process to facilitate success. When key stakeholders decide to get involved in the process as participants and students, the knowledge gained from that collaboration will allow the business to consume the results more effectively, and put them on a better footing to face the issues of tomorrow, having been guided through the process by an experienced professional today.
2. Identify and understand your business processes
Identify and understand your organization’s business processes, focusing on those that are critical and sensitive in terms of compliance, customer privacy, and competitive position. There is no way for IT to do this in a vacuum. In many organizations, it requires collaboration between IT and representatives of the business units, the finance department and legal counsel. Many organizations put together security strategy task forces with representatives from each department, who work together for several weeks to analyze business processes and the information and infrastructure they depend on. Those with significant domain knowledge are the most valuable resources in this discovery process. The primary objective is to document “the way it’s done” and understand what the true process is.
3. Pinpoint the applications and data that underlie business processes
Once the business processes are identified and ranked in terms of mission criticality and sensitivity, the next step is to identify the applications and data on which those mission-critical processes depend. Again, this can be accomplished only through collaboration between IT and other business players. From extensive collaborative discussions, you may discover applications that are more crucial than expected. For example, email may be a critical application for one department, but overshadowed by in-house instant messaging in another.
4. Find hidden data sources
When searching out applications and data sources, make sure you consider mobile devices such as smartphones and tablets, as well as laptops and desktop PCs. While some data may reside in a static location, the overwhelming majority will exist and interact in an ecosystem of devices and information pathways. Collectively, these devices often contain the most recent, sensitive data your organization possesses. Work with the business units to understand who is using mobile devices for accessing and sharing corporate applications and data. Understand the data flows between these devices and data center applications and storage.
While considering the internal workings and movement of data, thought should be given to information that has migrated outside of the organization’s figurative four walls. Office 365 allows any employee to access mission-critical information on any device, in any location, at any time. In order to understand this external footprint, determine if your business users are sending business emails over public channels such as Gmail or Yahoo mail. Another often hidden category to investigate is your software development environment, as they are inherently less secure than production environments. Software developers and testers often use current, sometimes mission-critical data to test new and upgraded applications.
5. Determine what hardware underlies applications and data
Continue working down the layers of infrastructure to identify the servers, both virtual and physical, that run your mission-critical applications. For Web/database applications, you may be talking about three or more sets of servers — Web servers, application middleware and database — per application. Identify the data storage devices that hold the mission-critical and sensitive data used by those applications.
6. Map the network infrastructure that connects the hardware
Develop an understanding of the routers and other network devices that your applications and hardware depend on for fast, secure performance. It is important to determine if specific subnets are designed to contain sensitive assets such as Windows domain controllers, or a particular business unit, such as Development or Human Resources. Understanding how data gets from point A to point B is essential — and knowing where a particular type of data lives is critical.
7. Identify which controls are already in place
Document the security measures you already have in place — including policies, technical controls such as firewalls, application firewalls, intrusion detection and prevention systems (IPS/IDS), virtual private networks (VPNs), data loss prevention (DLP) and encryption — to protect each set of servers and storage devices hosting mission-critical applications and data. Understand the key capabilities of these protections and which vulnerabilities they address most effectively. This is the heart of the “defense in depth” strategy and may require some fairly extensive research, including scanning websites and reviews and speaking with security company representatives.
8. Run vulnerability scans
Only when you’ve understood and mapped out your application and data flows and the underlying hardware, network infrastructure, and protections does it make sense to run your vulnerability scans. The intellectual exercise that has been performed to this point is what allows security analysts to interpret the results of the scan clearly and with an objective focus on the critical aspects of the business.
“One of the biggest mistakes companies make is using a scan to determine what to patch, instead of scanning to verify successful patching. This sets the organization up for more vulnerability rather than less.” —Ben Holder, Senior Principal Consultant, Sirius Security
9. Apply business and technology context to scanner results
Your scanner may produce scores of host and other vulnerabilities with severity ratings, but since results and scores are based on objective measures, it’s important to determine your organization’s business and infrastructure context. Deriving meaningful and actionable information about business risk from vulnerability data is a complex and difficult task. After evaluating your staff’s level of knowledge and workload, you may determine that it would be helpful to partner with a company that is well-versed in all aspects of security and threat assessment. Whether undertaking this task internally or getting outside assistance, your results need to be analyzed to determine which infrastructure vulnerabilities should be targeted first and most aggressively. Consider the following:
The number and importance of assets touched by the vulnerabilities
If a vulnerability affects many different assets, particularly those involved in mission-critical processes, this may indicate that you need to address it immediately and comprehensively. On the other hand, if the scanner finds multiple vulnerabilities in infrastructures running less critical applications accessed only by a few users, they may not have to be addressed as aggressively. Triage should be performed based on the new knowledge acquired through the assessment process.
If the vulnerabilities identified by the scan affect infrastructure that already has multiple layers of protection in place, some of those vulnerabilities may, in fact, be addressed already by existing technologies. For example, a vulnerability found on a server protected by application firewalls, encryption, and other countermeasures may not be as important to address as the same vulnerability found in a less-protected infrastructure used in testing and development, particularly if it makes use of data with stringent compliance requirements. It’s important to weigh criticality against existing protections to determine which vulnerability could expose your business to serious risk.
Available security technologies
Your vulnerability assessment report may recommend scores of software patches and upgrades to address security holes, but constantly applying patches and upgrades can drain IT time and resources. There may be other security technologies that are more efficient and effective. For example, cross-site scripting vulnerabilities may be more easily and comprehensively addressed through a strategically placed Web application firewall (WAF) than by constantly applying patches and upgrades to multiple components. The key is to understand how the risk profile would change when certain security technologies and policies are applied.
Cyber attacks frequently take advantage of the weakest links in your infrastructure — and frequently those weak links can be found at branch offices or among mobile and IoT devices. If your scan reveals a number of vulnerabilities at a branch office or another remote infrastructure, this could indicate that further investigation and protection measures are required. Professional IoT security assessments, including standard discovery and assessment services and targeted evaluations of specific devices and platforms, can help you evaluate the vulnerability of the organization’s devices and establish an understanding of associated attack vectors.
10. Conduct penetration testing
Once the vulnerability assessment is complete, and the business feels it has remediated enough findings to improve its security posture, it’s critical to have a new set of eyes examine the environment and challenge assumptions. Penetration testing is designed to push upon your security practices to determine whether a malicious actor can leverage a vulnerability that can be exploited to gain access to valuable information. While the technical attack is played out, penetration testers will challenge the assumptions you’ve generated as part of your vulnerability assessment. Is the group of servers behind firewalls being monitored by anti-virus protected enough? Is the list of discovered entry points into critical applications complete, or can the penetration testers find a new method of access you weren’t aware of?
It is common for the business to be too close to the subject matter. A comprehensive evaluation with specific goals should be conducted by experienced testers to help the business gain perspective on which areas may not have been considered previously, and what the next area of growth should be as part of the security assessment lifecycle.
The Importance of Adding Context
Attackers will never stop trying to take advantage of vulnerabilities. As long as exploits exist, you need a process in place to continuously find and remediate your vulnerabilities. Continuous vulnerability assessments are an important part of effective cybersecurity. They can be invaluable, but only if their results are weighed in the context of the business and existing security infrastructure. By analyzing assessment output with business risk in mind and applying that knowledge to the development of a sound security strategy, CISOs and other IT executives can help their organizations make the most of their security budget and strengthen their overall security and compliance posture.
View more presentations from Forsythe Technology