Beyond “Patch or Perish” – The CISO’s Risk-Based Approach to Fixing Vulnerabilities
Mathew J. Schwartz (euroinfosec) •
September 9, 2019
Each week seems to bring a new slice of “patch or perish”.
For those not in the know, this cat-and-mouse game of vulnerabilities works like this: IT teams rush to test and apply newly released critical updates to software and systems – or put mitigating or compensating controls in place – before hackers develop and use in-the-wild exploits for the flaws the patches fix.
Such efforts continue unabated. The Risk Based Security VulnDB team, for example, counted 11,092 newly disclosed vulnerabilities in the first half of 2019. Public exploits existed for 34% of these vulnerabilities, 53% of all vulnerabilities could be exploited remotely, and nearly 5% of all bugs affected security software.
Some weeks are worse than others. The U.S. Cybersecurity and Infrastructure Security Agency, in its Aug. 19 weekly vulnerability summary, released on Aug. 26, described nearly 600 new vulnerabilities, about 20 percent more than in an average week. The flaws included 49 high-severity vulnerabilities in software from Adobe, Google Android and IBM as well as in WordPress, plus 170 medium-severity flaws, eight low-severity flaws and 360 vulnerabilities for which no severity had yet been assigned.
Risk management challenge
Security experts warn that patch management, or the broader issue of vulnerability management, needs to be part of a much more holistic approach to risk management.
“I don’t see much written about vulnerability management in more holistic terms compared to fixing patches / bugs,” says Phil Venables, Board Member and Senior Risk and Cyber Security Advisor at Goldman Sachs Bank, via Twitter. “I have always found it extremely useful to think of vulnerability management as four layers, building on each other and in turn becoming more powerful as a risk mitigation approach.”
Here are his four layers of vulnerability management:
- Basics: Make sure the vulnerability management team has full coverage of the organization, ranks the criticality of each vulnerability and also maps all system dependencies.
- Components: Discover and fix component flaws. This is the best-known part of vulnerability management.
- Configuration: Discover and fix configuration flaws.
- Architecture: The highest layer involves “enumeration and application of architectural goals,” he says. This includes identifying the necessary constraints, such as “developing rules for potentially toxic arrangements of components that should never exist,” and then making the vulnerability management team responsible for constantly monitoring them. Likewise, such a program should identify obligations, including “to develop default architecture / design models for the deployment of common services and then monitor their compliance,” as well as enforcing their use throughout the software development lifecycle.
Not patching the right system at the right time – or otherwise mitigating the flaws – can have huge repercussions. Equifax, for example, asked all IT staff to make sure they had installed a critical patch for all Apache Struts implementations, but failed to confirm that all Struts systems had indeed been patched. In the meantime, attackers quickly infiltrated its systems, installing 30 web shells for remote access and exfiltrating huge amounts of data (see: Equifax Breach “Completely Preventable,” House Report Says).
As Venables also noted, numerous security incidents “are not due to a lack of control design but to expected control failures,” which may include patch management. As a result, he says, controls must be continuously monitored and validated, with any failure treated as a security incident.
Start here: “Do we have it?”
Organizations can’t fix what they don’t know they have. Nor can they make a well-calculated decision about what to fix first – or what to temporarily postpone – and what they can safely ignore.
His vulnerability management team learns to dream the following questions in its sleep, he says: Do we have it? Do we run it? Where is it? Is it vulnerable? From whom / what / where can it be exploited? What is the loss exposure? Do we care? What should we do if we do? Is it isolated / systemic / architectural, and is there a design pattern we can use to prevent it?
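To make that sequence of questions concrete, here is an added example (not from the article, Venables or his team) that applies them as a triage over a constructed inventory, scoring by loss exposure, reachability and public exploit availability, and that flags patch tickets closed without independent confirmation as control failures, the Equifax lesson above; the scoring weights, thresholds and asset names are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    asset: str
    installed: bool            # do we have it?
    running: bool              # do we run it?
    vulnerable: bool           # is the installed version actually affected?
    internet_exposed: bool     # from where can it be reached?
    remote_exploitable: bool   # exploitable over the network?
    public_exploit: bool       # is exploit code public?
    loss_exposure: int         # 1 (low) .. 5 (critical); hypothetical scale
    ticket_closed: bool = False        # patch ticket marked done by the team
    scan_confirms_fixed: bool = False  # independent scan no longer flags it

def triage(f: Finding) -> tuple[str, int]:
    """Map one finding to (action, priority); priority 0 means no work."""
    if not (f.installed and f.running):
        return ("ignore", 0)          # not present or not running: no exposure
    if not f.vulnerable:
        return ("monitor", 1)         # present but unaffected version
    score = f.loss_exposure           # "what is the loss exposure?"
    score += 3 if f.public_exploit else 0
    score += 2 if f.remote_exploitable else 0
    score += 2 if f.internet_exposed else 0
    if score >= 9:
        return ("patch_now_or_isolate", score)
    if score >= 6:
        return ("mitigate_then_patch", score)  # compensating control first
    return ("patch_in_cycle", score)

def prioritize(findings: list[Finding]) -> list[tuple[str, str, int]]:
    """Work queue of (asset, action, priority), most urgent first."""
    rows = [(f.asset, *triage(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def control_failures(findings: list[Finding]) -> list[str]:
    """Assets whose patch ticket is closed but an independent check still shows
    the flaw: a control failure to handle as an incident, not a backlog item."""
    return [f.asset for f in findings
            if f.vulnerable and f.ticket_closed and not f.scan_confirms_fixed]

# Constructed sample inventory; asset names are made up.
SAMPLE = [
    Finding("vpn-edge-1", True, True, True, True, True, True, 5, ticket_closed=True),
    Finding("app-web-2", True, True, True, False, True, False, 3),
    Finding("build-box-7", True, False, True, False, True, True, 2),
    Finding("db-core-1", True, True, False, False, False, False, 5),
]
```

The closed-but-unverified ticket on the exposed VPN appliance surfaces both at the top of the work queue and in the control-failure list, which is the distinction between assuming a patch landed and confirming it.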
Patching delays
Despite such advice, failing to patch systems quickly remains very common, judging by the number of vulnerable systems that remain.
My version: “do we have it, do we run it, where is it, is it vulnerable, to whom / what / where, is it exploitable, what is the exposure to loss, do we care, what should we do if we do, is it isolated / systemic / architectural and is there a design pattern we can use to prevent it?” https://t.co/K2ZD5BBefy
– Hoff (@Beaker) September 2, 2019
In recent weeks, for example, warnings have intensified about the many unpatched SSL VPNs manufactured by Pulse Secure and Fortinet. Security experts say attackers have run large-scale scans to identify machines that have yet to receive the fixes released in April and May. Attackers can exploit the vulnerabilities to steal data, including passwords, and gain unauthenticated remote access to corporate networks (see: Chinese APT Group Began Targeting SSL VPN Flaws in July).
Waiting for BlueKeep attacks
Or take the calm before the storm regarding the BlueKeep vulnerability in older versions of the Windows operating system (see: Weaponized BlueKeep Exploit Released).
On May 14, Microsoft released fixes for the vulnerability (CVE-2019-0708), which attackers can exploit to compromise Remote Desktop Services on Windows and gain full remote access to a system, including full administrator privileges and the ability to execute arbitrary code. Microsoft last month warned that BlueKeep exploit code was in the wild. But many organizations have been slow to patch.
“Patches, or rather good cyber hygiene, are an integral part of every organization’s defense against cyber attacks,” Raj Samani, chief scientist at McAfee, recently told Information Security Media Group.
The number of systems that have yet to receive the RDP patch that protects against BlueKeep attacks “shows that the fundamentals of good cyber hygiene remain neglected for so many businesses,” he said.
However, many CIOs and CISOs have been trying for years to overcome the challenges of patch, vulnerability and risk management, only to see them continue to become more and more complex.
“In a nutshell, managing dependencies has become much more difficult,” Venables told ISMG.