In this week’s blog we’ll share an overview of vulnerability assessments and discuss how they can help you find holes in your security program before malicious hackers can take advantage of them. Lauren Bellero spoke with Keith Melancon to get his thoughts on this topic. Keith oversees Delta Risk’s work with the Department of Defense (DoD) and Department of Homeland Security (DHS), including vulnerability assessments and pen testing on behalf of these agencies for local governments and universities, as well as critical infrastructure providers.
Lauren: In your own words, can you give us a vulnerability assessments overview and discuss the differences between them and penetration testing?
Keith: Vulnerability assessments are a key aspect of confirming that your vulnerability remediation program is effective or that you are comprehensively patching systems, both for the operating systems and the software that is running on them. They also include mapping or cataloging the target network, which usually results in some rogue systems being found that are typically not being managed. A penetration test is the step after a vulnerability assessment. Once a network has been mapped and scanned for vulnerabilities, a penetration tester can probe selected vulnerabilities to see if they can be breached and whether they can gain unauthorized access to show a specific risk does exist.
Vulnerabilities are only one part of the equation in securing systems as part of a cyber security program, though. Having other effective controls in place like antivirus software, firewalls, access control lists and secure coding can reduce the risk that a vulnerability may have on a system and enhance your security posture. Having an independent third-party assess your security posture with either of these methods gives you an attacker’s view of your system or network and allows you to see areas that may have been overlooked.
Lauren: How would you describe the differences between Delta Risk’s vulnerability assessments and other organizations you’ve worked at, or do they usually follow a pretty set formula?
Keith: Vulnerability assessments can be very simple and straightforward, especially if they are low cost. However, that low cost means you’re most likely getting the formatted output of a vulnerability scanner software, such as Nessus. While this does give you information you need, such as criticality and recommended fix actions, it doesn’t tell the whole story. Effective vulnerability assessments should involve validating the vulnerabilities, because many times the scan will return false positives. This should be done during an assessment to make sure you understand the vulnerability and confirm that it does indeed exist.
In assessments where there are many thousands of vulnerabilities, the focus should be on confirming the high-impact vulnerabilities—those rated critical and high. During this process, our assessors work with your team to go over the weaknesses, point out those most likely to be exploited by an attacker (such as EternalBlue), and confirm that the vulnerability is there on the system.
Lauren: What are some of the other benefits of vulnerability assessments, besides the obvious one of finding issues before attackers can exploit them?
Keith: As mentioned above, during the enumeration phase, the focus is on finding undocumented assets. An accurate inventory of software and hardware assets is a bedrock principle of securing your network (CIS Top 20, Controls 1 and 2). Our team of experienced assessors focuses not just on the vulnerabilities, but also on assessing the risk that the vulnerabilities pose. Some vulnerabilities may be mitigated by other controls already in place. Other vulnerabilities, if corrected, may adversely impact a key system. Mitigating the risks vulnerabilities pose must be more involved than just clicking an “update” button.
Our risk analysis looks at the balance between security and operability as defined by the owner. Not knowing about the vulnerability means you are accepting unknown risk – with the vulnerability assessment, you have defined your risk and understand what risk you have accepted, which can lead to mitigation through other applied controls.
Lauren: What are some of the most common vulnerabilities that you or other Delta Risk experts have seen in client engagements in the past year? Has this changed much from 2017 or was it about the same?
Keith: Unfortunately, most of the assessments I’ve been part of over the past two years involved organizations that didn’t have an effective vulnerability management program. Unsurprisingly, we found a lot of issues. The most troubling were related to three primary areas – unsupported operating systems, freeware downloads, and EternalBlue.
In the case of unsupported operating systems, it comes down to organizations not moving people to newer platforms. After a system has been out for around 10 years, the manufacturer typically ends support for the platform. In the case of Microsoft, for example, this means that Windows 2003 and Windows XP no longer have automatic updates pushed to them. Despite this, many organizations have some systems still running on these outdated platforms, as well as Linux-based platforms. Since these platforms are no longer patched, they present an easy target for an attacker. In these cases, vulnerability management requires these systems to be replaced by newer, supported platforms.
Second, we see many versions of freeware that are downloaded, such as the Adobe family of software. This is important because of the large number of vulnerabilities that are Adobe-based and how they have been so effective in phishing exploits. While Adobe does a good job of pushing updates, the users must apply those updates or they don’t help. I’m not picking on Adobe, but since Adobe software is widely installed, it presents a persistent risk to corporate networks if not effectively managed.
Lastly, EternalBlue has cropped up in every vulnerability assessment that we have done over the past year. This is a critical vulnerability that was exposed by “The Shadow Brokers” in April 2017 as part of a group of exploitation tools allegedly developed by the National Security Agency (NSA). Although Microsoft immediately issued a patch to fix this issue, including a special patch for the unsupported Windows XP and Server 2003 systems, it remains a primary target for malicious actors, with the WannaCry and Petya ransomware attacks using this vulnerability as their primary attack vector.
Lauren: Have you seen any new vulnerabilities appearing this year that took you by surprise? Any stories you can share related to this?
Keith: While vulnerabilities are always being discovered, the continued pervasiveness of EternalBlue is still a major concern. I know I’m talking about it a lot, but if this is out there and it is a primary attack vector for hackers, why wouldn’t you prioritize patching this? The reason is that many people don’t seem to be aware of what is going on because there is too much area to cover in the IT and security space. A chief information security officer, or CISO, is responsible for so many areas that things get overlooked.
I spoke at a conference recently and, in a room of 40 cyber security professionals, only two had even heard of EternalBlue. Understaffed and underfunded organizations are most at risk due to their focus on fighting fires and keeping the business functions online. This is not a way to ensure security and it will ultimately lead to a breach. This is why hiring an outside contractor like a managed security services provider, or MSSP, to complete specific functions or provide subject matter expertise, is a good strategy for small and mid-sized businesses. These are companies that typically don’t have the expertise to implement an effective vulnerability management program on their own and need some outside help.
Lauren: Any predictions for what we might see next year, particularly with regards to cloud security, Internet of Things, or otherwise?
Keith: The insane part of working in cyber security is that things remain the same. We often forget, or don’t know, that the CISO position was first created only 24 years ago. Despite the huge advances taking place in capabilities, especially with the cloud and the Internet of Things, the only real change is the increase in your security responsibilities. With the scrutiny that has been levied on firms like Google and Facebook over user privacy concerns and the handling of user information, these things are going to continue to stand out.
Protecting user data, while a primary concern for businesses now, will continue to evolve with the introduction of more comprehensive privacy frameworks like the General Data Protection Regulation (GDPR), and legislation aimed at protecting consumers. Organizations, mainly small and mid-sized companies, will have to comply with these frameworks while exercising the due care that is being established by the large companies to avoid legal repercussions.
Lauren: Is there anything you think it’s important to mention that’s usually overlooked when discussing this topic?
Keith: Vulnerability assessments are just one tool in a comprehensive security program that is focused on risk. Any of the security frameworks that are available prescribe multiple controls to help ease the failure or lack of other controls. Tools are needed for most networks to help manage the workload required for vulnerability assessments. Having employees trained to utilize the tools can be difficult, considering other responsibilities.