To ensure effective vulnerability management, it is essential that business leaders take a risk-based approach when making decisions. Stephen Roostan, VP EMEA at Kenna Security, discusses how organisations can manage their vulnerabilities to external threats as the attack surface widens with remote working.
It’s all too easy to get caught up in the hype surrounding a new vulnerability, especially if that hype catches the attention of the CEO who then wants to know if the company is at risk. With today’s headlines publicising the latest big brand names to fall victim to a breach, it’s no surprise that security leaders are under significant and growing pressure to manage risk effectively.
But while all this media hype around security vulnerabilities and breaches serves to draw some much-needed attention to the importance of security, not all vulnerabilities are worthy of the celebrity treatment.
For example, the media frenzy whipped up around Heartbleed a couple of years ago focused widespread attention on a vulnerability in open source cryptographic protocol that put millions of websites at risk and prompted organisations to take much-needed appropriate action. Yet other vulnerabilities that have never garnered media attention can fly under the radar of security teams. In fact, recent research from Kenna Security and the Cyentia Institute, has shown that just 5% of vulnerabilities fall into the ‘high-risk’ category, indicating that they could be weaponised in some way. As an example, manufacturing companies in particular are only able to patch eight out of 10 high-risk vulnerabilities, placing them in one of the top sectors that take a long time to fix vulnerabilities.
Taking an objective view
Framing vulnerability management efforts around security news headlines puts security teams in a precarious position. As the news and hype around security vulnerabilities escalates, it is becoming increasingly difficult for security teams to remain current with the threat landscape and determine how best to prioritise their efforts.
Allocating precious time and energy to yield the biggest dividends where reducing organisational risk is concerned depends on security teams being able to prioritise their efforts based on the factors that really matter. Rather than sinking valuable resources into remediating headline-grabbing vulnerabilities that pose little or no threat to the organisation, identifying the right vulnerabilities to fix increasingly depends on embracing an objective and consistent way to prioritise vulnerabilities.
Let’s take a look at the top four factors that security teams should consider when evaluating which vulnerabilities represent the greatest risk to a specific environment:
- Does it allow for remote code execution?
Remote code execution enables an attacker to access a computing device from anywhere in the world to make damaging changes, so it’s no surprise that remote code execution tops the wish list of hackers everywhere. Having established a way to run their code on a remote system, hackers then have the ability to inflict all kinds of chaos, including establishing bot networks, stealing data, or infiltrating networks.
2. Does it have an exploit published in a widely-used toolkit?
Unfortunately, the same Metasploit security teams use to pen test their organisation’s defences and identify weaknesses has become the de facto standard for exploit development. When hackers use Metasploit, they’re not just creating tests, they’re creating real attacks. So whenever modules appear in Metasploit, it’s a given that attackers are, or soon will be, leveraging these to exploit vulnerabilities.
For that reason, any vulnerability identified with a Metasploit module should be at the top of an enterprise’s list of vulnerabilities to patch or mitigate. Regular patching, running applications or processes with least privileges, and limiting network access to only trusted hosts, can all play a pivotal role in limiting a hacker’s ability to leverage Metasploit.
Security teams are also well-advised to consider blackhat exploit kits. Despite having a much lower proliferation rate than Metasploit, their intent is much clearer. In other words, using an exploit from a blackhat kit is almost always for malicious intent and for this reason should be incorporated into the remediation decision-making process accordingly.
3. Does it have network accessibility?
Network accessibility plays a major role when determining the severity of a security threat and the likelihood of a vulnerability’s exploitation. Today’s attackers will leverage automation to execute attacks at scale and are on the lookout for network-accessibility vulnerabilities that can form the basis of botnets as well as command-and-control communications.
Cross-site scripting, missing function-level access controls or patterns of excessive use also serve as common examples of network accessibility vulnerabilities that should be prioritised for management.
4. Is it included in the Exploit Database?
The Exploit Database is a comprehensive repository of exploits and proof-of-concept attacks. Unfortunately, just like Metasploit, the Exploit Database is an invaluable resource for security teams and attackers alike. Attackers use it to find an exploit that will help compromise a known vulnerability within a target system.
Until a vulnerability appears in the Exploit Database, it remains less likely to emerge as a significant broad-based threat for organisations. However, as soon as a vulnerability appears, organisations will need to take action fast to remediate it.
Distinguishing between hype and risk
Today’s enterprise security teams have tens of thousands of vulnerabilities to remediate. The reality is that most vulnerabilities are likely to be exploited within 40-60 days, yet it can take security teams up to 120 days to put remediation in place. So the pressure is on for security teams to identify those vulnerabilities that pose the biggest risk of exploitation for their organisation and get to work with fixing these first.
As we’ve seen, while keeping up-to-date with security news is a great way of staying abreast with how the threat landscape is evolving, a vulnerability doesn’t need to be new or buzzworthy to pose a serious threat to the enterprise. All too often, headlines can serve to distract security teams from remediating quickly and efficiently those risks that haven’t made it into the hall of fame. What organisations need to remember is that the most important factor to consider is where a vulnerability sits within their ecosystem. For example, a high-risk vulnerability sitting in a low-risk environment poses less of a threat than a medium-risk vulnerability in a highly-accessible environment. Ultimately, visibility and context are everything. Media headlines and ranking on the Common Vulnerabilities Scoring System (CVSS) database can have little bearing. What matters is the risk that the vulnerability poses on the individual organisation.
At the end of the day, effective vulnerability management requires a risk-based approach to prioritising remediation efforts, so that the right vulnerabilities are addressed at the right time. That means streamlining and accelerating efforts by evaluating a vulnerability’s most critical aspects to figure out how much danger a vulnerability really poses. In this way, the limited time and resources of the security team can best be focused on addressing those vulnerabilities that actually pose the most risk to the organisation.Click below to share this article