Recently, the FBI and US Department of Homeland Security published their report on the most damaging cyber security issues from 2016 to 2019, together with a list of the issues that are most pressing for 2020. The 2020 list ranges from specific software issues to broader security challenges brought on by new ways of working and by the COVID-19 pandemic response.
So how can your IT security team use this report to its advantage? What steps should you be taking, and what changes should you make in practice? How can you best prioritise your resources, given the additional impact and strain your security team is likely facing?
Understanding the value chain
Look at the problem from the attacker's perspective. The first thing to understand is that attackers follow a strategy grounded in a value chain. Just like any normal business, they want the largest return for their effort over time. This means that attackers typically value business efficiency over technical sophistication. In practice, they reuse existing older vulnerabilities that have already been weaponised with exploits rather than investing time and skilled resources in building new exploits, unless there are very specific reasons to do so.
Hence, a good vulnerability prioritisation and remediation strategy is crucial for your security team, especially given the current environment and what are most likely scarce resources. It is important to focus on the biggest impact areas that can be targeted, as this greatly reduces exposure to older, well-known vulnerabilities. To be effective, this approach needs excellent visibility across all your IT assets and must cover the entire IT landscape. It also needs to provide continuous detection with a high level of accuracy, so that your team is not overwhelmed by false positives that lower the efficiency of your prioritisation process. Alongside this, a good vulnerability lifecycle management program should cover everything from the initial discovery of a new issue through to its remediation.
To reduce risk, basic measures such as enforcing patching and ensuring that applications are up to date should be in place. These steps remove some of the simple weaknesses that criminals look to exploit at scale, and make cyber crime less profitable. Make sure that you are fixing the issue at the source: the further downstream you address an issue, the more expensive it becomes from a resource perspective.
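The prioritisation logic described above, as an added example that is not part of the original article: findings are ranked by the attacker's value chain (already-weaponised, internet-facing, long-known bugs first, and low-confidence detections pushed out of the queue) rather than by raw CVSS alone. All records are constructed sample data, the identifiers are placeholders rather than real CVEs, and the weights are assumptions for illustration.

```python
"""Added example, not from the article: rank findings by the attacker value
chain the article describes (cheap, already-weaponised, reachable, long-known
bugs first) rather than by raw CVSS alone. All records are constructed sample
data and the identifiers are placeholders, not real CVEs; weights are assumed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # base score 0-10
    weaponised: bool       # a public working exploit exists and is in use
    internet_facing: bool  # asset reachable from outside the perimeter
    disclosed: date        # when the vulnerability became public
    confidence: float      # scanner detection confidence 0-1


def priority(f: Finding, today: date) -> float:
    """Higher means fix first. Weights are an assumption for illustration."""
    if f.confidence < 0.5:           # probable false positive: keep it out of the queue
        return 0.0
    score = f.cvss
    if f.weaponised:
        score *= 2.5                 # cheapest path for attackers, so most likely used at scale
    if f.internet_facing:
        score *= 1.5                 # exposed assets are the ones reached first
    age_years = (today - f.disclosed).days / 365
    score += min(age_years, 5)       # older, well-known, still-unpatched bugs attract reuse
    return round(score, 2)


def rank(findings, today):
    """Return findings ordered for remediation, highest priority first."""
    return sorted(findings, key=lambda f: priority(f, today), reverse=True)


TODAY = date(2020, 6, 1)
SAMPLE = [  # constructed: (id, cvss, weaponised, internet_facing, disclosed, confidence)
    Finding("VULN-A", 9.8, False, False, date(2020, 4, 15), 0.9),  # new, critical, no exploit yet
    Finding("VULN-B", 7.5, True, True, date(2017, 3, 1), 0.95),    # old, weaponised, exposed
    Finding("VULN-C", 8.1, True, False, date(2019, 1, 10), 0.3),   # likely false positive
    Finding("VULN-D", 6.5, False, True, date(2018, 6, 1), 0.8),    # exposed but no exploit
]

if __name__ == "__main__":
    for f in rank(SAMPLE, TODAY):
        print(f"{f.vuln_id}: {priority(f, TODAY)}")
```

Note that the three-year-old, medium-CVSS VULN-B lands at the top of the queue while the brand-new critical VULN-A does not, which is the point the article makes about what attackers actually reuse.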
Getting used to a new definition of vulnerability
The move to mass remote working - whether it is temporary or the "new normal" - has exposed attack vectors that received less attention previously, such as weaknesses in VPN systems or a growing number of mis-configured or non-compliant systems. When these services were only available to select employees, they were low on the list of priorities. Today, they have become critical infrastructure for carrying on working. In the rush to support this, it’s easy to see why things might have been overlooked or not configured correctly.
The recent spread of remote working has enormously increased the adoption of SaaS solutions for office productivity, customer service, financial administration, and other processes. In the past you may have restricted access to a limited set of locations, but now those limitations just aren’t possible. Similarly, many employees who now have to work remotely have been forced to use their own devices for professional purposes, perhaps even sharing them with other people during the day for a remote school video lesson or a remote conference call with friends. For many companies, the perimeter no longer exists in the same way, if at all. This opens up risks as well.
The report suggests that the vulnerabilities to be prioritised in 2020 have changed. Rather than holes in software alone, the biggest risks now include mis-configuration of cloud services and the misuse or theft of application credentials. With the majority of companies shifting their employees to remote working, the potential attack surface has evolved. For your security team, this means that relying on traditional vulnerability management approaches won’t be enough. Instead, the definition of what a vulnerability is should be amended, and new approaches considered to detect those oversights.
To cope with this, new workflows and processes are required. Alongside software scanning, it’s important to consider your cloud security posture too. You can do this by tracking your compliance with the CIS benchmarks for cloud security best practices. Similarly, you can check that you are enforcing best practices on cloud applications, such as multi-factor authentication, and managing the account lifecycle to restrict access and stop old accounts from being used.
The FBI report provides a good overview of the biggest issues that security teams have faced over the past few years, as well as highlighting the next risks that teams will have to manage. There is room for improvement across all organisations when it comes to managing vulnerabilities in the future. Achieving this will require re-examining what a properly orchestrated security program looks like and making sure that it can address everything across both the newest digital landscapes and more traditional IT.
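The two cloud-application posture checks named above (multi-factor authentication enforced, and old accounts no longer usable), as an added example that is not from the article or from any particular cloud provider's tooling. The inventory format, user names, dates and the 90-day staleness threshold are constructed assumptions for illustration.

```python
"""Added example, not from the article: a minimal posture check over a
constructed cloud-application user inventory, flagging the two controls the
article names: MFA not enforced, and stale accounts that account lifecycle
management should already have removed. Fields and thresholds are assumed."""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)   # assumed threshold for "old account still usable"

# Constructed sample inventory; names and dates are invented for the example.
ACCOUNTS = [
    {"user": "alice",   "mfa": True,  "enabled": True,  "last_login": date(2020, 5, 28), "role": "admin"},
    {"user": "bob",     "mfa": False, "enabled": True,  "last_login": date(2020, 5, 30), "role": "user"},
    {"user": "carol",   "mfa": True,  "enabled": True,  "last_login": date(2019, 11, 2), "role": "user"},
    {"user": "svc-old", "mfa": False, "enabled": True,  "last_login": None,              "role": "admin"},
    {"user": "dave",    "mfa": False, "enabled": False, "last_login": date(2020, 1, 4),  "role": "user"},
]


def check_accounts(accounts, today):
    """Return (user, issue) findings. Disabled accounts are skipped because the
    lifecycle process has already locked them out; a never-used enabled account
    counts as stale."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue
        if not a["mfa"]:
            sev = "high" if a["role"] == "admin" else "medium"   # admin without MFA is worse
            findings.append((a["user"], f"mfa-not-enforced:{sev}"))
        last = a["last_login"]
        if last is None or today - last > STALE_AFTER:
            findings.append((a["user"], "stale-account"))
    return findings


if __name__ == "__main__":
    for user, issue in check_accounts(ACCOUNTS, date(2020, 6, 1)):
        print(f"{user}: {issue}")
```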
Author: Benjamin Carr, Chief Information Security Officer, Qualys