Cybersecurity Practice #7: Vulnerability Management (medium/large)

Organizations use vulnerability management to proactively discover vulnerabilities. These processes enable the organization to classify, evaluate, prioritize, remediate, and mitigate the technical vulnerability footprint from the perspective of an attacker. The ability to mitigate vulnerabilities before a hacker discovers them gives the organization a competitive edge and time to address these vulnerabilities in a prioritized fashion.²⁶ 

There are multiple types of vulnerability scanning. The most well-known methods are scans against servers (or hosts) and against web applications. These two scan types focus on different considerations.

Sub-Practices for Medium-Sized Organizations

In this model, vulnerability scanners are leveraged to identify weaknesses in OS or third-party applications that reside on a server. There are two scan options: unauthenticated and authenticated.

In the unauthenticated model, the scanner has no extra sets of server privileges and queries the server based on ports that are active and present for network connectivity. Depending on the level of sophistication of the software scanner, each server is queried and checked for vulnerabilities. Scan results provide the perspective of an attacker who lacks server access. Vulnerabilities that rate high in this space should be mitigated first, as they are the most likely points at which a hacker could enter the server.

Authenticated scans are conducted by letting the vulnerability scanner log in to the server and query all running software with all running versions. The resulting vulnerability lists are usually compared against a database (maintained by the scanner’s vendor), and vulnerabilities are enumerated based on the known software version’s disclosed issues. While this type of scanning provides a much higher degree of accuracy in enumerating vulnerabilities, it does not necessarily provide context that describes how the vulnerabilities might be exploited. An advantage of this type of scan is that it will identify client-side vulnerabilities that exist on the server and that may otherwise be difficult to discover, such as vulnerable versions of Java.

Most scanning systems can categorize vulnerabilities against the MITRE Common Vulnerability Scoring System (CVSS). The CVSS system helps organizations prioritize identified vulnerabilities, which enables development of a prioritized response. Version 3 of the system considers the following three factors: base score, temporal score, and environmental score. These factors, along with their sub-factors, are used to calculate vulnerabilities on a scale ranging from 1 to 10. For more information, refer to the CVSS Specification Document, available online.²⁷

In this model, specialized vulnerability scanners interrogate a running web application to check for vulnerabilities in the application design. Most web applications run dynamic code, run atop a web server, interact with middleware, and connect to databases. If the web application is not coded securely, this architecture may enable unanticipated access to data or systems.

Common web application attack types include Structured Query Language injection, cross-site scripting, and security misconfigurations. In these cases, attackers can

• bypass web application security controls and pull data directly from the database;
• steal an already authenticated cookie on a vulnerable website to get access; or
• exploit misconfigurations that can permit properly formatted commands or scripts to execute privileged content on the webserver itself.

More information can be found on the Open Web Application Security Project’s Top 10 website.²⁸

In all cases, vulnerabilities to web applications with sensitive information represent a high risk to the organization. It is important to understand these vulnerabilities to conduct appropriate and prioritized remediation.

Organizations should apply Cybersecurity Practice #4: Data Protection and Loss Prevention and Cybersecurity Practice #5: IT Asset Management to understand IT assets and asset classifications. These cybersecurity practices answer the question, “How bad would it be if this asset were breached?”

It is important to understand the exposure of each system in your environment. Organizations should apply Cybersecurity Practice #6: Network Management to determine the likelihood that each this system can be compromised.

The level of risk related to vulnerabilities in your systems is directly related to the exposure of these systems and the types of data they contain.

All organizations should have a routine to patch security flaws in their servers, applications (including web applications), and third-party software. Although the patching process may vary, large organizations should use centralized systems to interrogate servers and determine which software updates should be implemented.

At least monthly, organizations should implement patches that are produced by the vendor community. IT operations should collect these patches, conduct appropriate regression tests to ensure that patches do not negatively impact the business, and schedule patch implementation during routine change windows. This process should be executed and measured using standard IT operations activities.

Not all vulnerabilities are created equal. Some are easier to exploit than others. The National Vulnerability Database (NVD) has produced the CVSS, a standard measurement across all industries that normalizes and ranks the severity of a vulnerability.²⁹

The more a vulnerability is exposed, the higher priority an organization will generally assign to mitigate it. Exposure may be a more critical variable than the potential impact to an asset, considering that hackers attempt to gain a foothold on organizational assets before conducting additional internal attacks. Another factor to consider is the level of active exploitability in the wild. A less-critical vulnerability may have an active threat against it. In such a case, an organization might want to consider proactively executing IR processes, organizing the response team, and quickly patching systems. The WannaCry exploit of 2017 was a classic example of organizations identifying an active threat and quickly implementing patches that were previously neglected³⁰.

If your systems are running end-of-life OS or software, associated vulnerabilities should be identified and steps taken to bring these systems back to a supported state. This may include decommissioning systems that run on unsupported OS, which may require additional investments. Once systems are unsupported, it is usually impossible to apply security patches, potentially increasing the organization’s risk posture.

Table 8 provides general guidelines for planning remediation efforts based on criticalities.

Table 8. Recommended Timeframes for Mitigating IT Vulnerabilities

The vulnerability scanning process is a quality check on the effectiveness of an organization’s patch management practice, otherwise referred to as a lagging metric. Organizations with a robust patch management practice are better positioned to mitigate residual vulnerabilities.

In addition to conducting routine patch management activities, organizations should ensure that proper security configuration management activities are in place. Common vulnerabilities can be introduced in systems with insecure configurations. Examples of insecure configurations include permitting a file transfer protocol (FTP) server to allow anonymous login, making that login credential accessible to the internet, or failing to change default account passwords on applications. Organizations that follow Cybersecurity Practice #2: Endpoint Protection Systems and expand those practices to their servers will be positioned to minimize these issues. 

Lastly, consideration needs to be given to changes made to systems, servers, and networks, along with the vulnerabilities that may be exposed as a result. A testing plan should be part of the change management process. It should include a vulnerability scan of new network connectivity (such as a firewall change) or a new system function or service. This scan should be conducted during the test phase of the change process, before the change is implemented into the production environment. Such a process enables the identification and mitigation of security exposures.

Sub-Practices for Large Organizations

In addition to vulnerability scanning, it is also important to consider conducting penetration tests. These types of tests are sometimes called red teaming; the goal is to actively exploit your own environment before malicious actors do. 

Penetration tests involve more than simply conducting vulnerability scans and attempting to exploit the findings. A proper penetration test should mimic the same attack methodologies that are deployed by the adversaries. Per SANS Critical Control #20, penetration testing involves mimicking the actions of computer attackers to identify vulnerabilities in a target organization, and exploiting them to determine what kind of access an attacker can gain. Penetration tests typically provide a deeper analysis of security flaws than a vulnerability assessment.³¹

Penetration tests should blend client-based, internet-based, web application–based, and wireless-based attacks. When selecting a testing method, consider the types of attacks that might occur most frequently against your organization. With these scenarios, you can test the resiliency of your cybersecurity program.

Penetration tests can be run internally by qualified individuals, or they can be run by external partners. No matter who will conduct the test, proper authority to perform the test must be documented, clearly defining the scope of the assets that may be tested, the methods that may be deployed, and the timing for conducting the tests. Assets and methods not permitted should be clearly articulated. This documentation is especially important if internal staff will conduct the test, and documentation may be necessary to comply with legal and HR obligations.

Multiple variations of penetration tests that can be conducted. Outlined in Table 9 are a few options for consideration. Review each of the factors in the table below and select what works best for your organization.

Table 9. Factors for Consideration in Penetration Test Planning

It is important to classify and prioritize vulnerabilities that remain after completion of standard patch management practices. Typically, these remaining vulnerabilities are issues that cannot be mitigated with a patch. They may require system configuration changes, code updates, or perhaps even a full- blown version upgrade. The process of resolving these vulnerabilities tends to be more time-consuming and complex.

Like risk management activities, remediation efforts should be prioritized to resolve identified vulnerabilities. The most common practice is to first patch identified vulnerabilities and then rescan the system to validate that those vulnerabilities are closed. Most vulnerability scanning systems can track the opening, closure, and reopening of vulnerabilities over time. It is highly encouraged to track these metrics.

Mitigation of some vulnerabilities requires far more effort than a simple patch. In these cases, it is best to develop structured remediation plans that include the following elements:

• Remediation owner: The single individual accountable for ensuring that the vulnerabilities are addressed. It is important to assign remediation plans to a single owner, otherwise they are likely to stall due to lack of leadership.
• Plan: A full description of the remediation plan to be completed. The remediation plan owner and the information security office should develop this plan. Once the plan is approved, execution tasks can be started.
• Stakeholders: The individuals responsible for completing tasks in the remediation plan, or organizing other individuals who will complete tasks. Stakeholders may include individuals who need to be informed of remediation activities as well as those who complete the work.
• Dates: Major milestone dates and remediation plan due dates must be captured on the remediation plan. The remediation plan owner must commit to these dates.
• Status: Periodically, the plan should be updated to remain current. Updating generally occurs between once per week and once per month. The remediation plan owner may be accountable for providing status updates.

After a remediation plan is completed, the organization’s information security office should implement a monitoring process. This monitoring process may include all remediation plans in progress and current activities. The security office may provide support to activities that are behind schedule. Consider engaging in such a monitoring process once per week to maintain momentum.

Threats Mitigated

1. Ransomware attacks
2. Insider, accidental or intentional data loss
3. Attacks against connected medical devices that may affect patient safety

Suggested Metrics

• Stacked aggregate of vulnerabilities in DMZ trended by month, with vulnerabilities categorized using CVSS categories (Critical, High, Medium, Low, None) and plotted as a simple stacked bar. The goal is to mitigate the most severe vulnerabilities first, through patching and configuration management. Of the remaining vulnerabilities, the most critical should be mitigated within 30 days. The total number of vulnerabilities should be reduced over time.
• Stacked aggregate of vulnerabilities in data center trended by month, with vulnerabilities categorized using CVSS scores and plotted as a simple stacked bar. The goal is to mitigate the most severe vulnerabilities first, through patching and configuration management. The total number of vulnerabilities should be reduced over time.
• Number of unmitigated new vulnerabilities introduced into the environment trended by week. The goal is to keep the number of new vulnerabilities as low as possible, defined by your organization’s level of risk tolerance.

27. “Common Vulnerability Scoring System v3.0: Specification Document,” FIRST, accessed September 24, 2018, https://www.first.org/cvss/specification-document.

28. OWASP Top 10 - 2017: Ten Most Critical Web Application Security Risks, OWASP, 2017, https://www.owasp.org/images/7/72/OWASP_Top_10_2017_%28en%29.pdf.pdf.

29. “CVSS,” NIST National Vulnerability Database, accessed September 24, 2018, https://nvd.nist.gov/vuln-metrics/cvss.

30. “Report. The IT Response to WannaCry,” accessed September 30, 2018, https://www.techrepublic.com/article/report-the-it-response-to-wannacry/.

31. “CIS Control 20. Penetration Tests and Red Team Exercises,” Center for Internet Security, accessed September 24, 2018, https://www.cisecurity.org/controls/penetration-tests-and-red-team-exercises/.