Managing Your Vulnerability Management
By Ben Hunter, III, CPA, CITP, CISA, CRISC, CFE
Our IT environments are in constant flux. We are installing new laptops, desktops, endpoints, printers, etc. on almost a weekly basis. Not to mention the “bring your own devices” (BYOD) that connect to our WIFI. We have no control over those software and app updates. It seems every week there are new vulnerabilities announced.
Vulnerability assessments help ensure that the policies and procedures are being followed, that patches are being installed within the time frame expected, and that configurations are being maintained. A vulnerability management process or procedure should be documented and followed. Not having a consistent vulnerability and patch management process could result in critical security vulnerabilities existing in the IT environment that could be exploited by external or internal threat agents. Those responsible for governance may assume that patches are being installed timely, correctly, and consistently, only to find out with a breach that the patch had not yet been installed.
The vulnerability scan really provides its greatest value to decision makers on the second round of scans. The first scan provides a baseline at a point in time. The second scan provides a context and measurement for improvement. It will show how serious the IT department is on vulnerability management. The second scan will be analyzed and compared to the first scan to show if the vulnerability numbers are going up or down and how many vulnerabilities from the first scan have been remediated.
There should also be a formal remediation process. The vulnerability assessment results need to be reviewed, analyzed, and then acted upon, based on the risk tolerance of the company. It is recommended that all urgent and critical vulnerabilities be remediated, as well as all exploitable vulnerabilities, regardless of severity. The issues must be logged and a remediation plan must be created and tracked to completion. Accountability should be assigned to senior management. A formal tracking of vulnerability remediation provides those charged with governance the assurance that security is an ongoing management supported process, not just a one-time analysis that was enlightening.
There are lessons that can be learned from breaches that have been made public. The Equifax breach happened because a zero-day vulnerability in a software used on websites was not patched fast enough. Apache announced the vulnerability in March 2017. At the same time, they provided the patch and advised organizations to patch IMMEDIATELY. The Equifax breach took place in May and was discovered on July 29, 2017. The lesson we can learn is that when security patches are issued by a vendor, you cannot wait to install the patch, especially when there are high risk vulnerabilities such as the Microsoft wormable Remote Code Execution vulnerabilities in Remote Desktop Services that were announced in May and August 2019. These vulnerabilities were so dangerous that Microsoft issued patches for unsupported operating systems (something that company almost never does). I hope all readers have installed those patches. If you are not sure, please reach out to BRC.
There is a story written in “CISO Compass” by Todd Fitzgerald that applies not just to vulnerability management, but to many aspects of running a business:
“On January 28, 1986, the space shuttle Challenger exploded, killing seven astronauts due to the ‘O’ rings failing while experiencing low temperatures, permitting the hot gas to blow by and destroy the spaceship. The engineers were in a heated discussion the day before with the leadership team, with the engineers arguing it was too cold to launch. In a book by Dr. Diane Vaughn entitled, ‘The Challenger Launch Decision,’ she created a phrase ‘The normalization of deviation’; in other words, where over time, organizations deviate from safe practices so regularly that they become the new normal. Whether or not this was the case in the Equifax breach has not been publicly communicated; however, what can be learned is that the patch was not applied in a timely manner and the issue could have been avoided with prompt patching. We can learn from our own organizations that we should not be accepting a ‘normalization of deviation,’ whereby we so regularly put off patches that it become the new norm.”
When the board of directors or upper management receive the report on a vulnerability scan they should make sure they get a plan with actual timelines for remediation. They should also follow up and verify that the remediation has actually taken place. Too often the installing of patches and the remediation of vulnerabilities falls further down the list of priorities for IT departments. Patching and remediation is not “sexy,” and it does not impact the user experience (at least not until there is a breach). IT departments are very focused on the user experience, helping the users get access to their data and emails as fast and efficiently as possible. Those charged with governance (the Board, owners, upper management) should help the IT department establish performance metrics for patching and vulnerability remediation to ensure this vital task does not end up perpetually on “tomorrow’s” to do list.
Vulnerability assessments should not be a one and done activity. New vulnerabilities and changes to the IT environment are taking place constantly. The organization is exposing itself to more risk than necessary if a vulnerability scan is not performed at least once a year, with most organizations needing to perform scans 2 to 4 times a year.
Vulnerability management is a process that is never complete. The process needs to be documented, reported on, and followed up on. Vulnerability management is one of the foundational cybersecurity risk management practices every organization needs to have in place.
Ben Hunter, III CISO, Advisory Services Senior Manager, CPA/CITP, CFE, CISA, CRISC, CISM
Ben is the Chief Information Security Officer for BRC and is a Senior Manager in our firm’s Risk Advisory Services Practice. He specializes in Cybersecurity and Information Technology Audits and Assessments. Ben began his cybersecurity career in the US Marine Corps. After becoming a Certified Public Accountant, he continued his cybersecurity and IT Audit […]