NZ Incident Response Bulletin – November 2022

Our Views:

Continuous Vulnerability Management

Continuous Vulnerability Management exemplifies why cyber security governance is most effective when treated as an ongoing business process rather than a goal to set and achieve. In the modern business IT landscape, we rely on a wide variety of different devices and tools to get work done.

While these tools enable incredible productivity gains, they also pose a risk. Attackers and security researchers are constantly searching for vulnerabilities in operating systems, applications, and protocols. Many of the vulnerabilities found are critical and enable some level of unauthorised access to your IT environment. Once a vulnerability is discovered, attackers rush to develop methods of leveraging it to achieve their malicious goal: getting their hands on your money. That access is then used for a broad swath of attacks, including ransomware, business email compromise, data theft, and cryptocurrency mining, among others.

According to research from Tenable, around 20,000 entries were added last year to the Common Vulnerabilities and Exposures (CVE) list, the public catalogue of disclosed information security issues.

There have been a number of examples of critical vulnerabilities causing global impact. For example, in January 2021, vulnerabilities were found in the common email server software Microsoft Exchange. These vulnerabilities could be leveraged to give attackers administrator privileges on the device hosting the email server, and from there access to connected devices on the network. Estimates suggest around 250,000 Exchange servers world-wide were accessed by attackers. This access was leveraged primarily for ransomware and data exfiltration. The fallout included services being disabled, expensive IT infrastructure rebuilds, and confidential data being leaked to the dark web.

As it was a “zero-day” attack, many organisations were hit before the vulnerability became public knowledge. For the others, the following days became a test of their Vulnerability Management procedures. Some organisations were monitoring intelligence feeds, identified the issue, sought best-practice guidance, and remediated promptly enough to avoid falling victim. Others lagged behind. Over the following two weeks, those who had failed to remediate the issue often became victims.

It’s not just zero-day vulnerabilities that have a large impact. Attackers also use the information published by security researchers and software vendors to design attacks. While these attacks may not work against patched systems, those slow to apply the patches are juicy targets. Research has shown that over the last 10 years, attackers have become faster and faster at turning known vulnerabilities into full attack procedures. This means the window between a patch being released and your unpatched systems becoming compromised is shortening.

Having an effective vulnerability management program enables you to keep ahead of the attackers and keep your IT systems safe. You will need to decide how you keep your systems up to date, balancing a cheaper ‘manual’ method against subscribing to ‘automated’ software. Ultimately, either option will improve your security if you are currently managing your vulnerabilities in an ad-hoc manner.

If you operate in the public sector, you will also need to consider the requirements set out in the New Zealand Information Security Manual, published by the Government Communications and Security Bureau. According to the latest release from September 2022, agencies must ensure security patches are applied in a timely fashion to manage software and firmware corrections, vulnerabilities and performance risks, covering both evaluated and non-evaluated software and IT equipment.

The Australian Cyber Security Centre goes one step further, recommending time frames for how often to check for patches and when they should be applied, for example:

  • For advanced cyber threats, check internet-facing services daily, commonly targeted applications weekly and other applications fortnightly.
  • For internet-facing services: apply patches within two weeks, or within 48 hours if an exploit exists.
  • For commonly targeted applications: apply patches within one month.

Something as simple as five minutes spent updating a piece of software could save your organisation weeks of downtime and millions of dollars in response and recovery costs. When a critical security patch was released months ago and widely publicised, failing to apply it becomes inexcusable.

We recommend following the CIS Controls Continuous Vulnerability Management safeguards. The first four safeguards should be a starting point for any organisation, large or small, to manage their vulnerabilities:

  • Establish and Maintain a Vulnerability Management Process
  • Establish and Maintain a Remediation Process
  • Perform Automated Operating System Patch Management
  • Perform Automated Application Patch Management

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions covering topical matters. Each article contains a brief summary and, where possible, a linked web reference for detailed information. The purpose of this resource is to assist Executives in keeping up to date, from a high-level perspective, with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line “Subscribe”, “Unsubscribe”, or, if you think there is something worth reporting, “Contribution”, along with the webpage or URL in the contents.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.