Posted on April 13, 2016 by lexi
As a continuation of our series on vulnerability management, I had a chance to sit down with Bennett Gogarty, one of our information security analysts at TraceSecurity.
Bennett is a vulnerability management expert and has worked with a wide variety of our clients during his time here. During the course of our discussion we covered the much-publicized knowledge gap, common errors, and vulnerability management suggestions for low-budget organizations.
Let’s get right into it.
Bennett, thanks for taking the time to be here today. Could you give us a brief overview of your background?
Sure, I’ve been at TraceSecurity for just over three years now.
My time at TraceSecurity has allowed me to get heavily involved with vulnerability management. I had a technical background beforehand but have spent the last three years delivering information security services, including those that relate to vulnerability management, exploiting said vulnerabilities, writing up vulnerability reports, and so on.
Moving right into it, then, how important is vulnerability management now? And how has that changed over the past few years?
Well, it’s important to realize that the specifics of vulnerability management are always changing. Some vulnerabilities will go away, at least so long as the right patches are applied, but for every one that goes away another will pop up to replace it.
Five years ago you might have been using SSL v.3, which encrypts data travelling between your browser and the server, and it would have been considered perfectly safe and good to use. Now, it’s completely redundant. As soon as one group of vulnerabilities goes away, another group will pop up within six or eight months, and it becomes a whole new ballgame.
Also, in the last five years a lot of new industries, including banking and credit card, healthcare, and others, have started to go completely online. This has led to vulnerability management becoming more important, simply because the potential costs are so great.
We’re in a digital age – Nothing is on paper anymore, everything is online, and that’s only going to increase the importance of solid vulnerability management.
That makes sense. So how do you see the vulnerability landscape evolving in the years to come? Will it become more complex?
It’s definitely not going to get any easier!
I’d say it’s going to become exponentially more and more complex as we go along, particularly as systems become increasingly integrated. We’re going to reach the stage where everybody’s data will effectively be on the Internet. It might be well guarded, but ultimately if it’s out there people are going to try to get hold of it, and that’s why vulnerability management will have to keep up.
Some of the simpler exploits are gradually going away, and we’ll probably see them drop off completely once organizations start taking vulnerability management more seriously. But as that happens, new vulnerabilities become more and more complex and difficult to stop. It’s an ever-evolving process, and it’s only going to get harder, unfortunately, and more important.
So since it’s going to be increasingly important, what do you think is the most important step for organizations starting out?
They really want to make sure they have a platform (like TraceCSO) that can schedule and perform vulnerability scans, so they can start seeing what’s out there. Once they’ve done that, if they do have vulnerabilities, they’ll want to go ahead and get them remediated. There are many tools available, and they’ll quickly tell you where your problems are and how to resolve them.
If this is an organization that’s currently building a network piece by piece, I’d say they really need to run their vulnerability scanner multiple times before they go live, so they have the opportunity to remediate a majority of their vulnerabilities in advance. If there are some that are still valid, they can either accept them or plan to remediate them in the future, but my recommendation would be to make the network as secure as possible before posting customer information.
OK, so on the flip side of that, when you look at the customers you work with, what’s the one thing you see most of them doing wrong?
Across the board I’d say that while they’re running their vulnerability scans, they may not be fully investing their time into going through the results, prioritizing them, and actually making an effort to remediate the vulnerabilities.
A lot of the time it seems like organizations run these scans just so they can fill in reports for their management teams, like a KPI of sorts. It makes it look as though they’re doing something, but ultimately it’s useless.
Some clients do follow through with remediation, but most of the time if I’m dong an assessment and they have six or seven high-level vulnerabilities, the chances are those aren’t false positives, they’re genuine vulnerabilities. They might have a bunch of reasons why those vulnerabilities haven’t been remediated, like they’re busy or they have other priorities, but ultimately they’re kidding themselves.
The vulnerabilities are often just ignored, and in the end that’s going to lead to disaster.
That sounds like an issue of the knowledge gap?
Absolutely. I have seen it first hand quite a number of times.
I’ll be working with a client, perhaps a network admin, someone very technical, but they’re at the mercy of someone else. An executive, a board member, someone who usually isn’t technical at all, and isn’t up to speed on the need for vulnerability management. Quite often they’re from the ‘old school’ way of thinking and really don’t know anything about computers at all.
Our clients may be aware of certain high-level vulnerabilities, but there’s really nothing they can do about it because in order to get them remediated they’ll need new policies, new systems, or other resources. They’ll need to get approval from somebody, and that somebody really isn’t interested because of their lack of understanding.
It’s so common to come across executives who really don’t understand the first thing about vulnerability management and assume it isn’t important, but it really is. This is one of the most important functions of IT right now, given the sensitive nature of the information most organizations are holding.
We have many bank and credit union clients, so you can imagine the sorts of things they hold on their networks. This is very sensitive client data, and they really need to be on top of their security game, but sometimes we come across organizations that just aren’t ready to commit.
Sounds like a familiar story! So who do you think is responsible for fixing the knowledge gap? Executives? IT guys?
A combination of both, really.
It’s going to fall back on the technical individuals; they’re really going to have to push. They need to explain to these non-technical executives exactly why vulnerability management is important, what it achieves, and what could go wrong without it.
Depending on whom they’re working with this could be a real challenge, but it has to be done.
If I’m a network admin, and I feel like my job may be on the line, I’m going to go ahead and explain to them that this is hugely important, and here’s why. We have critical information that could be lost or stolen. There are vulnerabilities that could be easily remediated, but unless we commit to this process as an organization we’re going to be seriously at risk.
The knowledge gap is a huge barrier to IT in general, but it’s particularly damaging to IT security measures.
Makes sense! Moving on from that, do you have any tips for organizations with lower budgets on getting the best vulnerability management bang for their buck?
Sure. What they have to do is to look at their vulnerability report, the output from their scanner, and see what they can do to resolve identified risks. A lot of the time remediating a vulnerability is no more complicated than downloading a patch or applying an update. This usually won’t cost much money, it’s just a question of time.
Make sure the scans are run regularly, and remediate everything that can be done for nothing or low cost, which will be most of it. Anything that’s just a matter of applying a patch or hotfix that can be done very easily. Once that’s done, they can start turning to the executives and higher-ups to explain what’s vulnerable and why they shouldn’t be cutting corners.
It also helps if you have a tool, like TraceCSO, that allows your scanner to communicate with systems throughout your organization, so you don’t need to have someone on every site running scans. You can have all your vulnerabilities listed in the same report and handle remediation centrally, which makes the process much easier to manage and obviously means you need far less manpower to get the job done.
And do you think organizations can rely purely on their scanners to find vulnerabilities? Is there any mileage in conducting manual hunting efforts?
A scanner will definitely identify the main vulnerabilities. If we do have a bigger client who chooses to go through and do some of their own manual intervention that’s great, but the vast majority of the time a scanner will give you a solid idea of what’s out there.
If you wanted to go further I’d really recommend a penetration test, whether that’s done internally or by an external vendor, because that will be much more thorough.
How do you feel vulnerability management fits into a rounded approach to cybersecurity?
I definitely feel it’s a big aspect of cybersecurity.
There are others, of course. You need to have security awareness training, you need to have security protocols, and firewalls. Ultimately, though, if a malicious person is trying to get access to your network they’re going to look for vulnerabilities to exploit.
They’ll try to get hold of your IP information, and they can even run vulnerability scans against your external IPs to pick up possible entry routes. Nine out of ten times, if there’s a compromise of any kind it’s because there was some system or asset that had a vulnerability that was exploited.
Of course there could be phishing attacks that gain access to your network, but even then a lot of the time those phishing attacks rely on vulnerabilities somewhere down the line. Clicking on a malicious link is one thing, but there are other barriers standing in the way of what these people want, and if you run a tight ship, you can still make life very difficult for them.
There are vulnerabilities out there that can be exploited to gain remote access to your systems. You definitely don’t want the wrong people getting that access, so vulnerability management should be a really high priority.
Any final words?
Stick to the basics. Run your scans, check your reports thoroughly, and do everything you can to remediate vulnerabilities in a timely fashion. You don’t really have to get complicated most of the time.
If you can consistently execute the basics of vulnerability management, you’ll be in better shape than the majority of organizations worldwide.
Check out other posts in this series:
Want to detect vulnerabilities within your network right away? Take a test drive of the vulnerability management capabilities within the TraceCSO platform with our free 30-day trial offer. See first-hand how TraceCSO’s built-in scanner facilitates unlimited management of your organization’s internal and external vulnerabilities.
Posted in Vulnerability Management