Patch and Vulnerability Management

Unpatched vulnerabilities are one of the easiest ways for attackers to enter an environment. According to a new ServiceNow study conducted by the Ponemon Institute, an alarming 57% of cyberattack victims report that their breaches could have been prevented by installing an available patch. And 34% of those respondents were already aware of the vulnerability before they were attacked. The lessons from Equifax breach, which compromised the PII of half of Americans, the one which could easily have been prevented and was warned about by US-CERT a couple of days before for the vulnerabilities were exploited by the hackers, should not be forgotten. Hackers are out there; the question is how prepared the organizations are, and if they aren't a low hanging fruit waiting to be easily picked?

Any organization with a digital footprint is vulnerable in today's world, including pretty much every organization. To start, an understanding of vulnerabilities is important. Vulnerabilities are loopholes in applications/software that allow unwanted access to an attacker or lead to unintended external entities' disclosure of information. Vulnerabilities vary in severity from the low impact, which may lead to some information disclosure (not severe) to critical vulnerabilities, allowing remote code execution and a complete system compromise. An excellent place to understand the scoring of vulnerabilities would be CVSS. With this basic understanding of vulnerabilities, patch and vulnerability management will be looked into.

Various phases of vulnerability management include:

• Scoping
• Identification
• Classification
• Remediation
• Confirmation of remediation

Scoping: To begin with vulnerability management, understanding one's environment is important. Knowing what hardware and software are being used in the organization. Any hardware or software, not known about and that exists in an environment, is a blind spot and a big risk from a vulnerability management perspective, considering something not known can't be remediated and can easily be attacked. A proper inventory of assets and software used in an organization helps run a vulnerability management program smoothly. Also, as part of a vulnerability management program, an updated inventory of assets must be maintained and integrate asset discovery as part of vulnerability management.

Identification: This phase includes identifying the vulnerabilities of the assets of an organization. For this, vulnerability scanners such as Qualys, Nessus, or Rapid7 can be used. Using the scanner's misconfigurations and missing patches on an asset can be identified. Vulnerability scans must be authenticated(if possible) as it provides better results and confirmed vulnerabilities with less false positives. The vulnerabilities may belong to the software or OS installed on the asset. Web applications also need to be looked into for which web scanners from various vendors can be leveraged. The source code needs to be audited to integrate security from the start. Also, static and dynamic analysis can be done to check for vulnerabilities in the applications developed by an organization.

Classification: Not all the vulnerabilities identified have an equal impact. Vulnerabilities with higher severity need to be prioritized due to the higher impact they may have if exploited. For classification, CVSS scoring may be followed. It is important to note that each organization has a unique environment, and sticking to the CVSS may just not be enough. Consider a situation where a medium severity vulnerability is discovered on a server with PII (Personal Identifiable Information) data of customers. Due to the nature of data on the server, if exploited, the impact will be critical. Thus, proper classification is based not only on the severity of the vulnerability but also on the asset's criticality. A proper risk framework must be in place, which classifies risk posed by a vulnerability based on these important factors.

Remediation: It is the trickiest part of vulnerability management. It is not easy, rather close to impossible, to remediate all the vulnerabilities and say that the organization is free of vulnerabilities. Thus, the need is to prioritize remediation based on the risk created by a vulnerability. The critical assets must be patched as soon as reasonably possible. An external-facing asset is a critical asset. Also, there is always a risk of patching a system, resulting in system crash and loss of data. Thus, it's better to always have a dry run in a test environment to check how patching will impact a system's stability. Stability can't be compromised for security as it would cast the vulnerability management program as a roadblock (security should always be an enabler). If vulnerabilities per IP are seen and tried to remediate, a long list would be obtained, which can't be checked off completely with reasonable efforts. Remediation should start from the vulnerabilities which have the highest impact in reducing the risk. A simple Registry change or ticking a checkbox may reduce many vulnerabilities and should be considered and prioritized. Sometimes it often happens that a vulnerability can't be patched either due to patch not being available or patches impacting the systems' stability. In such cases compensating controls should be introduced to mitigate the risk due to the vulnerability.

Confirmation of remediation: Just patching a vulnerability without confirming remediation isn't enough. Often vulnerabilities need configuration changes in addition to patching to close the gap. These types of vulnerabilities are often missed in the first go. Thus the remediation should be followed by a rescan to confirm the mitigation. Ticketing systems like ServiceNow and Jira can be used for creating tickets and tracking vulnerabilities to closure.

Patch management is a part of vulnerability management, but not the whole thing. It specifically deals with how and when patches are applied to the vulnerable OS or software when identified. It is important to keep track of the patches when released for the software and firmware used in the environment. There should be a defined plan for patching based on the release cycle of patches. It makes the patching process efficient. Various patching tools like Shavlik can be used for making the patching efficient.

A good vulnerability management program identifies and tracks all the possible vulnerabilities in an environment. The vulnerabilities are remediated based on priority defined by the risk framework adopted by the organization. Not all vulnerabilities need to be remediated if it is aligned with the risk appetite of an organization. Vulnerability management is a continuous process. With appropriate reporting mechanisms and driven by efficient leadership, it is bound to succeed. If done properly, it helps an organization greatly in managing the risks and reducing the attack surface. With the integration of cyber threat intelligence, the process can be matured over time and prioritize vulnerabilities. Feeds from US-CERT and NCSC can be used to add value to the vulnerability management program. An important point that is often missed in a vulnerability management program is checking vulnerabilities on the recovery sites' assets. If possible, efforts should be made to minimize the software footprint in an environment as it helps minimize the remediation and maintenance efforts. Cloud technologies offer a challenge to vulnerability management, and the ownership of the vulnerabilities arising from the service subscribed to should be clear.