They say that a business can be anything: a boat, a wave, a force of nature, a happy mistake. As far as I’m concerned, running a business is very much like jumping from a high building, praying that there’s a safety net underneath. Risk is something you’ll have to deal with whether you’re a wannabe Tony Stark or a tightrope walker. In cybersecurity, risk is part of your job requirements and knowing how to deal with it makes all the difference in the world. A least known fact about (cyber)security is that there’s no such thing as a bulletproof system. There’s always that small, overlooked detail that can (and will) be used against your company.
I remember reading somewhere that, as a business, being overtly transparent -posting details like names, email addresses, phone numbers, social media handles – can be detrimental to your cause. Furthermore, in the very same passage, the author mentioned something about being able to identify at least three business pain points by simply looking up the aforementioned business on Google maps. Unbelievable as it may sound, this ‘tiny’ detail may cost that cushy job of yours and perhaps snowball into a company-wide disaster with lawsuits and everything in between.
As a sysadmin, you will be required to conduct regular vulnerability risk assessments. Depending on your company’s policy, these evaluations can be monthly, biannual, or once every blue moon. Of course, it’s preferable to conduct a vulnerability risk assessment as frequently as possible, but this is a topic that I will touch upon in the next section of this article. Let’s get this show on the road.
What is (a) Vulnerability Risk Assessment?
According to a SANS Institute’s paper on IT risk evaluation, vulnerability management is the process through which security risks are identified and evaluated. Based on this appraisal, the management can decide to remove the identified risk or roll along with it. The latter decision should be accompanied by several recommendations on how to mitigate that risk. There’s a reason why I brought this paper to your attention – the assessment frequency conundrum. How often should these assessments be made? Well, in a pitch-perfect sysadmin world, the answer to this question would be “every (odd) month”. Why? Because as the time between detections decreases, the more time you have to address those issues and, of course, prevent others. If you were to perform fewer assessments (e.g. twice per year), your vulnerabilities would compound.
In practice, the vulnerability management process consists of five steps (or phases). They are as follows:
- Scanning for vulnerabilities.
- Defining problem-solving actions.
Preparation refers to how you define the purpose of this endeavor. Is it essential though? I would say that it is. There’s a lot of ground to cover, and by that, I meant that each device, piece of software, every bit of disclosed info can become a liability if not taken care of. So, to make things easy for yourself, start with a small network and work your way up from there. Determining what types of vulnerability scans to run is also part of the Preparation stage. On that note, you should be aware of the differences between internal and external scans.
Within or without; does it matter? Of course, it does. When performing an external scan, you assume the mantle of the attacker, trying to gain access to the company network. This type of cybersecurity posture allows you to probe perimeter-based defenses such as firewalls, IDS – IPSs (Intrusion Prevention System and Intrusion Prevention System), host-based security controls, and web app firewalls. As far as internal scans are concerned, the purpose of this action is to test out the system’s architecture and ascertain the security of each layer. In ethical hacking, this is called an in-depth defense analysis.
Another aspect you would do well to familiarize yourself with is the difference between authenticated and unauthenticated scans. In the case of the first, conducting a vulnerability scanning while logged in can help you gain access to some system functions that would otherwise be hidden. Naturally, this ability will undoubtedly help you stress-test the system. Keep this in mind when preparing your first vulnerability risk assessment.
At this point, the preparation phase is just about done. The only thing left to do is to notify the key system owners about the testing. In practice, this is done via an internal memo that should contain the date, estimated duration of each test, and, of course, the purpose of each scan and/or test.
To keep things neat and tidy, create a spreadsheet for this event. Use your favorite app. Populate the cells with the following info: IP range and subnet mask of a targeted system, the owner of the said key system, the parent department, the planned date, and some contact details (e.g. email address or phone number). Yes, I know it’s not the kind of thing that’s likely to pop out in a cybersecurity article, but keeping things organized will help you speed up things a little.
During the scanning phase, a tool or a set is used to narrow down vulnerabilities. You’ll find more info about vulnerability risk management tools in the second section of this article. After completing the preparation and scanning phases, you should look forward to the remediation phase. Remember the SANS Institute paper I mentioned earlier? Well, according to the same source, during the remediation phase, you will have to document all your findings and, of course, formulate solutions for the discovered vulnerabilities. The implementation and re-evaluation phases usually go hand in hand.
Now that we got the basics out of the way, let’s see about those vulnerability risk assessment lessons.
Exploring Corporate Vulnerability Risk Assessment
Vulnerability risk assessments should include your business partners
Cybersecurity isn’t just about securing your company’s assets. It should extend to your business partners as well. Upon drafting a new commercial partnership contract, include one or more security provisions. Why is this essential? Because what might be construed as a golden ticket for business growth, can easily transform into a liability. With the onboarding process over, your partner will obtain access to your company’s virtual and physical assets. Basically, you will have had inherited the security vulnerabilities of your partner. Now, to safeguard your assets and avoid future litigations, make it your point to talk to your business partner about their security issues. You can even enforce a contractual clause to avoid future mishaps.
Cost (cuts) may outweigh the benefits
There comes a time when you have to face the fact that your company’s not on the right track. Action must be taken and, in most cases, this translates into cuts and the dreaded outsourcing. Now, I’m not a big fan of either of those, but you’ve got to do what you’ve got to do even if that “to do” means letting go of some things. Re-thinking departments, reallocating resources, and outsourcing services are necessary, but not sound from a cybersecurity standpoint.
Budget cuts and other measures may prove harmful to your security. So is outsourcing for that matter; entrusting your precious assets to third-party is, if you will, an act of extreme courage. GDPR aside, keep in mind that the company you’re so willing to entrust your sensitive data may use different security standards, standards that may or may not be compatible with the ones you utilize.
Re-evaluate and update your emergency plans.
Vulnerability risk assessment isn’t limited to your virtual assets. Better said, VRS applies to all the aspects of your business continuity plan. In case of any emergency, the results of your vulnerability risk assessment sessions will help you define actionable plans. What’s this about VRS encompassing extra-virtual assets? Fire is a risk and a very big one. Of course, it has nothing to do with malware or hackers or cybersecurity – unless the building’s on fire and hacker taps into your system and disables the sprinklers. And yes, your vulnerability risk assessment should include fire and other types of hazards, including cybersecurity. The emergency procedures based on the results of the VRS should be kept fresh and include newer threats.
Employee cyber-awareness, Least Privilege, and the Zero Trust model.
When everything else fails, blame the human. According to a study by NMS Consulting, over 95% of successful data breaches can be traced back to human error. And how do we prevent that? With continuous education, of course. Periodical cybersecurity drills conducted by your CTO or security officer will undoubtedly curb your employees’ itchy trigger finger, significantly decreasing the risk associated with human error. If all else fails, check out the Principle of Least Privilege and the Zero Trust Model.
Remediation solutions to secure all fronts.
Keep in mind that VRS is a cross-departmental and trans-company effort. In other words, from a cybersecurity standpoint, the company should be secured on all fronts. Your endeavor should include the following:
- Pay attention when documenting your system architecture and your WAN and LAN networks.
- Don’t forget to log in when investigating your firewalls and/or routers. The results will undoubtedly surprise you.
- Priority matters. Critical systems first, followed by IDS and perimeter solutions.
- Disgruntled employees are a liability (Cybersecurity 101).
- Pen-testing. To be performed on a regular basis. Things to investigate: access controls, encryption, background services, system processes, email filtering, and AV solutions.
- Cyber-awareness programs should be a top priority. Consider making them mandatory.
- Audit vs. assessment. Audits should be conducted at least once per year and, preferably by an external security officer. Assessments are, more or less, administrative tasks, conducted in preparation for the audits.
Open-source Vulnerability Risk Assessment and Remediation Tools
Up next, I’m going to show you some of my favorite open-source vulnerability risk assessment (and remediation) tools.
1. Nikto v.2.0
A nifty open-source webs server scanner that allows you to perform various tests on your public-facing web servers. Though it’s free, Nikto 2.0 can pick up close to 7,000 malicious files and/or programs, check app versioning, do some logging, and of course, help you draft VRS reports.
Not exactly open-source, but the 30-day trial is more than enough to help you secure your systems – and to decide if it’s worth the long-term commitment or not. Intruder performs over 9,000 tests and checks, helps you identify missing patches, CMS issues, application bugs, and configuration issues.
3. NSP (Node Security Project)
Based on NPM dependencies and Node.js modules, Node Security Project’s open-source scanning tool will help you identify common and uncommon vulnerabilities. Its database is powered by NIST’s National Vulnerability Database.
4. Retina CS Community
Community-based VRS tool that can aid you in identifying unpatched applications, configuration mishaps, and more. Available on all major platforms.
5. Nexpose Community
Similar to Retina CS, Nexpose is also powered by the community – GitHub this time. Nexpose Community is a go-to solution for a lot of people looking to research system vulnerabilities without the need to purchase these solutions.
One last lesson….
Don’t forget that remediation is a vital part of vulnerability risk assessment. And because preventing is a whole lot better – and easier – than fixing stuff, here are a couple of recommendations from Heimdal™ Security, your friendly neighborhood cybersecurity vendor.
With the emphasis being on continuous patching and updating, Thor Foresight Enterprise might be the right choice for your business. X-Ploit Resilience, our auto-patching engine, will ensure that your favorite apps (i.e. Windows, 3rd party, and proprietary) are up-to-date and risk-free. Thor Foresight Enterprise also packs the most advanced DNS traffic-filtering technology on the market. No malware escapes Foresight’s watchful gaze.
Antivirus is no longer enough to keep an organization’s systems secure.
Thor Foresight Enterprise
Is our next gen proactive shield that stops unknown threats
before they reach your system.
- Machine learning powered scans for all incoming online traffic;
- Stops data breaches before sensitive info can be exposed to the outside;
- Automatic patches for your software and apps with no interruptions;
- Protection against data leakage, APTs, ransomware and exploits;
Securing your accounts is easy with Thor AdminPrivilege™, the only PAM solution on the market that automatically de-escalates admin right and kills processes on threat detection.
System admins waste 30% of their time manually managing user rights or installations.
is the automatic Privileged Access Management (PAM) solution
which frees up huge chunks of sys-admin time.
- Automate the elevation of admin rights on request;
- Approve or reject escalations with one click;
- Provide a full audit trail into user behavior;
- Automatically de-escalate on infection;
With Forseti, you gain granular control over your BYODs and network perimeter – a huge boost to your IOAs and IOCs.
Increasingly, hackers target organizations at network or DNS traffic level.
FORSETI IS THE ADVANCED INTRUSION PREVENTION SYSTEM THAT ALLOWS
YOU TO PREVENT, DETECT AND RESPOND TO NETWORK-BASED THREATS
- Full DNS protection and full network logging.
- Uses Machine Learning on device to infrastructure communication for a strong HIPS/HIDS and
IOA/IOC add-on to your network.
- An easy way to add network threat prevention, detection and blocking.
Lesson learned or more question marks? As always, it’s for you to decide. The only true take-away here is that vulnerability risk assessment should become a part of your IT department’s duties. Does your company conduct VRS sessions? If so, head to the comments section and let me know.