Get a Grip on Your Vulnerabilities - Understanding the history of vulnerabilities & Common mistakes every organization makes + how to avoid them
- Steven Yousef
- Jul 31, 2024
- 6 min read
Author: Steven Yousef | Cybersecurity Professional, Professor of Cybersecurity Engineering & Owner of SOY Global Security Advisors | 6 minute read

Vulnerabilities You Say?
If you've heard anyone mention cybersecurity or seen a large data breach in the news, it is very likely that the word "vulnerability" is mentioned. Vulnerabilities are deeply ingrained in the industry and are not only an essential focus of cybersecurity professionals worldwide but can also be their biggest nightmare. Vulnerabilities are arguably the one thing that ensures security professionals keep their jobs but also what leaves organizations scrambling. Let's take a deep dive and learn exactly what vulnerabilities are, what we are seeing today, and what we, as security-conscious organizations, can do about them.
What Exactly Are Vulnerabilities?
A vulnerability, in a nutshell, is a weakness or flaw in a system, network, or process that can be exploited to compromise the confidentiality, integrity, or availability of systems and/or data, and through them the people who depend on them. To truly understand what vulnerabilities are, let's take a trip back in time and learn about their origins. In the early 1970s, when computers were becoming mainstream in corporate and government environments and networking was in its infancy, people began finding mistakes the early computer makers had made. One of the first demonstrations was Creeper (1971), an experimental self-replicating program written at BBN that moved between PDP-10 machines on the ARPANET and did nothing more harmful than print the message "I'M THE CREEPER: CATCH ME IF YOU CAN". It caused no damage, but it proved that code could travel across a network and run on machines without their operators' say-so.
Over time, computers evolved and became more complex:
1980s - GUIs, PCs in homes, and Network Communication
1990s - World Wide Web, Faster processors, and E-Commerce
2000s - Laptops, Smartphones, More Portable Devices, and THE CLOUD!!
2010s - Smart Devices, Big Data, and AI
As technology advanced and grew exponentially over the years, it brought some issues. Allow me to provide you a simple equation for this below:
More advanced technology = a greater attack surface = increased possibility for vulnerabilities = increased chance for a compromise of C,I, and/or A (not the secret intelligence agency rather confidentiality, integrity, and availability).
Why is this, you might ask? Take the simple example of a standalone PC in the early 1980s: it had limited capabilities and no network connection, so the attack surface was small. An attacker needed physical access, or a floppy disk you would insert yourself, and could only tamper with the data on that one machine; a network attack, a SQL injection, or a web application attack was impossible because none of those surfaces existed. Fast forward 30 years and corporate environments have a vast array of attack surfaces and technologies, making them far harder to secure.
To put this in simpler terms, let's look at an analogy to simplify this idea. In the old days, a castle had a big, strong wall with a few gates. Attackers only had a few ways in. That's like the early days of computers. Now, imagine that castle has grown into a sprawling city with thousands of buildings, connected by roads and bridges. There are countless entry points: doors, windows, garages, and even underground tunnels. That's like today's technology. The more complex and interconnected the system, the more opportunities there are for someone to find a way in. So, while technology has made our lives easier and more connected, it's also created more potential targets for cyberattacks.
Enter Sandma... I mean MITRE
MITRE is a non-profit that operates federally funded research and development centers (FFRDCs). Founded in 1958, it mainly dealt with systems engineering back in the day but has a large influence on the cybersecurity industry today. As vulnerabilities and threats grew in the 1990s, MITRE launched Common Vulnerabilities and Exposures (CVE) in 1999 because there was a need for one common name for each publicly known vulnerability; before CVE, every scanner and advisory used its own. MITRE still runs the CVE Program, with CVE Numbering Authorities (CNAs) assigning the IDs, and NIST's National Vulnerability Database (NVD) builds on the CVE list by adding the CVSS severity scores most scanners report. This is useful because when you want to track a vulnerability, its history, and the related fixes and advisories, you reference its CVE ID (for example CVE-2021-44228 for the Log4j flaw discussed below), and everyone from the vendor to your scanner is talking about the same thing.
What do I do!?!?
Now that we understand vulnerabilities, what can we do about them? It's critical to manage vulnerabilities in your organization to avoid them becoming a nightmare. A vulnerability on its own is not a loss; it becomes risk when a threat capable of exploiting it shows up. One fundamental equation in cybersecurity states that Risk = Threat x Vulnerability (often extended with x Impact, since the same flaw on a test box and on the payroll server is not the same risk).
Now, assuming you have risk and need to resolve your vulnerabilities, it is critical that you have the following fundamental approach in place:
Know all of your ASSETS - Whether this is the CEO's laptop or the phone the intern uses to check their email, having every asset within your vision is of the utmost importance. That includes cloud instances, containers, and the SaaS accounts nobody told IT about. You can't secure what you don't know, and if you don't know, there is a chance you have a machine in your environment still running Windows NT 4.0.
Perform Vulnerability SCANNING - Probably the most obvious, but to have a grip on your vulnerabilities you need to scan for them. Ensure that all devices are scanned daily to weekly if possible, and scan with credentials (or an agent) wherever you can: an unauthenticated scan only sees what is exposed on the network and misses missing OS patches and vulnerable libraries inside installed software. New vulnerabilities show up all the time, devices go out of date, software reaches end of life; again, remember that technology is advanced, the attack surface landscape is vast, and therefore there is something new. every. single. day.
PATCH Management - Now that you know all of your assets and their respective vulnerabilities, you have to do something about them, right!? Most of the time patches are released by the software or OS vendor; however, there are edge cases (end-of-life software, a vendor with no fix yet) where you need a seasoned IT veteran to apply a workaround such as a network configuration change or a Windows registry setting, and that compensating control should be tracked until a real fix lands. Regardless, it is critical that there is an approach and method that works best for you and your organization for patching assets and software.
Stay up to DATE - Sometimes there will be vulnerabilities your scanners won't pick up, and that is where the cybersecurity engineers and analysts come in. It is critical to be in the know on the cases that first show up in the news, such as the 2020 SolarWinds supply-chain compromise (a trojanized vendor update, so the "patch" itself was the attack) and the Log4j vulnerability in 2021 (Log4Shell, CVE-2021-44228), where the vulnerable library was buried inside other vendors' products before scanners had a check for it. In those cases it is vital that your organization takes them seriously, follows vendor advisories, applies the published mitigations, and confirms your environment is still operating safely and securely.
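The four steps above, turned into a small working pass over scan data. This is an added example, not code from the article or from any scanner product: the assets, findings, severity deadlines and scan-age limit are all constructed assumptions (CVE-2021-44228 is the real Log4Shell ID; the other two finding names are made up), and the three queues it produces map to "patch now", "mitigate and track" and "next cycle".

```python
# Added example (not code from the article): a minimal vulnerability-management
# pass over constructed scan data, covering asset coverage, scan freshness and
# severity-based patch deadlines. All numbers below are assumptions.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation deadline in days from first detection, by scanner severity.
# Constructed policy; substitute your organization's own SLA.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# "Daily to weekly" scanning: flag anything not scanned in the last 7 days.
MAX_SCAN_AGE_DAYS = 7


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    last_scan: Optional[date]  # None means the scanner has never seen it


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str           # CVE ID or scanner plugin name
    severity: str          # key of SLA_DAYS
    first_seen: date
    patch_available: bool  # vendor fix exists, or only a workaround?


def stale_assets(assets: List[Asset], today: date,
                 max_age: int = MAX_SCAN_AGE_DAYS) -> List[str]:
    """Assets never scanned, or last scanned more than max_age days ago.
    Their findings list is incomplete by definition."""
    return sorted(a.name for a in assets
                  if a.last_scan is None or (today - a.last_scan).days > max_age)


def days_overdue(f: Finding, today: date) -> int:
    """Positive when the severity-based deadline has already passed."""
    deadline = f.first_seen + timedelta(days=SLA_DAYS[f.severity])
    return (today - deadline).days


def triage(findings: List[Finding], today: date
           ) -> Tuple[List[Finding], List[Finding], List[Finding]]:
    """Split open findings into three work queues, most overdue first:
    deploy   - past deadline and a vendor patch exists: patch now
    mitigate - past deadline, no patch: apply a compensating control
               (config change, registry hardening, isolation) and track it
    schedule - still inside the deadline: put it on the next patch cycle"""
    deploy, mitigate, schedule = [], [], []
    for f in sorted(findings, key=lambda x: (-days_overdue(x, today), x.asset)):
        if days_overdue(f, today) <= 0:
            schedule.append(f)
        elif f.patch_available:
            deploy.append(f)
        else:
            mitigate.append(f)
    return deploy, mitigate, schedule


# Constructed sample data. CVE-2021-44228 is the real Log4Shell ID; the other
# two findings are made-up scanner plugin names, not real advisories.
TODAY = date(2024, 7, 31)
ASSETS = [
    Asset("web-01", "it", date(2024, 7, 30)),
    Asset("legacy-db", "it", date(2024, 7, 1)),
    Asset("intern-phone", "hr", None),
]
FINDINGS = [
    Finding("web-01", "CVE-2021-44228", "critical", date(2024, 7, 20), True),
    Finding("legacy-db", "Unsupported OS version (constructed)", "high",
            date(2024, 6, 1), False),
    Finding("web-01", "Missing security headers (constructed)", "low",
            date(2024, 7, 25), True),
]

if __name__ == "__main__":
    print("Not scanned within %d days:" % MAX_SCAN_AGE_DAYS,
          stale_assets(ASSETS, TODAY))
    for label, queue in zip(("DEPLOY", "MITIGATE", "SCHEDULE"),
                            triage(FINDINGS, TODAY)):
        for f in queue:
            print(f"{label:9} {f.asset:13} {f.vuln_id:40} "
                  f"{days_overdue(f, TODAY):+d}d")
```

Two things the output makes visible that a scanner dashboard often hides: the intern's phone has no findings only because it was never scanned, and the end-of-life database server has been past its deadline for a month with nothing to patch, so it needs a tracked mitigation rather than another week on the backlog.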
Mistakes in the industry
Among all possible mistakes that can be made with respect to vulnerabilities, the worst is apathy and a lack of time dedicated to resolving them, because, as mentioned earlier, they are ticking time bombs just waiting for the right threat actor to stroll by. Some tick slowly, some very fast, hence the need to label them by criticality. Some of the biggest mistakes (and solutions) organizations make with vulnerabilities include:
Focusing Solely on Patch Management - yes, patching is good, however, only focusing on patches without searching for the vulnerabilities is like someone who frantically patches every leak in the roof without inspecting it for the underlying problem. You may be able to resolve problems immediately as they come up, but you're always going to be chasing mice as opposed to just placing a mouse trap.
Solution: Have a solidified vulnerability and patch management process in place, with deadlines tied to severity. For example: machines are scanned daily, all new findings are reviewed and tracked on Mondays, patches are deployed on Wednesdays, and anything rated critical is handled out of cycle rather than waiting for the next Wednesday.
Neglecting Asset Discovery and Inventory - This is very straightforward. You can't secure what you don't know. It is crucial to ensure everything that accesses and connects to your network is within your vision.
Solution: Meet with your IT team and ensure there is a methodical process and proper tooling for identifying and inventorying assets. Agents are good, but an agent only reports the machines it was installed on; sweeping the subnets you own finds the ones nobody installed it on. Neither is complete on its own (a sweep misses laptops that are off-site, powered off, or behind a host firewall), so reconcile both against your inventory and chase every difference.
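The reconciliation described above, as an added example that is not part of the article: three views of the network (a CMDB export, the list of hosts the scanning agent reports, and a subnet sweep parsed from nmap's grepable `-oG` output) are compared so that the gaps in each one surface. The addresses, hostnames and sweep output are constructed; the bucket names are my own.

```python
# Added example (not code from the article): reconcile a CMDB export, an agent
# console export and a subnet sweep so gaps in any one of them surface.
# The sweep is parsed from `nmap -sn -oG -` output; all data is constructed.
import ipaddress
import re
from typing import Dict, List, Set

# nmap -oG prints one line per live host, e.g.
#   Host: 10.0.0.5 (web-01.corp.example)<tab>Status: Up
NMAP_HOST_RE = re.compile(
    r"^Host:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\((?P<name>[^)]*)\)"
    r"\s+Status:\s+(?P<state>\w+)")


def parse_nmap_grepable(text: str) -> Dict[str, str]:
    """Return {ip: hostname} for every host nmap reported as Up.
    Comment lines (# Nmap ...) and anything else are ignored."""
    hosts = {}
    for line in text.splitlines():
        m = NMAP_HOST_RE.match(line)
        if m and m.group("state") == "Up":
            hosts[m.group("ip")] = m.group("name")
    return hosts


def _sorted_ips(ips: Set[str]) -> List[str]:
    # Numeric order, so 10.0.0.9 sorts before 10.0.0.12.
    return sorted(ips, key=ipaddress.ip_address)


def reconcile(cmdb: Set[str], agents: Set[str],
              sweep: Set[str]) -> Dict[str, List[str]]:
    """Compare three sets of IPs and return the discrepancies to chase."""
    return {
        # Answered on the wire but not in the inventory: the box nobody knew about.
        "unknown_to_cmdb": _sorted_ips(sweep - cmdb),
        # Inventoried and reachable, but no agent reporting: it is not being scanned.
        "no_agent": _sorted_ips((sweep & cmdb) - agents),
        # Agent reports but the sweep never saw it: off-site, powered off, or a
        # host firewall dropping probes. A sweep alone would have missed it.
        "agent_only": _sorted_ips(agents - sweep),
        # In the CMDB but neither seen nor reporting: stale record or dead host.
        "unaccounted": _sorted_ips(cmdb - sweep - agents),
    }


# Constructed sample data (RFC 1918 addresses, invented hostnames).
CMDB = {"10.0.0.5", "10.0.0.7", "10.0.0.9"}
AGENTS = {"10.0.0.5", "10.0.0.12"}
SWEEP_OUTPUT = """\
# Nmap 7.94 scan initiated Wed Jul 31 10:00:00 2024 as: nmap -sn -oG - 10.0.0.0/28
Host: 10.0.0.5 (web-01.corp.example)\tStatus: Up
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.8 ()\tStatus: Up
# Nmap done at Wed Jul 31 10:00:02 2024 -- 16 IP addresses (3 hosts up) scanned in 1.52 seconds
"""

if __name__ == "__main__":
    live = parse_nmap_grepable(SWEEP_OUTPUT)
    for bucket, ips in reconcile(CMDB, AGENTS, set(live)).items():
        print(f"{bucket:16} {', '.join(ips) or '-'}")
```

Each bucket is a different conversation: an unknown host is a discovery failure, a host with no agent is a scanning gap, an agent-only host shows why a sweep by itself is not proof of coverage, and an unaccounted record is probably inventory rot. In practice you would feed this from your real exports on the same schedule as the scans, since the answer changes every day.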
Insufficient Communication and Collaboration - Oftentimes, organizations have their security analysts, their hands-on IT members, and their developers. Security wants things secure. IT wants things efficient. Developers want things very efficient. It is foreseeable how things can go wrong. Communication and collaboration between security and IT, and between security and development, will ensure that everyone is on board for the same mission and that there is a standard procedure for tracking, reporting, and patching vulnerabilities.
Solution: Security, IT, and Development teams need to find their synergy and what works best for them and your organization. Every team operates differently but the one thing that is certain is that there needs to be a standardized process for multiple teams working together.
By addressing these issues and implementing a comprehensive vulnerability and patch management strategy, organizations can better protect their assets and data from potential threats.