Why businesses need to take vulnerability and risk management seriously [Q&A]
As businesses rely more on the cloud and virtual infrastructure, so the potential for both configuration errors and cyberattacks increases.
The pandemic has only made the problem worse and in many cases led to a loosening of security policy. What do organizations need to do to address the issue and protect their systems? We spoke to Tal Morgenstern, Vulcan Cyber CPO and co-founder, to find out.
BN: The risk of ransomware attack for all types of businesses is increasing, what are the key components of a pre-breach risk plan that can lessen the blow?
TM: Having a pre-breach remediation program in place is crucial in order to put IT security teams in a position to fix vulnerabilities and issues before they have a chance to be exploited. Businesses, and the entire security community for that matter, can't stay ahead of the fast-changing cybercriminal landscape without a detailed, actionable and measurable plan that actually mitigates risk instead of only responding to it.
On a technical level, the tools security teams employ must be able to identify and prioritize vulnerabilities and correlate them to the best remedies, such as patches, workarounds and/or configuration changes. The tools that prioritize vulnerabilities should correlate threat intelligence, asset impact and technical severity scores (such as CVSS). The main question security teams should be asking themselves is, 'Can we quickly prioritize and identify the risk posed to our business by prioritized vulnerabilities?'
Prioritization is the first step, and although it is absolutely necessary, it also shouldn’t be the last. The rest of the remediation effort is based on this prioritization. A remediation playbook, or campaign, must also provide coverage for the full spectrum of IT surfaces including application, cloud and technology, and network infrastructure including Linux and Windows operating environments.
Taking a step back, one of the most important components of a proactive remediation program is visibility and collaboration across the organization from security to application teams and everyone in between. A lot of frustration and wasted resources can result from unorganized teams that aren't collaborating efficiently throughout the entire process. Is the lifecycle of vulnerability and asset statuses tracked in a central source of truth? Or are certain vulnerabilities and assets slipping through innumerable cracks along the way?
BN: What types of vulnerabilities are most seen in business today, and how have they changed in the last five years?
TM: In a survey of 200 enterprise IT security executives conducted in July of this year, 76 percent of respondents indicated that IT vulnerabilities had impacted their business in the last year. When asked which IT assets their security teams are scanning for vulnerabilities, 90 percent answered IT infrastructure and 52 percent answered corporate networks and workstations. The reality is that network vulnerability assessment has never been more difficult. Instead of securing a handful of networks, network security teams are now worried about a remote workforce and the hundreds and thousands of network-based attack vectors that are tricky to control. Network security teams must have a way to assess, prioritize and mitigate the potential threat of distributed vulnerabilities, and it needs to look a lot different than it did five years ago when remote work wasn't the norm and we were operating at reduced scale. If company data and IP is traversing these distributed networks, the responsibility for securing vulnerable networks lands on the corporate security and network management teams, as the focus should be on the entire datapath for a company’s digital assets.
Zero-day attacks are more prevalent today than ever simply because they offer the path of least resistance for hackers. As IT security teams have improved their methods of protecting businesses from threat actors in the past year, cyber threats are now moving to engaging in increasingly subtle ways of sneak attacking, or engineering, sensitive access to businesses. It truly only takes just one vulnerability for cyber threat actors to compromise an entire organization. Zero-days give the attackers the upper hand, and leave developers scrambling in the dark to patch after the fact. Security professionals, both new and experienced, should prioritize plans for new exploits because they are the most challenging to protect against. The most-dangerous cyber threats are the ones you don't see coming.
BN: Which industries are most at risk of data breaches and ransomware attacks, and why is that?
TM: 2020 revealed to us which industries and businesses were prepared for digital transformation and which were not. Many enterprise technology startups had banner years in 2020 and that prosperity is expected to continue. Technology providers that can drive efficiencies, service delivery or provide new operational value will have numerous opportunities for growth.
On the other hand, businesses in highly regulated industries that didn't adopt digital-first strategies were hit hard. One notorious example is the attack on Colonial Pipeline, which resulted in fuel shortages across the Eastern United States. Utilities, healthcare and government organizations are three sectors most at risk of data breaches and ransomware attacks due to slow transitions to some of the newer approaches to digital business and cybersecurity.
These highly regulated, traditional industries, including traditional retail and financial services, are further at risk because they host sensitive data cyberattackers are looking for -- SSNs, credit card numbers, PII, and more. Those businesses -- big or small -- are at a correspondingly higher risk of a data breach, and have a responsibility to ensure secure stewardship of that information by prioritizing and remediating threat vectors before they’re exploited.
BN: What myths and mistakes are most common in risk remediation? What practical tips can be used to overcome these mistakes?
TM: Ransomware gangs depend on bad cyber hygiene to launch their attacks. One mistake businesses make is neglecting cyber security training and investment among the workforce. A recent Abnormal Security report unpacked a trend among ransomware gangs, such as DemonWare, where they are recruiting and paying employees to launch ransomware against their own company. Social engineering and phishing tactics are evolving and being utilized to fuel the access hackers need to access corporate networks. Some of the most harmful attacks can come as a result of social engineering tactics combined with unmitigated vulnerabilities and neglect of fundamental security practices. It's never too late to implement or improve an effective internal cybersecurity training program. By covering all your bases and preparing for attacks, businesses can provide a real defense against these threats.
BN: What challenges are present within cloud native infrastructures? Do you think organizations are doing all they can to implement cloud native security, and if not, what key areas are they lacking?
TM: Hackers are opportunistic and have adapted quickly to the increased reliance on cloud native infrastructures, as we've seen from the recent surge in exploits of zero-day vulnerabilities. Cloud environments are not immune to these and zero days can give bad actors the opening they need.
According to Gartner, by 2025, 99 percent of cloud breaches will have a root cause of customer misconfigurations or mistakes. With the complexity and scale inherent to enterprise cloud deployments there will be breaches due to human error. This is no fault of the cloud provider and, unfortunately, misconfiguration is just one type of risk-inducing vulnerability and cloud is just one attack vector that needs to be addressed. Specifically, cloud vulnerabilities usually arise in three forms. First are cloud service components with known vulnerabilities that haven't been addressed by the cloud service provider. Second is a misconfigured service that is usually caused by user error. Third are assets that have been left exposed to the public web and weak user access controls.
One way organizations can address these cloud security challenges is to implement a consolidated view of risk across multi-cloud application environments just like they would for a traditional IT infrastructure. This is not an easy job, but it is absolutely possible if security teams can understand and prioritize risk created by cloud vulnerabilities. Cloud security is no longer someone else’s problem.
BN: How can organizations implement a collaborative framework to drive security outcomes?
TM: Start with the top leadership. CISOs and engineering leaders need to focus on shifting vulnerability detection left in the software development process and bake security into application engineering workflows from the beginning. Security and software engineering teams should also share a firm understanding of CI/CD processes and should integrate security tools that will support continuous application security.
Reflecting on the experience of the mass shift to remote working that happened almost overnight, organizations must build task forces for the most critical vulnerabilities within enterprise infrastructures. Security and IT teams can't do it alone. Automating some of the simple security-related tasks, such as detection and prioritization, can remove a heavy load off the shoulders of both IT and security professionals.
Coordinated teams need to invest in collaboration platforms that will bring teams together, rather than relying on an ineffective array of spreadsheets and communication channels. Established KPIs must be clear and should be accessible to all involved teams. The efficiency and strength of an organization’s collaboration and the clarity of communication will be the key to success in today’s remote reality.
BN: Lastly, can you share some practical tips that security teams can start implementing right away?
TM: It is fundamental to proper cyber hygiene to make sure that software is patched and updated regularly, that configuration changes can be automated at scale, and that workarounds and compensating controls are used to speed mitigating actions when patches and configuration changes aren’t reasonable. Address only the CVEs that matter. 99 percent of exploited vulnerabilities are known. If organizations, and consumers, can maintain good cyber hygiene they can significantly reduce the risk of breach.
It's also important to recognize that every business has a unique risk tolerance and unique digital assets. When creating and executing vulnerability remediation programs, consider your unique risk profile. Not all CVEs with a 9+ CVSS are created equal. Prioritize vulnerabilities based on the severity of risk and the specific threat to business assets. Then fix what matters most.