There are two things that just about every CISO in the world has today: First, a vulnerability management program. In addition to being one of the top SANS Critical Security Controls and part of numerous other compliance frameworks, vulnerability management is generally accepted as basic security hygiene today for corporate networks.
Second: They worry about how advanced persistent threats (APTs) may impact their business. More than just on the mind of the CISO, APTs are now front-page news. Unfortunately, there is no silver bullet solution to protect against APTs, but are there ways to adjust and tailor the products and programs already in place to raise the bar against this new breed of more sophisticated attackers? The answer for vulnerability management is undoubtedly yes.
Attackers are finding vulnerabilities faster, and so should you
When I talk to people about how often they scan as part of their vulnerability management programs, weekly or monthly is a much more common answer than hourly or daily. But an attacker who has already compromised a ‘soft’ target inside the network is looking for, and attacking, core targets far more frequently than that. The techniques themselves are not new.
I gave a demonstration in 2004 on how a sophisticated attacker can watch corporate networks for new servers. Once powered on, the servers are remotely exploited before an administrator even gets the first prompt to login to the system, much less apply the first set of updates. It was theoretical a decade ago – today it is reality.
It is not practical or actionable to scan every device every hour across a large network, but it is certainly possible to increase the frequency of scanning on the most critical assets within a network and identify new critical security risks quickly after they first appear. Ask the question: how can we scan the most important assets more frequently and take action on critical issues that are found?
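One way to put that question into practice is to give each asset a scan cadence based on its criticality and, after every scan, surface only the findings that were not there last time. The following is an added example written for this post, not Tripwire's code or any scanner's API; the tier intervals, asset names and vulnerability ids are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# A finding is (vulnerability id, severity). The ids and severities used
# below are constructed for this example, not real scanner output.
Finding = Tuple[str, str]

# Scan cadence per asset tier. The intervals are illustrative (assumed);
# the point is that the most important assets are rescanned far more
# often than the bulk of the estate.
TIER_INTERVAL: Dict[str, timedelta] = {
    "critical": timedelta(hours=1),
    "high": timedelta(days=1),
    "standard": timedelta(days=7),
}

# Severities worth paging someone about when they first appear.
ALERT_SEVERITIES = {"critical", "high"}


@dataclass
class Asset:
    name: str
    tier: str
    last_scanned: Optional[datetime] = None
    findings: Set[Finding] = field(default_factory=set)


def assets_due(assets: List[Asset], now: datetime) -> List[Asset]:
    """Return assets whose tier interval has elapsed since their last scan.
    Assets that have never been scanned are always due."""
    due = []
    for a in assets:
        if a.tier not in TIER_INTERVAL:
            raise ValueError(f"unknown tier {a.tier!r} for {a.name}")
        if a.last_scanned is None or now - a.last_scanned >= TIER_INTERVAL[a.tier]:
            due.append(a)
    return due


def record_scan(asset: Asset, result: Set[Finding], now: datetime) -> List[Finding]:
    """Store the scan result and return the findings that were absent at the
    previous scan and are severe enough to act on. Old findings that are
    simply re-reported do not generate a new alert."""
    appeared = result - asset.findings
    asset.findings = set(result)
    asset.last_scanned = now
    return sorted(f for f in appeared if f[1] in ALERT_SEVERITIES)


def demo() -> Tuple[List[str], List[Finding]]:
    """Walk through two scan cycles on a small constructed inventory."""
    t0 = datetime(2014, 3, 1, 8, 0)
    db = Asset("db01", "critical")
    web = Asset("web01", "high")
    kiosk = Asset("kiosk07", "standard")
    inventory = [db, web, kiosk]

    # First pass: nothing has been scanned yet, so everything is due.
    for a in assets_due(inventory, t0):
        record_scan(a, {("VULN-0001", "medium")}, t0)

    # Two hours later only the critical-tier asset is due again.
    t1 = t0 + timedelta(hours=2)
    due_names = [a.name for a in assets_due(inventory, t1)]

    # The rescan shows a new high-severity issue next to the old medium one;
    # only the new one is surfaced for action.
    new_critical = record_scan(db, {("VULN-0001", "medium"), ("VULN-0002", "high")}, t1)
    return due_names, new_critical


if __name__ == "__main__":
    print(demo())  # (['db01'], [('VULN-0002', 'high')])
```

The diff against the previous result is what keeps an hourly cadence actionable: the team is told about a critical issue once, when it first appears, rather than every hour it remains open.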
Exploit your own advantage against attackers – credentials
It can feel like a losing battle trying to stay ahead of attackers who are armed with more sophisticated tools for breaking into the network than we have for protecting it. So you had better exploit every advantage you have. An attacker would love to be able to log right into your servers and see what they might attack, but they have to start on the outside and work their way in. You don’t!
The days of effective non-credentialed scanning are winding down for vulnerability management, if they are not already over. There are simply too many client-side and local vulnerabilities that an external probe cannot see, and it is dramatically more effective, efficient, and comprehensive to assess a device from the inside than to take a purely external view. If you do not already have credentialed access to your critical assets as part of your vulnerability management program, it’s time to get that done.
Take a fresh look at scope
APT attackers are looking for the softest, easiest way into the network. All too often, it turns out these are places that ended up “out of scope” of vulnerability management programs in the past. The old network view of desktops, servers, and network devices isn’t cutting it in 2014. Remote offices, cloud servers, mobile devices, and homes are all vectors of attack.
Take homes for example; it is easy enough to ignore them completely, and quite frankly most companies do. But does it make sense to think about the risks here? Would an attacker think about them? While you certainly do not want to treat an employee’s home network the same way you would the most critical corporate servers, it may be time to stop ignoring those networks completely.
Will adapting your vulnerability management program with these 3 ideas totally secure your network from APTs? Absolutely not. Be wary of any vendor that claims it has a miracle solution. Will making some incremental improvements to vulnerability management this year further reduce risk and maybe make it just a little bit harder for a sophisticated attacker to succeed with an attack?
- Attacking the ROI of Advanced Persistent Threats
- Governance: Understanding Where You Are and What is Important
- 4 Clues to Get Executive Support for Information Security
- Dealing With Unrealistic Security Expectations from the Executive Office
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].