by Josh Paape
More than 20 years ago, the NSA conducted an exercise named Operation Eligible Receiver 97. Its purpose was to test how critical Department of Defense information systems would hold up, and how their operators would respond, in the event of a breach. The results were startling. Using only publicly available hacking tools and techniques, the NSA team infiltrated DoD networks and gained superuser access to high-priority systems, primarily by exploiting common, already known vulnerabilities.
Following a two-year review of the exercise, the importance of patching vulnerabilities was clear. Although best practices were not formally codified at the time, security frameworks and practices were later developed to help organizations manage vulnerabilities. These include NIST SP 800-53, the Common Vulnerability Scoring System (CVSS), and the National Vulnerability Database (NVD).
Operation Eligible Receiver 97 can be seen as the birthplace of risk management knowledge for security teams: the danger of exploitable, unpatched vulnerabilities was demonstrated and documented. Today, more than 20 years after the exercise, many organizations still struggle with risk management.
Current Struggles With Vulnerabilities
Before an organization can administer a vulnerability management process, it must first know what assets it has. Organizations often rely on DHCP servers and IP lease tables as their asset inventory, but leases are transient, say nothing about the software installed on a host, and miss statically addressed devices entirely; the result is inaccurate records and unpatched, exploitable vulnerabilities. Security teams need a reliable record of every device and the software on it in order to apply patches properly. An accurate asset inventory tells an organization where patches need to be focused or applied.
In addition to an accurate asset inventory, organizations need a way to track continuously which machines did or did not receive a patch, and whether they are still vulnerable. Most networks have automatic patching in place. However, additionally installed applications and user-made changes produce anomalies that the standard patching process does not cover.
These anomalies can be patched through Group Policy, but this is difficult to organize and there is no guarantee of success. For example, machines that were turned off when the policy was pushed will miss the deployment window and remain vulnerable until they next check in, and nothing confirms that they were eventually patched unless it is tracked.
Security frameworks that incorporate risk management practices are a good starting point for any organization struggling with risk management. When vulnerabilities are audited, members of both the security team and management are able to answer questions such as "who applied this patch?" or "why was this vulnerability accepted?"
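The two gaps described above (hosts a DHCP-lease inventory gets wrong, and hosts that silently missed a patch push) are easy to surface once both data sources are in hand. The script below is an added example, not code from the article or from aristotleinsight; it reconciles a constructed DHCP lease table against a constructed endpoint-agent inventory and a hypothetical scheduled patch push. All hostnames, addresses, times and the patch identifier are made up for illustration.

```python
"""Reconcile a DHCP-lease view of the network against endpoint check-ins.

Added example (not the article's or any vendor's code). Assumes three
constructed data sources: DHCP leases, an endpoint-agent inventory that
records each host's last check-in and installed patches, and the time a
patch push was scheduled. Hostnames, IPs, times and the patch ID are
hypothetical.
"""
from datetime import datetime

# Constructed DHCP lease table: hosts that obtained an address this week.
DHCP_LEASES = [
    {"host": "ws-101", "ip": "10.0.1.21"},
    {"host": "ws-102", "ip": "10.0.1.22"},
    {"host": "ws-103", "ip": "10.0.1.23"},
    {"host": "printer-7", "ip": "10.0.1.90"},   # on the network, no agent
]

PATCH_PUSH = datetime(2018, 6, 12, 9, 0)   # hypothetical push time
REQUIRED_PATCH = "KB-EXAMPLE-0001"         # hypothetical patch identifier

# Constructed agent inventory: last check-in and patches each host reports.
AGENT_INVENTORY = {
    "ws-101": {"last_seen": datetime(2018, 6, 12, 10, 5),
               "patches": {"KB-EXAMPLE-0001"}},
    "ws-102": {"last_seen": datetime(2018, 6, 11, 17, 30),
               "patches": set()},                      # powered off during the push
    "ws-103": {"last_seen": datetime(2018, 6, 12, 11, 0),
               "patches": set()},                      # online, but the push did not apply
    "srv-static-1": {"last_seen": datetime(2018, 6, 12, 9, 30),
                     "patches": {"KB-EXAMPLE-0001"}},  # static IP, never appears in DHCP
}


def reconcile(leases, inventory, required_patch, push_time):
    """Return the gaps that a DHCP-only inventory would hide.

    'unmanaged'     : seen in DHCP but never reporting to the agent.
    'not_in_dhcp'   : managed hosts invisible to a DHCP-based inventory.
    'missing_patch' : (host, reason) for every managed host lacking the patch;
                      a last check-in before the push time is treated as
                      "offline at push" (a simplification: the agent data here
                      only carries the most recent check-in).
    """
    lease_hosts = {lease["host"] for lease in leases}
    managed = set(inventory)
    report = {
        "unmanaged": sorted(lease_hosts - managed),
        "not_in_dhcp": sorted(managed - lease_hosts),
        "missing_patch": [],
    }
    for host, rec in inventory.items():
        if required_patch not in rec["patches"]:
            reason = ("offline at push" if rec["last_seen"] < push_time
                      else "push did not apply")
            report["missing_patch"].append((host, reason))
    report["missing_patch"].sort()
    return report


if __name__ == "__main__":
    for category, items in reconcile(DHCP_LEASES, AGENT_INVENTORY,
                                     REQUIRED_PATCH, PATCH_PUSH).items():
        print(f"{category}: {items}")
```

The point of the cross-check is that each source alone is misleading: DHCP lists the printer but not the statically addressed server, while the agent inventory knows nothing about the printer. Only the combination tells you which machines exist, which of them are managed, and which still need the patch and why.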
Regulations and Standards
In the years after Operation Eligible Receiver 97, a number of frameworks and standards, among them NIST SP 800-53, the Common Vulnerability Scoring System, and the National Vulnerability Database, were put in place so that organizations can track vulnerabilities and document their compliance in doing so.
NIST SP 800-53 is a catalog of security and privacy controls for information systems and organizations, and many industry-specific frameworks and regulations (such as HIPAA, FFIEC guidance, and PCI DSS) map their requirements to its controls. The publication offers guidance for improving security posture and emphasizes continuously monitoring networks and systems for the latest vulnerabilities.
NIST SP 800-53, like other security frameworks, calls for organizations to scan for vulnerabilities and assess the resulting risk, and the Common Vulnerability Scoring System (CVSS) is the standard way of rating what those scans find.
CVSS captures the characteristics of a vulnerability and produces a numerical score reflecting its severity. The score brings direction to the vulnerability management process by separating risks that need immediate attention from those that are far less dangerous. That triage matters because vulnerability assessments typically return a large number of findings, many of which are false positives that have to be weeded out before remediation effort is spent.
CVSS and the National Vulnerability Database are valuable resources for organizations attempting to mitigate risk efficiently.
Continuously Monitoring Vulnerabilities
Trying to manage risk without proper tools consumes time that security professionals do not have. Continuous monitoring solutions streamline the vulnerability management process and improve security posture at the same time.
For example, if an employee violates an organization's acceptable use policy and downloads a program such as Flash, new vulnerabilities are introduced onto the network.
A continuous monitoring solution detects these new risks the moment they appear and alerts the appropriate personnel by email. This lets security professionals act quickly to remediate the risk and gives them usable security metrics: what the vulnerability is, who introduced it, and when it entered the network.
(The Risk Enumeration Dashboard in aristotleinsight® displays a summary of your current vulnerability risk; either for a specific group or for your entire enterprise. The dashboard shows metrics based on NIST standards in addition to other metrics like CVSS, vulnerability distribution, Vulnerability Risk Cluster graph, and general statistics on the number of devices and software currently impacted by vulnerabilities.)
One example of such a solution is aristotleinsight®, which identifies risks as they enter the network through one of three vulnerability gateways (Critical CVEs, Cyber Hygiene, or End of Life Software) and allows security professionals to document the remediation process in detail.
(The Enumeration Management Report in aristotleinsight utilizes several tabs for the process of identification, remediation, audit, and assessment of vulnerabilities and vulnerable software on your network.)
Managing Vulnerabilities With aristotleinsight
Aristotleinsight was developed to meet the needs identified by Operation Eligible Receiver 97. The system continuously identifies risk, directs remediation, and documents results across security functions such as vulnerabilities, configurations, privileged user management, asset inventory, and threat analytics.
Using UDAPE® technology, aristotleinsight collects data at the process level from every device on an organization's network.
A Bayesian inference engine sorts through this kernel-level data and highlights actionable items, helping security teams identify risk, direct the remediation process, and document the results. This saves security teams time and improves their management of cybersecurity posture.
Aristotleinsight is well suited to an organization that is building its security process. For organizations with a mature cybersecurity process already in place, it is an effective hunt tool.
About the Author
Josh Paape is an Online Marketing Specialist at Sergeant Laboratories, a leader in security and compliance solutions that allow businesses, governments, and healthcare institutions to comply with regulations and stay a step ahead of criminals. As a graduate of the University of Wisconsin – La Crosse, Josh has experience marketing products from a variety of industries. As a contributor to CDM, he hopes to spark new thought and discussion topics in the information security community.
Connect with Sergeant Laboratories: https://www.sgtlabs.com
Sergeant Laboratories Blog: https://www.aristotleinsight.com
LinkedIn: https://www.linkedin.com/company/sergeant-laboratories-inc
Twitter: @Sergeant_Labs