Cyberattacks caused by IT vulnerabilities can affect any institution. As the security report “Modern Bank Heists”, published by VMware Carbon Black, shows, cyberattacks on banks, insurance companies and financial service providers have skyrocketed. Reason enough to take a closer look at the topic of vulnerability management. There are various individual measures for detecting weak points reliably and, above all, at an early stage.
Vulnerability scans
Vulnerability scans are suitable for gaining an initial and subsequently continuous insight into the state of your own IT security and its weaknesses. By regularly checking the infrastructure for gaps, vulnerabilities can be identified at an early stage and (if necessary/possible) closed. In this way, the security level of the infrastructure is kept high in the long term and permanently.
A scan is carried out using appropriate software (a vulnerability scanner) such as nmap, Nessus, Qualys, OpenVAS or Greenbone; both commercial and open source solutions exist. First, the optimal points in the network must be identified in order to place the scanners correctly. Ideally, a scanner should reach as many networks as possible without having to pass through firewalls. Depending on the complexity of the network, this can be a very time-consuming implementation step. The possible scan targets, i.e. the IP addresses in the target networks, are then determined as part of a topology scan. The scanner then probes the ports and active services on the target system behind each IP address. In doing so, the scanner finds outdated patch levels of systems or software, trivial passwords and also misconfigurations. This method is known as a network scan.
Vulnerability scans work more thoroughly with agents on the target systems that examine the targets from the inside. This type of scan, however, requires a high level of transparency in the infrastructure and a well-maintained CMDB. Once the company has reached this level of maturity, the same method can also be used for compliance scans, which prove that predefined target configurations are being adhered to on the systems. A further stage after the vulnerability scan is the vulnerability assessment (a special form of penetration test). Here, human intelligence is added to the scan: newer or more creative vulnerabilities are actively searched for, and custom software can also be examined.
Penetration test
The penetration test or pentest differs from a vulnerability scan or vulnerability assessment in that a worst-case scenario is played out on a specific target. This could be, for example, gaining administrative rights to a system. It is therefore much more in-depth than broad. The manual effort is significantly higher, which entails correspondingly higher costs. Typically, a pentester uses a mix of tool-based scans and their own attack scenarios to check whether systems are well secured. Pentests are generally intended to demonstrate the effectiveness of implemented measures or the need for IT security-related improvements or investments.
As it is too time-consuming to subject every system to a regular pentest, the objectives are defined in a risk-oriented manner as part of audit management. Each pentest is individual and is discussed thoroughly in advance between the client and the contractor. A plan of what, how and when to attack must be drawn up so that it is clear whether a detected attack (e.g. one flagged by a SIEM) is part of the pentest or not. It is conceivable to disclose this plan to only part of the organization in advance, for example to test the effectiveness of the security organization under realistic conditions. In addition, companies should process manufacturer reports on security vulnerabilities and security updates, as well as relevant press reports such as those from the Heise ticker, using the same methodology.
CERT
CERT stands for Computer Emergency Response Team and describes groups of IT security experts who report and advise on relevant IT security problems. They shed light on attack vectors and give advice on how to minimize the identified risks. They also provide support in responding to security incidents.
In Germany, the CERT of the University of Stuttgart, mcert and the CERT of the German Research Network are available to small and medium-sized companies. Larger companies operate their own CERTs in order to assess the threat situation on a group-specific basis and derive appropriate measures. One example of this is the S-CERT in the Sparkassen-Finanzgruppe. The Forum of Incident Response and Security Teams (FIRST) acts as an umbrella organization for CERTs. CERT advisories can be subscribed to; depending on the subscription, the reports, which are rated according to severity, are sent electronically and can then be processed. Normally, tickets are generated, worked and closed as part of patch management.
CMDB as the most important measure for detecting and eliminating vulnerabilities
A complete CMDB (Configuration Management Database) is essential to ensure that vulnerabilities and security risks are detected reliably and promptly in your institution. This enables you to obtain transparency about the status and dependencies of your own IT systems.
A CMDB provides a central overview and management of scattered configuration elements of the IT infrastructure. In the context of vulnerability management, the CMDB helps to identify the dependencies of IT systems and is one of the first places to check for vulnerabilities in the form of incorrect or inadequate configurations in the IT infrastructure. It is the basis for a large-scale comparison with known or new vulnerabilities. It also enables efficient patch planning to eliminate vulnerabilities. The generally applicable ITIL process framework also requires the use of a CMDB in the IT infrastructure, as all ITIL processes and service management depend on it. The quality of the CMDB (or the quality of the data) is therefore crucial for successful incident and problem management, and therefore also for vulnerability management.
The CMDB also plays a key role in providing an overview of the entire range of configurations. In the event of a security incident, the CMDB can be used to quickly gain an overview of the situation and any other threatened systems.
With the help of a CMDB, IT systems can also be assigned to business processes, making it possible to determine which data is collected, processed and stored where. This makes it possible to identify the necessary protection requirements and carry out a risk assessment. From the protection requirements and the risk assessment, a clear picture emerges of the measures required to establish the necessary protection and minimize the remaining risk.
Vulnerability scans and pentests based on the CMDB can be used to establish the current status of your own IT and uncover existing vulnerabilities on a large scale. For the efficient elimination of vulnerabilities and the optimization of IT systems and their dependencies, a target state is required, which results from various requirements for good IT security. Suitable sources for this are best-practice IT security solutions and configurations, as well as threat analyses.
Without a well-maintained CMDB, effective vulnerability management is not possible, as the impact of a vulnerability cannot be assessed, either fully or in part. The CMDB therefore forms the “population” of a company’s IT – a term that is a key issue in regulatory audits.
Classification and subdivision into immediate measures and longer-term measures
The findings obtained from vulnerability scans and pentests should now be divided into immediate measures and longer-term measures. Immediate measures address findings that pose a significant risk to the IT infrastructure and must be implemented as quickly as possible. The less critical findings can be remediated and documented in a coordinated manner as part of patch management or in an IT project.
A typical scenario that requires a project-based approach usually occurs when a company that primarily operates legacy IT scans its IT systems for the first time. For various reasons, so-called EOL (“End of Life”) vulnerabilities are then usually found, i.e. patch versions that are no longer supported by the manufacturers and therefore represent a considerable risk in many respects. However, rectifying these vulnerabilities usually involves considerable effort in terms of adapting the applications, which is why larger projects have to be initiated.
The basis created after the initial vulnerability remediation can be used to define the appropriate IT security strategy within an IT strategy. This includes IT governance, information risk management, information security management, user authorization management, IT operations and data backup, outsourcing and external procurement of IT services and consideration of the critical IT infrastructure.
The extensive description of these measures deserves its own article. They will therefore not be discussed further here. In terms of vulnerability management, the following key questions should be answered within risk management:
Are vulnerability scans or pentests carried out regularly? What is the frequency and effort involved?
How are vulnerabilities dealt with within IT governance?
What risks are associated with what effort to mitigate them? How “risk-hungry” is the organization?
What is the process for rectifying measures or findings from pentests or scans?
Is the handling and status of vulnerabilities regularly reviewed by management?
How are potential vulnerabilities handled by IT service providers?
How is the CMDB maintained and kept up to date?
How are new findings about vulnerabilities that are published, for example, by IT security companies dealt with?
Standardized processing of vulnerabilities through automation
So far, the focus has been more on the quality of the CMDB and how to deal with initial findings. However, this approach should be further optimized over time: in advanced vulnerability management, the vulnerabilities found should be consolidated and processed uniformly. The aim here is to achieve the most comprehensive automation possible, for which the various products offer different solutions. A simple scan produces an extensive report, and each vulnerability found receives a severity rating. Unfortunately, most providers have developed their own rating schemes. The rating is also not initially intelligent enough to recognize that the same vulnerability has just been found 300 times on different IPs. The aim should therefore be to consolidate the vulnerabilities found and to rate them uniformly. For consolidation and rating, an automated system should be written that evaluates the scan reports and generates only one ticket for a vulnerability that occurs on many target systems. The CERT scheme, with which CERT advisories are rated in a risk-oriented manner, is recommended as the standardized rating scheme. Unfortunately, a mapping matrix from each manufacturer's scheme into the CERT scheme must then be developed and validated. The various scanner suppliers offer different tools for automating the evaluation. These include configuration options for the scans and the preparation of the scan results, but also different output formats such as PDF or XML. The rating scheme developed in this way can then also be used for pentests, manufacturer reports and press reports.
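The consolidation step described above, together with the earlier split into immediate and longer-term measures, as an added example that is not code from the article: two constructed scanner exports (an XML report with a numeric 0-10 score and a JSON report with vendor-specific text labels) are parsed, each vendor's rating is passed through its own mapping matrix onto a single four-level target scheme, and one ticket is generated per CVE listing every affected host. The scanner formats, the four target levels, the "high and above is immediate" threshold and the CVE identifiers are all assumptions; the real target scheme would be the one your CERT feed uses.

```python
"""Consolidate findings from two (constructed) scanner exports into one ticket
per vulnerability, rated on a single scheme.  Added example; scanner formats,
target scheme, threshold and CVE identifiers are assumptions, not real data."""
import json
import xml.etree.ElementTree as ET

# Assumed target scheme, ordered from least to most severe.
LEVELS = ["low", "medium", "high", "critical"]
IMMEDIATE_FROM = "high"  # assumption: this level and above become immediate measures

# Constructed scanner A export: XML, one numeric score per finding.
SCANNER_A_XML = """<report>
  <host ip="10.0.0.11"><finding cve="CVE-0000-1111" score="9.8" title="placeholder: remote code execution"/></host>
  <host ip="10.0.0.12"><finding cve="CVE-0000-1111" score="9.8" title="placeholder: remote code execution"/></host>
  <host ip="10.0.0.13"><finding cve="CVE-0000-2222" score="5.3" title="placeholder: information disclosure"/></host>
</report>"""

# Constructed scanner B export: JSON, vendor-specific text labels.
SCANNER_B_JSON = """{"results": [
  {"target": "10.0.0.12", "id": "CVE-0000-1111", "name": "placeholder: remote code execution", "severity": "Urgent"},
  {"target": "10.0.0.20", "id": "CVE-0000-1111", "name": "placeholder: remote code execution", "severity": "Urgent"},
  {"target": "10.0.0.21", "id": "CVE-0000-3333", "name": "placeholder: weak cipher", "severity": "Minimal"}
]}"""


def level_from_score(score: float) -> str:
    """Mapping matrix for scanner A: numeric score -> target scheme (assumed cut-offs)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


# Mapping matrix for scanner B: vendor label -> target scheme (assumed labels).
SCANNER_B_MAP = {"Urgent": "critical", "Serious": "high", "Moderate": "medium", "Minimal": "low"}


def parse_scanner_a(xml_text: str) -> list:
    """Flatten scanner A's per-host XML into (cve, host, title, level) records."""
    findings = []
    for host in ET.fromstring(xml_text).findall("host"):
        for f in host.findall("finding"):
            findings.append({"cve": f.get("cve"), "host": host.get("ip"), "title": f.get("title"),
                             "level": level_from_score(float(f.get("score")))})
    return findings


def parse_scanner_b(json_text: str) -> list:
    """Flatten scanner B's JSON result list into the same record shape."""
    return [{"cve": r["id"], "host": r["target"], "title": r["name"],
             "level": SCANNER_B_MAP[r["severity"]]}
            for r in json.loads(json_text)["results"]]


def consolidate(findings: list) -> dict:
    """One ticket per CVE: union of hosts, highest mapped level, and the handling track."""
    tickets = {}
    for f in findings:
        t = tickets.setdefault(f["cve"], {"cve": f["cve"], "title": f["title"],
                                          "level": "low", "hosts": set()})
        t["hosts"].add(f["host"])  # a set, so the same host from two scanners counts once
        if LEVELS.index(f["level"]) > LEVELS.index(t["level"]):
            t["level"] = f["level"]
    for t in tickets.values():
        t["hosts"] = sorted(t["hosts"])
        immediate = LEVELS.index(t["level"]) >= LEVELS.index(IMMEDIATE_FROM)
        t["track"] = "immediate" if immediate else "patch-management"
    return tickets


# Six raw findings from two scanners collapse into three tickets.
TICKETS = consolidate(parse_scanner_a(SCANNER_A_XML) + parse_scanner_b(SCANNER_B_JSON))

if __name__ == "__main__":
    for t in TICKETS.values():
        print(f"{t['cve']} [{t['level']}] {t['track']}: {len(t['hosts'])} host(s) {t['hosts']}")
```

The only vendor-specific parts are the two parse functions and the two mapping matrices; adding a third scanner, a pentest report or a manufacturer advisory means adding one parser and one matrix, while the ticketing logic stays unchanged.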
Each known vulnerability is assigned a globally unique vulnerability number and vulnerability name, which can be found in the list of “Common Vulnerabilities and Exposures” or CVE. This enables clear referencing and tracking. In advanced vulnerability management, this can be linked to a CPE (Common Platform Enumeration), as each platform software version also has a unique number. However, this level of maturity again requires an excellently maintained CMDB…
In such a system, a new critical vulnerability can be referenced to all affected assets within minutes, making the planning of the corresponding patches, whether as an emergency or as part of the regular procedure, simple and transparent.
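The CVE-to-CPE-to-asset lookup described in the two paragraphs above, as an added example that is not code from the article: a constructed CMDB records the CPE 2.3 names of the software on each configuration item, a constructed advisory names the affected product with a version range (field names modelled on NVD's configuration entries), and the lookup returns the affected CIs grouped by business process so that patching can be planned per process. The CI identifiers, vendor and product names, the CVE number and the purely numeric version format are assumptions.

```python
"""Reference a new vulnerability to affected CMDB assets via CPE 2.3 names.
Added example; the CMDB rows, the advisory, the vendor/product names and the
CVE identifier are constructed placeholders."""

# Constructed configuration items; "cpes" is the software inventory of each CI.
CMDB = [
    {"ci": "SRV-0012", "owner": "team-web", "process": "online banking",
     "cpes": ["cpe:2.3:a:examplevendor:appserver:2.14:*:*:*:*:*:*:*",
              "cpe:2.3:o:exampleos:server:8.4:*:*:*:*:*:*:*"]},
    {"ci": "SRV-0013", "owner": "team-web", "process": "online banking",
     "cpes": ["cpe:2.3:a:examplevendor:appserver:2.17:*:*:*:*:*:*:*"]},
    {"ci": "SRV-0020", "owner": "team-legacy", "process": "archiving",
     "cpes": ["cpe:2.3:a:examplevendor:appserver:1.9:*:*:*:*:*:*:*"]},
    {"ci": "SRV-0031", "owner": "team-payments", "process": "payments",
     "cpes": ["cpe:2.3:a:examplevendor:appserver:2.3:*:*:*:*:*:*:*"]},
    {"ci": "WS-0100", "owner": "team-client", "process": "branch workstations",
     "cpes": ["cpe:2.3:a:examplevendor:reader:2.14:*:*:*:*:*:*:*"]},
]

# Constructed advisory: affected product as a wildcard CPE plus a version range.
ADVISORY = {
    "cve": "CVE-0000-4444",
    "affected": [{"cpe": "cpe:2.3:a:examplevendor:appserver:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "2.0", "versionEndExcluding": "2.17"}],
}


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into its part/vendor/product/version fields."""
    parts = cpe.split(":")
    if len(parts) != 13 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    return {"part": parts[2], "vendor": parts[3], "product": parts[4], "version": parts[5]}


def version_key(version: str) -> tuple:
    """Comparable form of a dotted version (assumption: numeric components only)."""
    return tuple(int(x) for x in version.split("."))


def matches(asset_cpe: str, rule: dict) -> bool:
    """True if the asset's CPE falls under the advisory's product and version range."""
    a, r = parse_cpe23(asset_cpe), parse_cpe23(rule["cpe"])
    if (a["part"], a["vendor"], a["product"]) != (r["part"], r["vendor"], r["product"]):
        return False
    if r["version"] != "*":              # rule names one exact version
        return a["version"] == r["version"]
    v = version_key(a["version"])
    lo, hi = rule.get("versionStartIncluding"), rule.get("versionEndExcluding")
    if lo is not None and v < version_key(lo):
        return False
    if hi is not None and v >= version_key(hi):
        return False
    return True


def affected_assets(cmdb: list, advisory: dict) -> list:
    """All CIs with at least one CPE matching any affected-product rule, sorted by CI."""
    hits = []
    for ci in cmdb:
        for cpe in ci["cpes"]:
            if any(matches(cpe, rule) for rule in advisory["affected"]):
                hits.append({"ci": ci["ci"], "owner": ci["owner"],
                             "process": ci["process"], "cpe": cpe})
                break  # one hit per CI is enough for the ticket
    return sorted(hits, key=lambda h: h["ci"])


def patch_plan(hits: list) -> dict:
    """Group affected CIs by business process for risk-oriented patch scheduling."""
    plan = {}
    for h in hits:
        plan.setdefault(h["process"], []).append(h["ci"])
    return {proc: sorted(cis) for proc, cis in plan.items()}


if __name__ == "__main__":
    hits = affected_assets(CMDB, ADVISORY)
    print(ADVISORY["cve"], "affects", [h["ci"] for h in hits])
    for proc, cis in patch_plan(hits).items():
        print(f"  {proc}: {cis}")
```

The lookup is only as good as the inventory it runs over: a CI with no CPE entries is silently not affected, which is exactly the blind spot the article's call for a well-maintained CMDB is about.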
Conclusion
Cyberattacks that exploit vulnerabilities to gain access to confidential data or cause other damage are on the rise. Effective vulnerability management is therefore a must for every company today.
However, it is a long way – from initiation to an efficient and effective process – before the exploitation of vulnerabilities for fraudulent purposes becomes difficult or almost impossible.
As a minimum, CERT advisories should be subscribed to and processed, and manufacturer notifications of security vulnerabilities should also be taken into account promptly. A functioning patch management process is essential for every company.
However, the effective and efficient handling of vulnerabilities requires a well-maintained CMDB in order to be able to appropriately assess the risk of vulnerabilities found and derive suitable measures.
The aim must be to be able to process all vulnerabilities from different sources uniformly and to close critical vulnerabilities promptly, as this is the only way to mitigate the increased risk of zero-day exploits.
The entire procedure should be implemented and reviewed in several stages: patch management is checked by vulnerability scans, the effectiveness of which is in turn validated as part of penetration tests. The entire process is monitored by the audit department.