Vulnerability Management

Terms, regulatory requirements and types of IT vulnerabilities

Early detection of vulnerabilities should be a top priority for all companies in the financial and insurance sector. Typical types of IT vulnerabilities are unpatched and outdated software versions, trivial passwords or open ports that are not explicitly required for communication. Organizational deficiencies can also be vulnerabilities. Attackers can exploit vulnerabilities to damage the institution or even impair its functionality for a certain period of time. Effective vulnerability management is the way to prevent such worst-case scenarios from occurring.

As already mentioned in the introduction, existing deficiencies in companies, for example of a process-related, systematic or personnel nature, are summarized under the term vulnerability (i.e. bug). In a worst-case scenario, their occurrence can prevent the company from meeting its objectives and therefore cause damage. Within this context, IT vulnerabilities are defects that affect IT in particular; they can likewise cause damage to the company and therefore require countermeasures, especially given the importance of IT in the overall organization.

Regulatory requirements for vulnerability management

Typical examples of IT vulnerabilities are missing security patches, which are usually made available promptly by software manufacturers when a security gap/vulnerability is discovered. Such vulnerabilities allow attackers to penetrate confidential areas of a company where they can cause damage to the company itself and its customers. If the company operates reliable patch management with sound risk assessment and short response times, hackers have very little time to exploit such vulnerabilities before they are closed. Attacks mounted in this extremely short window are called “zero-day exploits”.

The supervisory authorities in Germany are responsible for the stability of the German economy and Germany as a financial center. It is therefore only logical that they require the supervised institutions to keep an eye on IT vulnerabilities and close them promptly.

Almost all of the threats listed in the BSI’s IT baseline protection compendium can occur through the exploitation of vulnerabilities. However, a distinction can be made between more elementary threats such as fire and water (a data center located directly on a river has a significant vulnerability) and deliberate actions – for example, when a hacker extracts confidential data from a company after successfully exploiting a vulnerability. Here are some examples of threats from IT baseline protection that are related to vulnerabilities:

  • G.0.9: Failure or disruption of communication networks: damage can be caused by exploiting a vulnerability on an unpatched switch.
  • G.0.14: Spying on information (spyware): by exploiting a vulnerability in an information system, an attacker can gain possession of confidential information.
  • G.0.21/22: Manipulation of hardware, software or information: vulnerabilities allow illegal access to and manipulation of systems or information.

All of this in turn can lead to coercion, blackmail or corruption as well as the misuse of personal data and other threats.

The aim of every institution must therefore be to know its current weak points and the risks that could arise from them. This is a fundamental basis for effective risk management. A risk analysis can then be used to decide which vulnerabilities need to be eliminated and when, or whether the risk associated with a vulnerability can be accepted, at least for a certain period of time.

The “Three Lines of Defense Model” has the task of reducing complexity and creating clear responsibilities. Complexity already arises from the company itself: the organizational structure, the employees, the infrastructure, guidelines and (legal) regulations, quality controls, established security measures and risk minimization measures.
Vulnerabilities are always also a risk that needs to be assessed.

But attack vectors are also becoming more creative and complex – new technologies and processes can favor attackers. Every defensive measure creates possible new attack scenarios, and new attack strategies create new defensive measures.

The “Three Lines of Defense” model has been established and has proven itself in practice as a way to coordinate the numerous defensive and risk-minimizing measures effectively and efficiently and to structure responsibilities clearly. It is used to control communication during defensive measures and to make the best possible use of limited resources. Each subsequent line performs control tasks for the upstream lines and therefore forms a “double base”. CERT notifications, vulnerability scans (and pentests) and manufacturer reports on any weaknesses that have occurred are useful for a successful defense. In the company organization, a separation of functions between the three lines must be ensured so that no conflicts of interest can arise with regard to the control measures.

First Line of Defense

The first line of defense is formed by the operating units, i.e. operations. They are responsible for ensuring that vulnerabilities are identified and evaluated and that risk-minimizing measures are established, maintained and implemented in daily business operations. They are responsible for the respective vulnerabilities and risks in their area and should have an overview of these so that they can reliably prevent them from being exploited. To this end, these weaknesses must be identified, evaluated and then rectified (or accepted). It is important that clear guidelines for dealing with and assessing weaknesses and risks in general are created on the governance side. Based on these, operational management can implement appropriate measures. It makes sense to bundle the control of vulnerability management in the first line in a central unit, for example a Security Operations Center (SOC).

Second Line of Defense

The second line of defense is risk management and compliance/governance. This is where the CISO (Chief Information Security Officer) and their team are typically positioned. Specifications, framework conditions and guidelines are developed here and implemented in the first line. Risk management evaluates the measures implemented and determines the company’s risk appetite. It also develops a framework that standardizes the assessment and handling of vulnerabilities and risks.

The second line of defense is responsible for identifying and assessing new vulnerabilities that arise for the organization at a strategic level and for continuously improving vulnerability management on this basis. Training and advice for the first line are also assigned here.

In order to demonstrate the effectiveness of the established measures and to identify unsuitable measures, controls or processes, regular checks, including penetration tests, are essential. First-line processes in particular are regularly checked in relation to vulnerability management. In this way, vulnerabilities can be closed or at least made known, and an optimal response can be made in the event of exploitation.

Third Line of Defense

The third line of defense consists of internal auditing. The internal audit department should be as independent as possible from IT management and report directly to the management. This avoids possible dependencies on the first and second lines. According to recognized standards, the task of internal auditing is to carry out internal audits in order to gain an overview of all risks and measures, as well as to give the Governance side This means that not only the implemented measures are reviewed, but also the framework conditions, guidelines and processes set by the second line are put to the test. The management receives the results and can use them to implement measures to improve vulnerability and risk management or the Governance.

Types of IT vulnerabilities

As mentioned at the beginning, there are numerous types of IT vulnerabilities. In the following, we will introduce you to the most common ones in more detail. If you keep an eye on these and set up your vulnerability management in such a way that they are eliminated as quickly as possible once they occur, you will have already taken an important step towards increasing your institution’s IT security.

Outdated patch versions

Every new system is usually set up according to the latest state of the art and with the latest software versions. In legacy environments in particular, it often requires considerable effort to optimally orchestrate the entire software stack, from the operating system and middleware right up to the application. This results in considerable dependencies between the components. However, software versions quickly become obsolete and new ones are added. Patch management in combination with a CMDB (Configuration Management Database) provides an overview of which patch versions are installed on which components and where new patch versions should be installed. However, outdated patch versions are often overlooked, or the current application version (which would be very time-consuming to upgrade due to extensive customizing) is not compatible with a new patch version at operating system or middleware level. As a result, outdated patch versions often run for much longer than they should, without those responsible even realizing it.

Companies that have migrated their IT or parts of it to the cloud have a clear advantage here, as cloud-compatible applications are based on standardized interfaces/APIs, which greatly reduces or eliminates direct dependencies in the entire software stack.
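As an added illustration of the patch-gap problem described above (example code written for this page, not the article’s or any vendor’s tooling), the following Python check compares a CMDB-style inventory against a constructed “latest patch level” list and separates components that can simply be patched from those blocked by an application certified only for an older OS or middleware level. All hostnames, product names, versions and the inventory format are made up.

```python
from dataclasses import dataclass, field

Version = tuple[int, ...]

@dataclass
class Component:
    host: str
    name: str
    version: Version
    # dependency name -> highest version this component is certified against
    max_supported: dict = field(default_factory=dict)

# Constructed stand-in for the manufacturers' "latest patch level" feed.
LATEST: dict[str, Version] = {"os-x": (5, 14, 3), "mw-y": (9, 2, 1), "app-z": (3, 0, 0)}

def fmt(v: Version) -> str:
    return ".".join(map(str, v))

def patch_gaps(cmdb: list[Component]) -> list[dict]:
    """One finding per outdated component: 'patchable', or 'blocked' when a
    component on the same host is certified only for an older level of it."""
    findings = []
    for host in sorted({c.host for c in cmdb}):
        comps = [c for c in cmdb if c.host == host]
        for c in comps:
            latest = LATEST.get(c.name)
            if latest is None or c.version >= latest:
                continue  # unknown product, or already at the latest level
            blockers = [
                f"{o.name} certified only up to {c.name} {fmt(o.max_supported[c.name])}"
                for o in comps
                if c.name in o.max_supported and o.max_supported[c.name] < latest
            ]
            findings.append({
                "host": host, "component": c.name,
                "installed": fmt(c.version), "latest": fmt(latest),
                "status": "blocked" if blockers else "patchable",
                "blockers": blockers,
            })
    return findings

# Constructed inventory: srv01 runs a heavily customized application pinned to
# an old OS patch level; srv02 has simply missed a middleware patch.
SAMPLE_CMDB = [
    Component("srv01", "os-x", (5, 14, 1)),
    Component("srv01", "mw-y", (9, 2, 1)),
    Component("srv01", "app-z", (2, 8, 0), {"os-x": (5, 14, 1)}),
    Component("srv02", "os-x", (5, 14, 3)),
    Component("srv02", "mw-y", (9, 1, 0)),
]

if __name__ == "__main__":
    for f in patch_gaps(SAMPLE_CMDB):
        print(f"{f['host']} {f['component']} {f['installed']} -> {f['latest']} "
              f"{f['status']} {'; '.join(f['blockers'])}")
```

A “blocked” finding is exactly the case the text warns about: the OS patch is available, but applying it first requires an application upgrade, so the gap needs an explicit risk decision rather than silent toleration.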

IoT - Internet of Things

IoT (Internet of Things) technology, i.e. the webcam and the smart fridge, can be a common source of vulnerabilities. Economically, the markets for these products are highly competitive and margins are low. As a result, the implemented security solutions often suffer and are considered irrelevant. However, as these devices can often communicate indirectly or even directly with the internet, the hijacking of IoT devices is a serious risk. Almost every webcam has a publicly accessible IP address and operating system. Unlike PCs, however, the webcam rarely has virus protection or an up-to-date patch level.

This is an invitation for any attacker! It is not unlikely that the computing power of a webcam or a smart fridge has been involved in DDoS attacks.

Default Password

The passwords set by the manufacturers are often not changed after installation or configuration. It is easy for attackers to find out the common standard passwords for hardware and software on the Internet (usually in the operating instructions available online) and then access the device. This is the most common, simplest and most promising type of “brute force attack”. Changing these default passwords is therefore essential, even on inconspicuous-looking devices such as printers.

Phishing

“The problem sits in front of the monitor” is unfortunately also true in the context of vulnerability management. Many attacks still succeed through phishing attempts: dubious phone calls, fake emails, links to competitions where you have won an iPad, or even copies of entire websites with login fields in order to intercept access data. The creativity is high, the quality of the attempts varies greatly. Nevertheless, it remains a constant problem. An effective defense consists of regular awareness training combined with effective spam and virus protection and e-mail filtering.
