Vulnerability management is known for being a foundational cybersecurity practice. While open-source VM solutions have perhaps provided an introduction to the benefits of VM, the modern threat landscape makes it so organizations need more advanced and reliable tools to stay secure. Here’s why enterprise grade VM solutions are more essential now than ever. 

Beating complexity with technology 

Enterprise vulnerability management tools feature a variety of technologies that enable them to keep pace with the complexities of modern organizations.  

Because these tools need to be immediately available for enterprise-level consumption, they are more frequently updated by developers focused on the tool. Open-source platforms may or may not receive the same amount of scrutiny or consistent attention.  

Additionally, enterprise VM offers more sophisticated scanning options, reaching across on-premises, cloud, and hybrid architectures. Coupled with better data manipulation and API availability, this results in better, more robust capabilities that can match today’s complicated threat onslaught. Enterprise VM can: 

• Scan local systems 
• Scan the entire global network 
• Correlate data on dynamic assets 
• Integrate with other enterprise-level tools 
• Cut resource costs by being user-friendly and easy to deploy 
• Infuse risk context for accurate, personalized remediation prioritization 

Additional technical considerations of an enterprise VM solution include: 

1. Automated and On-Demand Scanning | Automated scanning relieves the everyday security burden for busy teams and allows companies to respond immediately to developing issues.
2. Data Management | After scans are run, the best enterprise VM will make sense of the data, not leave teams to distill it themselves. From customized reports to being able to query against all scanned assets, data management capabilities increase the value of scanned data. 
3. Asset Correlation | Enterprise VM solutions ensure scan results are accurate and actionable by reducing false positives. In the best systems, built-in technology automatically tracks a device through the network and any changes, reducing confusion and inefficiencies as part of asset data correlation.  
4. Intuitive Platform Interface | A pre-built, intuitive interface takes the load off new employees and creates reliability in scan creation, even with turnover, staff shortages, and internal changes. 
5. API Availability | Solutions that are available via API can spread their benefit throughout the broader ecosystem. Through APIs, VM data can enrich SOAR, SIEM, NAC and more.  

Superior documentation 

Advanced documentation enables organizations to sidestep inefficiencies, pass compliance audits, and avoid wasted time. 

As companies continue to grapple with the cybersecurity skills gap, it becomes essential to have thorough documentation to bring users up to speed quickly. As vulnerabilities are patched and controls are put in place, enterprise-level documentation can save companies months of effort and re-work.  

Better reporting also means better audits. Vulnerability management solutions are essential to compliance audits and enterprise grade scanners typically come with detailed reporting capabilities built in. The best VM solutions offer segmented and customized reporting so companies can tailor them to their specific vulnerability, configuration, and compliance needs. 

Additionally, interactive and visual reporting platforms enable organizations to get the most out of their data. With the help of a central dashboard, users can search, visualize, and analyze their data via interactive, non-static reports.  

Ultimately, the C-suite needs to be made aware of the results of vulnerability management scans. Superior documentation leads to cleaner communication. If an executive has a specific question, practitioners who utilize enterprise VM have the ability to draw specific answers out of a customized, malleable report.  

Continuous support 

Organizations today are too busy for constant questions and troubleshooting. Enterprise VM solutions come with continuous support for teams that want to spend more time on critical security issues.  

Expert support keeps things moving. Teams can offload the burden of the learning curve, platform problems, and administrative tasks to enterprise VM experts who can provide simple ways forward. Leverage the expertise of practitioners who know the product, understand your vulnerability management needs, and can help you meet them with minimal downtime. 

Enterprise VM solutions like Frontline Vulnerability Manager can provide 24/7 live US-based customer support. A Personal Security Analyst is available to provide personalized on-demand support, and a team of platform experts can offer unparalleled expertise to help companies get the most out of their enterprise VM. 

Conclusion 

Enterprise vulnerability management enables organizations to overcome the security challenges native to shifting and expanding environments.  

Frequently updated technologies make possible the advanced scanning, data management, and analysis capabilities needed to combat modern threat complexity. Better documentation saves time and resources while delivering streamlined reporting to executives and practitioners who need it most. And the constant level of support guaranteed with the best enterprise VM platforms pays for itself in time saved, overhead, and the cost of training. 

While all vulnerability management programs are a step in the right direction, not all can keep up. Digital ecosystems are expanding and as data explodes, open-source tools managed by in-house teams struggle to maintain the peoplepower or updated technologies needed to fight threats at scale. Frontline VM optimizes small teams and reduces inefficiencies, saving resources, and enabling organizations to keep up – not catch up – with vulnerability management demands. 

Popular entertainment would have us believe that hackers are all sophisticated attackers ready to strike the latest vulnerabilities. That is sometimes true, but it’s become increasingly apparent that whether it’s the latest zero-day bug or something that was discovered the same year Apple released the iPad, hackers are equal-opportunity offenders.    

“Classic” Vulnerabilities

Cybersecurity professionals know the list of common vulnerabilities and exposures (CVE) seems never ending. While conscientious organizations may work to stay on top of the latest vulnerabilities, it’s easy to forget that some of the biggest threats have been around for a long time, and cyber attackers are not above going back to the classics.  Companies that haven’t always addressed CVEs in a timely manner may be surprised to learn that they’ve left some older issues unaddressed even though solutions are known and readily available. In fact, of the top most exploited CVEs, according to the US Cybersecurity and Infrastructure Agency (CISA), seven are from 2019 or earlier.  Here are a few examples:

CVE-2019-11510

Pulse Connect Secure and Pulse Policy Secure VPNs (now owned by Ivanti) contain vulnerabilities that allow an attacker to bypass authentication and access files and directories on an exposed system. It has been used in high-profile ransomware attacks, including those using Sodinokibi (aka Sodin or REvil) malware.   

Learn more about CVE-2019-11510.

Common Vulnerability Scoring System (CVSS) rating – 10, critical  

CVE-2018-13379

Fortinet FortiOS and FortiProxy can be exploited to allow a remote, unauthenticated user to execute a directory transversal attack by accessing plaintext user credentials stored in the system. Hackers used the credentials of domain administrators where multi-factor authentication wasn’t in use and gained complete access to the SSL VPN. Because the fix for this vulnerability required a password reset, which many end users neglected, organizations remain unprotected even though IT teams undertook remediation. It also highlights the importance of asset inventory and forced reboots.

Learn more about CVE-2018-13379.

CVSS rating – 9.8, critical 

CVE-2019-19781

A vulnerability in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, can allow an attacker to scan the system for vulnerable servers and perform arbitrary code execution. Hackers can access configuration and other crucial files. 

Learn more about CVE-2019-19781.

CVSS rating – 9.8, critical

CVE-2019-18935

Telerik UI for ASP.NET AJAX, a set of tools for creating web apps, contains an insecure deserialization vulnerability within RadAsyncUpload. By exploiting prior vulnerabilities CVE-2017-11317 and CVE-2017-11357, attackers obtain encryption keys to exploit this bug for remote code execution. 

Learn more about CVE-2019-18935.

CVSS rating – 9.8, critical

CVE-2018-0171

A bug in Cisco IOS software’s Smart Install could allow a remote attacker to execute arbitrary code or cause a reload and, consequently, a DoS. System reboots of affected systems leads to network outages.   

Learn more about CVE-2018-0171.

CVSS rating – 9.8, critical

CVE-2017-11882

Known as the Microsoft Office Memory Corruption Vulnerability, this CVE affects Microsoft Office 2007 Service Pack 3, 2010 Service Pack 2, 2013 Service Pack 1, and Microsoft Office 2016. It’s a memory corruption problem in a part of Office that handles object linking embedding (OLE). Once the user opens a malicious document, the attacker can execute remote code. Homeland Security and the FBI say this vulnerability, which has been around since 2000, is still one of the most frequently used by hackers in China, Russia, and North Korea. 

Learn more about CVE-2017-11882.

CVSS rating – 7.8, high

CVE-2017-0199

Another Microsoft bug, affecting Office SP3, 2010 SP2, 2013 SP1, 2016, Vista SP2, Server 2008 SP2, Windows 7 SP1,  and Windows 8.1, allows attackers to take over an infected system. The vulnerability relates to the way Microsoft Office and WordPad parse specially crafted files. 

Learn more about CVE-2017-0199.

CVSS rating – 7.8, high

Not on the list of most exploited CVEs, but still worth a mention because it illustrates just how long some problems can remain unaddressed is CVE-2014-0160, aka Heartbleed. This flaw was first discovered and documented in 2014 and is still being exploited today. It has a CVSS rating of 7.5, or high.   

Potential Risks

All of these CVEs are at least three years old yet they are still among the currently exploited vulnerabilities cataloged by CISA and private cybersecurity firms. That illustrates the fact that, old or not, these CVEs are still threats to the security of systems large and small. Many of the vulnerabilities listed here can result in compromised accounts that are offered by criminals in access-as-a-service schemes. 

In its 2023 Threat Report, cybersecurity firm Sophos noted that ransomware no longer focuses almost exclusively on Windows. Mac, Linux, and mobile platforms are increasingly in the crosshairs. Attackers are also using new methods of exploitation, including leveraging data from leak sites.  

The number of CVEs cataloged each year has grown steadily since 2010. That trend is likely to continue along with increasing financial ramifications. One of the primary motivations of maliciously targeting a system is financial gain, usually achieved by ransomware attacks for ransom payment or confidential data exfiltration and sale. Many of the CVEs listed above can be used for this type of exploit. Ransomware costs American businesses $1.4 million on average per occurrence with 90% of organizations saying the attack impacted their ability to operate, according to Sophos. And Forbes reports that even after paying the ransom, businesses were only able to restore 65% of their data. Furthermore, it’s illegal to pay a ransom so even with 100% data recovery, companies can still face legal problems and lawsuits from customers and other affected parties. 

Why Old Vulnerabilities Persist

The reason these CVEs, old and new, are still exploitable is simply because systems haven’t been patched. But the why behind that can vary. In some organizations, IT staff is overwhelmed with an ever increasing workload and not enough people. Sometimes the vulnerability is so old, the staff isn’t even aware of it or may think it’s already been addressed. And as newer issues come along, grabbing headlines and attention, they may be prioritized over older CVEs that don’t seem to pose as much of a threat. Unfortunately, attackers are aware of all this. With all the attention on newer vulnerabilities, it’s often easier for hackers to slip through by exploiting older CVEs that cybersecurity teams have forgotten about or assigned a low priority. 

The bottom line is that IT teams need to be given the resources to conduct thorough assessment, testing, and remediation for the most critical threats. Additionally, cooperation of other parts of the business will make or break successful patching efforts. Employees need to follow reboot, password reset, and other instructions from security teams. Even C-level personnel, who may feel too busy to reboot, must be persuaded to take steps necessary to secure the company’s systems. In fact, IT teams may want to prioritize those machines, with their extremely sensitive data, for security audits. 

What to Do About It

While it can seem overwhelming to contend with new threats as well as old ones, it doesn’t have to be. It’s not the age, but more the risk that matters. Teams that prioritize as such can speed up time-to-remediation for vulnerabilities that are the most likely to be exploited.

Risk-based vulnerability management (VM) allows each company to examine which CVEs are most likely to impact the business and handle those issues first. Penetration testing not only identifies weaknesses, but also verifies the exploitability of vulnerabilities discovered during scans. Combining proactive security measures like VM and penetration testing help security teams pinpoint high-risk weaknesses before attacker exploits can them.

This article was originally published on TechAeris on May 08, 2020.

What do you do if a small infected minority is threatening to infect the rest? By now, there probably isn’t a human being on the planet that doesn’t know the answer to this question: you place the infected in quarantine, separating them from the healthy. Collectively, throughout the world, we are distancing ourselves from the threat of the infected and hoping for the best possible outcome to survive the great pandemic. This concept of quarantine is not unique just to mankind but is also a vital security practice within our technological world as well.

In the enterprise security world, we face a similar problem. Most of the machines in the enterprise network are healthy and safe, but some are weak and if as little as a single machine gets infected, this may affect the entire network. We used to put guards – in the form of firewalls – to separate the network between secure enterprise machines and insecure devices. But as people work from home or bring their own devices to work, the chances of a single machine compromising the entire enterprise network rise significantly. Most of the security concepts we grapple with today date back to the 70s: passwords and access control; malicious code; software bugs leading to privilege escalation attacks – those seemingly remain the chessboard that is used to play the permanent arms-race game between the “white hats” and the “black hats”.

The solution, as mentioned, is isolation – or to use today’s terminology: forced-quarantine. Fortunately, we do not need to re-invent the wheel. The technology to do all of this already exists, although it may need minor re-purposing. Also, most enterprises will not need to buy any new products to get this done, they just need to ask their current vendors to work together and integrate. Testing tools already exist in the form of Vulnerability Assessment and Management. Isolation tools also exist and are widely popular – Network Access Control devices.

To explain how the process needs to work as soon as a problematic device is identified the Network Access Control product can easily cut that device off the network and place it in quarantine. The key, as we know from the physical world, is testing, and as mentioned we already have that – Vulnerability Scanning products can instantly detect a weak or infected device on the network. The missing piece is the integration between those two technologies, which often exists but is overlooked: many Vulnerability Assessment tools and Network Access Control products are happy to work together. This gives the outcome we were looking for: identify weak or infected devices using Vulnerability Assessment, and via integration with the Network Access Control product you get instant detection and quarantine.

The IT security world has borrowed concepts and ideas from the physical world since the days of the first computer Virus through the recent days of ransomware. Let us learn some defense from common-sense defense mechanisms in the real world; we cannot teach computers to socially-distance, but we can teach them to test, detect, and automatically quarantine. Having Vulnerability Assessment vendors collaborating with Network Access Control products is a must, to provide testing and force-quarantining in the enterprise environment, all this can be done automatically, instantly, and with zero additional spending – using already prevalent technologies in the Enterprise.

This article was originally published on HelpNetSecurity on April 16, 2020.

Finding security holes in information systems is as old as the first commercially available computer. Back when a “computer” was something that sat in a computer room, users would try to bypass restrictions, sometimes simply by trying to guess the administrator’s password.

Later when Bulletin Board Systems (the primitive version of the Internet) became popular, BBS users searched for ways to gain further access in order to view private files and invented the first phishing attack – familiar to many 21st century computer users as the method that was successfully used to hack into the DNC’s computers just before the 2016 elections.

The origin of the network virus

Back in 1988, when the entire “Internet” was merely 60,000 computers, the first network virus was unleashed. Of course, computer viruses themselves date back to the early days of the personal computer, first invented by an IT shop in Pakistan who wanted to earn money fixing computers – which possibly makes the Farooq Alvi brothers the very first black-hat IT security vendor.

Most of the security concepts we grapple with today date back to the 70s: passwords and access control; malicious code; software bugs leading to privilege escalation attacks.

That would make you think that “nothing is new under the sun” when it comes to Internet security. But just the contrary: while the game stayed the same, the rules have changed.

Information security in the 2010s

From the first security bugs until the recent past, security was a game with a clear winner and loser. If the attacker gets in, the bad guy wins, and the good guy loses.

Our job as information security experts and presumed good guys was to find those security vulnerabilities and help fix them. The premise being that security could be achieved – i.e., that there was a process you could follow to be reasonably secure and be safe from most attackers. This also meant that a security attack was a failure – a catastrophic one.

But the 2010s changed all that: security breaches are still a failure, but no longer catastrophic. A security breach is now one of those bad things that happen in corporate life that you try to prevent but also accept as a possibility. In other words: information security is a part of a mature corporate life.

Hacking contests and The Matrix

It wasn’t always so. Back in the 1980s, I had a notebook where I wrote the details of all the viruses in existence with instructions on how to remove them. It wasn’t a thick notebook.

Around that same time, John McAfee, who later founded the company that still bears his name, would drive around in a van and manually scan computers for viruses (I guess he must have had a notebook similar to mine).

In those days, a computer was either infected by a virus or it wasn’t; if it was, there were a series of steps you could take to make the computer clean again. Like every other aspect of computing, security was a binary state.

We had a similar view with access control (some passwords were safe, some weren’t), encryption, network services, network protocols and more. Some things were “safe” and some were not. Either one or zero.

When viruses gave way to security vulnerabilities as the main worry for IT staff, we started along a similar route – a set of predefined tests that would indicate if a computer was vulnerable.

When vulnerability scanners were first introduced, there were hundreds of security vulnerabilities you needed to check for. It was too many to write in a notebook, but it stood to reason that if you ran a vulnerability scanner and did not find any security vulnerabilities, you were safe.

As recent as the early 2000s, my company ran public “hacking contests” that were a sucker’s bet: we challenged attackers to try and attack a public system on the Internet that was checked for security vulnerabilities and found clean.

We knew that unless they had access to NSA-level tools, a potential attacker wouldn’t be able to break in. Life was still pretty binary and we didn’t expect it to change. The Matrix sequel movie showed Trinity, the brilliant hacker from the future, attacking the villains back in 2003 using a security hole that was known and easily fixable; we all chuckled at how hapless the futuristic Matrix villains were for falling in this easily avoidable trap.

A game we can win

The 2010s came and changed the way we security professionals see the world. First the speed at which security holes were discovered rapidly increased: while some 1,000 security holes were discovered and made public in the year 2000; in 2018 that number was over 16,000 (more than 40 new security holes discovered per day).

Our definition of “computer” also changed: phones, smart TVs, thermostats, light bulbs and cars are all computers with potential security vulnerabilities. The explosion happened on both axes: the number of vulnerabilities multiplied by the number of computer assets means that an average organization no longer hopes to fix all security holes but merely to manage them. In other words: the best we can do is limit our exposure.

This may sound like we’ve hit the tipping point: did we lose the arms race to the black hats? If every organization has a security hole, we are all vulnerable, all the time. Why even play the game if you’re destined to lose? Some self-proclaimed high priests of information security, usually remnants of the 20th century or echoing its old wisdom, will tell you “no system is secure”. But that’s only true if your world is binary, and ours isn’t.

In fact, for the exact reason a security breach is now a real possibility, it is also no longer the apocalyptic scenario it was back in the early 2000s. Also, the development of information security testing and protection systems helps us cope with security breaches: multiple layers of security, the ability to alert, log and block attacks means that the attacking and defending sides both have costs associated to with both attacking and defending: instead of a chess game with a winning and losing side, this is more like a perpetual tug-of-war where as long as a constant effort is applied by both sides it’s quite possible no one will score a definite win.

And that’s a good thing.

The high priests of security

Good and bad as definite concepts belong in the religious realm. Back in the old days security advocates were, in many ways, priests of an evangelistic religion.

We spent our days trying to convince agnostic managers to believe in something they couldn’t always see: the need for security in computing systems. There were many apocalyptic prophecies on what the non-believers will suffer if the proper rituals aren’t followed; many of us believed that computer breaches happened to those who “deserved” to be punished. Those non-believers were not committed enough, or they didn’t follow the recipe for salvation.

But that was then. In this day and age no half-competent manager really believes information security is not important – our evangelism is no longer necessary. Information security is now in the corporate mainstream.

In the corporate mainstream, risk is ever-present. It was famously said that “The Limited Liability Company is the most important invention since the wheel” – and this is because companies take risks all the time.

Apple is worth over a trillion dollars but can go bankrupt tomorrow at a non-zero probability; all Apple can do is limit their corporate risk and keep doing business.

Finally, decades after the first computer virus, information security reached a similar maturity: we can no longer guarantee a zero-risk, but we don’t have to.

Information security is no longer an external component that is measured by its budget or headcount. It is finally a component in the entire corporate governance structure like finance, legal and HR.

In the age of technology and data, information security is certainly a critical component, but still just a component. Managers should pay attention and mindshare to securing their infrastructure and data, but knowing that not every mistake warrants capital punishment, we moved away from the binary “safe or unsafe” to a more nuanced model of risk management and reduction. In that, we are less the religious priests and more corporate professionals, and just in time for the new roaring 20s.

This article was originally published on EIN Presswire on October 07, 2019.

SACRAMENTO, CALIFORNIA, UNITED STATES, October 7, 2019 /EINPresswire/ — To mark the month of October being Cyber Security Awareness Month, Beyond Security, a leading provider of automated security testing solutions, is providing 5 effective and easy to follow tips for protecting against Internet security threats that can cause both financial and emotional damages. While the future remains uncertain when it comes to sophisticated cyber-attacks, it’s important to be prepared and safe guard vital and confidential data against any kind of security breach.

1. Update Your Software

Security is an arms-race, but thankfully the good guys aren’t resting. Make sure to use an up-to-date and supported operating system, browser and other software. Windows 10 has built-in protective measures that obstruct many forms of ransomware, and all leading browsers are continuously updated to combat the latest threats and attacks. The update is often simple and automated but the responsibility is on the user to make sure the updates are taking place. Don’t wait – check and make sure today that all software you are using is the latest version.

2. Deploy Preventative Tools

Don’t be reactive, be proactive. Deploy preventive tools like vulnerability assessment tools – those can accurately identify close to 100% of common vulnerabilities that are exploited by attackers. A simple, and regular vulnerability assessment for your systems will identify potential weak points and suggest proper remediation actions such as patch management that will stop a would-be attacker in its tracks.

3. Test Your Software

Most companies are unable to develop all the necessary software in-house and use independent software vendors (ISVs) to build the required software. The problem is that these applications are not always built with security in mind. Make sure your ISVs are using the accepted standard for security testing, including static code analysis (white box testing) and dynamic code analysis (black box testing or fuzzing) which drastically reduce the attack surface of applications. Having the ISV perform these tests during development will save you money in the long run compared to having to fix a security hole when the software is deployed.

4. Backup Critical Data

Make sure you have redundancy. Backing up your critical data regularly reduces the impact of a potentially successful Ransomware attack. It goes without saying that data storage must be coupled with other hardening measures such as encryption and strong authentication.

5. Buy Security Insurance

Buy insurance. Even with taking all the above measures, there is a chance that an attacker may get through since full security is never guaranteed. No one can achieve perfect security, and security risk needs to be managed just like every other business risk. There are options to buy cybersecurity insurance policies that will protect you in rare cases that an attack is successful.