Vulnerability assessment, the first step towards improving security within the whole organisation

Software vulnerabilities are currently one of the most significant security risks to which organisations are exposed. Every day, security researchers and software and hardware vendors identify dozens of such problems and make them public. Many companies, however, only become aware of the threats to which they are exposed after a security incident, and the damage caused and the remedial actions then required are always more expensive than preventive action would have been.

A textbook example

To understand the concrete risk that a single vulnerability can pose, the best example is the WannaCry cyber-attack of May 2017, which also affected Romanian private companies and public institutions.

WannaCry exploited a vulnerability in the Windows SMBv1 protocol, CVE-2017-0144, rated 9.3 on the CVSS v2 scale, for which Microsoft had published a patch (security bulletin MS17-010) in March 2017. Few companies had applied it in the two months that followed, and the consequences were visible. According to Europol, the attack affected more than 10,000 organisations in 150 countries (about 400,000 computers were infected) and caused an estimated total damage of over 3.5 billion Euros.

When damages exceed direct loss

The problem is that victims do not only suffer losses from the disruption of their employees' work (as happened at the Dacia plant in Mioveni in the WannaCry case); they are also exposed to the risk of substantial penalties. The latest example in this respect is the US giant Equifax, which in September 2017 disclosed a cyber attack that had exploited a software vulnerability in the Apache Struts web framework (CVE-2017-5638) on its servers.

At the time of that attack a patch had already been available for two months, and the committee that investigated the incident, in which the personal data of more than 148 million US citizens was compromised, concluded that it could have been prevented entirely. The final outcome, announced this July by the Federal Trade Commission and the Consumer Financial Protection Bureau together with the US states, was a settlement under which Equifax pays up to USD 700 million.

GDPR complicates things

Such examples have multiplied considerably in the past year in Europe as well, where the General Data Protection Regulation (GDPR) has applied since May 2018. According to the data collected at EU level, about 90,000 personal data breach notifications were made in the first year of GDPR.

Since this July, Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP, the National Supervisory Authority for Personal Data Processing) has begun to impose fines in Romania as well; in August it imposed its fourth such fine.

It is true that, among the grounds for the fines imposed so far by ANSPDCP, there is not, yet, a security breach caused by the exploitation of a software vulnerability. It is only a matter of time until this happens, however, given how likely this type of risk is. According to the Tripwire 2019 Vulnerability Management Survey, last year one in three European companies suffered a breach as a result of unremediated vulnerabilities. Their number continues to grow, since attackers naturally target the most widely used software. According to the annual report issued by Recorded Future, Microsoft products accounted for 8 of the top 10 most exploited vulnerabilities in 2018.

Dangerous confusions

Vulnerabilities are all but unavoidable, because most of them stem from vendors' coding errors or from customers' configuration mistakes. That does not mean, however, that their exploitation cannot be prevented.

Practice has shown that the most efficient way to detect and remediate them is an iterative "Vulnerability Assessment" process.

Nevertheless, some organisations confuse the assessment process with a "Vulnerability Scan". The mistake is understandable, since an assessment does indeed rely on one or more tools that scan hardware, software, the network and so on. The confusion causes problems, however, because any company with minimal technical skills can purchase, install and run a vulnerability scanner and obtain a list of findings ranked by the scanner's classification system, typically the CVSS base score. Interpreting that list requires advanced cyber-security skills: the base score says how severe a flaw is in the abstract, not how exposed a particular system is, whether the finding is a false positive, or what the fix would cost. Reading scanner output without a specialist is like taking an X-ray and trying to interpret it yourself in order to decide your treatment.

Another common confusion is treating "Vulnerability Assessment" as a synonym for "Penetration Testing" or "Pentest". Both processes do aim to identify weaknesses in an organisation's infrastructure. A Vulnerability Assessment, however, is aimed at detecting vulnerabilities and determining their severity, in order to obtain an in-depth picture of the organisation's security level and to establish the necessary remediation and/or risk mitigation actions. A Pentest is less about discovering vulnerabilities and more about simulating a cyber attack as realistically as possible, in order to test the effectiveness of the existing protective measures and to map the paths an attacker might take. Penetration Testing shows the means by which an attacker gets past security controls, not the full set of vulnerabilities present. Performing a Pentest without first conducting a full vulnerability assessment, and implementing the necessary remediation actions, is like testing whether the foundation of a house is waterproof before installing the waterproofing.

The specialist, an essential "ingredient"

Calling on a specialised company, such as ECKO, to carry out a "Vulnerability Assessment" is necessary first of all because identifying vulnerabilities is not the same as eliminating them, and because the "treatment" varies from case to case.

In the best case, vulnerabilities can be remediated by applying patches and/or reconfiguring systems. There are situations, however, when this is not possible, for instance when no patch has been published yet, and then actions must be taken to reduce the impact and/or the probability of exploitation (network segmentation, disabling the affected service, tighter access rules, and so on). Determining the scale of the impact and the set of potentially affected systems and services is another delicate problem that few companies manage to resolve correctly.

Sometimes the vulnerability has to be accepted, which is justified when the risk is low and the cost of remediation substantially exceeds the potential damage its exploitation could cause. There are also cases when the recommended remediation is not a feasible or immediately applicable solution, such as replacing an end-of-life business-critical application for which the vendor no longer provides support, or upgrading an expensive piece of equipment that requires elaborate configuration.

Moreover, like any security tool, vulnerability scanners are not perfect: they have a false positive rate that must be taken into account and actively corrected. A common case is a finding based only on a version banner, where the distribution has backported the fix without changing the version number; confirming or dismissing such findings again requires real experience in the field.

Applying patches, and configuration changes in particular, can in turn cause compatibility problems, and multivendor knowledge and system-integration skills are essential to prevent them.

These common challenges exceed the capabilities of many organisations, which is why it is preferable to use the services of a company specialising in "Vulnerability Assessment", especially since, to achieve its objectives, the assessment has to be repeated periodically: on the one hand because new vulnerabilities keep appearing (at the time of writing, the National Vulnerability Database has counted over 1,000 in September alone) and on the other because the organisation needs to measure the security improvement it has achieved between one assessment and the next.
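The decisions described in the preceding paragraphs (adjust the scanner's base score to the organisation's context, flag banner-only findings for verification, patch where a supported fix exists, mitigate where no patch exists or the product is end-of-life, accept low risks whose fix costs more than the damage, and compare successive runs) can be made explicit in code. The following is an added example, not code from the original article or from ECKO; the hosts, the `EXAMPLE-…` identifiers, the attributes, the weighting factors and the thresholds are all constructed assumptions, and only CVE-2017-0144 and CVE-2017-5638 are the real vulnerabilities the article mentions.

```python
"""Added example: turning a raw scanner finding list into assessment decisions.

Sample findings, weighting factors and thresholds are illustrative assumptions,
not real scan output or a standard scoring scheme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float             # base score as reported by the scanner
    internet_facing: bool   # reachable from the internet
    exploit_public: bool    # a public exploit exists
    patch_available: bool   # the vendor has published a fix
    vendor_supported: bool  # product still supported (not end-of-life)
    asset_value: int        # business value of the host, 1 (low) .. 5 (critical)
    remediation_cost: int   # relative cost of the fix, 1 (trivial) .. 5 (very high)
    evidence: str           # "confirmed" (verified) or "banner" (version string only)


def contextual_risk(f: Finding) -> float:
    """Adjust the scanner's base score to the organisation's context.

    The base score says how bad the flaw is in the abstract; the assessment
    needs to know how bad it is on this host. Factors are assumptions.
    """
    score = f.cvss
    score *= 1.2 if f.internet_facing else 0.7
    score *= 1.2 if f.exploit_public else 0.9
    score *= 0.8 + 0.1 * f.asset_value  # 0.9 .. 1.3
    return round(min(score, 10.0), 1)


def decide(f: Finding) -> str:
    """Return one of: verify, accept, patch, mitigate."""
    if f.evidence == "banner":
        # Version-string matches are the usual source of false positives
        # (e.g. distribution backports): confirm before spending effort.
        return "verify"
    if contextual_risk(f) < 4.0 and f.remediation_cost > f.asset_value:
        # Low risk and the fix costs more than the plausible damage:
        # document the decision and accept the risk.
        return "accept"
    if f.patch_available and f.vendor_supported:
        return "patch"
    # No patch yet, or end-of-life product: reduce impact or probability
    # instead (segmentation, disable the service, tighter ACLs, IPS rule).
    return "mitigate"


def assess(findings):
    """Ordered work list: highest contextual risk first, with the decided action."""
    rows = [(contextual_risk(f), decide(f), f) for f in findings]
    rows.sort(key=lambda r: r[0], reverse=True)  # stable: ties keep input order
    return [{"host": f.host, "cve": f.cve, "base": f.cvss, "risk": r, "action": a}
            for r, a, f in rows]


def progress(previous, current):
    """Compare two assessment runs: what was fixed, what is new, what is still open."""
    prev = {(f.host, f.cve) for f in previous}
    cur = {(f.host, f.cve) for f in current}
    return {"fixed": sorted(prev - cur), "new": sorted(cur - prev),
            "still_open": sorted(prev & cur)}


# Constructed sample runs (assumed hosts and attributes, not real scan data).
RUN_1 = [
    Finding("dmz-web-01", "CVE-2017-5638", 10.0, True, True, True, True, 5, 2, "confirmed"),
    Finding("fs-01", "CVE-2017-0144", 9.3, False, True, True, True, 4, 1, "confirmed"),
    Finding("erp-legacy", "EXAMPLE-0001", 7.5, False, False, True, False, 5, 5, "confirmed"),
    Finding("print-01", "EXAMPLE-0002", 3.1, False, False, True, True, 1, 4, "confirmed"),
    Finding("dmz-mail-01", "EXAMPLE-0003", 5.3, True, False, True, True, 3, 2, "banner"),
    Finding("app-02", "EXAMPLE-0004", 8.8, True, True, False, True, 4, 3, "confirmed"),
]
RUN_2 = [RUN_1[2], RUN_1[3], RUN_1[5],
         Finding("app-02", "EXAMPLE-0005", 6.5, True, False, True, True, 4, 2, "confirmed")]

if __name__ == "__main__":
    for row in assess(RUN_1):
        print(f"{row['risk']:>5}  {row['action']:<8} {row['host']:<12} {row['cve']}")
    print(progress(RUN_1, RUN_2))
```

The ordering produced by `assess` differs from the scanner's own: the internal file server with CVE-2017-0144 drops below the internet-facing host that has no patch yet, the end-of-life ERP system gets "mitigate" even though a patch exists, and the banner-only mail finding is queued for verification rather than for patching. `progress` is what the periodic re-run is for: it reports which findings disappeared, which are new, and which are still open.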

As the market shows, few companies have the necessary resources and/or can afford to train and allocate people to perform "Vulnerability Assessment" processes. If you find yourself in this situation, ECKO can help, because we have specialists and actual experience in this field. If you want a correct assessment of your risk level and a proactive approach to vulnerabilities, you can call on our services.