Cyber attacks are dominating the headlines. The fact that this is just the tip of the iceberg has long since ceased to be a secret. That is why it is important to identify weaknesses – and to do it better than the attackers. Vulnerabilities have to be eliminated before damage occurs. In this blog post, we show you the life cycle of a weakness and why you should be making vulnerability management a priority.
Phase 1: Origin
In April 2014, the CVE-2014-0160 vulnerability, better known by the name “Heartbleed bug”, caused quite a stir. The origin of this vulnerability was a programming error which was inadvertently inserted into the OpenSSL open source library code, allowing personal data to be read from clients and servers via encrypted TLS connections. The source code with the bug was introduced into the OpenSSL Git repository on 31 December 2011 and was first published on 14 March 2012 in OpenSSL version 1.0.1. Heartbleed affected OpenSSL versions 1.0.1 to 1.0.1f and was fixed in version 1.0.1g on 7 April 2014.
Phase 2: Discovery
Thus, the security vulnerability existed for over two years before it was discovered and fixed. A lot of companies were troubled by this – particularly those who, until that point, had barely given vulnerability management a thought. Are my systems affected? Where could a cyber criminal have caused damage? These were the questions companies asked themselves (unfortunately often too late).
Manufacturers of vulnerability management solutions (vulnerability scanners) offered help: they responded quickly and implemented suitable detection methods in their tools. It then only remained for the companies to act – although it was not quite that simple.
Phase 3: Response
The question now was: How to proceed? What in particular do I need to look out for? Let’s play through the scenario using a fictitious company, TrustCompany. TrustCompany responded immediately and had its systems analysed for vulnerabilities just one day after the weakness was discovered. The result: over 100 systems were affected by the problem. Although that sounds alarming, it was not unusual.
It became immediately apparent to TrustCompany’s two system administrators that it would not be possible to fix the vulnerability on all systems in such a short period of time. So, which systems had to be fixed most urgently? To work this out, they performed a criticality assessment to prioritise the systems. The analysis included whether or not the system could be accessed via the internet and what damage a successful attack could cause.
By proceeding in this way, TrustCompany was undoubtedly one step ahead of many other companies. However, it could have saved a lot of valuable time if this assessment had already been done beforehand.
Phase 4: Remedy
After the prioritisation, the two administrators were able to get to work on fixing the vulnerability. It turned out that the weakness had to be fixed on the various systems using different methods. In the best case, only the software needed updating; in the worst case, the application itself had to be reprogrammed. In some cases, a quick fix was not possible because the software manufacturer had not yet responded to the vulnerability.
On top of this was a problem familiar to many: the administrators were more involved in coordination than in the technical elimination of the vulnerability. They also had to report to senior management regarding current progress on a regular basis. So, it is no wonder that it took over 3 weeks for the most critical TrustCompany systems to be updated. And the rest? In progress...
Vulnerability Management: Lessons learned
What should TrustCompany have done differently? The answer applies to many other companies as well: prevention is better than cure. In other words, TrustCompany would have been better off performing vulnerability management activities beforehand.
Such activities would include for example:
- Use of a tool for the systematic detection of vulnerabilities
- Prior classification of the systems to be prioritised
- Defined and established processes for efficient and effective vulnerability rectification
- Predefined reporting
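The criticality assessment TrustCompany performed in Phase 3, and the "prior classification of the systems" recommended above, can be expressed as a small script. The following is an added example, not code from the original post or from any vendor tool: it flags systems whose OpenSSL version falls in the affected range stated above (1.0.1 to 1.0.1f, fixed in 1.0.1g) and ranks them by internet exposure and damage potential. The inventory, the impact scale and the scoring weights are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def is_heartbleed_affected(version: str) -> bool:
    """True if the OpenSSL version string lies in 1.0.1 .. 1.0.1f."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter = int(m[1]), int(m[2]), int(m[3]), m[4]
    # An empty letter suffix ("1.0.1") sorts before "a", so it is included.
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"


IMPACT_WEIGHT = {"low": 1, "medium": 2, "high": 3}  # hypothetical scale


@dataclass
class System:
    name: str
    openssl_version: str
    internet_facing: bool
    impact: str  # "low", "medium" or "high": damage a successful attack could cause


def priority_score(system: System) -> int:
    """Hypothetical scoring: damage potential, doubled if reachable from the internet."""
    score = IMPACT_WEIGHT[system.impact]
    return score * 2 if system.internet_facing else score


def prioritise(inventory):
    """Return only the affected systems, most urgent first (ties broken by name)."""
    affected = [s for s in inventory if is_heartbleed_affected(s.openssl_version)]
    return sorted(affected, key=lambda s: (-priority_score(s), s.name))


# Constructed sample inventory (not real hosts).
INVENTORY = [
    System("webshop", "1.0.1e", True, "high"),
    System("intranet-wiki", "1.0.1f", False, "medium"),
    System("mail-gateway", "1.0.1c", True, "medium"),
    System("build-server", "1.0.1g", False, "high"),  # already on the fixed release
    System("legacy-db", "1.0.0k", False, "high"),     # different branch, not affected
    System("hr-portal", "1.0.1", True, "high"),
]

if __name__ == "__main__":
    for s in prioritise(INVENTORY):
        print(f"{priority_score(s)}  {s.name:14} OpenSSL {s.openssl_version}")
```

Systems on 1.0.1g or on another branch drop out of the list, so the administrators start with the internet-facing, high-impact hosts rather than working through all 100 in arbitrary order.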
A study conducted in 2017 shows that TrustCompany is not alone: even three years after the vulnerability was announced, hundreds of thousands of systems publicly accessible via the internet were still vulnerable to the Heartbleed OpenSSL weakness. Isn’t that shocking?
What you should take from this for your own vulnerability management
Vulnerability management does not just consist of a tool, a person or a process. Vulnerability management can only be fully effective when all three of these areas are covered and are working in harmony with each other. For this very reason, implementing effective vulnerability management is complex, time-consuming and requires a great deal of know-how. Many companies, like TrustCompany, simply lack the time and human resources.
The solution? Get external help! Our experts will help you with your individual issues and guide you through all of the steps – from design to implementation. Alternatively, you can outsource the activity to our experts as a managed service from the Cyber Defence Center (CDC) in Baar. Have questions or want to find out more? You will find the detailed brochure here along with the contact form.