Partner Perspectives
9/10/2015 11:13 AM
Ted Gary

Get Fit: Remove Security Weaknesses

Preventing problems by strengthening security is often more effective and less expensive than reacting to breaches after they occur.

Many security teams engage in preventive activities to reduce the number of security incidents incurred by their organizations. For example, they deploy firewalls and intrusion detection systems, assess systems for vulnerabilities, and audit them for misconfigurations. These preventive actions eliminate many security weaknesses and undoubtedly reduce the number of incidents. However, significant weaknesses can still be found in many organizations. These security weaknesses are often caused by weak policies or processes, including:

  • Limiting vulnerability assessments to scanning servers while omitting applications, network devices, and endpoints;
  • Hardening server operating systems but not middleware, databases, or enterprise applications such as email;
  • Lacking a comprehensive inventory of all Internet-facing systems and not ensuring that all are managed;
  • Configuration-management and change-management processes reintroducing old weaknesses when deploying new systems, especially virtual machines.

Remove Security Weaknesses By Building Strength

As with removing weakness from our physical bodies, removing security weaknesses is best accomplished by focusing on building strength. And it is best to start gradually with a balanced program and take a long-term view.

Strengthen your core: Institute a program that includes vulnerability assessment and configuration auditing and integrate it with patch and configuration-management processes. Many of the core muscles in your pelvis, lower back, hips, and abdomen are overlooked because they are hidden beneath exterior muscles (and flab). Likewise, it is easy for vulnerability assessment and configuration auditing to overlook network devices, middleware, databases, applications, and mobile endpoints. These should all be treated as part of the security core and must be included in a basic program, even if special effort is required to locate and strengthen them.

Many organizations’ networks include IoT (Internet of Things) devices such as medical equipment or industrial control systems that cannot be actively scanned. Fortunately, passive vulnerability scanners are available to identify the devices and their associated vulnerabilities based on monitoring network traffic.

Be consistent: Sporadic physical exercise has limited value, and it often makes you ache. In security, “be consistent” translates into “be continuous.” Performing vulnerability assessments and configuration audits only infrequently leaves you exposed to weaknesses caused by new vulnerabilities, new (and possibly unmanaged) assets on the network, and changes to existing assets. Strong security includes continuous network monitoring to detect and remove weaknesses as soon as they arise.

An important by-product of continuous monitoring is that remediation and mitigation workloads are smoothed out and can more easily be incorporated into ongoing work routines without creating major disruptions.

Identify and strengthen specific weaknesses: Even with insight into vulnerabilities (their severity, their exploitability, and whether a corresponding exploit exists) and into misconfigurations, a network will likely have specific weaknesses that must be identified, prioritized, and removed. Attack-path analysis is analogous to a personal trainer who points out specific weaknesses that should be strengthened. It identifies the vulnerable and exploitable systems that an adversary could use as stepping stones to reach high-value resources. Attack-path analysis provides the insight needed to focus remediation and mitigation efforts.

Monitor your activity: As evidenced by the success of Fitbit® wearable activity trackers, monitoring activity levels can provide insight into our overall health. Despite mature vulnerability management, configuration management, and patch management, it is still possible for adversaries to look for and exploit weaknesses to gain access to enterprise data. Therefore, security practitioners need to look for weaknesses on the network that may indicate potential paths that are being tested by adversaries or that may have been exploited by malware. These paths may include Internet-facing services that are known to be exploitable, or internal applications that trust exploitable clients that also connect to the Internet.
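As an added illustration of the stepping-stone reasoning in the two paragraphs above (example code written for this page, not Tenable's product logic or anything from the original article): over a constructed asset inventory and trust map, enumerate paths that start at an Internet-facing exploitable host, pass only through exploitable internal systems, and end at a high-value asset, then rank the intermediate hosts by how many paths each one carries so remediation removes the most paths first. All host names, attributes and trust relationships are constructed.

```python
from collections import Counter

# Constructed inventory (hypothetical, not from the article): host -> attributes.
HOSTS = {
    "web-dmz":    {"internet_facing": True,  "exploitable": True,  "high_value": False},
    "vpn-gw":     {"internet_facing": True,  "exploitable": False, "high_value": False},
    "laptop-17":  {"internet_facing": True,  "exploitable": True,  "high_value": False},
    "app-crm":    {"internet_facing": False, "exploitable": True,  "high_value": False},
    "app-hr":     {"internet_facing": False, "exploitable": True,  "high_value": False},
    "db-cust":    {"internet_facing": False, "exploitable": False, "high_value": True},
    "db-payroll": {"internet_facing": False, "exploitable": True,  "high_value": True},
}

# Constructed trust map: TRUST[a] lists the hosts that accept connections from a.
TRUST = {
    "web-dmz":   ["app-crm"],
    "vpn-gw":    ["app-crm", "app-hr"],
    "laptop-17": ["app-crm", "app-hr"],
    "app-crm":   ["db-cust"],
    "app-hr":    ["db-payroll"],
}


def attack_paths(hosts, trust):
    """Paths that start at an Internet-facing exploitable host, pass only through
    exploitable hosts, and end at the first high-value asset reached. The final
    asset is reached through trust alone, so it need not be exploitable itself."""
    paths = []

    def walk(node, path):
        if hosts[node]["high_value"]:
            paths.append(path)
            return
        for nxt in trust.get(node, []):
            if nxt in path:  # ignore cycles
                continue
            if hosts[nxt]["exploitable"] or hosts[nxt]["high_value"]:
                walk(nxt, path + [nxt])

    for name, attrs in hosts.items():
        if attrs["internet_facing"] and attrs["exploitable"]:
            walk(name, [name])
    return paths


def remediation_priority(paths):
    """Rank stepping stones (hosts strictly inside a path) by the number of paths
    they carry: fixing the most shared one removes the most paths per effort."""
    counts = Counter(host for path in paths for host in path[1:-1])
    return counts.most_common()
```

With the constructed data, vpn-gw is Internet-facing but not exploitable, so it starts no path, and app-crm ranks first because two of the three paths run through it.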

Watch for warning signs: Just as an increase in body temperature indicates a potential illness, increases or changes in network activity may indicate a weakness that is being or has been exploited. Detecting anomalous behavior assumes that normal behavior is known. Trusted connections, traffic volume (by each hour of the day), and user activity must be profiled so significant deviations from normal behavior will be noticed if and when they occur.
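An added example of the hour-of-day profiling just described (written for this page, not code from the article or from Tenable): build a per-hour baseline from a constructed two-week traffic history using the median and MAD, which tolerate the occasional spike in the history, and flag hours whose observed volume deviates sharply from that baseline. The history, the threshold of 6.0, and the 1.4826 MAD-to-standard-deviation scaling are assumptions of the example.

```python
import statistics

# Constructed history (hypothetical, not from the article): 14 days of traffic
# volume in MB per hour on one trusted connection, indexed history[day][hour].
def constructed_history(days=14):
    history = []
    for d in range(days):
        day = []
        for h in range(24):
            base = 50 if 8 <= h < 18 else 5           # business hours vs. night
            day.append(base + (d * 7 + h * 3) % 5)    # deterministic jitter 0..4
        history.append(day)
    return history


def hourly_profile(history):
    """Per-hour-of-day baseline as (median, MAD). Robust statistics keep one
    past spike from inflating the baseline and hiding the next one."""
    profile = []
    for h in range(24):
        samples = [day[h] for day in history]
        med = statistics.median(samples)
        mad = statistics.median([abs(x - med) for x in samples]) or 1.0
        profile.append((med, mad))
    return profile


def flag_deviations(profile, today, threshold=6.0):
    """Return (hour, observed, baseline_median) for each hour whose robust
    z-score |x - median| / (1.4826 * MAD) exceeds the threshold."""
    flags = []
    for hour, observed in enumerate(today):
        med, mad = profile[hour]
        score = abs(observed - med) / (1.4826 * mad)
        if score > threshold:
            flags.append((hour, observed, med))
    return flags


if __name__ == "__main__":
    profile = hourly_profile(constructed_history())
    today = [med for med, _ in profile]
    today[3] = 400  # constructed 03:00 spike against a night-time baseline near 5 MB
    print(flag_deviations(profile, today))
```

The same 400 MB at 13:00 would still be flagged here, but a 60 MB hour would be flagged only at night, which is the point of profiling each hour separately rather than the day as a whole.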

Preventing problems by strengthening security is often more effective and less expensive than reacting to breaches after they occur. However, both prevention and detection are necessary. When breaches occur, it is important to incorporate lessons learned into preventive measures to strengthen your security posture to prevent similar incidents in the future.

Please join Tenable’s upcoming webcast, 10 Weaknesses You May Not Know About, for more insights.

Ted Gary is Tenable's Sr. Product Marketing Manager for Tenable's SecurityCenter Continuous View product. He is responsible for translating the rich features of SecurityCenter into solutions for compelling problems faced by information security professionals. Ted has nearly ...