Many security teams engage in preventive activities to reduce the number of security incidents incurred by their organizations. For example, they deploy firewalls and intrusion detection systems, assess systems for vulnerabilities, and audit them for misconfigurations. These preventive actions eliminate many security weaknesses and undoubtedly reduce the number of incidents. However, significant weaknesses can still be found in many organizations. These security weaknesses are often caused by weak policies or processes, including:
- Limiting vulnerability assessments to scanning servers while omitting applications, network devices, and endpoints;
- Hardening server operating systems but not middleware, databases, or enterprise applications such as email;
- Lacking a comprehensive inventory of all Internet-facing systems and not ensuring that all are managed;
- Configuration-management and change-management processes reintroducing old weaknesses when deploying new systems, especially virtual machines.
Remove Security Weaknesses By Building Strength
As with removing weakness from our physical bodies, removing security weaknesses is best accomplished by focusing on building strength. And it is best to start gradually with a balanced program and take a long-term view.
Strengthen your core: Institute a program that includes vulnerability assessment and configuration auditing and integrate it with patch and configuration-management processes. Many of the core muscles in your pelvis, lower back, hips, and abdomen are overlooked because they are hidden beneath exterior muscles (and flab). Likewise, it is easy for vulnerability assessment and configuration auditing to overlook network devices, middleware, databases, applications, and mobile endpoints. These should all be included as part of the security core and must be included in a basic program, even if special effort is required to locate and strengthen them.
Many organizations’ networks include IoT (Internet of Things) devices such as medical equipment or industrial control systems that cannot be actively scanned. Fortunately, passive vulnerability scanners are available to identify the devices and their associated vulnerabilities based on monitoring network traffic.
Be consistent: Sporadic physical exercise has limited value, and it often makes you ache. In security, “be consistent” translates into “be continuous.” Performing vulnerability assessment and configuration audits only infrequently leaves the organization exposed to weaknesses caused by new vulnerabilities, new (and possibly unmanaged) assets on the network, and changes to existing assets. Strong security includes continuous network monitoring to detect and remove weaknesses as soon as they arise.
An important by-product of continuous monitoring is that remediation and mitigation workloads are smoothed out and can more easily be incorporated into ongoing work routines without creating major disruptions.
Identify and strengthen specific weaknesses: Even with insight into vulnerabilities (their severity, their exploitability, and whether a working exploit exists) and misconfigurations, a network will likely have specific weaknesses that must be identified, prioritized, and removed. Attack-path analysis is analogous to a personal trainer who points out specific weaknesses that should be strengthened. It identifies the specific vulnerable and exploitable systems that can be used as stepping stones by an adversary to gain access to high-value resources. Attack-path analysis provides insight to inform remediation and mitigation efforts.
Monitor your activity: As evidenced by the success of Fitbit® wearable activity trackers, monitoring activity levels can provide insight into our overall health. Despite mature vulnerability management, configuration management, and patch management, it is still possible for adversaries to look for and exploit weaknesses to gain access to enterprise data. Therefore, security practitioners need to look for weaknesses on the network that may indicate potential paths that are being tested by adversaries or that may have been exploited by malware. These paths may include Internet-facing services that are known to be exploitable, or internal applications that trust exploitable clients that also connect to the Internet.
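The two preceding sections describe attack-path analysis in words: find the exploitable systems an adversary could chain together, from something exposed to the Internet through to a high-value resource, including the case of an internal application that trusts an exploitable client. The following is an added illustration, not Tenable's code or the product's algorithm. It assumes a small constructed inventory (hypothetical hostnames, attributes, and trust relationships as they might be derived from firewall rules or connection logs), walks every stepping-stone path, and ranks hosts by how many paths their remediation would remove.

```python
from collections import Counter
from typing import Dict, List, Set, Tuple

Host = Dict[str, bool]

# Constructed sample inventory (hypothetical hostnames and attributes, not real data).
#   exposed:     reachable from the Internet, either as an Internet-facing service or
#                as a client that browses out to the Internet (the second case in the text)
#   exploitable: carries a vulnerability for which a working exploit is known to exist
#   high_value:  holds data the organization most needs to protect
HOSTS: Dict[str, Host] = {
    "web-01":   {"exposed": True,  "exploitable": True,  "high_value": False},
    "web-02":   {"exposed": True,  "exploitable": False, "high_value": False},
    "app-01":   {"exposed": False, "exploitable": True,  "high_value": False},
    "wkstn-07": {"exposed": True,  "exploitable": True,  "high_value": False},  # outdated client software
    "crm-app":  {"exposed": False, "exploitable": True,  "high_value": False},  # trusts wkstn-07
    "db-01":    {"exposed": False, "exploitable": True,  "high_value": True},
    "hr-db":    {"exposed": False, "exploitable": False, "high_value": True},
}

# Constructed trust relationships: source -> hosts it is allowed to connect to.
TRUSTS: Dict[str, Set[str]] = {
    "web-01":   {"app-01", "crm-app"},
    "web-02":   {"app-01"},
    "app-01":   {"db-01"},
    "wkstn-07": {"crm-app"},
    "crm-app":  {"db-01", "hr-db"},
}


def entry_points(hosts: Dict[str, Host]) -> List[str]:
    """Hosts an adversary can compromise directly: exposed AND exploitable."""
    return sorted(h for h, a in hosts.items() if a["exposed"] and a["exploitable"])


def find_attack_paths(hosts: Dict[str, Host], trusts: Dict[str, Set[str]]) -> List[List[str]]:
    """Enumerate simple paths from every entry point to every high-value host.
    The walk only steps onto exploitable hosts, because an adversary cannot use
    a host as a stepping stone without first compromising it."""
    paths: List[List[str]] = []

    def walk(current: str, path: List[str]) -> None:
        if hosts[current]["high_value"]:
            paths.append(list(path))
        for nxt in sorted(trusts.get(current, ())):
            if nxt in path or not hosts[nxt]["exploitable"]:
                continue
            path.append(nxt)
            walk(nxt, path)
            path.pop()

    for entry in entry_points(hosts):
        walk(entry, [entry])
    return paths


def remediation_priority(paths: List[List[str]]) -> List[Tuple[str, int]]:
    """Rank hosts by the number of attack paths they sit on; fixing the top
    host removes the most paths at once."""
    counts = Counter(h for p in paths for h in set(p))
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def paths_after_fix(hosts: Dict[str, Host], trusts: Dict[str, Set[str]], fixed: str) -> List[List[str]]:
    """Simulate remediating `fixed` (it is no longer exploitable) and return the
    attack paths that remain, so the effect of a fix can be checked before work starts."""
    patched = {h: dict(a) for h, a in hosts.items()}
    patched[fixed]["exploitable"] = False
    return find_attack_paths(patched, trusts)


if __name__ == "__main__":
    found = find_attack_paths(HOSTS, TRUSTS)
    for p in found:
        print(" -> ".join(p))
    print("remediation priority:", remediation_priority(found))
    print("paths left after fixing crm-app:", len(paths_after_fix(HOSTS, TRUSTS, "crm-app")))
```

In the constructed data, web-02 is Internet-facing but not exploitable, so it is not an entry point, and hr-db is high-value but not exploitable, so no path ends there; the workstation path (wkstn-07 to crm-app to db-01) is exactly the "internal application that trusts an exploitable client" case. The ranking is deliberately simple (path count only); a real program would weight by asset value and exploit maturity as the text describes.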
Watch for warning signs: Just as an increase in body temperature indicates a potential illness, increases or changes in network activity may indicate a weakness that is being or has been exploited. Detecting anomalous behavior assumes that normal behavior is known. Trusted connections, traffic volume (by hour of day), and user activity must be profiled so that significant deviations from normal behavior will be noticed if and when they occur.
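To make the profiling step concrete, here is an added example (not code from the original post or from Tenable) of the two baselines the paragraph names: traffic volume by hour of day, and the set of trusted connections. All input is constructed: a hypothetical office-hours traffic shape with seeded jitter stands in for two weeks of measurements, and the flow records use made-up private addresses. New observations are compared against those baselines, and anything that deviates sharply in either direction is reported.

```python
import random
import statistics
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

Profile = Dict[int, Tuple[float, float]]   # hour of day -> (mean bytes, stdev bytes)
ConnKey = Tuple[str, str, int]             # (src, dst, dport)


def _expected_bytes(hour: int) -> int:
    """Constructed 'normal' shape for one segment: busy in office hours, quiet at night."""
    return 40_000 if 8 <= hour < 18 else 1_000


def constructed_baseline(days: int = 14, seed: int = 7) -> List[Dict[int, int]]:
    """Constructed data: `days` days of hourly volumes with +/-10% jitter around the shape."""
    rng = random.Random(seed)
    return [{h: int(_expected_bytes(h) * rng.uniform(0.9, 1.1)) for h in range(24)}
            for _ in range(days)]


def build_hourly_profile(days: Iterable[Dict[int, int]]) -> Profile:
    """Mean and standard deviation of volume for each hour of day across the baseline days."""
    per_hour: Dict[int, List[int]] = defaultdict(list)
    for day in days:
        for hour, volume in day.items():
            per_hour[hour].append(volume)
    return {h: (statistics.mean(v), statistics.pstdev(v)) for h, v in per_hour.items()}


def volume_anomalies(profile: Profile, observations: Iterable[Tuple[int, int]],
                     z_threshold: float = 3.0) -> List[Tuple[int, int, float]]:
    """Flag (hour, bytes) observations whose z-score against that hour's baseline exceeds
    the threshold in either direction. The stdev is floored at 5% of the mean so that a
    very flat baseline does not turn trivial fluctuations into alerts."""
    flagged = []
    for hour, volume in observations:
        mean, stdev = profile[hour]
        stdev = max(stdev, 0.05 * mean)
        z = (volume - mean) / stdev
        if abs(z) > z_threshold:
            flagged.append((hour, volume, round(z, 1)))
    return flagged


# Constructed flow records: "timestamp src dst dport bytes" (hypothetical addresses).
BASELINE_FLOWS = """\
2024-03-04T09:14:02Z 10.0.5.23 10.0.9.8 443 18200
2024-03-04T09:20:11Z 10.0.5.41 10.0.9.8 443 9100
2024-03-04T10:02:45Z 10.0.9.8 10.0.20.5 5432 44000
2024-03-05T09:16:30Z 10.0.5.23 10.0.9.8 443 17500
2024-03-05T10:05:01Z 10.0.9.8 10.0.20.5 5432 45100
"""
NEW_FLOWS = """\
2024-03-12T02:41:19Z 10.0.5.23 10.0.20.5 5432 30500
2024-03-12T09:15:48Z 10.0.5.23 10.0.9.8 443 18900
"""


def parse_flows(text: str) -> List[Tuple[str, ConnKey, int]]:
    """Parse the constructed flow format into (timestamp, (src, dst, dport), bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append((ts, (src, dst, int(dport)), int(nbytes)))
    return records


def build_connection_baseline(records: Iterable[Tuple[str, ConnKey, int]]) -> Set[ConnKey]:
    """The set of (src, dst, dport) triples seen during the baseline period."""
    return {key for _, key, _ in records}


def untrusted_connections(baseline: Set[ConnKey],
                          records: Iterable[Tuple[str, ConnKey, int]]) -> List[Tuple[str, ConnKey]]:
    """Connections never seen in the baseline, e.g. a workstation talking straight to
    the database tier at 02:41, which bypasses the application it normally goes through."""
    return [(ts, key) for ts, key, _ in records if key not in baseline]


if __name__ == "__main__":
    profile = build_hourly_profile(constructed_baseline())
    print(volume_anomalies(profile, [(3, 30_000), (14, 41_000), (14, 5_000)]))
    known = build_connection_baseline(parse_flows(BASELINE_FLOWS))
    print(untrusted_connections(known, parse_flows(NEW_FLOWS)))
```

The z-score check is the simplest per-hour model that works; its value is that the same 30,000 bytes is unremarkable at 14:00 and alarming at 03:00, which a single global threshold cannot express. A sharp drop is flagged as well, since "changes" in activity, not only increases, are the warning sign the text describes. The connection baseline needs a long enough observation window to include legitimate but infrequent flows (month-end jobs, for example), or those will show up as false positives.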
Preventing problems by strengthening security is often more effective and less expensive than reacting to breaches after they occur. However, both prevention and detection are necessary. When breaches occur, it is important to incorporate lessons learned into preventive measures to strengthen your security posture to prevent similar incidents in the future.
Please join Tenable’s upcoming webcast, 10 Weaknesses You May Not Know About, for more insights.