Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

6/26/2020
10:00 AM
Yaniv Bar-Yadan
Yaniv Bar-Yadan
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Good Cyber Hygiene in a Pandemic-Driven World Starts with Us

Three ways that security teams can improve processes and collaboration, all while creating the common ground needed to sustain them.

We've seen COVID-19 infection curves flatten when people are conscientious about recommended pandemic hygiene, such as social distancing and wearing a mask. As we start to re-emerge from quarantine, it serves as a powerful example of what can be accomplished if security and IT teams approach cyber hygiene with the same rigor and sense of urgency. Effective cyber hygiene requires a level of cross-team collaboration, which is rarely the norm. Here are three ways security teams can make effective improvements while creating the common ground needed to sustain them.

Seek to Understand and Empathize
Corporate IT teams remain surprisingly siloed, which makes fundamental yet essential cyber hygiene functions such as vulnerability and patch management difficult to do well. Reducing vulnerability-related IT risk isn't possible without contributions from both security and IT operations teams. Teamwork is hard, and even simple cyber hygiene workflows are easily complicated, often by the division of labor across different teams. 

Security teams are usually the ones that find vulnerabilities, while other IT teams (mainly IT operations and DevOps teams) are the ones that fix the issues. When those fixes don't work as planned, it can impede their ability to preserve the availability and reliability of infrastructure. The bottom line is that full-stack security isn't trivial and requires compromise and collaboration across all stakeholders. 

As the pandemic has reminded us, the simple act of connecting with another human being can have a profound impact on the personal and professional resilience of all parties. Take the initiative to reach out to colleagues on other teams. Ask what a successful day looks like for them, about the tools they use and love, the processes that work well and don't work at all. With normal processes and interpersonal communications upended, now's the time for security teams to connect with their counterparts on other teams and (re)forge the connections that lead to productive partnerships.

Intelligent Vulnerability Remediation Goes Beyond Patch Management
According to Imperva, there were more than 20,000 new vulnerabilities reported in 2019. Unfortunately, handling the influx of all these new security threats remains a largely manual and error-prone process. And we all know patches can easily break more things than they fix. But patching is not the only remedy for security vulnerabilities. Configuration-based remediation options such as closing down firewall ports can be used to close security gaps quickly, even if only used as a temporary stopgap until a more robust solution can be implemented. 

It's difficult for IT operations teams to source and compile the patches, workarounds, configuration changes, and compensating controls needed to remediate an avalanche of vulnerabilities every week. Using remediation repositories that store what can also be called remediation intelligence, the vulnerability management equivalent of threat intel, security teams can help to lighten their load. Instead of tossing a list of unprioritized vulnerabilities over the cubicle wall for the IT team to deal with, remediation intelligence enables security teams to take a more active and collaborative role in closing tickets.

From using Ansible playbooks or Chef recipes to patch a Linux server to preventing exploits by updating a firewall configuration, remediation intelligence enables security teams to help IT operations teams determine the best fix for their environment. Take this time to figure out how your security and IT teams can use remediation intelligence to streamline infrastructure security. 

Re-Evaluate Remediation KPIs to Ensure Relevancy 
Security operations teams often rely on industry-standard benchmarks to prioritize the execution of cyber hygiene workflows, but many of those metrics are outdated or have become dangerously misleading. For example, prioritizing remediation based solely on a vulnerability's Common Vulnerability Scoring System (CVSS) score is still a common but highly flawed practice. CVSS scores are essential for benchmarking the criticality of a vulnerability, but not how critical the threat is to the assets in a unique environment. 

So, what metrics should be used to guide and prioritize the efficient work of vulnerability remediation? Here are a few of my favorites. While these are metrics used by security teams, strong cross-team support leads to greater control over these benchmarks.

  • Coverage: Does the security team have sufficient vulnerability scanning in place for all business-critical systems and applications? Are there any blind spots? Coverage clarity across the full scope of risks, known and unknown, is necessary for comprehensive security.

  • Vulnerability dwell time: The time between vulnerability disclosure and published exploit of the vulnerability in the wild has contracted substantially over the last couple of years, from weeks to days. The longer the vulnerability dwell time, or the time the vulnerability is persistent in the environment, the greater chance it will be exploited.
     
  • SLA goals versus actual remediation results: By evaluating remediation results against goals outlined in service-level agreements with the business, you can gauge how well your team has met its stated operational and risk management goals, why or what not, and how to improve.
     
  • A commonsense risk model: Just because an Oracle vulnerability has a CVSS score of 10 doesn't mean it matters to your organization if you don't run any Oracle. But if significant components of your infrastructure run on Oracle, you'd want these vulnerabilities to be flashing red on the remediation list.

As Rahm Emanuel (via Winston Churchill) famously said, "Never let a good crisis go to waste." Change at scale is never easy, but the pandemic has created a once-in-a-career opportunity to make material improvements to cyber hygiene practices.

Related Content:

 
 
 
 
 
Learn from industry experts in a setting that is conducive to interaction and conversation about how to prepare for that "really bad day" in cybersecurity. Click for more information and to register for this On-Demand event. 
 

With over a decade of cybersecurity experience under his belt, Yaniv has spent years working with some of the largest companies in the world. With his "solutions, not problems" mindset, Yaniv had co-founded Vulcan Cyber in order to do just that - enable security teams to ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/29/2020 | 9:48:15 PM
Learn
Never let a good crisis go to waste Good to remember. We can really learn from each crises
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/29/2020 | 9:46:20 PM
Remediation
Using remediation repositories that store what can also be called remediation intelligence Lessons learned on remediation and building intelligence on every incident is critical.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/29/2020 | 9:43:23 PM
Collaboration
now's the time for security teams to connect with their counterparts on other teams and (re)forge the connections that lead to productive partnerships. I agree, this collaboration would be critical for is to be successful in todays environment.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/29/2020 | 9:41:00 PM
IT Teams
As the pandemic has reminded us, the simple act of connecting with another human being can have a profound impact on the personal and professional resilience of all parties IT teams should not be impacted with the pandemic, we should be able to connect while we are distant to each other.
Dr.T
50%
50%
Dr.T,
User Rank: Ninja
6/29/2020 | 9:39:07 PM
Everybody
The bottom line is that full-stack security isn't trivial and requires compromise and collaboration across all stakeholders. Security is everybodys responsibility, obviously full-stuck security is better way to go.
Dan@12345
50%
50%
[email protected],
User Rank: Apprentice
6/27/2020 | 7:12:34 PM
wow
Thank You for sharing this information
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...