Published on Jun 20, 2024

How to prioritize your information system's vulnerabilities?

The expansion of the attack surface has become one of the main trends in risk management and cybersecurity. The search for and prioritization of vulnerabilities in an information system are, in turn, major concerns. The aim of vulnerability management is to identify, prioritize and correct security flaws before they are exploited by malicious actors.

How can you identify and correct vulnerabilities in your information system? What steps should you take to integrate vulnerability management into your IT security policy? Let's take a closer look with François Devienne, Head of Operational Security at OverSOC.

What is a computer vulnerability?

Common types of vulnerabilities

A "vulnerability" is a security flaw in an information system. It may originate in a network, a service, a hardware component or software. The most common vulnerabilities are "Zero-Day" vulnerabilities (vulnerabilities in an operating system or software that have not yet been discovered or corrected) and configuration flaws.

Source: Full disclosure timeline, CERT Orange Cyberdefense, Vulnerability Intelligence Watch department, 2019

While some vulnerabilities, such as the "Zero-Day" flaws, can be attributed to solution vendors (who are responsible for making patches available and publishing notices or alerts), other vulnerabilities can originate from a company itself, for example in the case of a misconfiguration.

Source: Correction Timeline, CERT Orange Cyberdefense, Vulnerability Intelligence Watch department, 2019

The consequences of unaddressed vulnerabilities

"An unpatched vulnerability is an entry point into an information system and a potential attack vector, even more so if the machines are exposed on the Internet," explains François Devienne.

Code injection, for example, makes it possible to take control of a machine and then create a pivot to connect elsewhere in the IS, culminating in a successful elevation of privileges.

Step 1: Identify vulnerabilities

The importance of IT security intelligence

"Identifying vulnerabilities relies on regular monitoring," notes François Devienne.

This stage requires proactive information gathering, via CERT publications or security bulletins issued by software publishers, for example, in order to keep abreast of updates available for the operating systems and software used. "Listing the various OSs and tools in use on an information system map will facilitate monitoring," he adds.

Using vulnerability scans

In addition to monitoring, the use of vulnerability scanners enables you to test your various assets and reveal potential vulnerabilities in certain operating systems, modules or applications, based on scripts. The use of these tools (open source or proprietary) "industrializes" the search for vulnerabilities and provides good visibility on the state of the installed base.

Step 2: Vulnerability assessment

Vulnerability classification criteria

Severity

With an ever-growing attack surface, companies don't necessarily have the means to correct all the vulnerabilities they detect. How do you sort them out? Firstly, by assessing the severity of vulnerabilities using the CVSS (Common Vulnerability Scoring System) standard.

"CVSS 3.0 assigns each vulnerability a number from 0 to 10. A vulnerability is considered critical when it displays a score between 8 and 10," details François Devienne.

CVSS score

Exploitability

Severity is not the only metric to consider. It is also necessary to know whether the vulnerability in question is "exploitable" and "exploited" (information often mentioned in the security bulletin). The exploitability index or EPSS (Exploit Prediction Scoring System) indicates the probability of a vulnerability being exploited.

Use of vulnerability databases

New vulnerabilities are revealed every day, and are freely available on the Internet via vulnerability databases. The cve.mitre.org site (CVE stands for "Common Vulnerabilities and Exposures") has become the benchmark for vulnerabilities, but there are many other sources of information on vulnerabilities and the scores assigned to them.

Step 3: Prioritizing vulnerabilities

Vulnerability prioritization methodologies: assessing criticality

The process of prioritizing vulnerabilities must also take into account the criticality of the assets concerned. A critical and exploitable vulnerability linked to assets exposed on the Internet must be corrected as quickly as possible, all the more so if the assets are linked to sensitive or business-critical data (financial data, for example).

Conversely, a server that has a vulnerability but is not exposed on the Internet and is accessible to very few people will not be considered critical. The vulnerability will not be treated as a priority.

The importance of risk management: prioritizing according to impact and probability

One of the major trends in vulnerability prioritization is the development of a risk-based approach. "In concrete terms, this means that organizations must take into account the likelihood of vulnerabilities being exploited by malicious actors, as well as the impacts (operational, financial, etc.) of successful exploitation," explains François Devienne. The aim of this approach is to prioritize vulnerabilities according to the risks they represent for the organization.

Risk management matrix - probability / impact
Relating the probability obtained to the impact generated gives the level of risk and characterizes the risk according to the matrix above.
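
The probability/impact approach described in Steps 2 and 3, as an added example (not OverSOC's code or method). The matrix cells, the EPSS and CVSS thresholds, the way severity and asset criticality are combined, and the sample findings with placeholder CVE identifiers are all assumptions made for illustration:

```python
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "critical"]
# Assumed 4x4 matrix: row = probability level 1..4, column = impact level 1..4.
MATRIX = [
    ["low",    "low",    "medium",   "medium"],
    ["low",    "medium", "medium",   "high"],
    ["medium", "medium", "high",     "critical"],
    ["medium", "high",   "critical", "critical"],
]

@dataclass
class Finding:
    cve: str          # placeholder identifiers, constructed for this example
    asset: str
    cvss: float       # severity, 0-10
    epss: float       # probability of exploitation, 0-1
    exploited: bool   # security bulletin reports active exploitation
    exposed: bool     # asset reachable from the Internet
    asset_crit: int   # 1 (low) .. 4 (business-critical), from the IS map

def band(value, thresholds):
    """Map a score to a level 1..4 using three ascending thresholds (assumed)."""
    return 1 + sum(value >= t for t in thresholds)

def probability(f):
    level = 4 if f.exploited else band(f.epss, (0.01, 0.10, 0.50))
    return level if f.exposed else max(1, level - 1)  # unexposed: one level lower

def impact(f):
    severity = band(f.cvss, (4.0, 7.0, 9.0))
    return (severity + f.asset_crit + 1) // 2  # mean of the two, rounded up

def risk(f):
    return MATRIX[probability(f) - 1][impact(f) - 1]

def prioritize(findings):
    """Highest risk first; ties broken by EPSS, then CVSS."""
    return sorted(findings, key=lambda f: (-LEVELS.index(risk(f)), -f.epss, -f.cvss))

FINDINGS = [  # constructed sample scan results
    Finding("CVE-XXXX-0001", "web-frontend", 9.8, 0.92, True, True, 4),
    Finding("CVE-XXXX-0002", "build-server", 9.8, 0.03, False, False, 2),
    Finding("CVE-XXXX-0003", "vpn-gateway", 6.5, 0.60, True, True, 3),
    Finding("CVE-XXXX-0004", "hr-intranet", 5.3, 0.002, False, False, 1),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{risk(f):8} {f.cve} on {f.asset} (P{probability(f)}/I{impact(f)})")
```

With these sample values, the exploited CVSS 6.5 flaw on the exposed VPN gateway ranks above the CVSS 9.8 flaw on the unexposed build server, which is the outcome the risk-based approach is meant to produce.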

Step 4: Action plan

Drawing up a remediation plan

Once vulnerabilities have been prioritized, the next step is to set up an organization and processes dedicated to implementing security patches and improving patch management. These elements are formalized in a remediation plan, often led by the CISO or RSO.

The remediation plan lists all the actions to be taken to deal with the vulnerabilities, according to the priorities assigned to them. In concrete terms, this may involve applying a security patch, running a command on a server, or implementing a countermeasure to prevent a vulnerability from being exploited (modifying network architecture, implementing specific filtering or additional access control, etc.).

Allocating resources to correct vulnerabilities

While vendors themselves take charge of patch management for cloud services, vulnerabilities linked to on-premises services have to be patched by the organizations using these services.

The point of formalizing all the actions to be carried out within a remediation plan is precisely to list the various players involved and their roles, so as to facilitate governance and monitoring of vulnerabilities.

"The application of certain security patches can have an impact on service, for example when a server has to be restarted. Teams also need to check backups carefully before installing patches," notes François Devienne.

Tracking and managing security patches

Vulnerability management is a long-term process, which involves checking that security patches have been applied, and regularly rescanning for vulnerabilities. Mapping your information system provides a clear overview of vulnerability management and remediation plan implementation. Mapping the results of vulnerability scans (as OverSOC does) highlights the gap between the vulnerabilities actually corrected and the actions to be taken.

The most exploited vulnerabilities

Here are some of the most widely known and exploited vulnerabilities:

  1. Heartbleed (CVE-2014-0160): A vulnerability in the OpenSSL library that allowed attackers to steal sensitive information, such as private keys, from web servers.
  2. Shellshock (CVE-2014-6271): A vulnerability in Bash, a Unix shell, which allowed attackers to execute malicious commands on vulnerable systems.
  3. WannaCry (CVE-2017-0144): A ransomware that exploited a vulnerability in unpatched Windows systems, causing havoc worldwide.
  4. Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715): Two major vulnerabilities discovered in modern processors that allowed attackers to access sensitive data.
  5. Equifax (CVE-2017-5638): A security flaw in Apache Struts was exploited to compromise the data of over 143 million Equifax customers.
  6. Petya/NotPetya/ExPetr (2017): A ransomware that used a variety of methods to spread, including a vulnerability in Windows called EternalBlue.
  7. KRACK (Key Reinstallation Attacks): A vulnerability in the WPA2 protocol, used to secure Wi-Fi networks, allowing an attacker to decrypt wireless traffic.
  8. Apache Log4j (CVE-2021-44228): A recently discovered vulnerability in the Log4j logging library, which has had a major impact on many applications and systems.
  9. SQL Injection: A common attack technique where attackers insert malicious SQL code into the data entries of a web application to gain access to the database.

It's important to note that the list of vulnerabilities is constantly evolving as new threats and security holes are discovered. To guard against this, it's essential to keep your operating system and software up to date, and implement security measures to protect your information system from known and unknown vulnerabilities.

Additional resources and tools for vulnerability management

- ANSSI "Vulnerability manager" guide  

- CERT-FR security alerts

- Pentests

- Security bulletins from publishers

- Common Vulnerability Scoring System (CVSS)

- Exploit Prediction Scoring System (EPSS)

- Common Vulnerabilities and Exposures (CVE)

The role of Cyber Threat Intelligence

Cyber Threat Intelligence (CTI) is a complementary approach to vulnerability scans, as it enriches the data gathered from other sources. Solutions are now available that enable companies to discover any data leaks on the darknet (customer accounts, e-mail accounts, etc.), so that they can put in place the necessary security patches.

Vulnerability management and prioritization are increasingly becoming key elements of an effective IT security policy. Identifying vulnerabilities is the first step in this process. It enables organizations to gain visibility of the weaknesses in their IS, but it is not sufficient to help them prioritize security patches.

The second step is to assess the severity of the vulnerabilities. Vulnerabilities are then prioritized. The most appropriate security patches can then be deployed. To be fully effective, vulnerability prioritization must now be based on a risk analysis approach.