From a penetration tester’s perspective, there are a few things that quickly indicate an organization’s maturity (and the likelihood our team will be able to exploit their environment). If any of these exist, the chance we will be able to successfully breach their environment increases:
Indicators a Hacker Can Breach Your Systems
Aging Infrastructure
One of the first things we do in a penetration test engagement is take an inventory of systems. This inventory helps our team perform system-specific research into potential vulnerabilities we may be able to use to breach the system. Many older systems are no longer supported by the manufacturer or simply aren’t well maintained by the company. As a result, there are more vulnerabilities available that hackers can use to exploit the system.
Flat networks (subnetting is not segmentation)
If your network is not segmented (i.e., there are no walls between systems), a penetration tester can more easily access more of your systems. The more systems and data available to the hacker, the more systems we can attempt to exploit and the more data we can attempt to steal (i.e., the greater our ability to pivot and escalate privileges). This is similar to a burglar who breaks into a house. If everything is right inside the front door, it can be taken without much effort. If every door in the house is locked and your valuables are stored in a safe, then the thief has to work harder to access your possessions.
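To make "subnetting is not segmentation" concrete, the following added example (not from the original article) audits a first-match ACL between subnets and lists every pair that can still talk on all ports. The subnet names, addresses and rules are constructed sample data, and the rule format is an assumption for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed sample data: three subnets and the ACL between them.
SUBNETS = {
    "workstations": "10.0.10.0/24",
    "servers": "10.0.20.0/24",
    "payments": "10.0.30.0/24",
}
# Assumed rule format: (source, destination, port, action); first match wins.
ACL = [
    ("10.0.10.0/24", "10.0.30.0/24", "any", "deny"),
    ("10.0.20.0/24", "10.0.30.0/24", "443", "permit"),
    ("10.0.0.0/16", "10.0.0.0/16", "any", "permit"),  # catch-all left in place
]
DEFAULT_ACTION = "deny"


def action_for_unlisted_port(src, dst, acl):
    """Action applied to traffic on a port that no port-specific rule names.

    Port-specific rules cannot match such traffic, so the first covering
    rule with port "any" decides; with no such rule the default applies.
    """
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for rule_src, rule_dst, port, action in acl:
        if port != "any":
            continue
        if s.subnet_of(ipaddress.ip_network(rule_src)) and \
           d.subnet_of(ipaddress.ip_network(rule_dst)):
            return action
    return DEFAULT_ACTION


def unrestricted_pairs(subnets, acl):
    """Directed subnet pairs where arbitrary ports are permitted (no wall)."""
    return sorted(
        (a, b) for a, b in permutations(subnets, 2)
        if action_for_unlisted_port(subnets[a], subnets[b], acl) == "permit"
    )


if __name__ == "__main__":
    for a, b in unrestricted_pairs(SUBNETS, ACL):
        print(f"no segmentation: {a} -> {b}")
```

Only workstations to payments is actually walled off here; the port 443 rule for servers to payments restricts nothing because the catch-all permit below it still allows every other port.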
Unpatched Systems
No technology is perfect, and without ongoing maintenance it becomes vulnerable to hackers. As a result, your organization must have a process to patch systems on an ongoing basis. If your organization doesn’t have a disciplined patch management program, it virtually guarantees a well-known vulnerability is present somewhere in the environment. Since vendors almost always release patches for serious technical vulnerabilities, not applying them makes a hacker’s job easier.
Here are a few examples of critical vulnerabilities that have been resolved by patches: Heartbleed (CVE-2014-0160), EternalBlue (CVE-2017-0144), and Intel AMT Auth Bypass (CVE-2017-5689).
Penetration Testing is a Good Start, But Won’t Solve Your Problems
The Good
Penetration testing is a highly effective method to prompt organizational change. If an expert successfully breaks into your network it is proof positive that a legitimate threat would be able to exploit vulnerabilities. This is strong motivation for leadership to dedicate time and resources to information security maturity. Penetration testing is also an excellent opportunity to consider your overall security architecture and work with a professional to build solutions that fit your organization’s goals.
The Bad
While penetration testing is a vital component of an information security program, the downside is that many organizations operate under the false premise that if they fix all of the results of a penetration test, their assets are secure. Penetration testing provides visibility for the point in time the test was performed, against the systems that were tested, and the techniques that were leveraged by the penetration tester. Even if the penetration tester was thorough, there could be other paths into your network. Additionally, even if you solve all of the identified issues, new vulnerabilities are discovered daily.
Continuous Vulnerability Management is a Better Security Solution
Because your environment is constantly changing (e.g., new vulnerabilities are discovered, new systems are added to your environment), security must be a continuously evolving element within your business. One of the best solutions is to continuously assess and mature your environment.
Continuous vulnerability management programs consist of three key elements: Policy, Scanning Engine, and Corrective Actions.
Vulnerability Management Policy
The vulnerability management policy defines leadership’s expectations for identifying and correcting vulnerabilities. This includes the frequency of scans, the speed with which issues must be corrected, and how results should be reported to management.
Vulnerability Scanning
A variety of tools will automatically scan your environment (typically daily) to identify issues and report them to management.
Corrective Action
When issues are identified during scanning, the issues must be resolved in a timely manner (per the policy). This is often when things break down. In many environments there are dozens (or hundreds) of issues to correct, numerous systems to track, multiple business units, and dozens of users tracking issues. If processes and tools do not exist to help the team assign and track issues to final remediation – the program will fail.
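The following added example (not part of the original article or of any product it mentions) shows how the three elements connect: a policy expressed as remediation deadlines, scan findings, and a corrective-action report of what is overdue and who owns it. The SLA values, hosts, owners, dates and severity ratings are constructed assumptions; only the CVE identifiers come from the article.

```python
from collections import Counter
from datetime import date, timedelta

# Assumed policy: days allowed to remediate, by severity (not from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed scan findings; hosts, owners, dates and severities are made up.
FINDINGS = [
    {"host": "web01", "cve": "CVE-2014-0160", "severity": "critical",
     "first_seen": date(2024, 1, 2), "fixed_on": None, "owner": "web-team"},
    {"host": "fs02", "cve": "CVE-2017-0144", "severity": "critical",
     "first_seen": date(2024, 1, 20), "fixed_on": None, "owner": "infra"},
    {"host": "mgmt03", "cve": "CVE-2017-5689", "severity": "high",
     "first_seen": date(2024, 1, 5), "fixed_on": None, "owner": "infra"},
    {"host": "fs01", "cve": "CVE-2017-0144", "severity": "critical",
     "first_seen": date(2024, 1, 2), "fixed_on": date(2024, 1, 15),
     "owner": "infra"},
]


def due_date(finding):
    """Deadline the policy sets for a finding, counted from first detection."""
    return finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])


def open_overdue(findings, today):
    """Unfixed findings past their deadline, most overdue first."""
    rows = [(f["host"], f["cve"], (today - due_date(f)).days)
            for f in findings
            if f["fixed_on"] is None and today > due_date(f)]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def overdue_by_owner(findings, today):
    """Count of open, overdue findings per owning team, for reporting."""
    late = {(host, cve) for host, cve, _ in open_overdue(findings, today)}
    return Counter(f["owner"] for f in findings
                   if (f["host"], f["cve"]) in late)


def late_fixes(findings):
    """Findings that were fixed, but after the deadline (days late)."""
    return [(f["host"], f["cve"], (f["fixed_on"] - due_date(f)).days)
            for f in findings
            if f["fixed_on"] and f["fixed_on"] > due_date(f)]


if __name__ == "__main__":
    today = date(2024, 1, 31)
    print(open_overdue(FINDINGS, today))
    print(dict(overdue_by_owner(FINDINGS, today)))
    print(late_fixes(FINDINGS))
```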
Phalanx – risk3sixty’s Vulnerability Management Platform
If you are considering implementing a continuous vulnerability management program, we can help. Phalanx combines vulnerability management policy, scanning, and project management tools in a single platform to make continuous vulnerability management achievable for any organization. If you would like to learn more about our platform – Contact Us.