Consider your vulnerable assets over the long term…
When we talk about vulnerabilities in cybersecurity, we mean weaknesses in a system that allow attackers to compromise the confidentiality, integrity and availability of that system and of the information and services it hosts. In other words, vulnerable assets.
Although this is not always the case, vulnerabilities can often be attributed to defects in the design of a system, which result in its development not following security best practices. In other cases they are the result of technological limitations, because, as we all know, there is no such thing as a 100% secure system.
We know there is a lucrative market for exploits targeting vulnerabilities for which no fix yet exists, but proper management of known vulnerabilities reduces the time of exposure to possible attacks and minimizes the risk of being attacked through known attack vectors.
Many of the best-known cases that have recently become public, and many others that have not, take advantage of vulnerabilities for which a fix was already available but which the organizations had not applied.
In almost all situations, cyber attackers carry out their work in different phases:
- Reconnaissance: the attacker gathers information about the target, usually relying on public sources.
- Preparation: the attacker prepares the artifact it intends to deliver, using particular tactics, techniques and procedures.
- Delivery: the attacker finds a vector for the attack, usually one that relies on human error.
- Exploitation: usually based on exploiting a vulnerability or a suboptimal system configuration, which enables privilege escalation within the compromised system.
- Installation: the main goal is to establish persistence and stay camouflaged to avoid detection while moving laterally within the organization to compromise other systems that are more attractive to the attacker.
- Control: usually for the purpose of exfiltrating, hijacking or destroying information.
- Lastly, demanding a ransom.
This is why automation and early alerting on vulnerable assets play an essential role in cybersecurity management. Automation makes it possible to detect and respond to known threats in the most effective manner, and it is the most effective way to reduce the total exposed surface.
… because it is perseverance that counts
Attackers use increasingly sophisticated methods and devise new types of attack that are difficult to detect. Furthermore, security systems process huge volumes of data from numerous sources, far more than human beings are able to process.
The growing number of threats, combined with the limited human resources dedicated to security, means that at present it takes more than three months to detect a hidden threat in our systems.
Given this, how can a security analyst or administrator make the right decisions about an alert if all the necessary information is not available?
Analysts must rely on the context surrounding an alert to decide which actions to take, and the manual process of gathering information on an organization's entire infrastructure can take days, weeks or even months. Just one figure: in 2021, almost 22,000 vulnerabilities were published, more than 60 each day.
What if we could detect vulnerable assets and receive an alert in real time?
If we can break down the barrier between the ITAM (IT asset management) world and cybersecurity, we can achieve this.
Whereas software and operating system vendors identify and version their products without a standard criterion, in the cybersecurity field this was resolved several years ago: the identification of vulnerabilities has been standardized for some time, and MITRE was in charge of carrying out that task.
Real-time analysis and correlation of all this information is the solution, but we know it is not feasible to have vulnerability scanners analyzing all of our assets continuously. For technological and financial reasons, it is very hard for an organization to be willing to deploy and maintain that entire infrastructure. Moreover, from a strategic and service-delivery standpoint, it is not acceptable to expose our systems to a potential loss of performance, or even to a shutdown of the business.
At present, the solution lies in working with information that is compiled and updated continuously, without having to interact with the systems in operation.
Based on the knowledge provided by discovery and correct management of assets, namely the complete inventory of devices, operating systems and products, their mapping to Common Platform Enumeration (CPE) identifiers, and the broadest possible database of vulnerabilities and products, it is possible to obtain a very advanced view of the security status of any organization.
Once we know which vulnerabilities affect our information systems, we will be in a position to manage them, making decisions in line with the level of risk we are willing to accept.
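The correlation described above, as an added example that is not part of the original post or of any ICA Group product: an ITAM-style inventory already expressed as CPE 2.3 strings is matched against a vulnerability feed that uses NVD-style CPE criteria with version ranges, with no scanner touching the live systems. Vendor and product names, the hosts and the "CVE-0000-NNNN" identifiers are constructed placeholders; the range keys versionStartIncluding and versionEndExcluding follow the NVD naming.

```python
# Added example, not the original post's code: correlate an inventory with a vulnerability
# feed purely by CPE. Vendors, products and "CVE-0000-NNNN" ids are constructed placeholders.
CPE_KEYS = ("part", "vendor", "product", "version", "update", "edition",
            "language", "sw_edition", "target_sw", "target_hw", "other")

def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into named components (escaped colons not handled)."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return dict(zip(CPE_KEYS, fields[2:]))

def version_key(v: str) -> tuple:
    """'2.4.10' -> (2, 4, 10): compare numerically, since '2.4.9' > '2.4.10' as strings."""
    return tuple(int(p) if p.isdigit() else -1 for p in v.split("."))

def cpe_matches(asset_cpe: str, crit: dict) -> bool:
    """crit: a CPE (version may be '*') plus optional NVD-style versionStart/End bounds."""
    a, c = parse_cpe23(asset_cpe), parse_cpe23(crit["cpe"])
    if any(c[k] != "*" and c[k] != a[k] for k in ("part", "vendor", "product")):
        return False
    if c["version"] != "*":          # exact-version criterion
        return c["version"] == a["version"]
    if a["version"] == "*":          # discovery found no version: cannot clear it, so flag it
        return True
    v = version_key(a["version"])
    lo, hi = crit.get("versionStartIncluding"), crit.get("versionEndExcluding")
    return (not lo or v >= version_key(lo)) and (not hi or v < version_key(hi))

def vulnerable_assets(inventory, feed) -> dict:
    """inventory: [(host, cpe)]; feed: [{'id', 'criteria': [crit, ...]}] -> {host: [ids]}."""
    hits = {}
    for host, cpe in inventory:
        for vuln in feed:
            if any(cpe_matches(cpe, c) for c in vuln["criteria"]):
                hits.setdefault(host, []).append(vuln["id"])
    return hits

# Constructed sample inventory (as an ITAM export would provide) and a two-entry fictitious feed.
INVENTORY = [
    ("web-01", "cpe:2.3:a:examplecorp:webserver:2.4.9:*:*:*:*:*:*:*"),
    ("web-02", "cpe:2.3:a:examplecorp:webserver:2.4.10:*:*:*:*:*:*:*"),
    ("db-01", "cpe:2.3:a:examplecorp:dbengine:*:*:*:*:*:*:*:*"),   # version unknown
]
WEB, DB = "cpe:2.3:a:examplecorp:webserver:*:*:*:*:*:*:*:*", "cpe:2.3:a:examplecorp:dbengine:*:*:*:*:*:*:*:*"
FEED = [
    {"id": "CVE-0000-0001", "criteria": [{"cpe": WEB, "versionStartIncluding": "2.4.0",
                                          "versionEndExcluding": "2.4.10"}]},
    {"id": "CVE-0000-0002", "criteria": [{"cpe": DB, "versionEndExcluding": "5.2"}]},
]
```

Running `vulnerable_assets(INVENTORY, FEED)` flags web-01 (2.4.9 is inside the range) and db-01 (version never discovered, so it cannot be cleared), while web-02 at 2.4.10 is correctly excluded only because versions are compared numerically rather than as strings.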
YES, YES, YES... we are going to Paris.
I hope that you enjoy it, and farewell
Jesús Castellanos
Consulting and Compliance Manager in the ICA Group