How Vulnerability Management Can Help

Effective vulnerability management involves targeting the riskiest vulnerabilities in your environment first. This sounds simple and, with the right tools, it is. However, well-known and entirely preventable vulnerabilities continue to be the main point of entry in most documented breaches. Even if the initial access was via a phishing attack, it was only to deliver malware that exploited one of these vulnerabilities. In 2016, the Data Breach Investigations Report (DBIR) from Verizon highlighted vulnerabilities known since as far back as 1998 being used in attacks. This clearly shows that we aren't doing something right and that PIR Bank, while not doing everything they could, are far from being unique.

Vulnerabilities are measured in a number of ways, most commonly using the CVSS (Common Vulnerability Scoring System), which provides a number from 0 (lowest) to 10 (most severe) derived from a number of criteria. For those interested in exploring the CVSS mechanism, I recommend the Wikipedia page. Each vulnerability commonly carries a severity, one of the following: High, Medium, Low, Informational. This gives you an indication of the potential impact if the vulnerability is exploited.

It's common to start with the vulnerabilities scoring highly on the CVSS scale or with high severity vulnerabilities, but this approach misses something fundamental, something fully exploited (pun intended) by the MoneyTakers – the vulnerabilities with known exploits. What does this mean? We are talking about the vulnerabilities for which someone has worked out how to take advantage of them… and published that information in a public forum. Tools like Metasploit (and many, many dark/deep web toolkits) take that published exploit and turn it into a fully automated tool. The hacker only needs to identify that your system has the vulnerability and then point the exploit tool at it and, in many cases, they have access. Your environment is compromised in minutes.

Where CVSS and vulnerability severity fall down is that there are many vulnerabilities ranked low on one or both schemes that will provide a foothold into your environment for a hacker. Once they are in, they can look around for other vulnerabilities that have been missed and that can provide them with the privileged credentials they need to move across your network, stealing your most precious data as they go.
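
To make the difference between the two orderings concrete, here is an added example (not code from this article or from any product it mentions). It ranks a constructed scanner export by CVSS alone and then with known-exploit findings first; the CSV columns, finding IDs and function names are assumptions made for illustration.

```python
import csv
import io

# Constructed scanner export (not real findings); IDs are placeholders.
SAMPLE_FINDINGS = """\
finding_id,host,cvss,severity,known_exploit
VULN-A,web01,9.8,High,no
VULN-B,web01,3.7,Low,yes
VULN-C,db01,7.5,High,no
VULN-D,db01,5.3,Medium,yes
VULN-E,app01,6.1,Medium,no
VULN-F,app01,0.0,Informational,no
VULN-G,app02,8.8,High,yes
"""

def load_findings(text):
    """Parse the CSV export into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        score = float(row["cvss"])
        if not 0.0 <= score <= 10.0:
            raise ValueError(f"CVSS out of range for {row['finding_id']}")
        row["cvss"] = score
        row["known_exploit"] = row["known_exploit"].strip().lower() == "yes"
        rows.append(row)
    return rows

def by_cvss(findings):
    """Conventional ordering: highest CVSS score first."""
    return sorted(findings, key=lambda f: -f["cvss"])

def by_known_exploit(findings):
    """Known-exploit findings first, CVSS only as the tie-breaker."""
    return sorted(findings, key=lambda f: (not f["known_exploit"], -f["cvss"]))

def queue_position_shift(findings):
    """Map each exploitable finding to (CVSS-order position, exploit-first position)."""
    cvss_pos = {f["finding_id"]: i for i, f in enumerate(by_cvss(findings), 1)}
    return {f["finding_id"]: (cvss_pos[f["finding_id"]], i)
            for i, f in enumerate(by_known_exploit(findings), 1)
            if f["known_exploit"]}

if __name__ == "__main__":
    for fid, (old, new) in queue_position_shift(load_findings(SAMPLE_FINDINGS)).items():
        print(f"{fid}: CVSS-order position {old} -> exploit-first position {new}")
```

In this constructed data the Low-severity finding with a known exploit moves from sixth in the remediation queue to third, ahead of two High-severity findings that have no known exploit.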
PIR Bank Highlights for Us the Importance of Targeting Those Well-Known Exploits First and Foremost

Solutions like Retina CS Enterprise Vulnerability Management enable you to target and address those vulnerabilities first. This removes the “low hanging fruit” that groups like MoneyTakers are dependent on and stops you from being a soft target. You will find far fewer vulnerabilities with known exploits in your system than in any severity category, and mitigating each will deliver the maximum return on investment as well as maximum risk reduction. If you only make one change in your cybersecurity strategy this year, make it prioritizing vulnerabilities with known exploits. For a personalized strategy session, contact us today.
Brian Chappell, Director, Product Management
Brian has more than 25 years of IT and cybersecurity experience in a career that has spanned niche system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian leads the Product Management of the flagship Password Safe product globally, ensuring the delivery of a world-class, industry-leading Privileged Password and Session Management solution. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.