At Contextual Security Solutions we are continuously looking for ways in which we can better serve our customers. It has been a primary focus from day one, almost ten years ago. Whether it’s through the creation of our illumino Compliance Portal designed to give our clients visibility into the progress of our compliance audits, our Remote Location Audit Reports (healthcare, utility, banking, and retail) that have given our clients visibility into their satellite locations, or our Perigon 360 Assessment platform that provides a dynamic 360 degree view into our security assessments, we are always searching for ways to help our clients and partners within the security and compliance landscape.
Perigon 360 Dashboard / illumino Compliance Portal
To kick off this first edition of our #ExpectMore series, we are going to do a quick dive into Security Debt. Contextual Security Solutions created this metric, and we believe it is often disregarded or overlooked but can shed light on process deficiencies that can stifle improvements of the organization’s security posture despite best efforts by those responsible for protecting it. Identifying and remediating process deficiencies prioritizes fixing the root cause rather than the individual vulnerability. By doing so, organizations may be able to more effectively reduce their overall risk and vulnerability remediation burden through the improvement of a small number of critical processes. In short, I’ll credit our own Slade Griffin, Director of Security Assessments, with articulating this concept with the following words:
So, lets dive in on Security Debt and first define what it is. In a nutshell, our definition of Security Debt is the age of the vulnerability(s) present within the organization.
SECURITY DEBT EXAMPLE (MS08-067)
As an example, consider an old favorite like the vulnerability addressed in Microsoft Security Bulletin MS08-067 (which thankfully we don’t see as often anymore). Microsoft Security Bulletin MS08-067 was published on October 23, 2008. Nessus, a popular vulnerability scanner, published two (2) plugins to search for this vulnerability on the same day that the Security Bulletin was released with an additional plugin released on November 21, 2008.
MS08-067 Plugin Search (Source: https://tenable.com/plugins)
If you happened to be defending a Windows-based environment thirteen (13) years ago, hopefully someone saved you some Halloween candy and a little Thanksgiving turkey since you were no doubt beginning a three-month roller coaster of trying to patch and/or remediate systems affected by this vulnerability.
With respect to Security Debt, the vulnerability would have been roughly a month old.
Thirty-five (35) days, based on the criticality of the vulnerability (CVSSv2 10.0, CVSSv3 9.8), seems too long, but not excessive when considering that the organization may not have scanned for it immediately, that once identified testing would need to be done before rolling the patch out, and that the previous maintenance window could have recently passed requiring the vulnerability management team to either wait for the next one or request an emergency window. Lastly, as it relates this timeframe, if held to requirement 6.2 of current version 3.2.1 of the PCI DSS, which is one of very few security standards that explicitly states patch timeframes, thirty-five (35) days would be slightly outside the one-month installation window for critical vulnerabilities. Based on this information, recommendations as it relates to vulnerability management would primarily be limited to ensuring processes support the installation of critical patches within a month of their release.
Now consider that the same vulnerability was identified again on several of the same hosts during a subsequent scan on Valentine’s Day the following year (February 14th, 2009).
At this point, additional areas of concern can be inferred. Specifically, the organization would need to review their patch management processes and any technologies (e.g. software) that are used to support them (Software Upgrades).
Finally, let’s consider this same vulnerability was identified today on several hosts within organizations network this past Halloween.
Based on the data at this stage, further insight is available. Most notably, in addition to the patch management processes concerns mentioned in the previous paragraph, issues with configuration management and hardening may now exist (Configuration Management). This could be further substantiated if any of the hosts in question have been deployed after the Microsoft Security Bulletin was released as it would indicate that gold images for new system deployments may not be up to date and/or sufficiently hardened. If new systems are introduced to the production network with old vulnerabilities, it becomes exceedingly more difficult to defend the enterprise.
Security Debt is a great metric for dialing in on the root cause of the issues found during routine scans. Once the root cause is identified, the organization can better budget the capital and operational expenses needed to remediation. Configuration Management remediation activities typically require human interactions and hours to reduce the Security Debt. Although products can assist here, researching, testing, and implementing configuration changes can be labor intensive. Conversely, Security Debt related to Software Upgrades is generally a result of a backlog in the application of patches, updates and vendor supplied fixes to operating systems, applications, and network devices. In many cases the use of third-party applications can assist organizations in reducing their Security Debt related to Software Upgrades.
The example above highlights how Security Debt, even when considering only a single vulnerability, can provide additional context data and ultimately assist in forming more effective and impactful remediation plans. With that said, we’ve only scratched the surface on Security Debt in this blog post. If you’d like to learn more about our Security Debt insights included in every one of our Security Assessments, or any of the other metrics and analysis we provide, please reach out to us at email@example.com to schedule a call.