Feeling Vulnerable? ft. Bryon Singh, RailWorks Corporation

By Steve Gold
Posted in Security
On November 15, 2023

Always! I was going to continue to use movie or television references to highlight the importance of this CIS Safeguard but realistically, there isn’t one. There are plenty of examples where the lack of an effective Vulnerability Management Process caused a breach. Here are just a few:

  1. Equifax (2017): One of the most notable breaches in recent history. Equifax, a major credit reporting agency, suffered a data breach that exposed the personal information of 147 million people. The breach occurred due to an unpatched vulnerability in the Apache Struts web application framework even though a patch was available two months before the breach.
  2. WannaCry Ransomware Attack (2017): This attack affected organizations across 150 countries, including the UK's National Health Service (NHS). The malware exploited an unpatched vulnerability in Microsoft's Windows operating system. While Microsoft had released a patch a month prior to the outbreak, many organizations hadn't applied it.
  3. Heartbleed (2014): This was a critical vulnerability in the OpenSSL cryptographic software library. It allowed attackers to read the memory of the systems using vulnerable versions of OpenSSL, thereby compromising secret keys, passwords, and other sensitive data. Many organizations were affected, and while it's hard to pinpoint specific breaches directly to Heartbleed, its discovery led to a rush to patch systems globally.
  4. The US Office of Personnel Management (OPM) breach (2015): Attackers gained access to the personal data of over 22 million current, former, and prospective federal employees and contractors. The breach was linked to an unpatched vulnerability in the software that OPM was using.

Vulnerabilities emerge at the speed of innovation. Whether you run a business out of your home, work at a small startup, or work at a massive corporation, being proactive about these vulnerabilities is crucial to ensuring operational trust.

Vulnerability management is a systematic and ongoing process that involves the identification, evaluation, treatment, and reporting of vulnerabilities. It's like a health check-up for your company's digital assets, ensuring that any weaknesses that might be exploited by malicious actors are discovered and addressed in a timely manner.

By establishing and maintaining a thorough, documented process, enterprises can better protect their assets and maintain trust with their stakeholders.

One principle remains indisputable: proactivity is the best defense. Addressing vulnerabilities before they can be exploited is essential, and this brings us to a cornerstone of cyber defense, CIS Safeguard 7.1: establishing and maintaining a robust vulnerability management process. At its core, CIS Safeguard 7.1 emphasizes the creation and maintenance of a documented vulnerability management process for all enterprise assets. But it's not just about having a process in place; it's about regularly reviewing and updating this process, at least annually and after any significant organizational change.

A Step-by-Step Guide to Implementing CIS Safeguard 7.1:

  1. Start with an Inventory: Before you can defend your assets, you need to know what they are. Document every piece of hardware, software, and data, including their versions and configurations.
  2. Define the Scope: Clearly state which assets are covered by the vulnerability management process and which aren’t.
  3. Automate Vulnerability Scanning: Use automated tools to regularly scan for known vulnerabilities in your systems, applications, and network infrastructure.
  4. Prioritize Vulnerabilities: Not all vulnerabilities are equal. Rank them based on potential impact, exploitability, and importance of the asset.
  5. Patch Management: Develop a clear process for testing and deploying patches. In some cases, immediate patching might not be possible; identify temporary measures to mitigate the risk.
  6. Review and Test: Regularly test the vulnerability management process, making use of both automated tools and human expertise, like red teaming or penetration testing.
  7. Document Everything: Keep records of all vulnerability scans, identified vulnerabilities, remediation efforts, and any breaches or incidents related to vulnerabilities.
  8. Stay Updated: Participate in industry forums, subscribe to vulnerability databases, and maintain relationships with vendors to stay updated on new vulnerabilities and threats.
  9. Regular Review: At least annually, review the entire process. Update it to address changes in the organization, technology landscape, and threat environment. Document the changes and reasons for them.
  10. Feedback Loop: Encourage all staff to report potential vulnerabilities and provide feedback on the vulnerability management process.
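As an added example (not code from this post or from CIS), the Python below wires steps 1, 2, 4, 5 and 7 together into a small triage routine: an inventory with a scope flag and an assumed criticality weight, a risk score built from CVSS, exploit availability and asset importance, and a remediation deadline per priority band. Asset names, weights, thresholds, SLA days and the scan findings are all constructed assumptions, not CIS-mandated values.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Steps 1 and 2: inventory with an explicit in-scope flag and an assumed criticality weight.
INVENTORY = {
    "web-01": {"criticality": 3, "in_scope": True},   # internet-facing web tier
    "hr-db":  {"criticality": 3, "in_scope": True},   # holds personal data
    "lab-vm": {"criticality": 1, "in_scope": False},  # explicitly out of scope (step 2)
}
# Step 5: remediation deadline (days) per priority band; assumed policy numbers.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Finding:
    asset: str
    vuln_id: str          # scanner's advisory id; placeholder values below, not real CVEs
    cvss: float           # base score 0-10 reported by the scan
    exploit_known: bool   # public exploit or active exploitation observed
    found: date           # date the scanner first reported it

def risk_score(f: Finding) -> float:
    """Step 4: rank by impact (CVSS), exploitability and importance of the asset."""
    crit = INVENTORY[f.asset]["criticality"]
    return round(f.cvss * crit * (2.0 if f.exploit_known else 1.0), 1)

def priority(score: float) -> str:
    if score >= 40: return "critical"
    if score >= 20: return "high"
    if score >= 8:  return "medium"
    return "low"

def triage(findings, today: date):
    """Return in-scope findings ordered by risk, each with its SLA deadline and an overdue flag (step 7 record)."""
    rows = []
    for f in findings:
        if not INVENTORY.get(f.asset, {}).get("in_scope"):
            continue  # out-of-scope or unknown assets are skipped, never silently scored
        s = risk_score(f)
        p = priority(s)
        due = f.found + timedelta(days=SLA_DAYS[p])
        rows.append({"asset": f.asset, "vuln": f.vuln_id, "score": s,
                     "priority": p, "due": due, "overdue": today > due})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed scan output and reporting date (placeholder ids, not real advisories).
SAMPLE = [
    Finding("web-01", "VULN-PLACEHOLDER-1", 9.8, True,  date(2023, 10, 1)),
    Finding("hr-db",  "VULN-PLACEHOLDER-2", 7.5, False, date(2023, 10, 20)),
    Finding("lab-vm", "VULN-PLACEHOLDER-3", 9.1, True,  date(2023, 10, 25)),
]
TODAY = date(2023, 11, 15)
```

Running `triage(SAMPLE, TODAY)` puts the internet-facing host with a known exploit first as an overdue critical, keeps the database finding as a high still inside its window, and drops the out-of-scope lab VM entirely.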

Here’s a link to the Vulnerability Management Policy Template provided free of charge from the fine folks at the Center for Internet Security: https://www.cisecurity.org/insights/white-papers/vulnerability-management-policy-template-for-cis-control-7

Here are some details on this specific Control/Safeguard. If you want more detail, DM me.

CIS Control 7 – Continuous Vulnerability Management

Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

Implementation Group 1

CIS Safeguard 7.1 - Establish and Maintain a Vulnerability Management Process

Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Steve Gold

Steve Gold is the Cybersecurity Practice Director at Gotham Technology Group (Gotham). He is responsible for providing the vision and thought leadership to expand Gotham’s legacy of success and build a world-class cybersecurity practice. He works closely with Gotham’s customers, industry partners, and subject matter experts to develop relevant solutions for Gotham’s clients and prospects.

Prior to joining Gotham, Steve worked with the Center for Internet Security (CIS), where he expanded the global reach, revenue, and impact of the CIS Benchmarks, CIS Controls, and CIS Hardened Images. He led the efforts to promote the CIS portfolio of low-cost and no-cost cybersecurity products and services that help private and public organizations stay secure in the connected world. He grew a team of security specialists from 12 to over 40 to assist organizations with implementing security best practices in their continual journey of cybersecurity maturity.

During his more than 20-year career, Steve led teams responsible for developing and implementing technology solutions at some of the industry’s most recognized companies, such as Varonis, VMware, Dell & Wyse Technology.

Steve is a frequent speaker/moderator at industry conferences and webinars, covering a wide array of information security topics. He resides and works remotely in Baltimore, MD.