
Control over vulnerabilities

Blog · 4 June 2020 (updated 16 November 2020)

Almost every organisation protects its infrastructure with basic measures such as a firewall and anti-virus software, which keep potential hackers and malware at bay as far as possible. This approach worked when a network could still be compared to a castle: the lord of the manor protected access with a drawbridge and a moat. There was one entrance, and that was what had to be defended against intruders.

Nowadays a network is better compared to a city. There are several entrances, several owners, and traffic is constantly going in and out: home-workers are connected, suppliers reach services remotely, and employees in the office have to be able to reach all sorts of cloud services. A much bigger part of the network is therefore exposed, which makes it harder to protect. That is why it is important to look at vulnerabilities and to act on them. Our guiding principle in doing so: what if an attacker already had direct access to this system?

Analysing vulnerabilities
Analysing vulnerabilities usually takes place in one of two ways:

  • Performing a penetration test
  • Continuously scanning the network for vulnerabilities

Whereas a penetration test (pen test) is scoped to the specific organisation and carried out with a defined assignment, a scan is automated and more generic. The pen test simulates an attacker with a specific objective, so the assignment is usually aimed at testing particular measures or systems. The scan simulates the more generic, opportunistic threats: malicious parties who try to break in wherever they can, for instance to enrol the machine in a botnet or to deploy ransomware or other malware.

Both the generic threats and the targeted attacker do, however, share the same starting point: they scan the network (wherever it is reachable) for vulnerabilities and try to get in via that route. By analysing those same vulnerabilities yourself, they can be resolved before they are abused.

During the management of detected vulnerabilities, the difference between a penetration test and continuous scanning becomes bigger. The penetration test produces a report with recommendations, but (essentially) without history or follow-up. This makes it a good method for one-off audits, e.g. the acceptance process when new software (releases) or infrastructure is delivered. A good scanning tool, on the other hand, comes with tooling that helps to gain control over the vulnerabilities that are detected. That tooling should (at least) generate a prioritised action list and an audit trail.

Presenting a prioritised action list based on the scan results helps with processing them. Not every vulnerability represents an equally big risk. The internationally used Common Vulnerability Scoring System (CVSS) indicates how critical a vulnerability is. For instance, all else being equal, a vulnerability that can be exploited remotely over the network scores higher than one that requires local access.

The other axis along which priority is determined is business context: one system is more critical to business operations than another. By applying these two parameters as weighting factors, a plain list of vulnerabilities turns into an action list that is specific to the organisation in question.

Traceable actions should then be taken on the basis of the detected vulnerabilities. Such actions can include patching, decommissioning, or hardening the system. It is important to log which actions were carried out, by whom and when. If an action is scheduled for later, e.g. replacement of a system, the notification can be suppressed temporarily, but that suppression is logged as well and ends on a set date. This way an audit trail of performed and scheduled activities on vulnerabilities is always available.
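The register behaviour described above, as an added example that is not part of the original post or of any product: findings carry an append-only trail of actions (who, when, what), a temporary suppression must have an expiry date, a suppressed finding drops off the action list only until that date, and the suppression entry itself stays in the trail. Finding identifiers, actors and dates are constructed for the demo; real tooling would persist this in a database rather than in memory.

```python
"""Minimal vulnerability register with an append-only audit trail.

Added illustration for this post, not the author's tooling. Identifiers,
actors and dates below are made up for the demo.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Actions the register accepts; the first three resolve a finding, 'suppress' only hides it for a while.
RESOLVING_ACTIONS = {"patch", "decommission", "harden"}
ACTIONS = RESOLVING_ACTIONS | {"suppress"}


@dataclass(frozen=True)
class AuditEntry:
    when: date
    actor: str
    action: str
    note: str
    until: Optional[date] = None   # only meaningful for 'suppress': expiry of the suppression


@dataclass
class Finding:
    finding_id: str
    asset: str
    title: str
    trail: List[AuditEntry] = field(default_factory=list)   # append-only, never edited

    def resolved(self) -> bool:
        return any(e.action in RESOLVING_ACTIONS for e in self.trail)

    def suppressed_on(self, today: date) -> bool:
        """Hidden only while a suppression is still valid; after expiry it resurfaces."""
        return any(e.action == "suppress" and today < e.until for e in self.trail)


class Register:
    def __init__(self) -> None:
        self.findings = {}

    def add(self, finding_id: str, asset: str, title: str) -> None:
        self.findings[finding_id] = Finding(finding_id, asset, title)

    def record(self, finding_id: str, actor: str, action: str, note: str,
               when: date, until: Optional[date] = None) -> None:
        """Append an action to the finding's trail; a suppression without an end date is refused."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        if action == "suppress" and until is None:
            raise ValueError("a suppression needs an expiry date")
        self.findings[finding_id].trail.append(AuditEntry(when, actor, action, note, until))

    def action_list(self, today: date) -> List[str]:
        """Findings that still need work on 'today' (resolved or validly suppressed ones excluded)."""
        return sorted(f.finding_id for f in self.findings.values()
                      if not f.resolved() and not f.suppressed_on(today))

    def audit_trail(self, finding_id: str):
        """Full history of a finding, suppressions included, in chronological order."""
        return [(e.when.isoformat(), e.actor, e.action, e.note, e.until.isoformat() if e.until else None)
                for e in self.findings[finding_id].trail]


def demo_register() -> Register:
    """Constructed sample data: one patched, one temporarily suppressed, one untouched finding."""
    reg = Register()
    reg.add("F-1", "vpn-gw-01", "outdated SSL VPN firmware")
    reg.add("F-2", "legacy-app-03", "end-of-life web server")
    reg.add("F-3", "hr-db-02", "local privilege escalation in OS")
    reg.record("F-1", "alice", "patch", "firmware 4.2 applied", date(2020, 6, 4))
    reg.record("F-2", "bob", "suppress", "system scheduled for decommission",
               date(2020, 6, 4), until=date(2020, 9, 1))
    return reg


if __name__ == "__main__":
    reg = demo_register()
    print("open on 2020-06-05:", reg.action_list(date(2020, 6, 5)))
    print("open on 2020-09-01:", reg.action_list(date(2020, 9, 1)))
    for entry in reg.audit_trail("F-2"):
        print(entry)
```

The point of the expiry date is that a scheduled replacement that slips does not silently turn into a permanent blind spot: once the date passes, the finding is back on the list, and the trail still shows who suppressed it and why.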

This traceability ensures that an organisation can demonstrate which actions it has taken, or has scheduled, for which vulnerabilities in order to increase its cyber resilience. That makes you demonstrably in control, something that various certifications require (including ISO 27001 and NEN 7510).