Three Simple Questions in Vulnerability Management

Strive for continuous improvement, instead of perfection

— Kim Collins


The Dragonfly Team attended the Gartner Security and Risk Management Summit held in Sydney on 20-21 August 2018 and brought back some excellent forward thinking from the Gartner team on security and risk. Among the many ideas floated and debated and priorities distilled, Gartner presented its view of what should be the top-priority security projects for all Security and Risk Management leaders over the next 12 months.

In a series of blog pieces, we will explore several of these security projects, which we believe will shape our clients' strategic view of security and risk over the next 12-18 months. First up: if you can only do one thing in the next 12 months, run an intelligent approach to vulnerability management as a project.

Before we delve into vulnerability management and why we think it should be a priority, let's explore a very simple risk and security tenet that was discussed throughout the conference and introduced in the keynote presentation: three simple questions.

1. What is important?

2. What is dangerous?

3. What is real?

[Figure: Three Simple Questions in Vulnerability Management]

According to Gartner, by answering all three questions and combining the answers you can cut through much of the noise in risk and security management. You want to arrive at the intersection in the middle: what is important, dangerous and real at the same time.

At this point it is worth sharing why we think vulnerability management is a great piece to focus on. It is a critical component of any security program because, on balance, it is about directing your finite resources to where they buy the greatest risk reduction. We believe it gives you great bang for your buck: it supports the changing needs of cybersecurity while enabling the digital business initiatives we see out there, and, chances are, you already have everything you need to do it well.

Vulnerability management is critical to your cybersecurity and risk management strategies, and becomes more so with the continued reliance on digital initiatives to drive business growth. The reality, however, is that IT operations cannot keep up with the sheer quantity of vulnerabilities, and the number disclosed each year keeps rising.

So, if we ask ourselves each of these three questions in relation to our vulnerability management approach, it may look like this:

What is important?

To prioritise your activities effectively, start with what is important and to whom:

What is the business value of the asset you are trying to protect? Is it mission critical? If it were to be compromised, what would happen to the business?

What is dangerous?

We are constantly reminded of the sheer number of vulnerabilities identified, but how many of them are actually critical? When you look closer, you may find that most are not critical and do not pose an urgent threat. Significant media coverage of a particular vulnerability does not make it critical for you:

What is the impact of the vulnerability should it remain unpatched? What is the likelihood of this vulnerability being exploited?

In summary, make up your own mind about impact and likelihood, then address the vulnerability based on those findings rather than on its headline severity alone.

[Figure: IBM State of Vulnerabilities]

Source: IBM X-Force/Analysis: Gartner Research

What is real?

To answer this question, look at the mitigating controls you already have in place: they determine whether a vulnerability is actually exploitable in your environment. Many controls can be applied or retrofitted in front of legacy systems and applications that cannot themselves be changed. So don't forget your mitigating controls (IPS, WAF, firewalls and so on) when considering your options. One caveat: a control only counts if you can show it covers the vulnerable path, and it reduces exploitability rather than removing the vulnerability, so record it as a compensating control and keep the finding open until the underlying issue is fixed.

The reality is that we can't patch everything, but we can significantly reduce risk by prioritising our vulnerability management effort by risk.
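As an added example (not code from the original post or from Gartner), here is one way to turn the three answers into a single ranking. It scores a constructed list of findings on asset criticality (important), severity plus exploit evidence (dangerous) and the mitigating controls in front of the asset (real). The findings, asset names, control names and every weight are assumptions made for illustration, not a published standard, and the script goes a little beyond the text in that it ranks a whole list rather than a single finding.

```javascript
// Added example, not from the original post or from Gartner: rank findings by
// combining answers to the three questions. The findings, asset names,
// control names and every weight below are constructed assumptions.

// "What is important?"  criticality of the asset, 1 (lab box) to 5 (mission critical)
// "What is dangerous?"  base severity (0-10, CVSS-like) scaled by exploit evidence
// "What is real?"       mitigating controls that demonstrably cover the exploit path
const findings = [
  { id: "F-1", asset: "payments-api",  criticality: 5, cvss: 9.8, exploitPublic: true,  exploitedInWild: true,  vector: "network", controls: [] },
  { id: "F-2", asset: "intranet-wiki", criticality: 2, cvss: 9.8, exploitPublic: true,  exploitedInWild: false, vector: "network", controls: ["waf"] },
  { id: "F-3", asset: "payments-api",  criticality: 5, cvss: 7.5, exploitPublic: false, exploitedInWild: false, vector: "network", controls: ["ips", "waf"] },
  { id: "F-4", asset: "build-runner",  criticality: 3, cvss: 5.3, exploitPublic: false, exploitedInWild: false, vector: "local",   controls: [] },
  { id: "F-5", asset: "legacy-erp",    criticality: 4, cvss: 8.8, exploitPublic: true,  exploitedInWild: false, vector: "network", controls: ["network-segmentation"] },
];

// Assumed fraction of exploitation attempts each control stops. A control you
// cannot show covers the vulnerable path should not be listed at all.
const CONTROL_EFFECT = { waf: 0.5, ips: 0.3, "network-segmentation": 0.7 };

// "What is dangerous?": severity in 0..1 scaled by how likely exploitation is.
function dangerScore(f) {
  let likelihood = 0.2;                 // no known exploit
  if (f.exploitPublic) likelihood = 0.6;
  if (f.exploitedInWild) likelihood = 1.0;
  return (f.cvss / 10) * likelihood;
}

// "What is real?": residual exposure after the controls in front of the asset.
// Controls are treated as independent layers; host-local flaws are not covered
// by the network controls modelled here, so they keep full exposure.
function realityFactor(f) {
  if (f.vector !== "network") return 1.0;
  return f.controls.reduce((r, c) => r * (1 - (CONTROL_EFFECT[c] || 0)), 1.0);
}

// Combine the three answers into a 0..100 score.
function riskScore(f) {
  const important = f.criticality / 5;
  return Math.round(important * dangerScore(f) * realityFactor(f) * 100);
}

// Rank a list of findings, highest residual risk first.
function prioritise(list) {
  return list
    .map((f) => ({ id: f.id, asset: f.asset, cvss: f.cvss, score: riskScore(f) }))
    .sort((a, b) => b.score - a.score);
}

console.table(prioritise(findings));
```

The point to notice is the two findings rated 9.8: the one on the mission-critical API with an exploit seen in the wild and nothing in front of it scores 98, while the same severity on a low-value wiki behind a WAF scores 12, below a lower-rated flaw on a legacy ERP that is only segmented. A control only earns its discount if you can show it covers the vulnerable path; if you cannot, leave it out of the controls list and score the finding as fully exposed.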

When done well, vulnerability management has significant risk reduction potential and supports the business push to drive growth through digital initiatives.

CEO shares what keeps him up at night

At a recent banking CEOs' and directors' forum in Sydney, a CEO shared what keeps him awake at night. Not surprisingly, the two biggest issues in his eyes were "the availability of IT systems and Hackers."

The availability of IT systems did not come as a surprise, and the fact that he was concerned about a security compromise was not a surprise either. What did surprise me, however, was the word he chose to describe his security concerns: hackers. The CEO did not say data breach, security compromise, or financial or reputational risk, yet those are the words we use as cyber security experts and as an industry.

He used the word hacker; to him it was personal and emotive. A faceless person, a dark character of flesh and blood with an unpredictable mind, a character that exudes uncertainty and is skilled and capable of causing a single catastrophic event. A threat actor that needs to be eradicated.

One word embodied so much for this CEO.

In this mindset the goal becomes "stop the hacker". Simple, right? In theory, yes; in practice, if only it were that easy. We know that even with all the security technology available to us, this remains near impossible on cost alone. The discussion then moved on from stopping the hackers to mitigating the risk in the form of cyber insurance: let's not worry about doing all we can to prevent a breach, rather let's make sure that, should something occur, we have insurance to cover the costs of data recovery. Sadly, there is no insurance that covers the reputational damage to your brand when something happens, damage that is almost impossible to quantify in direct and indirect costs for years to come. What an altogether disappointing conclusion to the discussion.

What I took from this experience is that maybe we need to think about the language we use: should we move away from hard, cold, almost "clinical" words to a more emotive, descriptive and approachable vocabulary to describe cybersecurity risk? I don't know the answer, but it has certainly got me thinking about the language I use with our clients. We will make more of an effort to think about the appropriate use of security terms and to pepper them with the words our customers use when they think about cyber security. Perhaps it is time to make cybersecurity more relatable and approachable. What do you think?

Security Principles Software Developers Should Follow

Having our heads buried in application security most days, we find that if you are not careful you can get very technical about application security and forget about the people, money, risk and business priorities side of it. Let me explain. As with everything in life, security is not black and white but shades of grey: what is perfectly adequate in one scenario may be a big no-no in another.

Let me give you an example that parents can relate to. It is perfectly acceptable to send your responsible teenager to the corner store to pick up milk when you run out; it is completely unacceptable to have your pre-schooler complete the same task. Same task, merely an age variable. Think about this in the security sense and you can see where I am heading: being black and white in application security decisions leads to poor decision making, unnecessary complication and wasted resources.

In our practice we have found that when developers build or choose security solutions, it is important they consider other aspects of security (beside the technical one) when picking the right one for their business and organisational situation. Our advice is that developers should appreciate and understand the wider context they are working within when making security decisions. In a nutshell, it's important to be pragmatic.

Here are a few principles which guide our application security practice which we would like to share with you.

Don’t get stuck on hard and fast principles

Dogma – a principle or set of principles laid down by an authority as incontrovertibly true
Absolutism - the holding of absolute principles (in security)

Consider the argument about the common and widespread use of JSON Web Tokens (JWTs) and their potential to create a security gap. One argument against keeping JWTs in browser local storage goes something like this:

JWTs are the same thing as a username/password: if a hacker can get a copy of your JWT, they can make requests to the website on your behalf and you will never know, so don't ever store them in local storage.

The conclusion, clear message and absolute position here is: never store JWTs in local storage. Keep in mind that JWTs are widely used in development. The problem with this advice is that it does not allow developers to consider the nuance of the situation they are using them in. Here is a counter argument:

Where you store a JWT matters less than what the token can do, and storing it somewhere deemed "safe" does not in itself make the application secure. Local storage is readable by any script running in the page, so a cross-site scripting flaw hands the token to the attacker; an HttpOnly cookie is not readable by script, but the browser sends it automatically, so it needs CSRF protection instead. Either way, a stolen token can be replayed until it expires. So as a developer, ask yourself: what information are you placing in these JWTs, how are you accessing them, what do they grant access to, and for how long?

Depending on your answers, you can then decide whether a JWT in local storage is the right way forward for your application. If the token carries no personally identifiable data, is short-lived and grants limited access, it may be acceptable; if not, find an alternative, for example a short-lived token backed by a server-side session, or an HttpOnly cookie with CSRF protection.

That's what we look at when assessing your use of JWTs as part of an application assessment: not dogmatic or absolute, but pragmatic. Don't get too caught up in hard principles; they can be your friend, but not always.

Don't believe anyone who tells you it's watertight or foolproof

Believe us when we say there is no such thing as completely secure; instead we talk about secure "so far as is reasonably practicable", relative to what is being protected.

In simple terms, the protections you build should be in proportion to the value of the data being protected. The best security creates hurdles for attackers that are higher than the value of the target to them, which makes you an unattractive target.

When developing applications, it stands you in good stead to consider the value of the data being collected and stored before designing security measures that reflect that value.

Know what you are up against and your exposures

When you know what you are up against, you are in a far better position to assess the risk to your assets and to know what to do to protect them. Attackers range from script kiddies and automated threats all the way through to state-sponsored actors, but unless you are developing software of significant financial value or doing sensitive government work, as a developer your likelihood of attracting hard-hitting attackers beyond script kiddies and automated threats is fairly low. Bear in mind that automated scanning alone will find an unpatched, internet-facing weakness quickly, so the baseline still has to be covered; beyond that, this knowledge should guide your understanding of the threats you face.

Beyond hacking that results in a data breach, your application may be more exposed to a DDoS attack. If so, explore what that would mean to your organisation: would a DDoS attack take your asset offline, causing significant embarrassment to your company and reputational damage?

Take a measured, proportionate approach

It may sound obvious, but you need to consider what you are up against: by knowing the risks, you can decide what sort of security plan makes sense. When considering an appropriate level of security, the risks you face are important, but so is your budget and what it affords you. Questions you should be asking are:

1. What is it that I need to protect, and how valuable is the asset to my organisation and to others?
2. Who would be interested in getting to it?
3. What resources do I have to protect it?

Your answers to these questions decide what level of security is reasonable: if the value is low, keep to the basics; if it is high, consider advanced security measures; and if it is a mix, build a hybrid that accepts compromises in some areas and applies advanced measures in others.

In summary, it's clear that we cannot be absolute or dogmatic in our approach; pragmatism saves the day. When considering the risks you face, think about the value of the asset you are trying to protect, both to you and to attackers, before implementing a security policy that is proportionate to the risk, the asset's value and the resources at your disposal.

Have you given much thought to how you choose a security consulting firm?

You no doubt have lots of options available, but beyond the hype and marketing, how do you identify the right organisation to team up with? I have some thoughts to share on the right questions to ask, which can help you make a great choice and ensure a successful engagement.

Whether you need a penetration test done, a security audit completed, a web application security assessment or the development of a complete security strategy, the questions you need to consider apply across the board.

By its very nature, finding the right security consulting firm can be challenging, given the trust you need to place in the capabilities and integrity of the organisation. It is therefore critical to know who will actually be doing the work, which helps you understand their capabilities. In addition, knowing what the actual deliverables will be ensures you can assess the value they bring. Finally, you need to be sure you can trust them with your sensitive security information.

Here are some critical questions to ask when considering who will become your preferred firm:

1. Who are the individuals who will be completing the work?

All proposals, whether for a straightforward penetration test or the development of a complete security strategy, should include a list of the individuals who will work on your project. You need to know what experience they bring to the table and how they add value to the engagement. We have always found that clients see value when we explicitly list who will be responsible for our engagements and their previous experience with similar projects.

2. What are the deliverables you will receive at the end of the engagement?

Before you make your decision, know what you are going to get at the end of the engagement. And by know I mean actually SEE a sample report. If you are getting a penetration test done, ask to see what the final output looks like. Will it be suitable for the various stakeholders' eyes? In particular:

What sort of language is used? Will it suit your technical team, or is it better suited to auditors or regulators? What about board members? Each of these audiences has different needs; some overlap, others less so. So make sure you know your audience and that the final report reflects this.

Are the recommendations realistic, and do they take into account your risk appetite? Reports with unrealistic, dramatic recommendations are hardly going to help improve your security posture.

On the flip side, technical audiences need a deeper dive into the specifics so they can remediate appropriately. There is a fine balance, and it is determined by the reason for engaging the service in the first place. In our experience it pays to question clients explicitly about how they plan to use the deliverables, so that the format suits their purpose. We will always provide a sample report, so don't be shy about asking for one next time you are evaluating a proposal!

3. What are their security practices like?

This question became particularly poignant with the recent arrest of the self-proclaimed leader of LulzSec in Australia, who was working for a local security consulting firm on various government and enterprise accounts. This sent shivers down the collective spines of all the leading security firms, hopefully prompting them to take a closer look at their staff and their backgrounds. Be sure to check who is privy to your sensitive security information. We have made a point of ensuring our principal security consultants hold security clearances to the Highly Protected level under the Australian Government Attorney-General's Department security classifications.

4. Understand the final price

You were wondering when I was going to get to this, weren't you? My thoughts here revolve around value: what are you getting for your money? Are you comparing apples with apples when assessing proposals? Let's take the example of a basic penetration test on a new web application launch. We all know that a good penetration test involves both manual and automated testing, so given that different firms use different tools and techniques, how can you compare on price alone? A good place to start is the experience of the person doing the test, which tells you the level of expertise they will bring to the manual side. This goes back to my first point about the individuals working on your project: are they bringing expertise that is reflected in the price? Next, look at the automated tools they use; some are free, others are significantly more expensive per engagement, and that will be reflected in the thoroughness of the final deliverables. From there you can judge which delivers greater value to you. However you measure value, ask for a clear breakdown of the charges that make up the proposal.

In summary, security firms all differ in their capabilities, and finding the right one for you depends on matching your expectations and the nature of the engagement with a firm that has the capabilities to deliver, and the integrity that gives you peace of mind.