Part of any good security hygiene program is to make sure you are up to date with the latest security patches. As of May 22, 2018 there have been 11,555 common vulnerability and exposures reported. In 2017 there were a total of 53,976 CVE’s reported.
These numbers are daunting to say the least. In small enterprises the resources needed to keep up to date on these CVE’s is almost non-existence. In large enterprise the environments are so complex it can be a challenge making sure you are protected from the latest CVE’s.
As individuals we are all accustomed to upgrading our operating system and apps. For iOS it seems lately there has been a new version almost weekly and every time MS Office loads and checks for updates there seems to be several patches/updates needed. For the individual running these updates it is one of the best security practices they can implement at home.
For enterprises you cannot rely solely on endpoint notifications for software updates to consider everything patched. These endpoints need to be updated and sometimes force updates might be needed. In zero trust models enterprises should check to ensure the endpoint is up to date and if not reject access. A great example of this would be with Duo who provides MFA (multi-factor authentication). When a users launches Duo it will let the user know the device needs to be updated. This coupled with DLP (data loss prevention) solutions will help with data leakage, malware movement, and further reduction of the overall attack surface.
Protecting the endpoints simply is not enough. The entire technology stack needs to be updated. For example this year alone there have been exploits found for CMS (Content Management Systems) such as Drupal CVE-2018-9861 and WordPress CVE-2018-9118. There’s also been CVE’s to our networks such as Juniper CVE-2018-0022. So what can organizations do to ensure that their environment is properly protected?
It’s important to remember that security is not a technology problem rather it’s a question of risk management. So the first step for any organization is to understand the business impact. This should be done using a BIA (Business Impact Analysis) methodology and NIST provides a great template which can be found here. Now that you know your MTD (maximum tolerable downtime), Recovery point/time object, you can begin to focus on the systems that would cause the most disruption to your business.
You also need to create a CVSS (common vulnerability scoring system). A CVSS will score the vulnerability to understand the magnitude of the potential exposure. In order to understand the potential impact you would need to take into account several factors such as: What is the attack vector and complexity? How mature is the exploit? You also need to know how complex is the fix and if there is even a fix available. When setting up CVSS there are three main categories (Base, Temporal, and Environmental). First.org provides more details on setting up CVSS which can be found here.
It’s important that as security professional’s we stay attuned to CVE’s. By following standards and industry best practices CVE management can become less of a daunting task.