[ARTICLE] CSO: Don't Ignore Vulnerability Management!

May 17, 2018 | February 28th, 2019

* By Rangel Rodrigues

Thinking like a hacker, knowing how to exploit loopholes by creating or editing code, and understanding how security holes are exploited can help you understand and manage patching and patch application.

Two months ago, in the article “Advance to 'Next Level' Security”, I mentioned the challenge, around the year 2000, of keeping a system or service up to date: the moment a vulnerability was discovered versus the time it took to apply a patch. It was notorious that vendors, on the one hand, developed new software and consequently brought new vulnerabilities; the most exploited target at that time was the web server, whether on the Unix, Linux or Windows platform, none of which was yet mature. Of course, services such as DNS, FTP, Telnet, NetBIOS and others were also hammered.

Crackers used their ability to create exploits for vulnerabilities in Internet services, and at the time, as I worked for an American bank, many early-morning hours were spent updating the environment and fixing web server flaws. Although the work was challenging, the next day a new vulnerability would appear and, for us, there was no rest, because the goal was to keep the environment always up to date. Over time I learned how to exploit some vulnerabilities by creating or editing code, with the main idea of understanding how a security hole was exploited. Knowing the dark side was necessary. Thinking like a hacker was, above all, a requirement to become resilient: able to remediate and deal with storm situations where a zero-day is reported or a possible worm or ransomware infection occurs.

In one of those early mornings I got a call from the director telling me to come to the bank immediately because of a worm infection that had paralyzed the corporate network. The famous “Code Red” was responsible for shutting down millions of ATMs of many banks around the globe, and in our case we found that the development team had the IIS web server installed by default on Windows machines. Everything on the network had been infected by this worm variant. The result was a night spent identifying the infected machines and fixing them one by one. Soon afterwards came “Nimda” for SQL Server, and so creativity has increased over the years.

Today there is a lot of talk about flaws in every layer: the operating system, DNS, SSH or the web service; the web application, due to an injection or XSS flaw; or, deeper down, hardware and processor flaws such as Meltdown and Spectre. And we cannot forget the layers of a virtual machine in a cloud environment.

Evidently, the experience of living through such situations and working for large corporations, being responsible for managing the vulnerability management process, helped me think outside the box and learn (from mistakes) to create new strategies and processes to deal with the unknown. So I would like to share some tips for managing a vulnerability management process.

I emphasize that the help of frameworks and standards such as ISO 27001, PCI-DSS, OWASP, the NIST Cybersecurity Framework, etc. will enable the construction of an effective and efficient process. Last week, the National Monetary Council of the Central Bank enacted Resolution No. 4,658, dated 4/26/2018, which establishes a cyber security policy for all financial institutions. It is evident that this is yet another element to strengthen security in the Brazilian credit market, but let's go to the tips:

Updated Asset List

Have an up-to-date list of all the organization's technology assets, including operating systems, internal and external applications, front-end websites, Internet services, mobile applications, databases, web management software, virtual machine versions and appliances (firewall, IPS, network devices, camera monitoring), and ensure that every one of them is included in the vulnerability management process.

Asset Classification

Every asset holds data, especially now in the era of big data, and it is necessary to define information classification levels for these assets, as this will help you determine the security requirements for projects, systems, etc.

Patch Management Process and Tool

Ensure that a vulnerability management process and policy exist and are up to date. If there is none yet, draw one up immediately. Use frameworks and standards such as the NIST Cybersecurity Framework and ISO 27001; in the banking industry, Resolution No. 4,658 itself already determines this requirement. As for the tool to manage the process, there are many: Microsoft itself offers a free one, and if the budget is short you can be creative with automated spreadsheets or develop a dashboard tool internally to consolidate risks. Market solutions from security vendors already offer a dashboard kept up to date with community-released vulnerabilities and CVEs, which saves you time compared with browsing various websites and analyzing vendor bulletins. Remember that your policy needs risk and vulnerability rating criteria and a matrix according to business requirements and relevance.
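As an added illustration (not from the original article or any product it mentions) of how the asset inventory, the classification levels and a rating matrix fit together, the following Python computes a remediation priority and patch deadline for each scanner finding. The classification weights, CVSS bands, score thresholds and SLA days are assumed policy values, and the CVE identifiers and assets are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Information-classification levels taken from the asset inventory (higher = more sensitive).
CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
# Remediation deadline in days per priority band: an assumed policy, adjust to the business.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

@dataclass
class Asset:
    name: str
    classification: str    # key of CLASSIFICATION
    internet_facing: bool  # external exposure raises the rating

@dataclass
class Finding:
    cve: str               # identifier as reported by the scanner
    cvss: float            # CVSS base score, 0.0 to 10.0
    exploit_public: bool   # public exploit code is known to exist

def severity_band(cvss: float) -> int:
    """CVSS v3 qualitative bands: 1 low, 2 medium, 3 high, 4 critical."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    return 4 if cvss >= 9.0 else 3 if cvss >= 7.0 else 2 if cvss >= 4.0 else 1

def priority(asset: Asset, finding: Finding) -> str:
    """Rating matrix: severity band x classification, plus exposure adjustments."""
    score = severity_band(finding.cvss) * CLASSIFICATION[asset.classification]
    score += 2 if asset.internet_facing else 0
    score += 2 if finding.exploit_public else 0
    return "critical" if score >= 12 else "high" if score >= 8 else "medium" if score >= 4 else "low"

def deadline(asset: Asset, finding: Finding, reported_iso: str) -> str:
    """Patch window: report date plus the SLA of the computed priority, as an ISO date."""
    due = date.fromisoformat(reported_iso) + timedelta(days=SLA_DAYS[priority(asset, finding)])
    return due.isoformat()

def worklist(items, reported_iso: str):
    """Sort (asset, finding) pairs so the earliest deadline comes first."""
    return sorted((deadline(a, f, reported_iso), priority(a, f), a.name, f.cve) for a, f in items)

if __name__ == "__main__":
    # Constructed sample inventory and scanner findings (CVE ids are placeholders).
    web = Asset("web-ext-01", "confidential", internet_facing=True)
    cctv = Asset("cctv-appliance-03", "internal", internet_facing=False)
    items = [(cctv, Finding("CVE-0000-EXAMPLE2", 7.5, False)),
             (web, Finding("CVE-0000-EXAMPLE1", 9.8, True))]
    for row in worklist(items, "2018-05-17"):
        print(*row)
```

The resulting worklist is what the dashboard or spreadsheet mentioned above would track; an unpatched internal appliance such as the CCTV case later in the article lands in a longer window than an internet-facing server with a public exploit.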

Senior management support

Support from top management is vital, and you as a leader need to have executives as partners, knowing how to convey the importance of the risk to the organization. Usually, depending on the structure of the business, IT is responsible for correcting the flaw and applying patches. However, this may be your Achilles' heel if you do not have this group as a partner. Remember that a retail company will not want to stop its environment to install a patch, since it does not want to lose money, but maintenance windows must be found to remediate the situation. Here you may need qualitative and quantitative risk analysis tools to give senior management visibility into the importance of correcting the environment. For banks, the Central Bank requirements make the process easier.

Raise awareness and train developers

Awareness remains the key to convincing people and gaining security partners in your organization. Focus first on IT and DevOps: make them aware that they are responsible and part of the context, and that security must be owned by everyone. Train on OWASP, secure coding, code review, etc., and ensure that a secure SDLC process is in place.

Code Review and Vulnerability Scan

Technology is getting more advanced and you need to make sure the development team is prepared: invest in secure software development training and certifications such as (ISC)² CSSLP and application-level pentest (OSCP), and have scanning tools capable of checking for application- and code-layer flaws, including the OWASP Top 10, plus code review. Remember that a network/system scan is not capable of detecting web application flaws, and there are several solutions available, both free and paid.

Specialized Team

The security team needs to understand and know what it is doing, with professionals who think like a hacker; explore and learn from the bug bounty programs of the computing giants where applicable. Having a team member with pentest expertise is valuable.

Beware of Third Parties

Ensure that the vendor management process covers all business partners, cloud providers and service providers, and that a vulnerability management process is in place at each of them. If the process is flawed, keep an eye on it and demand that it be implemented before going to production.

Include This View in Project Risk Assessment

Introduce into the project risk assessment process the verification that the system, application and/or environment is up to date with the patching process in force, depending on the structure of your company. The ISO must always treat this process as a priority, align it with the risk management process and also include supplier assessment. I once identified a camera monitoring appliance (CCTV) running on the Windows platform without patch management or hardening, and unsupported.

Security or Hardening Checklist

This is a simple technical procedure that many do not follow. Changing a router's default password and properly configuring a web server is vital for survival. The entire technology estate must have a written security procedure, formalized and kept up to date by the responsible team.

The tips above will help build a good patch management process, but make sure you have a snapshot of the company's current security maturity and insight into the critical business processes mapped through a Business Impact Analysis (BIA), which will help define a good policy and focus on the heart of your organization. Also, do not trust every security solution: there have been encrypted attacks that some Web Application Firewalls (WAF) did not identify, so the key is to stay current, attend conferences and be aware of what the hacker community is talking about.

In summary, how to apply this process will vary from company to company. If you realize that the challenge is impossible to achieve and that, even using different skills, you cannot convince leadership whether or not to patch, this may not be a company for cyber security, or the choice is not the right one. It's time to break the paradigm, whether by changing the executives' mindset or by changing companies. Good luck!

* Rangel Rodrigues specializes in Information Security, is a CISSP, holds postgraduate degrees in Internet Networks and Information Security from FIAP and IBTA, and has an MBA in IT Management from FIA-USP.
