In today’s security ecosystem, there are several technologies/programs that are considered to be the old dogs. They’ve been around the block a few times, have a few gray hairs, and just aren’t as sexy anymore. Most companies have had these technologies for years now, and they typically don’t get the headlines that some of the newer, hotter technologies are getting. Antivirus, Email Security, Firewalls, and Vulnerability Management are a few of these. It’s hard to compete with big-data-machine-learning-predictive-intelligent-analytics for press when you’re a technology that first emerged before Y2K.
However familiar these technologies are, they are still incredibly valuable and a necessity to any organization even remotely concerned with security. Vulnerability Management is one of these critical programs: it has been around for a while, but it is vital for organizations to follow in order to remain safe from attacks. This was highlighted by a speech given at the recent Usenix Enigma security conference in San Francisco by Rob Joyce, the head of the Tailored Access Operations for the NSA, who has been with the NSA for more than 25 years. This organization is responsible for the “official” hacking done by the United States and is also a leader in providing the tactics used by nation states for hacking. If there is a strategy used by hackers, Rob Joyce would know it.
“Even temporary cracks, vulnerabilities that exist in a system for days or even hours, are targets for the NSA” - Joyce
In the presentation, available here, Mr. Joyce - dubbed the “hacker in chief” by Wired - didn’t cover the details of how they perform their own offensive security maneuvers; instead, he reviewed an array of best practices designed to reduce an organization’s risk. In covering best practices, he described how evident and important vulnerability management is. Nation States and APTs (Advanced Persistent Threats, i.e. Bad Guys) will watch a network for extended periods of time waiting for a chance to get in. They don’t have an endless supply of 0days they rely on for penetration. Temporary openings or briefly exploitable vulnerabilities are utilized to gain access the majority of the time.
The risk of un-patched vulnerabilities is also evident in the recent history of real-world attacks. Over the last year, several major attacks could be attributed to exploited known vulnerabilities. In addition, the 2015 HP Cyber Risk Report stated that almost half of the breaches analyzed were enabled by the persistence of old (and sometimes known) vulnerabilities. Furthermore, the report made it clear that in 2015 there was an increase in the prevalence of monetization of vulnerabilities.
“To ward off a persistent actor, you really need to invest in continuous defensive work” - Joyce
At Rapid7, we understand that this is still an area that is critical for organizations to protect, and that is why we have Vulnerability Management as a key component in our Threat Exposure Management set of solutions. One of the key features we’ve developed specifically to address this issue is Adaptive Security in Nexpose. Adaptive Security helps you reduce the time required to understand risks brought about by an ever-changing environment by allowing actions to be automated based on certain triggers. For instance, if a new CVE is released, Nexpose will automatically scan your environment for the existence of any vulnerable assets. This is a good approach because it doesn’t over-tax your network with constant scanning, but only scans after critical events. Additionally, when a new asset joins the network, Nexpose can automatically scan the asset or categorize it appropriately. More information on Adaptive Security is available here.
So make sure you’re doing your best to keep your systems up to date with the latest patches. In order to create and maintain a more secure environment, you should make sure you know your network, poke and prod your network, and keep your vulnerabilities patched. Don’t take some of the ‘old dogs’ in your security infrastructure for granted.