The importance of asset visibility in the detection and remediation of vulnerabilities
“You can't manage what you can't measure,” said Management guru Peter Drucker.
Similarly, in cybersecurity, you can’t detect or remediate vulnerabilities endpoints you can’t see. Asset visibility, then, is an essential first step in understanding an organization’s risk profile, identifying threats, and rapidly deploying fixes.
“Creating and managing an accurate inventory of internet-facing assets and being able to identify potential exposures and vulnerabilities has become a key focus for many organizations,” said Nabil Hannan, Field Chief Information Security Officer at NetSPI.
Learn Vulnerability Management
That may sound easy to do but can be challenging in practice. According to a report by Ivanti, popular vulnerability scanners often miss key vulnerabilities. 3.5% of ransomware vulnerabilities, for example, are being missed. The number rises higher for other forms of vulnerability.
The situation of unspotted vulnerabilities has worsened in recent years due to the shift in the workplace from the office to the home. As a result, the external facing attack surface has evolved. Far more enterprise assets are exposed to the internet. They connect to a multitude of cloud-based and on-premises systems. This makes life easier for cybercriminals.
Undetected and Unpatched Vulnerabilities Proliferate
In such a climate, organizations must be on their toes when it comes to spotting and addressing potential threats. Sadly, that is not always the case. Despite almost 18 months of alerts and heavy publicity about the Log4j vulnerability as well as the existence of patches, it continues to be exploited.
"As the Log4j vulnerability shows, discovering, mitigating, and fixing vulnerabilities as soon as possible is more important than ever to good cyber-hygiene," said Michelle Abraham, an analyst with IDC. "Leaving vulnerabilities without action exposes organizations to endless risk since vulnerabilities may leave the news but not the minds of attackers."
Storage and backup software, for example, can sometimes present an easy breach pathway for attackers. Continuity Software detailed almost 10,000 discrete security issues, vulnerabilities and misconfigurations detected across commonly used storage and backup systems.
Learn Vulnerability Management
“The typical enterprise storage or backup device has 14 vulnerabilities on average,” said Doron Pinhas, CTO at Continuity. “Out of those three are high or critical risk.”
Raising Asset Visibility
No wonder raising asset visibility has become a priority of the Cybersecurity and Infrastructure Security Agency (CISA). It recently published a directive to Federal Civilian Executive Branch (FCEB) agencies, mandating continuous vulnerability scanning across all devices, endpoints and systems operating on their networks.
They are now required to:
1. Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.
2. Perform automated asset discovery every seven days. While many methods and technologies can be used to accomplish this task, at minimum this discovery must cover the entire IPv4 space used by the agency.
“The basic requirement to know what you have in your infrastructure has a major impact on your ability to manage risk,” said Yossi Appleboum, CEO of Sepio.
With tens of millions of devices within the government, insecurity in one device could expose a great many agencies and systems. In extreme cases, it could represent a danger to national security. CISA has effectively stepped up the heat on agencies to ensure they are doing all they can to increase asset visibility.
Too Narrow a Focus
A single, regular scan from one tool is a good place to start. But it is far from enough. Appleboum pointed out that vendor focus can cause scans to target too narrow an area. This can lead to holes in inventorying and lack of awareness of potential threats. For example, there is a big difference between the risk posed by software and that posed by infrastructure on the hardware side.
“Some technologies today are trying to apply a software way of mapping and understanding risk to a hardware environment,” he said. “It’s not efficient, it’s not scalable and not accurate enough.”
By viewing things purely from the software perspective, vulnerabilities may be missed. Appleboum said that in some cases, an understanding of diverse areas such as physics, electronics, Ethernet and Wi-Fi may be required to be able to inventory and assess all possible risks.
He cited the example of traffic and activity monitoring. While it is a good tool in itself, it is limited by the fact that a silent presence within the network is not picked up. If a threat actor breaks in and lies dormant, reliance on traffic monitoring won’t do you any good.
Hence, there is room in cybersecurity for people from multiple disciplines and for those who can combine several skill sets. As well as cybersecurity or networking expertise from a largely software perspective, the industry needs more people who have a firm grip on the infrastructure engineering side.
“I would recommend building your knowledge around an understanding of the overall ecosystem,” said Appleboum.
Learn Vulnerability Management
Scan Regularly
Appleboum and others make it clear that too specialized a view of the enterprise leads to lower asset visibility and heightens risk as some vulnerabilities may be missed. Those implementing the CISA directive to conduct regular vulnerability scans on all systems and endpoints, therefore, are advised to:
- Update vendor signatures used in vulnerability detection within 24 hours from the point or release by the vendor
- Include mobile devices as part of the group of devices scanned.
- Deploy multiple scanners and scanning types. It is wise to use a mix of vendor-based and open-source vulnerability scanners as well as those specializing in specific areas such as storage and backup.
- Ensure that hardware and infrastructure elements are inventoried and assessed as these may be missed by software-focused scanners.
“Scanning should not be limited to once a month, as is currently common among traditional vulnerability management tools,” said Graham Brooks, Senior Security Solutions Architect at Syxsense. “Scans should be performed on an ongoing basis.”
To learn more about the art of asset detection on any scale, check out the full Cyber Work episode with Yossi Appleboum.
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- The importance of asset visibility in the detection and remediation of vulnerabilities
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- Whitespace obfuscation: PHP malware, web shells and steganography
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get free resources in your inbox!
Sign up for our newsletter and get free cybersecurity resources in your inbox every week. Prepare for your next cert, learn new skills, increase your salary and more!
Vulnerabilities
Vulnerabilities
Vulnerabilities