An enterprise invests considerable amount of time in its day to day scanning and managing patched for the infrastructure. But, an enterprise psychological analysis shows us otherwise i.e. most of the enterprises shy away from scanning and patching their business critical infrastructure in a fear of interrupting their already established critical applications. Another side of the story shows that, the enterprise test, scan and manage patches up to the staging elevation but fail to re-asses the same when they go live on production environment. The major challenge here is to convince the stakeholders about the end user impact after running a thorough security scanning and management of patches. Metasploit which is a famous exploit development toolkit adds several exploits to its repository on a monthly basis there by hinting to us that the threat vectors are increasing day by day. In this article we shall understand how to balance the security management with business operations.
Stakeholders generally frown on scanning and patching the critical infrastructure. This is because security teams are considered as a pain to the day to day operations for the rest of the enterprise and also the fact that security management in its real vigor is never atop the priority list for stake holders. For decades we have witnessed that, only after a breach, an enterprise strengthens its security infrastructure. Otherwise the security implemented is pretty mediocre.
Securosis Patch Management cycle: securosis.com
In the above image, we see the securosis patch management cycle representing the activities across any technology platform. The importance towards implementing stringent security measures and infrastructure is gaining value in the current decade, as we have seen maximum number of Data breaches and exfiltration happening around the world. Instead of staying isolated, security teams must work closely with the operations team so that, they are no longer considered intrusive by the rest of the organization. Each cycle of vulnerability assessment for business critical applications should include a thorough analysis of its impact on the operations as well as the threat surface presented by the organization. Generally, internal security teams run a set of automated tools and end the story by patching the suggested patches by well-known tools like Nessus and Accunetix. Not all production environments of the enterprise are a plug-n-play environment for the patches. Each production environment undergoes its own share of customization before going live to the end user. A logical error might lead to vulnerability/Zero day which the general automated scanner cannot detect.
Vulnerability scanning and management of patches must be more than just a compliance check which enterprises go through. The difference between a vulnerability assessment and penetration testing matters in these scenarios. Organizations undergo vulnerability assessment to see the attack surface exposed to the hackers whereas a penetration test would determine which among the following vulnerabilities is exploitable. There must be a lot of interaction with the business stakeholders and the security teams for a successful security analysis of the business critical applications. Most of the time, stakeholders do not completely understand the process behind the approach of Security teams. Owing to these, the stakeholders shy away from completely trusting the end user impact after the inspection. The stakeholders should understand the core difference between application level security and infrastructural security. In the infrastructural security the knowledge required about the hosts and services is minimal compared to application level assessment. Automated tools fail to completely cover the customized APIs and applications. Passive scans have their own advantages of not actively probing the target, thereby not disturbing the operational state of the critical applications. On the other hand detecting XSRF, SQLi, XSS etc. are not covered under passive scans. Enterprises need to understand that attackers generally attack the application layer more compared to infrastructure.
Most security practitioners advocate the frequent scanning of patches to manage and mitigate undiscovered risks. Applying security scanning at all phases: development, QA, staging, production and maintaining a strict program to avoid any kind of unexpected data breach. Threat modeling can be implemented right from the development stages to combat the security bugs in early lifecycle. This makes sure that developers as well as QA would learn to develop and test products being security aware. It’s always advised to hire professional firms to find difficult to find bugs after the internal teams complete their rounds of security tests. This would make sure that production environment would go live with little or no major security flaws knows to the enterprise. Over the past decade, most of security breaches and data exfiltration attacks happened over the production environment and the reasons are discussed above in detail.
Experts suggest that mirroring production environment and running security tests without causing any dreadful impact to customers is the way to proceed in continual security assessments. Continual security assessment is needed because; an application with unknown vulnerability today might be explored tomorrow for a Zero Day. Vulnerabilities found in mirrored environments can be used to produce a daily dose patch and get validated on the production environment. Making the process granular is the key here. Bugs raised must not be forgotten and must be patched based on priority. The efforts of bug hunting are only fruitful when the bugs are patched in a timely manner. Handling the way a patch is deployed in a system can differ from system to system. Suppose a patch is being deployed for a web application, then a couple of changes in the code and uploading to the server does the trick. But in case of operating systems, they might require a reboot in order to be effective. Load balancers play a critical role in patching of systems which need 24/7 uptime.
Remedying vulnerabilities is a never ending process and not every security test would give you threatening bugs. The catch here is to understand the vulnerabilities that are exploitable and its impact on the business as well as the end users.