By Al Hartmann

Vulnerability Lifecycle Management—Not Just a Good Idea, It’s Survival

The following headline hit the news last week on September 7, 2017:

ATLANTA, Sept. 7, 2017 /PRNewswire/ — Equifax Inc. (NYSE: EFX) today announced a cybersecurity incident potentially impacting approximately 143 million U.S. consumers. Criminals exploited a U.S. website application vulnerability to gain access to certain files. Based on the company’s investigation, the unauthorized access occurred from mid-May through July 2017.

Lessons from Past Debacles

If you like your job, value your role, and wish to retain it, then don’t leave the door open to attackers. A major data breach often begins with an unpatched vulnerability that is readily exploitable. And then the inevitable happens, the malefactors are inside your defenses, the crown jewels have left the building, the press releases fly, high-priced consultants and outside legal counsel rack up billable hours, regulators descend, lawsuits are flung, and you have “some serious ‘splainin’ to do”!

Here is a grim photo of one panel of “splainers” following the well-publicized OPM breach:

The head splainer on the left, Katherine Archuleta, did not survive this debacle. Neither did the head splainer in the Target breach survive. We have yet to see if the head splainer in the current Equifax breach will survive, as he is still in ‘splainin’ mode, asserting the breach began with the exploitation of an application vulnerability.

In such cases the usual rhumba line of resignations is – CISO first, followed by CIO, followed by CEO, followed by the board of directors shakeup (especially the audit and corporate responsibility committees). Don’t let this happen to your career!

Steps to Take Now

There are some commonsense steps to take to avert the inevitable breach catastrophe resulting from unpatched vulnerabilities:

  • Take inventory – Inventory all system and data assets and map your network topology and attached devices and open ports. Know your network, it’s segmentation, what devices are attached, what those devices are running, what vulnerabilities those systems and apps expose, what data assets they access, the sensitivity of those assets, what defenses are layered around those assets, and what checks are in place along all potential access paths.
  • Streamline and toughen up – Implement best practices recommendations for identity and access management, network segmentation, firewall and IDS configurations, operating system and application configurations, database access controls, and data encryption and tokenization, while simplifying and trimming the number and complexity of subsystems across your enterprise. Anything too complex to manage is too complex to secure. Choose configuration hardening heaven over breach response hell.
  • Continuously monitor and scrutinize – Periodic audits are necessary but insufficient. Continuously monitor, track, and assess all relevant security events and exposed vulnerabilities – have visibility, event capture, analysis, and archiving of every system and session login, every application launch, every active binary and vulnerability exposure, every script execution, every command issued, every networking contact, every database transaction, and every sensitive data access. Any holes in your security event visibility create an attacker free-fire zone. Develop key performance metrics, track them ruthlessly, and drive for relentless improvement.
  • Don’t accept operational excuses for inadequate security – There are always secure and effective operational policies, but they may not be painless. Not suffering a catastrophic data breach is way down the organizational pain scale from the alternative (see the OPM congressional panel photo). Operational expedience or operating legacy or misaligned priorities are not valid excuses for extenuation of poor cyber practices in an escalating threat environment. Lay down the law.
Get the General Here