Visually highlighting flaws and vulnerabilities - how to tidy your universe

PLANETPENTEST highlights missing patches and penetration test issues on a large external network

In Tenable’s 2020 Threat Landscape Retrospective, 3 out of the top 5 vulnerabilities dated back to 2019 or before and 4 of them related to edge or VPN technology. This is startling and raises a number of questions as to how these vulnerabilities can have gone unpatched or unfixed for so long. Maybe one of the answers is that they get lost in the swamp of vulnerability scan data, threat metrics and other priorities that are thrown at those responsible these days; maybe it was exceptional to 2020 as the world and working practices shifted on their axis. Though, given that CVEs reported yearly rose, again, from 17,305 to 18,358 (an average year-on-year growth rate of 36.6% since 2015), I doubt it. We need a better way to highlight these issues in order to improve our security posture.

TOP 5 VULNERABILITIES IN 2020

  1. ZEROLOGON - CVE-2020-1472

  2. CITRIXADC/GATEWAY/SDWAN/WAN-OP - CVE-2019-19781

  3. PULSECONNECT SECURE SSL VPN - CVE-2019-11510

  4. FORTINET FORTIGATE SSL VPN - CVE-2018-13379

  5. F5 BIG IP CVE-2020-5902

It’s a challenge

In order to improve the security posture of an organisation, the under-appreciated soul that’s responsible for the issue (usually a Senior Information Risk Owner (SIRO) or CISO) has to first quantify, visualise, demonstrate and share the size of the issue at hand. This is a hard task given the plethora of sources from which they have to collect and glean information. That’s if the information exists or is current. Vulnerability management tools, a multitude of monitoring tools, audit reports, obsolete asset registers, disparate penetration testing reports, anecdotal evidence, hearsay and even breach reports are just some of the inputs a SIRO has to decipher in order to build a picture of an organisation’s information risks. Even then s/he won’t have a picture. They’ll more than likely have a spreadsheet. Probably a very big and diligently populated spreadsheet, but a spreadsheet nonetheless.

This spreadsheet will then be sliced, diced, tarted-up and colour-coded before it is sent (probably via email) to all the individual risk owners (systems owners, admin teams, management teams etc.) and, reluctantly, the Risk Committee and Exec Board. The SIRO then gets to wait a while. Send the odd chase-up email. Take on a Project Management role. Scratch their head a bit. Eventually, if they’re lucky, they’ll receive several versions of their spreadsheet back. Some may even have been updated; some may even be in the same format they were sent out in. It’s unlikely though.

From here the lucky SIRO can keep themselves busy compiling a single version of the spreadsheet to show, some weeks later, that very little progress has been made.

PLANETPENTEST can change all this

By ingesting vulnerability and penetration test data from multiple sources at any time, SIROs can consolidate their data into one database from which risk comparisons can be drawn. All vulnerabilities and penetration test issues are automatically ranked by an algorithm that takes into account several risk factors:

  • Severity (s): to what level would exploitation of the issue compromise its host or application?

  • Probability (p): what is the likelihood of the issue being exploited?

  • Fixability (f): how readily available are patches, updates or remedies (and for how long have they been)?

  • Exploitability (e): how easily can this issue be exploited? Are exploit kits available in the wild?

  • Impact (i): how badly does the presence of this issue threaten the organisation?

  • Priority (v): how important to the organisation is it that this is fixed?

  • Integrity (t): could the integrity of the host or application compromise other systems?

and is given a Fix score where:

plantpentest-alorithm.png

Once assets are assigned to Individual Risk Owners (IROs), they then delegate out the fixes to sysadmins/fixers/patchers across multiple teams and/or 3rd parties. SIROs and IROs are able to prioritise fixes according to business priority (possibly an application release date or audit deadline), which will promote certain fixes to the top of the queue. We know that psychology plays a big role in getting the right things done. Sometimes individuals need to be incentivised to work on difficult or boring things, so that’s exactly what we’ve done. The higher the fix score, the more points the fixer accumulates on the Leaderboard. Once a fixer has cleared their priority queue they are then incentivised to autonomously address the Bounty List to identify the highest scoring issues and vulnerabilities that they can fix to enhance their score. PLANETPENTEST is then able to show us not only where an organisation stands at any given point in time in terms of risk and compliance, but also:

  • Who is doing all the remediation and who isn’t.

  • Which IROs are actively reducing risk, just accepting risk or maintaining a high risk position.

  • Which systems, networks, operating systems etc. are representing the most risk.
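As an added illustration (not PLANETPENTEST’s own code, and not its unpublished scoring algorithm), here is a small Python model of the workflow described above: an assumed weighting over the seven factors listed, business-priority promotion to the top of the queue, a fixer leaderboard and the open risk each IRO is carrying, run over constructed findings that borrow the CVE numbers from the top-5 list. The factor ratings, weights, owner and fixer names are all invented for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed weights for the seven factors the post names (s, p, f, e, i, v, t).
# Illustrative only: the post does not publish PLANETPENTEST's actual formula.
WEIGHTS = {"s": 2.0, "p": 1.5, "f": 1.0, "e": 1.5, "i": 2.0, "v": 1.0, "t": 1.0}

@dataclass
class Finding:
    cve: str
    iro: str                        # Individual Risk Owner of the affected asset
    factors: Dict[str, int]         # each factor rated 0-10 (assumed scale)
    fixed_by: Optional[str] = None  # fixer who closed it; None while still open

def fix_score(f: Finding) -> float:
    """Weighted sum of the seven factors; 100.0 is the worst possible finding."""
    return round(sum(WEIGHTS[k] * f.factors[k] for k in WEIGHTS), 1)

def priority_queue(findings: List[Finding], promoted: Tuple[str, ...] = ()) -> List[Finding]:
    """Open findings only: business-promoted CVEs first, then by descending fix score."""
    open_items = [f for f in findings if f.fixed_by is None]
    return sorted(open_items, key=lambda f: (f.cve not in promoted, -fix_score(f)))

def leaderboard(findings: List[Finding]) -> List[Tuple[str, float]]:
    """Points per fixer: the higher the score of what they fixed, the more points."""
    board: Dict[str, float] = {}
    for f in findings:
        if f.fixed_by:
            board[f.fixed_by] = board.get(f.fixed_by, 0.0) + fix_score(f)
    return sorted(board.items(), key=lambda kv: -kv[1])

def risk_by_owner(findings: List[Finding]) -> Dict[str, float]:
    """Open risk each IRO still carries (0.0 once their queue is cleared)."""
    carried = {f.iro: 0.0 for f in findings}
    for f in findings:
        if f.fixed_by is None:
            carried[f.iro] += fix_score(f)
    return carried

# Constructed sample data: the post's top-5 CVEs with invented ratings and owners.
SAMPLE = [
    Finding("CVE-2020-1472", "AD team", dict(s=10, p=9, f=10, e=10, i=10, v=8, t=10)),
    Finding("CVE-2019-19781", "Network", dict(s=9, p=8, f=10, e=9, i=8, v=5, t=7), "alice"),
    Finding("CVE-2019-11510", "Outsourced MSP", dict(s=9, p=7, f=9, e=8, i=9, v=4, t=6)),
    Finding("CVE-2018-13379", "Network", dict(s=7, p=7, f=10, e=9, i=6, v=3, t=5), "bob"),
    Finding("CVE-2020-5902", "Outsourced MSP", dict(s=10, p=8, f=9, e=9, i=8, v=9, t=7)),
]
```

Promoting the Pulse Secure CVE for an audit deadline puts it ahead of the higher-scoring Zerologon finding, while the Outsourced MSP shows up as the owner carrying the most open risk.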

If people aren’t pulling their weight or fixing issues, PLANETPENTEST will automatically send a reminder, just to jog the memory. This can be invaluable when collaborating across teams or even 3rd party suppliers (for example, being able to see whether your cloud provider or MSP has applied necessary patches). The platform also provides a direct chat function to the penetration testing team so that fixes can be re-tested, queries and questions answered and assistance provided immediately. All these functions save countless hours across many teams and create an inclusive, collaborative system for remediation, which means that when the proverbial hits the fan, the organisation is in a very strong position to respond.

planetpentest-leadboard-risk-owner.jpg

This screenshot shows, on the left, the leaderboard of fixers who have achieved the highest score by fixing issues found in penetration test results across the universe (IT estate). On the right, the graph shows how much risk each Individual Risk Owner is carrying, fixing or accepting. This includes an outsourced MSP.

What’s most impressive about the PLANETPENTEST platform is that it’s not expensive. We calculate that by spending an extra 30-40% of your penetration testing budget (for a PLANETPENTEST subscription) you will get returns in efficiency alone (let alone any costs of breach) of over 1,000% in time saved by the CISO, remediation/sysadmin teams, Individual Risk Owners, network managers etc.

So what are you waiting for? Go tidy your universe!
