1.) They run a vulnerability scan on their network, which identifies many missing patches and vulnerabilities related to a lack of server hardening.
2.) The organization goes into firefighting mode in which they run around trying to fix these vulnerabilities.
3.) The person in charge of running the vulnerability scans sends out a bunch of emails requesting various people in various departments to fix the vulnerabilities on systems and applications they administer.
4.) Some of these people respond by remediating these vulnerabilities, but others are not so responsive and require continuous follow-up.
5.) Finally, after many meetings, arguments, Google searches and training sessions, the vulnerabilities from the scan report have been addressed. By then it is time to run another scan, and the process starts all over again. The person in charge of running the scans sighs heavily and thinks to themselves…“there has got to be a better way.”
Desired State (Love is an irresistible desire to be irresistibly desired)
Ideally, vulnerability scans should identify fewer vulnerabilities over time, until the organization reaches the point where there are only a few left to discover. This happens when the organization takes the vulnerabilities the scanner identifies and addresses each one at the root of the problem. When a scanner identifies a missing patch or a vulnerability related to a misconfiguration, it is important to remember that the real problem goes much deeper. Most of the time the problem can be traced back to the program level: the change management program, patch management program, system hardening process, security awareness training, or password management program. By making changes at the program level, most organizations can greatly reduce the likelihood of similar vulnerabilities appearing in the future, and thus greatly improve their security posture.
How to Get There (If you don’t know where you’re going, any road will get you there)
By performing root cause analysis on each vulnerability the scanner identifies, an organization can effectively find and address the issue at the root of the problem. Many times the root cause of one vulnerability is the same as the cause of others within the environment. One of the easiest ways to perform root cause analysis is to ask the Five Whys: ask the question “why” five times in order to get to the underlying cause of a problem.
Here’s an example showing how the Five Whys might play out.
A scan was run on an organization’s network and it identified that a new MS-SQL server had a blank System Administrator (SA) password configured on it. This is a very severe vulnerability which has allowed me to gain administrator access to many servers during Internal Attack and Penetration assessments throughout the years.
1.) Why does this server have a blank SA password? – No one configured a password on the SA account.
2.) Why did no one configure a password on the SA account? – This was a new server build and the person who configured the server did not know that they should place a password on the SA account.
3.) Why did the person not know that they should place a password on the SA account? – This person did not know that this was an important task when configuring a new server.
4.) Why did the person who configured the server not know that this was an important task? – Because they were never trained in the fact that it is important to harden a system before placing it in production.
5.) Why was this person never trained on system hardening? – Because system hardening is not part of the process for new server builds, so this sort of training is not considered applicable to the employee’s role.
Strategic Change (The supreme art of war is to subdue the enemy without fighting)
In our example we can see how what appeared to be an oversight or negligence on the part of the person who performed the server build was actually a gap in the server build process. By requiring system hardening of servers before they are placed in production, the organization can reduce the chances of this vulnerability (as well as similar vulnerabilities) appearing on the organization’s network in the future. Thus, strategic changes improve an organization’s security posture over time by identifying and addressing program-level gaps, as opposed to tactical fixes that only benefit the organization in the short term by addressing the immediate vulnerabilities. Additionally, the people involved in running scans and remediating vulnerabilities will have more time to spend on productive tasks.
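One way to tell a program-level gap from a tactical one is to look at how findings recur across successive scans. The following is an added example, not code from the original post: over a constructed scan history it separates findings that persist on the same host (a remediation follow-up gap) from findings that arrive on newly built hosts (a build-process gap, the case in the SA password example above) or reappear on a known host (a change management gap). The host names, category labels and hints are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed scan history (not from the original post). Each scan lists the
# hosts it covered and the (host, finding category) pairs it reported.
SCANS = [
    ("scan-1", {"hosts": {"db01", "db02", "web01"},
                "findings": {("db01", "blank-sa-password"),
                             ("db02", "blank-sa-password"),
                             ("web01", "missing-patch")}}),
    ("scan-2", {"hosts": {"db01", "db02", "db03", "web01"},
                "findings": {("db01", "blank-sa-password"),  # never fixed
                             ("db03", "blank-sa-password"),  # new build, same weakness
                             ("web01", "missing-patch")}}),
    ("scan-3", {"hosts": {"db01", "db02", "db03", "db04", "web01"},
                "findings": {("db03", "blank-sa-password"),
                             ("db04", "blank-sa-password"),  # another new build
                             ("db02", "blank-sa-password"),  # fixed earlier, came back
                             ("web01", "missing-patch")}}),
]

def classify(scans):
    """For every scan after the first, bucket each finding by how it got there:
    carried_over - same host and category as the previous scan (fix never applied)
    new_host     - host never scanned before (new build arrived with the weakness)
    regressed    - known host, finding absent last time (reintroduced by a change)
    Returns {scan_id: {category: {bucket: count}}}."""
    report, prior_hosts, prev_findings = {}, set(), set()
    for scan_id, scan in scans:
        buckets = defaultdict(lambda: {"carried_over": 0, "new_host": 0, "regressed": 0})
        if prior_hosts:  # the first scan has no baseline to compare against
            for host, cat in scan["findings"]:
                if (host, cat) in prev_findings:
                    buckets[cat]["carried_over"] += 1
                elif host not in prior_hosts:
                    buckets[cat]["new_host"] += 1
                else:
                    buckets[cat]["regressed"] += 1
            report[scan_id] = dict(buckets)
        prior_hosts |= scan["hosts"]
        prev_findings = scan["findings"]
    return report

def root_cause_hint(counts):
    """Point at the program a Five Whys chain would most likely end at.
    The wording is a constructed heuristic, not a standard taxonomy."""
    hints = []
    if counts["new_host"]:
        hints.append("build/hardening process: new systems arrive with this weakness")
    if counts["regressed"]:
        hints.append("change management: weakness reintroduced on a known host")
    if counts["carried_over"]:
        hints.append("remediation follow-up: finding persists on the same host")
    return hints
```

A category whose `new_host` count keeps growing is the signature of the server build gap in the example: each fix is tactical, and every new build reintroduces the weakness until hardening becomes part of the build process.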
In the end, vulnerability scanning should essentially be a process that identifies weaknesses in existing security processes rather than simply identifying vulnerabilities in the existing environment.