Security – Processes built around solutions and products

Every time I meet a client to discuss cyber security and its importance, the reply is mostly along the lines of: "I have the best firewall, etc., so I am secure. So why do I need to worry about security when my firewall/IDS will take care of it?"
Yes, one may have the best perimeter security devices, but then I ask them how much security testing they should be doing. I end up describing the basic security controls they have, in order to explain where perimeter security ends and unknown vulnerabilities take over. Perimeter security is like physical security: the guards at your office entrance gates. These security people have been given directions on what to check and what to allow inside, for example not to allow a person entry without an escort. A perimeter security device does the same: it only follows what it has been asked to do, such as monitoring any device or application for activity it is not supposed to perform. But can it detect something truly unknown, such as a zero-day vulnerability?
I do agree that you need these devices to secure your networks from known vulnerabilities, but the big question remains: "How do we protect against a ZERO DAY vulnerability?" The big question I get asked is, "Mohit, a ZERO DAY VULNERABILITY? How can you discover something which is unknown? You expect us to believe there is a zero day and our perimeter security devices cannot discover it?" My answer is yes: there are zero-day or unknown vulnerabilities which have not been reported and may be present in your applications, appliances or network devices. It is difficult for people to believe this, so I generally use a layman's example to explain.
Before we move forward, let us understand a little about vulnerability management. Wikipedia defines vulnerability management as the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", especially in software and firmware. Vulnerability management is integral to computer security and network security (http://en.wikipedia.org/wiki/Vulnerability_management).
Vulnerability management can be defined as an ongoing, continuous process which covers identifying, classifying, remediating and mitigating vulnerabilities. Organizations use vulnerability management to defend against the exploitation of vulnerabilities in company applications, software and networks. Network analysis of all critical elements helps identify the key vulnerable elements, whether applications or appliances; these network elements and applications are then tested for known as well as unknown (zero-day) vulnerabilities. The next step is classifying the findings and then creating actionable points to address and mitigate these vulnerabilities. In brief, vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.
An organization that creates a process to effectively implement vulnerability management will be significantly safer from data breaches and theft. The biggest challenge for organizations is to have the correct set of tools to address these issues. Some tools are used because the "I have used them before" or "someone has used them before" syndrome creeps in, but the question is: do those tools suffice, do they address present needs, and are they even required? In a recent client meeting this issue cropped up vehemently. The client had a senior technical resource who had over 15 years' experience in the IT and telecom industry. The discussion started with "Well, we want to test all our purchased applications and devices for cyber security and unknown vulnerabilities." The discussion went on in a serious tone and I started describing the process to the client.
We broke the problem into known and unknown vulnerability management, and the client liked the approach, when the senior technical resource jumped in and said, "What about generating load and conducting performance and conformance testing, and checking for security vulnerabilities?" I stopped, paused, and asked, "What about conformance and performance testing? What do you wish to do about it?" Prompt came the reply: "Well, how can your tools help us to do that?"
Then I shared with them that this portion of testing is not a part of security testing. It is part of conformance and performance testing: if the product OEM says a particular device or port can handle X GB of throughput or data, those tools help verify whether it actually meets the stated requirements. Unknown vulnerability testing is not related to conformance or performance testing.
After providing the client with some more examples and re-emphasising that those tools should be used only for performance and conformance testing, the client got the picture and we moved on to discussing known vulnerability management. This topic is heavy and is not limited to testing applications for known vulnerabilities; it also includes code rot, the decay of software code over time.
My interactions were not limited to the seniors in the industry but spanned all levels. A common thread to all was discovery. Discovery, I realized, was limited to following and implementing what had been done by others. There was no real discovery, and organizations limited it further. During these discovery discussions with a few of them we unearthed a lot of information. Such information, though available, was known to only a few and seldom shared. This helped us identify a number of gaps in their processes.
During these discovery discussions we emphasized going beyond the usual in security testing, discussing more than just the tools and the processes, and helped organizations create a combination that encouraged and built a stronger supply chain. In some cases, thanks to the availability of the teams, we were able to fix these gaps and define clear next steps.
A quick recap of what has been happening in the past 5 years: ransomware attacks and, more recently, the COVID-19 scams. Cyber threats are evolving as people find ever more ingenious ways to make a quick buck. In the past we have seen a series of cyber-attacks using the SWIFT banking network, which resulted in the successful theft of millions of dollars. The attacks in Bangladesh were reported to be perpetrated by a hacker group nicknamed "Lazarus" by researchers, the same group considered responsible for the 2014 Sony Pictures Entertainment hack. These have been linked to North Korea, and if true this would be the first known incident of a state actor using cyber-attacks to steal funds. Even banks in India were compromised. I won't go into the details of how it all happened, as much has been discussed and printed already. However, what I would like to bring to notice is the fact that hacking is getting specialized, just like doctors. We have specialists who are knowledgeable about the environment and the workings of particular domains.

What this means is that organizations need to have more of these discovery processes and be proactive. My discovery process also got a little bigger, and I started asking organizations about the following:

1) Education: consumption, absorption, implementation and usage within organizations. Education existed, but there was no way its consumption was being measured. Most of them had vendors and teams helping to educate through multiple activities, but measuring consumption and absorption was missing. To prove my point, I asked a few of them to create a hotspot on the phone they were using for official work; the passwords they chose included their personal information. They got the message: we measure what we treasure.

2) Tool usage and processes were like cut and paste. Why are you using such a configuration or such and such tools? The reply was apt, prompt and expected: "Well, the leader in the domain is using it", or "We have a mandate from our regulator and we are using it", or "We have problem 1 and for this we are using solution 1". On probing and discovery, they realized it was a case of "Do we actually need all this?", or "You are right, we need to reinvent our process to enable us to be proactive and reduce the tools which are there as furniture items." The message was well taken, but then there was another issue.

3) Skill sets and lack of trained manpower. So how many people do you have, and what skill sets do they possess to help out? This was a major challenge across the board. It mostly boiled down to tool specializations, with most agreeing that they were being drained into transactions. These tools were consumed because the organizations were following directives from their respective statutory bodies, and more often than not this was done to tick a box for compliance.