The big question I get asked: "Mohit, a zero-day vulnerability? How can you discover something which is unknown? You expect us to believe there is a zero-day and our perimeter security devices cannot discover it?" My answer is yes: there are zero-day, or unknown, vulnerabilities which have not been reported and may exist in your applications, appliances or network devices. It is difficult for people to believe, so I generally use a layman's example to explain.
Before we move forward, let us understand a little about vulnerability management. Wikipedia defines it as the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", especially in software and firmware, and notes that vulnerability management is integral to computer security and network security (http://en.wikipedia.org/wiki/Vulnerability_management).
Vulnerability management, then, is an ongoing, continuous process that covers identifying, classifying, remediating and mitigating vulnerabilities. Organizations use it to defend pre-emptively against the exploitation of vulnerabilities in their applications, software and networks. Analysis of all critical network elements identifies the key vulnerable components, be they applications or appliances; those elements and applications are then tested for known as well as unknown (zero-day) vulnerabilities. The next step is to classify what is found and turn it into actionable items that address and mitigate each vulnerability, after which the cycle starts again.
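The cycle above is easier to see as code. The following is an added example, not something from the original post or from any product: a minimal identify, classify and prioritise pass over a constructed asset inventory and a constructed advisory feed. The product names, versions, advisory identifiers and CVSS scores are all made up for illustration; the severity bands are the standard CVSS v3 qualitative ratings.

```python
# Added example: a minimal identify -> classify -> prioritise pass of the
# vulnerability-management cycle. All assets, advisories and scores below are
# constructed for illustration; they are not real CVEs or real product data.
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed identifier, not a real CVE
    product: str
    fixed_in: str             # first version that carries the fix
    cvss: float               # CVSS v3 base score, 0.0-10.0
    fix_available: bool


def parse_version(v: str) -> tuple:
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically,
    not lexically ('2.4.9' < '2.4.49' must hold). Assumes purely numeric
    dotted versions; real feeds need a fuller version parser."""
    return tuple(int(part) for part in v.split("."))


def classify(cvss: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def identify(assets, advisories):
    """Step 1: match every asset against every advisory for the same product.
    An asset is affected when it runs a version older than the fixed one."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if adv.product != asset.product:
                continue
            if parse_version(asset.version) < parse_version(adv.fixed_in):
                findings.append((asset, adv))
    return findings


def plan(findings):
    """Steps 2-4: classify each finding, decide remediate vs mitigate, and
    order the work: internet-facing hosts first, then by severity."""
    rank = {"critical": 4, "high": 3, "medium": 2, "low": 1, "none": 0}
    items = []
    for asset, adv in findings:
        sev = classify(adv.cvss)
        if adv.fix_available:
            action = f"remediate: upgrade {adv.product} to {adv.fixed_in}"
        else:
            action = f"mitigate: no fix yet, restrict exposure of {adv.product}"
        items.append({
            "host": asset.host, "advisory": adv.advisory_id,
            "severity": sev, "action": action,
            "internet_facing": asset.internet_facing,
        })
    items.sort(key=lambda i: (i["internet_facing"], rank[i["severity"]]),
               reverse=True)
    return items


# Constructed sample inventory and advisory feed.
ASSETS = [
    Asset("web-01", "exampled", "2.4.9", internet_facing=True),
    Asset("db-01", "exampledb", "13.2", internet_facing=False),
    Asset("web-02", "exampled", "2.4.50", internet_facing=True),
]
ADVISORIES = [
    Advisory("ADV-0001", "exampled", "2.4.50", cvss=9.8, fix_available=True),
    Advisory("ADV-0002", "exampledb", "13.3", cvss=6.5, fix_available=False),
]


def run():
    return plan(identify(ASSETS, ADVISORIES))


if __name__ == "__main__":
    for item in run():
        print(item["host"], item["severity"], item["advisory"], item["action"])
```

Two details matter in practice: versions must be compared numerically (a string comparison would call 2.4.9 newer than 2.4.49), and a finding with no fix available is a mitigation item, not a patching item, which is why the plan splits the two.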
Organizations that build a process around vulnerability management and implement it effectively will be significantly safer from data breaches and theft. The biggest challenge for organizations is having the correct set of tools to address these issues. Some tools are used because the "I have used them before" or "someone else has used them before" syndrome creeps in, but the question is: do those tools suffice, do they address the present needs, and are they even required?
In a recent client meeting this issue cropped up vehemently. The client had a senior technical resource with over 15 years' experience in the IT and telecom industry. The discussion started with "Well, we want to test all our purchased applications and devices for cyber security and unknown vulnerabilities." The discussion went on in a serious vein and I started describing the process to the client. We broke the problem into known and unknown vulnerability management, and the client liked the approach, when the senior technical resource jumped in and said, "What about generating load and conducting performance and conformance testing to check for security vulnerabilities?" I stopped, paused, and asked, "What about conformance and performance testing? What do you wish to do about it?" The prompt reply was, "Well, how can your tools help us do that?" I then explained that this portion of testing is not part of security testing; it belongs to conformance and performance testing, whose tools verify whether a product meets the OEM's claim that a particular device or port can handle X GB of throughput or data, and that unknown vulnerability testing is not related to conformance or performance testing.
After I gave the client some more examples and re-emphasised that those tools should be used only for performance and conformance testing, the client got the picture and we moved on to discussing known vulnerability management. This topic is heavy and not limited to testing applications for known vulnerabilities; it also includes code rot, the decay of software code over time.
What this means is that organizations need more of these discovery processes and need to be proactive. My own discovery process also grew a little, and I started asking organizations about the following:
1) Education: its consumption, absorption, implementation and usage within the organization. Education existed, but there was no way its consumption was being measured. Most organizations had vendors and teams helping to educate through multiple activities, but measuring consumption and absorption was missing. To prove my point, I asked a few of them to create hotspots on the phones they used for official work, and the passwords they chose included their personal information. They got the message: we measure what we treasure.
2) Tool usage and process were cut and paste. Why are you using such a configuration, or such and such tools? The reply was apt, prompt and expected: "Well, the leader in the domain is using it", or "We have a mandate from our regulator and we are using it", or "We have problem 1 and for this we are using solution 1." On probing and discovery, they realized it was a case of "Do we actually need all this?", or "You are right, we need to reinvent our process to enable us to be proactive and reduce the tools that are there as furniture items." The message was well taken, but then there was another issue?