Security testing reports exist to give rational direction to your vulnerability management activities, but only if you a) understand the logic behind the scoring methodology and b) can decode the metrics used for scoring. It sounds simple in principle. But there are many metrics under the Base Metric Groups in the Common Vulnerability Scoring System (CVSS), and how often do you hear them described in terms of operational impact? What is the real risk?
Using the most common high-Impact vulnerabilities found in our customers’ systems this year as examples, Penetration Tester Tom Barber will answer this key question in his upcoming session on November 17. Attendees will begin to understand the process behind contextual vulnerability scoring, know what to look for in vulnerability reports, and have more confidence to design frameworks for pragmatic, risk-based prioritisation. You can register for the session here.
In preparation, Tom gave us some of his time to provide an overview of his role and the content lined up for November.
Hey Tom. How long have you been at Claranet now?
Tom: Nearly 2 years – which works out at about 700 days of security testing.
What’s your role exactly?
Tom: I’m a Penetration Tester in our Continuous Security Testing team. That means I do the targeted, manual testing work alongside the automated scanning part.
Do you specialise in any areas of pentesting specifically?
Tom: Web applications especially (which is a big focus in Continuous Security Testing). That’s backed up with some programming skills as well.
What’s the most interesting thing about your job?
Tom: Every day is different. Every customer has their own unique infrastructure, applications, and setups, which gives me new and interesting challenges for every job.
What are you most looking forward to sharing during the session?
Tom: We’re very proactive in explaining vulns and scores in reports or service reviews, but our customers are busy. There’s nothing like spending an entire session showing the research we’ve done and explaining what it means for real businesses. I’m looking forward to having the time to do that.
Why have you decided to focus on the Impact metric?
Tom: Every metric is important obviously, but I chose Impact because it indicates the severity of potential consequences following exploitation. That’s really interesting and it’s important to our customers who are thinking “how could this one thing actually affect my company?”.
If there was one piece of advice you could share with organisations about their approach to patching and vulnerability management, what would it be?
Tom: When it comes to patching, and vulnerabilities in general, there’s no silver bullet. You have to address the whole context of your security. To be as secure as possible, you should follow a Defence in Depth strategy, so that if one component is compromised, additional layers exist to keep you secure.
Can you explain that concept in more detail in the context of security vulnerabilities?
Tom: The idea behind Defence in Depth is that you have multiple layers of security. If you don’t patch something in time, that layer of security has failed, and other layers must be in place to mitigate the threat. Having these layers of redundancy allows for the inevitable – that some layers will fail – without it leading to a total compromise. It's a form of resilience building. In practice, it means that you patch the most risk-heavy vulnerabilities, whilst still planning other measures. The NCSC’s defence-in-depth tactics are:
- Reduce ways to exploit attacks through architecture and configuration
- Manage your assets well (know what you have and what it's doing, and have ways of finding out when something changes)
- Manage your operational risks
- Back up your business-critical data
- Have a security monitoring capability, to help with problem detection and cleanup
- Create and practise incident response (IR) and business continuity plans
What’s the biggest challenge you’ve seen organisations facing when it comes to patching? Where should they go for guidance?
Tom: I think it’s simply keeping on top of all the updates and patches. There’s loads to do and what adds complexity is that sometimes the implementation breaks other software that the organisation relies on.
If an organisation knows it’s running unpatched software, there should be the desire to update it. If that’s not possible, the risk needs to be understood, by researching software vendors’ security advisories, for example. It must then be addressed by putting protections in place to mitigate the impact of the vulns being exploited.
Can organisations really lower risk if they get their patching right?
Tom: Cyber risk never goes away, especially with vulnerabilities occurring all the time. Sometimes they’re quickly identified by the security community, other times zero days take years to be discovered. The risk can be controlled though. That begins with identifying the threat (who will target you, how, when, and how severely), building suitable measures in response (not just as many as your budget can cover), and then layering these for maximum protection. Patching is one piece in the puzzle. Understand your threats and apply vulnerability scoring metrics intelligently and you can do that part well.
Register for Tom’s session: Patch-22: how to protect your organisation when you can’t patch everything here.