Vulnerability management is a hugely important part of cyber security, but keeping on top of threats has never been more challenging.
Redscan’s 2021 Ethical Hacking Roundtable event explored critical vulnerabilities and other key issues facing security teams.
The roundtable panel featured George Glass, Head of Threat Intelligence at Redscan, Tom Tervoort, who discovered and disclosed Zerologon, Dr Elizabeth Bruton, Curator of Technology and Engineering at the Science Museum and Dinis Cruz, CTO and CISO of Glasswall and OWASP Project Lead.
Key insights from the panel included:
- A broader security focus is now required
- Cloud brings additional risks
- Addressing vulnerabilities demands more than technical solutions
- An intelligence-led approach is vital
- Cyber security is not a barrier to digital transformation
- Organisations need to set a clear risk tolerance level
- Prevention is not a silver bullet
- Regular cyber security assessments remain essential
A broader security focus is now required
The conversation covered the issues created by the shift to remote working. The challenge of securing and monitoring systems is now more complex due to the blurring of the divide between the personal and the professional.
“Vulnerabilities aren’t just related to corporate networks. They are now personal as well. So the kind of data that might be corrupted, stolen and made inaccessible includes large amounts of digital personal information. This has quite a significant impact on our day-to-day lives given how much of our lives is now in the cloud, how much of our lives is digital, how valuable information can be to us personally.”
Cloud brings additional security risks
Dinis Cruz commented on the challenges of security in the cloud.
“With people working from home, we went from having a nice secure location in the office to an explosion of devices and networks. That brings a huge number of challenges. While it doesn’t work for every company, I see us being a little more aggressive in our definition of what is a corporate laptop, what an environment is, and how we access things. Now we have such a distributed workforce, it is very critical that we make sure the team is protected while working in a more and more distributed way.”
On the flip side, the panel also covered the benefits of the cloud for supporting vulnerability management.
“Cloud computing definitely does make vulnerability management much easier. There are a lot of tools available where, with the click of a few buttons, you can update software and find outdated systems.”
Addressing vulnerabilities demands more than technical solutions
There is a very human aspect to addressing and managing vulnerabilities.
“It is important to remember that vulnerabilities aren’t just technical. They are social and they’re human. The weakest and strongest point in your network will be the human being behind your computer. That’s been true of information security as long as we’ve had it.”
Adopt an intelligence-led approach
Organisations can significantly enhance cyber resilience by improving their knowledge of the way adversaries think and operate.
“Knowing what attackers are going to be performing to compromise your environment is absolutely vital. So, perform threat modelling to get a good understanding of what your network layout is.
“Always assume that the stuff you don’t know about is there somewhere. The attackers certainly know. Use threat intelligence and conduct vulnerability scanning to understand what vulnerabilities are in your environment – internally and externally. Use all of that information to map a path to your crown jewels.”
Cyber security is not a barrier to digital transformation
On the contrary, cyber security has the potential to drive digital transformation.
“I think security is an agent of change. Everything we want to do (as security professionals), we require business to make some kind of change. Businesses don’t understand the technology they have, and technology teams tend to be stretched. Driving transformation can be really difficult. The solution in this case is that businesses need to be good at changing. Patching an issue doesn’t necessarily mean fixing it. It can mean preventing exploitation or limiting the damage. If you’re going back to what George was saying, in terms of threat modelling and understanding your assets – that’s where you should start.”
Set a risk tolerance level
Organisations need to understand the level of risk they are prepared to accept and should review their controls and procedures accordingly. This is particularly true in respect of the use of legacy technologies which may no longer be supported.
“You’d be surprised at how many older technologies still underpin a lot of systems. It’s always safe to assume that there will be significantly older technologies in our systems that have ongoing vulnerabilities. It’s very easy to focus on these latest threats, but important to make sure that everyone knows what’s on their network and the different systems and possibilities that might be out there.”
“While a vulnerability like Zerologon is relatively rare, it is the type which can happen every few years. The difference these days is in attacker motivations and the business model of attackers. Now, an attacker will scan the external infrastructure of any type of organisation. The damage done by an attack can be destructive and the resulting impact on a business may include loss of access to critical services.”
Prevention is not a silver bullet
A multi-layered approach is essential to achieving effective cyber security. Preventative measures can’t address everything.
“Security is the canary in the coal mine. To minimise risk, organisations need the capability to detect and respond to attacks that evade defences.”
“Prevention is important but it’s vital for organisations to ensure they have a good range of controls in place to detect persistent adversaries that are able to slip through the net.”
“Another thing companies don’t do well enough is incident response. I view incident response as a way to drive change, as a way to practice your playbooks, to practice your operations so that you use incidents to know where your pain points are.”
Regular cyber security assessments remain vital
Ethical hacking can help significantly improve cyber resilience.
“Ethical hackers are not just those from the outside. The ethical hacker should be everybody in your company. I think the solution here is to create a healthy population of attackers who are friendly.”
“Understanding the risk that vulnerabilities pose to your organisation is hugely important. Patching every vulnerability is highly unlikely, so it’s about understanding which pose the greatest threat and ensuring that they are prioritised. Penetration testing and red teaming can help not only to identify vulnerabilities but also to provide context around whether they are likely to be exploited.”
For more information on the 2021 Ethical Hacking Roundtable and the press coverage it received, visit the event homepage.