#MetricsMonday (008) – Vulnerabilities (Part 3)

Let's bring this topic home and cover what we are going to do about these vulnerabilities, because we are going to do something about them, right? We patch, remediate, and mitigate in order to reduce the exploitability of the asset in question.

Ideally your business and/or asset owner should be indicating how long they are willing to tolerate being exposed. Turning cybersecurity into a business decision is a bigger discussion for another day, so let's seed this discussion with a 30-day window. Why 30 days? Simply because we are all used to the cadence of Patch Tuesday, the regularly scheduled monthly release of updates from Microsoft, Adobe and a few others (Oracle's Critical Patch Updates follow a quarterly schedule). If we can patch our systems within 30 days, we don't have to deal with the complications of overlapping updates. Don't forget that many vendors have their own update cadence, and that vendors may release out-of-band updates to address more critical issues, which should not wait for the next monthly cycle.

The typical small to mid-sized enterprise (SME) that operates 9x5 should be able to adhere to the 30-day target. For all others, you may need different targets depending upon the type of asset. For example, you may choose to allow non-critical assets to be patched within 45 days. See the previous posts regarding asset categories.

For now let's stick with 30-days for all assets.

  • Average # of days to patch Critical assets
  • Average # of days to patch non-Critical assets
  • % of Critical assets patched within 30-days
  • % of non-Critical assets patched within 30-days
  • # of assets with exceptions
  • # of assets with exceptions over 90-days
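To make these six numbers reproducible from a scanner or ticketing export, here is an added Python example (it is not from the original post) that computes them over a constructed set of findings. The asset names, dates and record layout are assumptions. The one design point worth noting is that open findings still inside the 30-day window are excluded from the "patched within 30 days" denominator, while open findings past the window count against it, so the percentage cannot be inflated by simply never closing tickets.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional

SLA_DAYS = 30            # the 30-day window the post settles on
EXCEPTION_AGE_DAYS = 90  # exceptions older than this get their own count


@dataclass
class Finding:
    asset: str
    critical: bool                            # from the asset register (Part 1)
    detected: date
    remediated: Optional[date] = None         # None while still open
    exception_granted: Optional[date] = None  # None if no exception is on file


def days_to_patch(f: Finding) -> Optional[int]:
    return None if f.remediated is None else (f.remediated - f.detected).days


def patch_metrics(findings: List[Finding], as_of: date, critical: bool) -> dict:
    """Average days to patch, % within SLA and open-past-SLA count for one criticality tier."""
    group = [f for f in findings if f.critical == critical]
    closed = [days_to_patch(f) for f in group if f.remediated is not None]
    # A finding is "decided" once it is closed or its SLA window has elapsed.
    # Open findings still inside the window are not yet late, so they stay out
    # of the denominator; open findings past the window count as failures.
    decided = [f for f in group
               if f.remediated is not None or (as_of - f.detected).days > SLA_DAYS]
    within = sum(1 for f in decided
                 if f.remediated is not None and days_to_patch(f) <= SLA_DAYS)
    return {
        "avg_days_to_patch": round(mean(closed), 1) if closed else None,
        "pct_within_sla": round(100.0 * within / len(decided), 1) if decided else None,
        "open_past_sla": sum(1 for f in group
                             if f.remediated is None and (as_of - f.detected).days > SLA_DAYS),
    }


def exception_metrics(findings: List[Finding], as_of: date) -> dict:
    """Assets carrying an open exception, and those whose exception is older than 90 days."""
    exc = [f for f in findings if f.exception_granted is not None and f.remediated is None]
    with_exception = {f.asset for f in exc}
    aged = {f.asset for f in exc if (as_of - f.exception_granted).days > EXCEPTION_AGE_DAYS}
    return {"assets_with_exceptions": len(with_exception),
            "assets_with_exceptions_over_90d": len(aged)}


# Constructed sample data, not real scan results.
AS_OF = date(2024, 6, 30)
SAMPLE = [
    Finding("srv-mail",   True,  date(2024, 5, 1),  remediated=date(2024, 5, 11)),  # 10 days
    Finding("srv-db",     True,  date(2024, 5, 1),  remediated=date(2024, 6, 15)),  # 45 days, late
    Finding("srv-web",    True,  date(2024, 6, 20)),                                 # open 10 days, not yet late
    Finding("srv-legacy", True,  date(2024, 2, 1),  exception_granted=date(2024, 2, 10)),  # open 150 days, exception 141 days old
    Finding("ws-001",     False, date(2024, 5, 10), remediated=date(2024, 5, 20)),  # 10 days
    Finding("ws-002",     False, date(2024, 5, 10), remediated=date(2024, 6, 5)),   # 26 days
    Finding("ws-003",     False, date(2024, 5, 1),  exception_granted=date(2024, 5, 20)),  # open 60 days, exception 41 days old
]

if __name__ == "__main__":
    print("critical:    ", patch_metrics(SAMPLE, AS_OF, critical=True))
    print("non-critical:", patch_metrics(SAMPLE, AS_OF, critical=False))
    print("exceptions:  ", exception_metrics(SAMPLE, AS_OF))
```

Run against the sample, the critical tier shows an average of 27.5 days but only one of three decided findings inside the window, which is exactly the gap between "average" and "percentage within target" that makes reporting both worthwhile.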

#MetricsMonday (007) – Vulnerabilities (Part 2)

Yes, that is a strong password, but the sticky note needs to be hidden under the computer!

In our previous post, we determined that we need to organize our assets based upon their context. With that in mind, let's consider what vulnerabilities matter to us.

The obvious place to start is the Common Vulnerability Scoring System (CVSS). Taking into account factors such as attack vector, attack complexity, privileges required and user interaction, CVSS provides a standardized way to assess the severity of a weakness. Sounds great, right? Before you answer, consider the real-world context: a CVSS base score measures the weakness itself, not the asset it sits on. Does a Critical vulnerability on a trivial asset, let's say an intern's laptop, matter as much as a Medium vulnerability on your mission-critical communications server? Ceteris paribus, that laptop eventually becomes a concern, but probably not in the immediate future.

Obsolete, end-of-life, or end-of-support software is its own class of vulnerability. In most cases the vendor no longer offers support or updates, so your only recourse is to upgrade, seek an alternative, or uninstall.

Another significant class of vulnerabilities are those that are known to be exploited. These are worth tracking anywhere in your organization. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is one of several organizations that maintain a list of Known Exploited Vulnerabilities (KEV).

The last class of vulnerabilities to consider at this time are those with no remediation. Note that I did not specify patch. Remember that some vulnerabilities are simply misconfigurations such as a default password left in operation. The lack of remedy could simply be because a fix has not yet been developed. Or worse, a remediation might be incompatible with the system or might create other problems such as creating performance issues. In either case we're dealing with vulnerabilities with no solution in sight.

In summary, so far we're working with:

  • Severity
  • End-of-life/end-of-support software
  • Known exploited
  • Vulnerabilities with no remediation or mitigation

Let's now include some context and we have the following to get started:

  • Known Exploited Vulnerabilities for any asset or group
  • High-severity for Critical systems
  • Rated vulnerabilities for all non-Critical systems
  • Any severity above Informational (rated) for Internet-facing systems
  • End-of-life/end-of-support software by business unit
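The list above reads as rules, so here is an added Python example (not from the original post) that applies them to a constructed set of findings and counts how many land in each tracking bucket. The CVSS rating boundaries are the standard v3.x qualitative scale; the asset and finding records, and the "f-1" style references, are assumptions standing in for a scanner export. A finding can land in several buckets at once, or in none, which is the point of putting context next to severity.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


def cvss_rating(score: float) -> str:
    """CVSS v3.x qualitative severity scale: 0.0 None, 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical."""
    if score <= 0.0:
        return "None"          # treated as Informational in this post's terms
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Asset:
    name: str
    critical: bool
    internet_facing: bool
    business_unit: str


@dataclass(frozen=True)
class Finding:
    asset: Asset
    ref: str                      # the scanner's own finding reference (constructed here)
    cvss: float
    kev: bool = False             # present in a Known Exploited Vulnerabilities catalog
    eol: bool = False             # end-of-life / end-of-support software
    no_remediation: bool = False  # no fix or mitigation available


def metric_buckets(f: Finding) -> List[str]:
    """Every tracking bucket from the post's list that this finding belongs to (none, one or several)."""
    rating = cvss_rating(f.cvss)
    rated = rating != "None"
    buckets = []
    if f.kev:
        buckets.append("kev_any_asset")
    if f.asset.critical and rating in ("High", "Critical"):
        buckets.append("high_on_critical")
    if not f.asset.critical and rated:
        buckets.append("rated_on_noncritical")
    if f.asset.internet_facing and rated:
        buckets.append("rated_on_internet_facing")
    if f.eol:
        buckets.append("eol_by_bu:" + f.asset.business_unit)
    if f.no_remediation:
        buckets.append("no_remediation")
    return buckets


def tally(findings: List[Finding]) -> Dict[str, int]:
    counts: Counter = Counter()
    for f in findings:
        counts.update(metric_buckets(f))
    return dict(counts)


# Constructed sample: the assets and findings are illustrative, not real systems or CVEs.
COMMS  = Asset("comms-srv",    critical=True,  internet_facing=False, business_unit="Operations")
INTERN = Asset("intern-lt-07", critical=False, internet_facing=False, business_unit="Marketing")
WWW    = Asset("www",          critical=True,  internet_facing=True,  business_unit="Sales")
LEGACY = Asset("erp-legacy",   critical=True,  internet_facing=False, business_unit="Finance")

SAMPLE_FINDINGS = [
    Finding(COMMS,  "f-1", 8.1),                                 # High on a Critical asset
    Finding(INTERN, "f-2", 9.8),                                 # Critical CVSS, but a non-critical laptop
    Finding(INTERN, "f-3", 7.5, kev=True),                       # KEV: tracked regardless of asset
    Finding(WWW,    "f-4", 3.1),                                 # Low, but Internet-facing
    Finding(WWW,    "f-5", 0.0),                                 # Informational: not tracked
    Finding(LEGACY, "f-6", 6.5, eol=True, no_remediation=True),  # Medium on EOL software with no fix
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f.ref, f.asset.name, cvss_rating(f.cvss), metric_buckets(f))
    print(tally(SAMPLE_FINDINGS))
```

Note how "f-6", a Medium on a critical server, surfaces only through the end-of-life and no-remediation classes under these rules; if that is not the behaviour you want for your communications server, the place to fix it is the asset's criticality and the severity floor for that tier, not the CVSS score.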

Next week, we bring this topic home when we also consider remediation/mitigation efforts.

#MetricsMonday (006) – Vulnerabilities (Part 1)

There are two critical vulnerabilities in the image, can you spot them?

Stated simply, vulnerabilities are weaknesses that attackers can exploit to gain unauthorized access or cause harm. Mitigating a vulnerability usually entails patching, updating, reconfiguring, or applying a compensating control. Sometimes, though, mitigation may not be possible because no patch exists or because the patch is incompatible with other parts of the system.

But before we can discuss measuring vulnerabilities, we need to really understand where we are measuring them. Is uniformly measuring all assets (devices, systems, operating systems, applications, etc.) appropriate? If our organization only consisted of five laptops, all running the same software for users to perform the same work, maybe. But for any reasonably sized organization, a server has greater business value than a single user's desktop. The CEO's laptop is going to have greater business value (operationally) than a receptionist's desktop. And for a final example, a public-facing system will be of greater value than a test system. In other words we must establish levels of criticality or importance to business functions.

Here are some examples of asset categories that will help to define our vulnerability metrics, keeping in mind that an asset might belong to several categories simultaneously.

  • Critical vs non-critical
  • Tier 1 (production) vs Tier-2 (supporting) vs Tier-3 (test/development)
  • Internet-facing
  • Contains sensitive data e.g. customer or financial
  • VIP users : CEO, CFO, HR managers i.e. high value targets
  • Business unit

Thinking ahead, once you apply your policies and processes to the asset groups, your work is simplified to managing membership of these groups as assets are commissioned or decommissioned.

In reference to this post's image, the first vulnerability should be obvious, the zip tie. The second is the Master lock. While wildly popular and mainstream, they are some of the easiest to defeat.

#MetricsMonday (005) – Who has admin rights?

Administrative or privileged accounts are the holy grail for threat actors because they are the proverbial and literal keys to the kingdom.

Since Windows Active Directory is the most widely deployed directory service in business networks, we'll focus our efforts on domain environments.

For IT administrators of a certain age, there are certain hard-to-break habits that persist. These include granting end users local administrator rights, making certain users, e.g. managers, Domain Admins, and the most egregious in my opinion, making their own everyday user accounts Domain Admins.

This can be quite an expansive topic so we're going to focus on certain fundamentals to get the proverbial party started:

  • Set aside the built-in Domain Administrator account for emergency use only, with a strong password kept under lock and key
  • Minimize privileged account sprawl
  • Enforce separate user and admin accounts for IT staff
  • Require multifactor authentication (MFA) for all privileged accounts
  • Monitor for and alert on undesirable privileged account activity
  • Monitor for and alert on privileged user group changes

Minimize the following key metrics for best results:

  • # of accounts with administrative permissions
  • # of privileged accounts without MFA enabled
  • # of privileged accounts with passwords older than 1-year (your mileage may vary)
  • # of inactive privileged accounts i.e. with no logon in last 30-days
  • Frequency that the default Administrator account has been used
  • Frequency that privileged user groups have been changed
  • Frequency of privileged account failed logins, lockouts, unlocks, and password resets
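Most of these numbers come from two places: a directory export (group membership, password age, last logon, SID) and the domain controllers' Security logs. Here is an added Python example (not from the original post) that computes them over constructed records standing in for both. The privileged group list, the 365-day and 30-day thresholds, and the sample accounts and events are assumptions; the event IDs used (4624 logon, 4625 failed logon, 4740 lockout, 4767 unlock, 4724 password reset by another account, 4728/4729, 4732/4733 and 4756/4757 for members added to or removed from global, local and universal groups) are the standard Windows Security log IDs. MFA enrolment is not an AD attribute, so it is modelled as a field you would join in from the MFA provider's export. Note the RID 500 check: the built-in Administrator keeps that RID even when renamed, so the SID, not the name, is what to match on.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Built-in groups that confer administrative rights in a default domain (not exhaustive).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators",
                     "Account Operators", "Backup Operators", "Server Operators"}
# Member added/removed: global (4728/4729), local (4732/4733), universal (4756/4757) groups.
GROUP_CHANGE_EVENTS = {4728, 4729, 4732, 4733, 4756, 4757}
ACCOUNT_EVENTS = {4625: "failed_logon", 4740: "lockout", 4767: "unlock", 4724: "password_reset"}
LOGON_EVENT = 4624
PASSWORD_MAX_AGE_DAYS = 365
INACTIVE_DAYS = 30


@dataclass
class Account:
    sam: str
    sid: str
    enabled: bool
    password_last_set: datetime
    last_logon: Optional[datetime]
    member_of: Set[str]
    mfa_enrolled: bool   # from the MFA provider's export; AD itself does not record this


def is_privileged(a: Account) -> bool:
    return bool(a.member_of & PRIVILEGED_GROUPS)


def is_builtin_administrator(a: Account) -> bool:
    # The built-in Administrator always has RID 500, even if the account has been renamed.
    return a.sid.endswith("-500")


def account_metrics(accounts: List[Account], as_of: datetime) -> Dict[str, int]:
    priv = [a for a in accounts if is_privileged(a)]
    enabled = [a for a in priv if a.enabled]
    return {
        "privileged_accounts": len(enabled),
        "privileged_disabled_still_member": len(priv) - len(enabled),  # sprawl: remove, don't just disable
        "privileged_without_mfa": sum(1 for a in enabled if not a.mfa_enrolled),
        "privileged_password_over_1y": sum(1 for a in enabled
                                           if (as_of - a.password_last_set).days > PASSWORD_MAX_AGE_DAYS),
        "privileged_inactive_30d": sum(1 for a in enabled
                                       if a.last_logon is None or (as_of - a.last_logon).days > INACTIVE_DAYS),
    }


def event_metrics(events: List[dict], accounts: List[Account]) -> Dict[str, int]:
    """Counts over Security log records reduced to {id, target, group}."""
    priv_names = {a.sam for a in accounts if is_privileged(a)}
    admin_names = {a.sam for a in accounts if is_builtin_administrator(a)}
    m = {"builtin_admin_logons": 0, "privileged_group_changes": 0,
         "failed_logon": 0, "lockout": 0, "unlock": 0, "password_reset": 0}
    for e in events:
        if e["id"] == LOGON_EVENT and e["target"] in admin_names:
            m["builtin_admin_logons"] += 1
        elif e["id"] in GROUP_CHANGE_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            m["privileged_group_changes"] += 1
        elif e["id"] in ACCOUNT_EVENTS and e["target"] in priv_names:
            m[ACCOUNT_EVENTS[e["id"]]] += 1
    return m


# Constructed sample data: a made-up domain SID prefix, accounts and log records.
AS_OF = datetime(2024, 6, 30)
D = "S-1-5-21-1111-2222-3333-"
ACCOUNTS = [
    Account("Administrator", D + "500",  True,  datetime(2022, 1, 15), datetime(2024, 6, 28), {"Domain Admins", "Administrators"}, False),
    Account("jsmith",        D + "1105", True,  datetime(2024, 3, 1),  datetime(2024, 6, 29), {"Domain Admins", "Domain Users"}, True),  # personal account in Domain Admins
    Account("adm-jsmith",    D + "1106", True,  datetime(2024, 5, 1),  datetime(2024, 6, 29), {"Domain Admins"}, True),
    Account("svc-backup",    D + "1200", True,  datetime(2021, 6, 1),  datetime(2024, 4, 1),  {"Backup Operators"}, False),
    Account("oldadmin",      D + "1050", False, datetime(2020, 2, 1),  None,                  {"Domain Admins"}, False),
    Account("mjones",        D + "1300", True,  datetime(2024, 1, 10), datetime(2024, 6, 29), {"Domain Users"}, True),
]
EVENTS = [
    {"id": 4624, "target": "Administrator"},
    {"id": 4624, "target": "Administrator"},
    {"id": 4624, "target": "adm-jsmith"},
    {"id": 4728, "target": "mjones", "group": "Domain Admins"},   # privileged group change
    {"id": 4728, "target": "mjones", "group": "Sales"},           # ordinary group, ignored
    {"id": 4625, "target": "adm-jsmith"},
    {"id": 4625, "target": "adm-jsmith"},
    {"id": 4625, "target": "adm-jsmith"},
    {"id": 4740, "target": "adm-jsmith"},
    {"id": 4767, "target": "adm-jsmith"},
    {"id": 4625, "target": "mjones"},                             # not privileged, ignored
    {"id": 4724, "target": "svc-backup"},
]

if __name__ == "__main__":
    print(account_metrics(ACCOUNTS, AS_OF))
    print(event_metrics(EVENTS, ACCOUNTS))
```

In a real environment you would pull the account fields with Get-ADUser (PasswordLastSet, LastLogonDate, MemberOf, SID) and the events from a SIEM or from Get-WinEvent on each domain controller; the reconciliation logic stays the same.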

We could go on and on with regards to auditing. Seriously we could go on and on, and will do so at a later time. For now, this should get you started on the straight and narrow.

Image Source: Adobe Firefly Generative AI

#MetricsMonday (004) – What’s Running?

Now that we can measure what's connected to our organization, let's see what's running (installed). As with the previous posts, we're going to initially focus on our local systems.

Consider what is running in your environment. The obvious things are productivity applications such as MS Office, collaboration software, and web browsers. Speaking of web browsers, what about plug-ins and extensions? Also consider any hardware enabling drivers, their supporting apps, and of course all of your security software. You're probably thinking that this list is getting big.

But wait, there's more! The two most important bits of software have yet to be mentioned: the computers' operating systems (OS) and firmware (BIOS). The OS probably just slipped your mind but you probably didn't consider the BIOS. Without a working BIOS, your computer is just a mess of metal and electronic circuits. It is the firmware which turns that pile of stuff into a computer, and enables the OS to load and run. And yes, you really need to manage the firmware along with everything else. Don't worry though, there is an app for that!

Let's recap the various bits of software that we should be measuring:

  • BIOS/firmware
  • Operating Systems
  • Drivers and hardware enablers
  • Applications
  • Application add-ons e.g. Browser Helper Objects

The more versions and variations of these, the greater the risk from misconfigurations, vulnerabilities and exploitation, and the greater the effort and time required to manage them. Therefore we want to have as few of these as the business needs to function, i.e. establish a common operating environment (COE).

A common operating environment's benefits include but are not limited to:

  • Increased efficiency and productivity
  • Reduced costs
  • Improved collaboration and communication
  • Enhanced security and compliance

In terms of metrics, here are some to get you started. For simplicity with this list, we'll refer to all items in the previous list as apps. Minimize these for best results and there are bonus points for having these broken down by business unit.

  • # of different app versions
  • # of end-of-life/end-of-support apps
  • # of unauthorized / non-COE apps
  • # of authorized / COE apps not used in the last n-months
  • # of system deviations from the COE standard
  • # of systems with COE exceptions or extensions
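Every metric in that list is a comparison between what the inventory tool reports and a written COE baseline, so here is an added Python example (not from the original post) that performs that comparison over a constructed inventory. The baseline, the end-of-life list, the documented exceptions and the three-month "unused" window are all assumptions; "versions" are counted as anything beyond one version per app, which is the number you are trying to drive to zero.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Approved (COE) apps and the versions the standard permits. Constructed, not a real baseline.
COE: Dict[str, Set[str]] = {"Browser": {"125.0"}, "Office": {"16.0"}, "EDR": {"3.2"}}
# Versions the vendor has declared end-of-life / end-of-support (constructed).
EOL = {("Office", "14.0")}
# Documented exceptions: system -> non-COE apps it is allowed to run (constructed).
EXCEPTIONS: Dict[str, Set[str]] = {"cad-ws-01": {"CADTool"}}
UNUSED_MONTHS = 3


@dataclass(frozen=True)
class Install:
    system: str
    app: str
    version: str
    last_used: Optional[date]   # None when the inventory tool has never seen it launched


def allowed_by_exception(i: Install) -> bool:
    return i.app in EXCEPTIONS.get(i.system, set())


def in_standard(i: Install) -> bool:
    return i.app in COE and i.version in COE[i.app]


def coe_metrics(installs: List[Install], as_of: date) -> Dict[str, int]:
    versions = defaultdict(set)
    for i in installs:
        versions[i.app].add(i.version)
    unauthorized = [i for i in installs if i.app not in COE and not allowed_by_exception(i)]
    deviating = [i for i in installs if not in_standard(i) and not allowed_by_exception(i)]
    unused = [i for i in installs if i.app in COE
              and (i.last_used is None or (as_of - i.last_used).days > UNUSED_MONTHS * 30)]
    return {
        "extra_app_versions": sum(len(v) - 1 for v in versions.values()),  # beyond one version per app
        "eol_installs": sum(1 for i in installs if (i.app, i.version) in EOL),
        "unauthorized_installs": len(unauthorized),
        "unused_coe_installs": len(unused),
        "systems_deviating_from_coe": len({i.system for i in deviating}),
        "systems_with_exceptions_in_use": len({i.system for i in installs if allowed_by_exception(i)}),
    }


# Constructed inventory export.
AS_OF = date(2024, 6, 30)
INVENTORY = [
    Install("ws-01", "Browser", "125.0", date(2024, 6, 28)),
    Install("ws-01", "Office", "16.0", date(2024, 6, 28)),
    Install("ws-01", "EDR", "3.2", date(2024, 6, 30)),
    Install("ws-02", "Browser", "124.0", date(2024, 6, 28)),     # behind the standard version
    Install("ws-02", "Office", "14.0", date(2024, 2, 1)),        # EOL, and not used in 150 days
    Install("ws-02", "EDR", "3.2", date(2024, 6, 30)),
    Install("ws-02", "TorrentClient", "1.0", date(2024, 6, 1)),  # not in COE, no exception
    Install("cad-ws-01", "Browser", "125.0", date(2024, 6, 29)),
    Install("cad-ws-01", "Office", "16.0", None),                # approved but never launched
    Install("cad-ws-01", "CADTool", "2023", date(2024, 6, 29)),  # covered by a documented exception
]

if __name__ == "__main__":
    print(coe_metrics(INVENTORY, AS_OF))
```

Breaking the same output down by business unit is a matter of adding a unit field to the inventory record and grouping before calling coe_metrics.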

Image Source: Adobe Firefly Generative AI

#MetricsMonday (003) – What’s Connected? (Part 3)

In this final installment of Enterprise Asset Management metrics, we're going to connect these with the business, specifically in terms that the business understands.

Let's recap what we're working with:

  • % of active vs inactive systems
  • % of managed vs unmanaged systems
  • % of known vs rogue devices

Ultimately, we're dealing with a matter of management or control. If we can manage it, we can manage the risk. These metrics all serve the underlying purpose of maximizing management and minimizing risk.

The traditional and dare I say legacy approach to procurement is to say something like "We need $1M for a network access control system that also means we're going to have to replace all of our network equipment for compatibility" and then you launch into the vendor presentation. The typical executive's eyes are going to go vacant quite quickly!

Instead try something like this: "How much exposure are you, the business, willing to tolerate from unauthorized devices operating on the network?" Their answer may be a resounding none, until they hear that there is a $1M price tag for a completely automated system. They'll likely ask for an alternative proposal. So then you can offer five-day tolerance for $250K. Now there is a clear business decision which can be made.

Assuming they choose the second option, you have a working budget without even needing to explain the tool being used. You might choose to invest in a new asset/patch management tool, a vulnerability management service, and even some training for your staff. What started out as an ask to fix one issue, became a win across multiple areas!

In our next post, we're going to discuss Software Asset Management.

Image Source: Adobe Firefly Generative AI

#MetricsMonday (002) – What’s connected? (Part 2)

Now that we have a practical set of metrics, how do we obtain them?

  • % of active vs inactive systems
  • % of managed vs unmanaged systems
  • % of known vs rogue devices

For an SMB/SME, there are a few options which, when combined, will provide you with a highly accurate snapshot of your organization.

Starting with user systems, the following tools have valuable data, to be combined to form your basic asset register.

  • Active Directory - Everything about domain-joined systems is found somewhere in here.
  • Asset/Application Management - Ideally you need a tool that synchronizes automatically with Active Directory, both bringing newly domain-joined systems under management and dropping systems that have been removed from the domain.
  • Auditing Log Management - A good tool can identify active vs inactive systems, by collecting network-wide data and by taking cues from Active Directory.
  • Endpoint Security - You wouldn't dream of running a system without some sort of managed endpoint security would you? So you should have very high coverage here. Extra points if you automatically synchronize with Active Directory.
  • Network Management - A unified network system i.e. a single pane of glass for all switches, firewalls, and wireless is ideal and would allow you to passively monitor everything.
  • Vulnerability Management - Scanner(s) are a great way to actively discover what is on your network, including what you did not expect to find.

Now let's consider unmanaged systems. Since we have already established that unmanaged systems aren't in Active Directory, you're going to need to leverage your non-AD capabilities such as Network and Vulnerability Management. These two also help with known vs rogue devices. You have probably noted a trend.

For best results:

  • Use a combination of active (AD-aware, network scanner) and passive (network management) tools. Leveraging multiple sources for your asset information reduces the risk of a single tool providing inaccurate or incomplete information.
  • The appropriate choice of tools provides value beyond their immediate purpose. For example your asset management tool might provide information about network assets and your network management tool might provide information about your systems.

In Part 3, the rubber meets the road where we fully connect the technology dots to the business.

Image Source: Adobe Firefly Generative AI

#MetricsMonday (001) – What’s Connected? (Part 1)

To kick things off, let's start with a fundamental aspect of cybersecurity, Enterprise Asset Management. We'll keep it simple by initially focusing on our local networks.

How many devices do you have in your organization? Is 100 a good number? Probably not if you're only a five person office. If you have a 100 person office, that number starts to make more sense. But if you have a 1000 person office, 100 managed systems is a little short. If you don't know what's connected to your network, how can you expect to manage and secure them?

For argument's sake, say you operate a Windows Active Directory environment, and all user systems are domain-joined so that they can access shared resources. In general terms domain-joined systems are manageable and non-domain systems are not. A managed system has central policies and settings applied, and carries less risk from rogue applications or misuse. Business people understand risk: less risk is good, and more risk is bad.

So the number of domain-joined systems makes sense as a metric, but do you have well-executed asset management practices? When a system is rebuilt or replaced, are the old computer accounts explicitly removed? Tracking the number of active domain-joined systems starts to make more sense. Now you need to define a threshold for what qualifies as active. Allowing for time off work, let's say that systems are expected to be used at least once every two weeks. Of course, you'll want a procedure to handle someone on extended leave. Perhaps just booting the system or performing a wake-on-LAN call will suffice. Up until now we've been focused on user systems, but don't forget that you need to count your servers as well. If you're an SMB/SME you can probably consolidate the numbers but if you're large enough to have separate IT server and desktop teams, it might make more sense to retain separate accounting.

So now we have some metrics that are starting to be useful:

  • # of managed systems
  • # of active systems
  • % of active / managed systems

But wait, do you see the blind spot? What about unmanaged systems? Having 100% active systems is great but if you have unmanaged / unknown devices in your environment, that's bad right? Of course, computers aren't the only things we have on our networks. We can expect to see network devices such as switches, routers, firewalls, wireless access points, security cameras, and even devices from third parties. Let's generalize and group these into a single category of known devices. If you've been following along, you know that the next logical item is the number of unknown devices, which I'll affectionately refer to as rogue devices.

  • # of known devices
  • # of rogue devices

Let's distill these and consider how each of these metrics directly corresponds to a clear risk factor. Keep in mind that these can be applied to an entire organization or to individual business units.

  • % of active vs inactive systems - Minimize inactive to reduce risk
  • % of managed vs unmanaged systems - Minimize unmanaged to reduce risk
  • % of known vs rogue devices - Minimize rogue to reduce risk

The last part of this initial puzzle is to establish a comfort threshold or risk appetite for these. I like 5% as a threshold because even in larger Caribbean environments, the list of offenders is manageable. For example, in a 1,000 device environment, tracking down 50 rogue systems is quite achievable in a short period of time. In specialized environments, such as the industrial SCADA/OT/ICS part of a power plant, that risk appetite is going to be much lower, even nil.
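The three percentages and the 5% threshold above, fed from the combination of sources described in Part 2 (Active Directory, the endpoint security console, the network management inventory and a vulnerability scanner's discovery), come down to set arithmetic over hostnames. Here is an added Python example (not from the original posts) that performs that reconciliation over constructed exports from each source. The two-week activity window and the 5% appetite are the post's; the hostnames, the keying on short hostname, and the treatment of anything with an endpoint agent but no domain account as "unmanaged" are assumptions. In practice you would also key on MAC and IP, since scanner discoveries frequently have no resolvable name.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

ACTIVE_WINDOW_DAYS = 14     # "used at least once every two weeks"
RISK_APPETITE_PCT = 5.0     # the 5% comfort threshold


@dataclass(frozen=True)
class Host:
    name: str                         # as reported by the source; may carry a DNS suffix
    last_seen: Optional[date] = None  # AD lastLogonTimestamp for domain-joined systems


def norm(name: str) -> str:
    """Hostnames differ per source (case, DNS suffix); key everything on the short name."""
    return name.split(".")[0].lower()


def reconcile(ad: List[Host], endpoint: List[Host], network_inventory: List[Host],
              scanner: List[Host], as_of: date) -> Dict[str, object]:
    ad_names = {norm(h.name) for h in ad}
    active = {norm(h.name) for h in ad
              if h.last_seen is not None and (as_of - h.last_seen).days <= ACTIVE_WINDOW_DAYS}
    agents = {norm(h.name) for h in endpoint}          # endpoint security console
    infra = {norm(h.name) for h in network_inventory}  # switches, APs, cameras, printers
    seen = {norm(h.name) for h in scanner}             # active discovery on the wire

    systems = ad_names | agents          # anything running a user or server OS
    unmanaged = agents - ad_names        # a system we can see, but not domain-joined
    known = ad_names | agents | infra
    rogue = seen - known                 # on the network, in no source we control
    devices = seen | known

    def pct(n: int, d: int) -> float:
        return round(100.0 * n / d, 1) if d else 0.0

    return {
        "pct_inactive_systems": pct(len(ad_names - active), len(ad_names)),
        "pct_unmanaged_systems": pct(len(unmanaged), len(systems)),
        "pct_rogue_devices": pct(len(rogue), len(devices)),
        "inactive": sorted(ad_names - active),
        "unmanaged": sorted(unmanaged),
        "rogue": sorted(rogue),
    }


def over_appetite(metrics: Dict[str, object]) -> Dict[str, float]:
    """The percentages that breach the risk appetite and therefore need a follow-up list."""
    return {k: v for k, v in metrics.items() if k.startswith("pct_") and v > RISK_APPETITE_PCT}


# Constructed exports from each source; none of these hosts are real.
AS_OF = date(2024, 6, 30)
AD = [Host("WS-01", date(2024, 6, 29)), Host("WS-02", date(2024, 6, 20)), Host("WS-03", date(2024, 5, 1)),
      Host("SRV-DC1", date(2024, 6, 30)), Host("SRV-FILE", date(2024, 6, 30)), Host("WS-OLD")]
ENDPOINT = [Host("ws-01"), Host("ws-02"), Host("srv-dc1"), Host("srv-file"), Host("lt-contractor")]
NETWORK_INVENTORY = [Host("sw-core"), Host("ap-lobby"), Host("cam-front"), Host("hp-printer-3f")]
SCANNER = [Host("ws-01.corp.example"), Host("ws-02.corp.example"), Host("srv-dc1.corp.example"),
           Host("sw-core"), Host("ap-lobby"), Host("cam-front"), Host("hp-printer-3f"),
           Host("lt-contractor"), Host("raspberrypi")]

if __name__ == "__main__":
    m = reconcile(AD, ENDPOINT, NETWORK_INVENTORY, SCANNER, AS_OF)
    print(m)
    print("over appetite:", over_appetite(m))
```

The lists returned alongside the percentages are the working output: a 5% threshold is only useful if the report also names the fifty devices someone has to go and find.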

TIP: For larger organizations, regularly sharing and comparing the metrics of different business units can help encourage cooperation and support!

Now how and where do we get this data? That's the proverbial million dollar question, which we'll discuss in Part 2!

Image Source: Adobe Firefly Generative AI

#MetricsMonday (000) – Metrics, We Don’t Need No Stinkin’ Metrics!

Security starts with visibility. Great, I see some trending data but is that good or bad?

You can't manage what you can't measure. Is what we are doing effective? Is what we're doing even useful?

We've all heard these nuggets of wisdom before. And yet with the ever increasing pace of change, complexity, and demands of daily life, it's easy to get stuck in the weeds and neglect metrics and reporting.

Without good metrics, how do we know if we're doing a good job? Without good metrics, how do we justify our time and investment in a product or service? How can we demonstrate that we need more resources such as budget or staff? Worst of all, without meaningful metrics, how do our businesses understand and recognize the value of cybersecurity?

So what metrics should we report? The number of blocked network threats is always good eye candy, and so is the number of rejected emails. Do any of these matter to the business? Maybe, if the blocked network traffic negatively impacted a business function. The same goes for blocking emails. These might be more useful to performance management than cybersecurity; so what to do?

Follow our #MetricsMonday series, where we explore cybersecurity metrics with the aim to develop a set of meaningful metrics that directly map to cybersecurity and most importantly, to business outcomes.

So welcome aboard, we're glad you're here.

Image Source: Adobe Firefly Generative AI

Case Study – Ourselves!

As the saying goes, sharing is caring, but first, some background. Most of our infrastructure has been in the cloud for close to ten years, i.e. email, security and management consoles, etc. Early on, our endpoints were domain-joined but that proved cumbersome for us as we spent the majority of our time off-LAN, working remotely or at customer sites. As cybersecurity service providers we lead by example and make a point of using the same technologies and tools that we recommend for our customers.

Our core endpoint security consists of several tools and layers. We’ll start from the foundation and work our way up the stack:

  • Trapezoid FIVE – If you can’t trust the hardware, how can you trust the software? Firmware is everywhere, from your laptop to IoT devices to datacenters to the cloud. It is even part of the NIST Cybersecurity Framework. Using Trapezoid FIVE, we monitor the BIOS integrity of our systems for unauthorized changes.
  • OpenDNS Umbrella, specifically the Roaming Client provides security management and reporting from the endpoint, network, and web perspectives. Our systems benefit from the same Community Threat Intelligence feeds that we provide for our customers.
  • CylancePROTECT – All modules are fully enabled and enforced. File security is set to Auto Quarantine with Execution Control. Files are examined pre-execution.  Memory Violations are terminated. The CylancePROTECT services and applications are protected against tampering. The Application Control module is enabled and prevents creating or even saving an unauthorized application (Portable Executable or PE) file let alone running it. ScriptControl is fully enabled and will block unauthorized ActiveScript, PowerShell scripts, or MS Office Macros from running. Objectively, fully locking down scripts was the hardest aspect but critical for the prevention of file-less malware. Lastly, the Device Control module allows the usage of only authorized devices.
  • CylanceOPTICS – The OPTICS endpoint detection and response (EDR) tool is deployed with a custom-developed ruleset that also aligns with the MITRE ATT&CK Framework.
  • OPSWAT MetaDefender Cloud – All web downloads are scanned with over 35 antimalware engines in the MetaDefender Cloud system.
  • HerdProtect – As CylancePROTECT only monitors Portable Executable (PE) files, we also regularly scan our endpoints with HerdProtect’s 68 independent antivirus scanners. This ensures an explicit check of data files such as MS Office, Adobe, and image files.
  • McAfee GetClean – We have a long relationship with McAfee and continue to work with the company, notably with the Joint Development Program. We use this tool to help provide McAfee with information on known clean system images and files.
  • DUO Beyond – Authentication to our local systems requires multifactor authentication using DUO. In addition to requiring MFA, we are also enabling usage of Yubikey Two Factor security keys wherever possible.
  • BitLocker – All local volumes are fully encrypted using Windows BitLocker.
  • Windows and application updates are installed within one month of release. Patch management is primarily monitored using Patch Manager Plus Cloud but also with DUO’s Device Health application.
  • RoboForm Everywhere manages my passwords. I’ve been using it for a very long time. LastPass is the other popular app for this. We never save passwords in browsers.
  • User accounts never have administrative rights – not now, not next November, never! Check out the latest BeyondTrust report on Microsoft vulnerabilities.
  • Device management is performed using several tools and layers, subject to the individual device’s specifics. Cisco Meraki’s MDM system is the most common, and the ability to manage our own systems as well as customers’ systems, firewalls, switches, and wireless devices from it is simply more efficient.
  • Finally, our online presence, or our digital risk, is monitored using a combination of open-source tools like Google Alerts as well as private deep/dark web tools, including but not limited to Digital Shadows and SpyCloud.

The commonly stated trade-offs for security are performance and convenience. As security is our business, it cannot be compromised for convenience. That said, if I really had to nitpick, the one area that might be considered inconvenient would be the authentication process with MFA. In reality the few extra seconds required to use the DUO app on our phones is truly trivial. Technology is constantly evolving and we’re always looking at ways to improve.

As for performance, we have long believed in making the right investments in computing devices up-front. We favor business-class computers, currently the HP Zbook Workstations. We also made the switch to solid-state drives (SSD) ten years ago and haven’t looked back. My current system is a five-year-old HP Zbook 14 G2 with dual SSD drives and 16GB RAM. It runs as well now as the day I purchased it. Only when I am simultaneously running several virtual systems do I long for more RAM. More recent models like the Zbook 15u support 32GB RAM. Over time that too will improve. The longevity is partially due to the choice of hardware (platform, RAM, SSD) and partially due to our carefully, curated security stack.

Bonus Tip: An easy way to improve the performance of a Windows system running on a standard hard disk is to use a USB key and enable ReadyBoost. This nifty feature has been around since Windows Vista and does a really good job of improving performance. Note that you should format and dedicate this key to the computer and not use it for moving files around. A small, high-speed 16GB key is ideal and can be connected to a USB port somewhere on the back or side, where it will be out of the way and where you won’t be tempted to remove it.

I hope you found this information useful. If you have any questions about the information provided, please do not hesitate to contact me.