The Executive Board approved your Security Program Charter.
Based on your research for Unit 2:
Draft the CISO's threat and vulnerability control plan.
To set the stage for the document and provide the reader an
understanding of its purpose, begin with an introduction that
describes a recent major computer security incident.
Explain the various control strategies such as detection and
prevention and explain how each will be used.
Provide insight into some of the methods and tools that will be
used to address threats and reduce vulnerabilities to PCS
information system assets.
In the information security space, a vulnerability is a weakness
that allows an attacker to reduce a system's information
assurance. It is the intersection of three elements: a system
susceptibility or flaw, attacker access to the flaw, and attacker
capability to exploit the flaw. To exploit a vulnerability, an
attacker uses tools or techniques to reach a system weakness; the
set of such reachable weaknesses is also known as the attack surface.
A threat is a communicated intent to inflict harm or loss on the
information system, and it is considered an act of coercion.
Most recent attacks exploit known vulnerabilities for which a patch
or mitigating control was available. This makes vulnerability
management a strategic component of any advanced threat defense
strategy, providing benefits at multiple layers of a
defense-in-depth security architecture.
Attacks launched at the beginning of this year against
organizations in North America involved a zero-day privilege
escalation vulnerability affecting Windows. Researchers found that the
attackers first compromised the targeted system and achieved remote
code execution via malicious documents attached to
spear-phishing emails, and then used the CVE-2016-0167 exploit
to run their code with SYSTEM privileges.
The Verizon Data Breach Q1 2016 Report shows that threat actors
exploited an easily identified vulnerability in a payment
application, leading to the compromise of customer PII and payment
information. Hackers are consistently looking for vulnerabilities
that they can exploit to gain access to corporate networks and
systems, financial data and more.
Organizations acquire capital funds and purchase the latest and
greatest threat and vulnerability mitigation technology, investing
thousands of dollars; unfortunately, a strategic plan to operate
and maintain the new technology is often overlooked. This
results in the new technology providing a false sense of security, as
operating budgets do not take into account the time needed to support,
maintain and operate it; the control becomes ineffective and leaves
the platform with open holes. Threat actors have the upper hand when
technology is not maintained, because they develop ways to circumvent
how it works and exploit its weaknesses. Cloud, mobile and IoT require
an innovative and different approach to assessing vulnerabilities
than traditional Windows and Linux servers and workstations required.
Today, most IT managers try to answer the question "We
have found 500 vulnerabilities and can fix 300 of them quickly. So
how do we prioritize which one to fix first, and which next?" Threat and
vulnerability management, as practised in most enterprises, is a tedious
and time-consuming manual process, and it requires business
context in order to implement the remediation plan. Enterprises
need to design a solution that supports vulnerability life cycle
management by providing automated workflow, reporting and
collaboration capabilities.
At the same time, coordination and planning with business
owners is necessary in order to minimize the impact on service
availability and downtime. Security engineering teams often
spend a lot of time planning, deploying and testing vulnerability
patches in a non-production environment before applying them
to production, because businesses do not want any
service interruption that would impact revenue.
Threat and vulnerability management is the process of identifying,
analyzing, modeling and simulating the potential impact and risk of
security threats and weaknesses, and then planning their remediation. The
program could cover:
Threat and vulnerability management program managers need to
deliver effective vulnerability management for traditional and
emerging technologies in growing, perimeter-less IT environments
including mobility, cloud and IoT. To ensure a successful
vulnerability management program, security leaders need to verify
the effectiveness of their threat and vulnerability management
efforts and align these with business context and objectives.
Assessing the impact of potential threats in order to evaluate their risk
will become a primary tool for managing the large volume of
vulnerabilities that enterprises need to detect and remediate on an
ongoing basis in order to prevent cyber attacks and data
breaches.
Vulnerability management is critical within any organization to
identify, classify, remediate, and mitigate vulnerabilities.
Organizations that set up effective vulnerability management
programs take a proactive and preemptive approach to the safety of
their applications, software and networks and are significantly
safer from data breaches and theft.
Technical blind spots certainly present major information security
challenges to CISOs and their teams, as the complexities of
monitoring encrypted traffic and updating SAP software and other
legacy applications can be daunting tasks. But there are other
cybersecurity blind spots that involve more amorphous and less
technical concepts such as enterprise risks. Several cybersecurity
experts and CISOs offered insight into some of the hidden risks and
vulnerabilities they've discovered, as well as some of the more
persistent and growing threats to enterprise security.
For CISOs now wondering what they might be missing, experts suggest
focusing on the fact that the CEO and board of directors will want
to know where and how the company is positioned in comparison to
leading standards, such as NIST or ISO, and what the company's
level of security maturity is. They will also want to see that
CISOs have developed a roadmap to address any security gaps
uncovered.
In order for the above objectives to be met by the Vulnerability
Management Program, the CISO needs to ensure that it meets the
following top 10 requirements:
1. Maintain an Updated IT Asset Inventory and Categorize It by
Business Risk
Most companies lack sufficient insight into the number of
information assets that are critical to running their business. It
is imperative that an organization's IT assets are enrolled into
the Vulnerability Management Program. IT assets can include
in-house managed assets, third-party assets used for business
processes, and assets in the private/public cloud used to conduct
business. Business owners, along with their security team, should
assign a risk value to each IT asset depending on the critical areas it
supports in the business value chain. The risk value can be
determined on the basis of business value, the sensitive information held,
or the transactions that are supported or handled by the IT
asset.
2. Prioritize Security Assessments on the Basis of Risk
Once IT assets have been enrolled and assigned risk values, it
becomes easier to prioritize security assessments. Make effective
use of automated and manual assessments on your IT assets depending
on the risk value assigned to them. For example, for a high risk
asset, a more detailed assessment with manual expert security
testing can be designated, whereas for a low risk asset, a general
vulnerability scan for compliance can be carried out. This type of
approach towards security assessments can help while collaborating
with business owners to schedule security assessments. Critical
assets can undergo continuous assessments on a weekly or monthly
basis, whereas others can follow a less periodic schedule of
assessments.
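As an added illustration of the risk-based prioritization in item 2 and of the "500 found, 300 fixable" question above, here is a small scorer I wrote for this page (it is not from the original text nor from any PCS tool): the asset risk tiers, weights, exploit boost, assessment cadences and the sample findings are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed policy: business-risk tier -> weight, and tier -> assessment cadence in days
# (the page only states weekly/monthly for critical assets and less often for others).
ASSET_RISK_WEIGHT = {"high": 3, "medium": 2, "low": 1}
CADENCE_DAYS = {"high": 7, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    asset: str
    asset_risk: str      # tier assigned by the business owner with the security team
    cvss: float          # technical severity, 0.0-10.0
    exploit_known: bool  # a public exploit exists (patch-available-but-unpatched case)


def priority(v: Vuln) -> float:
    """Business-context score: asset risk weight x severity, boosted if exploited in the wild."""
    score = ASSET_RISK_WEIGHT[v.asset_risk] * v.cvss
    return score * 1.5 if v.exploit_known else score


def remediation_order(vulns, capacity):
    """Split findings into the `capacity` to fix now and the rest to schedule later."""
    ranked = sorted(vulns, key=lambda v: (-priority(v), v.vuln_id))
    return ranked[:capacity], ranked[capacity:]


def assessment_plan(asset_risk_by_asset):
    """Map each enrolled asset to how often it should be reassessed (days)."""
    return {asset: CADENCE_DAYS[tier] for asset, tier in asset_risk_by_asset.items()}


# Constructed sample findings; note the CVSS 9.8 on a low-risk wiki vs. a 5.0 on the payment API.
SAMPLE_VULNS = [
    Vuln("V-1", "payment-api", "high", 9.8, True),
    Vuln("V-2", "intranet-wiki", "low", 9.8, True),
    Vuln("V-3", "payment-api", "high", 5.0, False),
    Vuln("V-4", "hr-portal", "medium", 7.5, False),
    Vuln("V-5", "intranet-wiki", "low", 3.1, False),
]


def fix_now_ids(capacity=3):
    """IDs chosen for the first remediation window, e.g. the 300 of 500 the team can take on."""
    return [v.vuln_id for v in remediation_order(SAMPLE_VULNS, capacity)[0]]


if __name__ == "__main__":
    print(fix_now_ids())
    print(assessment_plan({"payment-api": "high", "hr-portal": "medium", "intranet-wiki": "low"}))
```

The deliberate outcome is that the medium-severity finding on the high-risk payment asset outranks the critical finding on the low-risk wiki, which is what "business context" in the prioritization question means in practice.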
3. Engage IT Teams in a Continuous Security Assessment Plan
IT teams need to be made aware of the need to integrate
security assessments into their build and deploy cycles. Once the
schedule of assessments is decided, the engaged IT teams have to
ensure that all of the necessary assets are ready and configured
for assessment. This is a key requirement for the success of a
vulnerability management program.
4. Maintain Updated Security Baselines
In order to improve the overall IT security posture, the
vulnerability management program should be guided by secure
baselines/standards against which assessments should be carried
out. These baselines should be created for different asset types
and can be further categorized into mandatory, important and
optional standards.
5. Map Baselines with Compliance Requirements
Ensure that baselines map to compliance requirements of the
business, for example, PCI for payment card data handling. This
will help ensure that adhering to security baselines or standards
automatically helps in compliance with global standards.
6. Empower IT Teams with Security Training
Once the vulnerabilities have been identified, the IT team needs to
mitigate the risks on the IT assets. Training IT teams in secure
baselines and secure-coding guidelines goes a long way in ensuring
that vulnerabilities are mitigated faster.
7. Adopt a Risk-Based Mitigation Strategy
The derived risk values of the IT assets will help in determining
the controls that have to be applied for mitigating the risks on
the IT assets. Do you use advanced two-factor authentication
systems or complex passwords? This will be determined by the type
of asset that has to be protected.
8. Integrate Mitigation Tracking into the VM Program
Maintain a system, such as an MIS system, to track the mitigation
of vulnerability classes and asset types. This system can help you
determine the progress of mitigations, how classes of
vulnerabilities are being mitigated, and how soon. Assigning
mitigation tasks to specific teams or IT owners and integrating
them with bug-tracking systems also proves
beneficial to the success of a vulnerability management
program.
9. Define, Measure and Review the Metrics for the VM Program
Determine whether the program is on track to assess all the
enrolled IT assets. Determine whether your vulnerabilities are
being addressed or risks are being mitigated with the progress of
time. Measure the time taken to acquire new assets or asset
components. Measure the time taken to go live for critical business
applications. These metrics would give you better visibility of the
security issues affecting your IT assets. Intelligence gained can
be used to further fine-tune your vulnerability management program,
drive specific trainings, and develop better IT security
standards.
10. Centralized Visibility of the Entire Vulnerability Management
Program
Finally, all stakeholders of the vulnerability management program
should have a unified view of the current status of the
vulnerability management program. A centralized dashboard can serve
this purpose by providing views of the assessment schedule across
all assets, the most critical vulnerabilities that need immediate
attention, and the departments with the highest/lowest number of
vulnerable assets.