Page 88 - Cyber Defense eMagazine April 2021 Edition

FOUR: You've got to see the problem
A central issue is visibility. How do we determine that an application has a patch available for a serious issue? There isn't necessarily a foolproof way to determine that at scale, but you have to do your best.


Most companies use the Common Vulnerabilities and Exposures (CVE) [link: https://cve.mitre.org/index.html] mechanism; this is a giant database, maintained by public- and private-sector volunteers, that lists the vulnerabilities in most products.

But this depends on the vendor being forthright about it. It's totally voluntary.

And companies can choose how to word the notices — some companies might be more interested in downplaying the issue than in clearly explaining the problem, but for the most part the data is good.

Though not comprehensive, it's one of the best tools we have, and regular scans of CVEs, as well as regular reviews for patches in third-party software, will give you visibility into the existing, known problems you need to address.

Asset management is a security fundamental: you need to have a good sense of what happens on devices, especially those where an employee has wide discretion to install applications without top-down Security or IT involvement.


Chief among these are:
• what software is installed
• what services you use
• what you connect to (OneDrive, SharePoint, Dropbox, etc.)
• what a "normal" system looks like and how it behaves

Although this might not tell you exactly which vendor has a vulnerability, it will help you keep an eye on the possible entry points, and you can tighten those entry points as much as possible: allow only certain types of software, put safeguards in place where services interface with your own stack, and lock down permissions as tightly as you can.


You need visibility into these questions: logs that are useful and sortable, an accurate inventory, and an awareness of the places where your security framework connects to others.


And you need a strong focus not on an impenetrable security system (as we've shown, there is no longer any such thing) but on mitigating, rather than eliminating, risk. All you can do is drag the risk into the window that you can tolerate.

A good device management system with strong inventory and permissions features can help Security and IT sort through, after the fact, what happened in a compromise of their internal systems, and push out a fix as quickly as possible.

FIVE: Stick with Security 101

You do all the things you learn about in Security 101. You do them well. You do them consistently. You review, and you do them again.

Copyright © 2021, Cyber Defense Magazine. All rights reserved worldwide.