Vulnerabilities

The importance of asset visibility in the detection and remediation of vulnerabilities

Drew Robb
September 15, 2023 by
Drew Robb

“You can't manage what you can't measure,” said Management guru Peter Drucker.  

Similarly, in cybersecurity, you can’t detect or remediate vulnerabilities endpoints you can’t see. Asset visibility, then, is an essential first step in understanding an organization’s risk profile, identifying threats, and rapidly deploying fixes. 

“Creating and managing an accurate inventory of internet-facing assets and being able to identify potential exposures and vulnerabilities has become a key focus for many organizations,” said Nabil Hannan, Field Chief Information Security Officer at NetSPI. 

Learn Vulnerability Management

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

That may sound easy to do but can be challenging in practice. According to a report by Ivanti, popular vulnerability scanners often miss key vulnerabilities. 3.5% of ransomware vulnerabilities, for example, are being missed. The number rises higher for other forms of vulnerability. 

The situation of unspotted vulnerabilities has worsened in recent years due to the shift in the workplace from the office to the home. As a result, the external facing attack surface has evolved. Far more enterprise assets are exposed to the internet. They connect to a multitude of cloud-based and on-premises systems. This makes life easier for cybercriminals. 

Undetected and Unpatched Vulnerabilities Proliferate 

In such a climate, organizations must be on their toes when it comes to spotting and addressing potential threats. Sadly, that is not always the case. Despite almost 18 months of alerts and heavy publicity about the Log4j vulnerability as well as the existence of patches, it continues to be exploited. 

"As the Log4j vulnerability shows, discovering, mitigating, and fixing vulnerabilities as soon as possible is more important than ever to good cyber-hygiene," said Michelle Abraham, an analyst with IDC. "Leaving vulnerabilities without action exposes organizations to endless risk since vulnerabilities may leave the news but not the minds of attackers." 

Storage and backup software, for example, can sometimes present an easy breach pathway for attackers. Continuity Software detailed almost 10,000 discrete security issues, vulnerabilities and misconfigurations detected across commonly used storage and backup systems. 

Learn Vulnerability Management

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

“The typical enterprise storage or backup device has 14 vulnerabilities on average,” said Doron Pinhas, CTO at Continuity. “Out of those three are high or critical risk.” 

Raising Asset Visibility 

No wonder raising asset visibility has become a priority of the Cybersecurity and Infrastructure Security Agency (CISA). It recently published a directive to Federal Civilian Executive Branch (FCEB) agencies, mandating continuous vulnerability scanning across all devices, endpoints and systems operating on their networks. 

They are now required to: 

1.       Initiate vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days. 

2. Perform automated asset discovery every seven days. While many methods and technologies can be used to accomplish this task, at minimum this discovery must cover the entire IPv4 space used by the agency.   

“The basic requirement to know what you have in your infrastructure has a major impact on your ability to manage risk,” said Yossi Appleboum, CEO of Sepio. 

With tens of millions of devices within the government, insecurity in one device could expose a great many agencies and systems. In extreme cases, it could represent a danger to national security. CISA has effectively stepped up the heat on agencies to ensure they are doing all they can to increase asset visibility. 

Too Narrow a Focus 

A single, regular scan from one tool is a good place to start. But it is far from enough. Appleboum pointed out that vendor focus can cause scans to target too narrow an area. This can lead to holes in inventorying and lack of awareness of potential threats. For example, there is a big difference between the risk posed by software and that posed by infrastructure on the hardware side.   

“Some technologies today are trying to apply a software way of mapping and understanding risk to a hardware environment,” he said. “It’s not efficient, it’s not scalable and not accurate enough.” 

By viewing things purely from the software perspective, vulnerabilities may be missed. Appleboum said that in some cases, an understanding of diverse areas such as physics, electronics, Ethernet and Wi-Fi may be required to be able to inventory and assess all possible risks. 

He cited the example of traffic and activity monitoring. While it is a good tool in itself, it is limited by the fact that a silent presence within the network is not picked up. If a threat actor breaks in and lies dormant, reliance on traffic monitoring won’t do you any good.  

Hence, there is room in cybersecurity for people from multiple disciplines and for those who can combine several skill sets. As well as cybersecurity or networking expertise from a largely software perspective, the industry needs more people who have a firm grip on the infrastructure engineering side. 

“I would recommend building your knowledge around an understanding of the overall ecosystem,” said Appleboum. 

 

Learn Vulnerability Management

Learn Vulnerability Management

Get hands-on experience with dozens of courses covering vulnerability assessments, tools, management and more.

Scan Regularly 

Appleboum and others make it clear that too specialized a view of the enterprise leads to lower asset visibility and heightens risk as some vulnerabilities may be missed. Those implementing the CISA directive to conduct regular vulnerability scans on all systems and endpoints, therefore, are advised to: 

  • Update vendor signatures used in vulnerability detection within 24 hours from the point or release by the vendor
  • Include mobile devices as part of the group of devices scanned.
  • Deploy multiple scanners and scanning types. It is wise to use a mix of vendor-based and open-source vulnerability scanners as well as those specializing in specific areas such as storage and backup.
  • Ensure that hardware and infrastructure elements are inventoried and assessed as these may be missed by software-focused scanners. 

“Scanning should not be limited to once a month, as is currently common among traditional vulnerability management tools,” said Graham Brooks, Senior Security Solutions Architect at Syxsense. “Scans should be performed on an ongoing basis.”  

To learn more about the art of asset detection on any scale, check out the full Cyber Work episode with Yossi Appleboum

Drew Robb
Drew Robb

Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.