“It's important to recognise that the process of vulnerability assessment and analysis has existed as an enabler of security and risk audit for quite some time. It has become an integral and critical component for many framework regulations and cyber data privacy laws which we have to deal with in our current data-rich market”, stated Christopher Strand, Chief Compliance Officer of IntSights, as he addressed the virtual audience at the Black Hat Asia 2020 conference, which took place last week.
In his session titled “Enriching Risk Assessment through Vulnerability Prioritisation”, Christopher talked about how contextual threat intelligence can be applied directly to cyber-regulatory requirements to prioritise security control assessment processes, gap analysis and threat protection.
For Christopher, vulnerability ranking and prioritisation have rightly become a prerequisite of cybersecurity and data security regulations, almost a standard or default expectation for organisations. “This evolution in cybersecurity has certainly led to challenges in proactively meeting compliance guidelines and achieving the goal of continuous compliance”, added Christopher.
One of the growing challenges in the cybersecurity ecosystem today is ransomware that not only demands a payment, but also threatens to leak the affected data if the ransom is not paid. Such ransomware finds easy targets partly because some companies are still operating on older systems that no longer receive security patches, which makes threat intelligence harder to act on.
“Probably one of the most widespread challenges we have emphasises the need for better vulnerability prioritisation, as there are systems no longer provided with security patches as they're no longer supported by their software vendors. This is something that all organisations will need to deal with”, explained Christopher.
In his presentation, Christopher singled out a few of the older, but still widely used operating systems that need to have near-term mitigation plans to effectively safeguard critical, personal and sensitive data:
Windows Embedded POSReady 2009 – implemented on ATM systems and retail POS
Windows 7 – on client admin systems
Windows Server 2008 – largely implemented in server farms for finance and payment system estates
“The missing protection of the security patches on these systems is going to affect multiple data security regulations that businesses are held to. It's also going to present a challenge to the already overstressed systems and the personnel that are tasked to protect them, and thus, the data that resides on them”, Christopher added.
Christopher then gave some examples of regulations and standards that use automated vulnerability risk prioritisation to enable risk-based compliance. These include the Payment Card Industry Data Security Standard (PCI DSS), which has a long history of prescriptive controls that encourage a proactive approach to implementing security that protects data.
PCI DSS enables vulnerability automation by requiring organisations to establish a process to identify security vulnerabilities, to use reputable outside sources for security vulnerability information, and to assign a risk ranking to newly discovered vulnerabilities (Requirement 6.1 in PCI DSS v3.2.1), including the identification of all “high” risk and “critical” vulnerabilities. The outside sources and the ranking together form the threat intelligence input to the compliance process.
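The risk-ranking process just described, together with the end-of-support platforms listed earlier, can be reduced to a small prioritisation pass. The following is an added example and not code from the talk or from IntSights: it takes a constructed asset inventory and a constructed vulnerability feed (the EXAMPLE-* identifiers are placeholders, not real CVEs), maps CVSS v3 base scores onto the standard qualitative scale, and ranks findings one level worse when no vendor patch can ever arrive, either because the vulnerability has no fix or because the operating system is past its vendor end-of-support date. The escalation rule and the use of cardholder-data-environment scope as a sort key are assumptions made for illustration; the end-of-support dates are the vendor-published ones.

```python
"""Added example (not from the talk or IntSights): a minimal vulnerability
risk-ranking pass of the kind PCI DSS Requirement 6.1 describes. Assets,
vulnerabilities and the EXAMPLE-* identifiers are constructed; the
end-of-support dates are the vendor-published ones."""
from dataclasses import dataclass
from datetime import date

# Vendor end of extended support for the platforms named in the talk,
# plus one still-supported platform for contrast.
END_OF_SUPPORT = {
    "Windows Embedded POSReady 2009": date(2019, 4, 9),
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2019": date(2029, 1, 9),
}

# CVSS v3.x qualitative severity scale, lowest to highest.
SEVERITY_LEVELS = ("low", "medium", "high", "critical")


@dataclass(frozen=True)
class Asset:
    name: str
    os: str
    in_cde: bool  # inside the cardholder data environment


@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str          # constructed placeholder, not a real CVE
    cvss: float           # CVSS v3 base score taken from the outside feed
    affected_os: frozenset
    vendor_patch: bool    # has the vendor shipped a fix?


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    rank: str
    in_cde: bool
    cvss: float
    reasons: tuple


def cvss_rank(score: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative scale."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def escalate(rank: str) -> str:
    """Raise a rank by one level; critical stays critical."""
    i = SEVERITY_LEVELS.index(rank)
    return SEVERITY_LEVELS[min(i + 1, len(SEVERITY_LEVELS) - 1)]


def is_unsupported(os_name: str, as_of: date) -> bool:
    eos = END_OF_SUPPORT.get(os_name)
    return eos is not None and as_of > eos


def rank_finding(asset: Asset, vuln: Vulnerability, as_of: date) -> Finding:
    """Rank one (asset, vulnerability) pair. Assumption: a finding that can
    never receive a vendor patch is ranked one level worse, because the only
    options left are mitigation or decommissioning."""
    rank = cvss_rank(vuln.cvss)
    reasons = [f"cvss {vuln.cvss}"]
    if is_unsupported(asset.os, as_of):
        reasons.append(f"{asset.os} unsupported since {END_OF_SUPPORT[asset.os].isoformat()}")
    if not vuln.vendor_patch:
        reasons.append("no vendor patch")
    if len(reasons) > 1:  # at least one "no patch is coming" condition holds
        rank = escalate(rank)
    return Finding(asset.name, vuln.vuln_id, rank, asset.in_cde, vuln.cvss, tuple(reasons))


def prioritise(assets, vulns, as_of: date):
    """Match the feed against the inventory and order findings by rank,
    then CDE scope, then CVSS score, then asset name."""
    findings = [rank_finding(a, v, as_of) for a in assets for v in vulns if a.os in v.affected_os]
    findings.sort(key=lambda f: (-SEVERITY_LEVELS.index(f.rank), not f.in_cde, -f.cvss, f.asset))
    return findings


def high_and_critical(findings):
    """The subset PCI DSS asks to be identified explicitly."""
    return [f for f in findings if f.rank in ("high", "critical")]


def unsupported_assets(assets, as_of: date):
    """Assets that need a near-term mitigation or replacement plan."""
    return [a.name for a in assets if is_unsupported(a.os, as_of)]


# Constructed sample inventory and feed.
ASSETS = [
    Asset("atm-kiosk-01", "Windows Embedded POSReady 2009", True),
    Asset("admin-ws-07", "Windows 7", False),
    Asset("pay-db-02", "Windows Server 2008", True),
    Asset("web-front-01", "Windows Server 2019", True),
]
VULNS = [
    Vulnerability("EXAMPLE-0001", 8.1, frozenset({"Windows 7", "Windows Server 2008", "Windows Server 2019"}), True),
    Vulnerability("EXAMPLE-0002", 5.3, frozenset({"Windows Embedded POSReady 2009"}), False),
    Vulnerability("EXAMPLE-0003", 9.8, frozenset({"Windows Server 2019"}), True),
    Vulnerability("EXAMPLE-0004", 3.1, frozenset({"Windows Server 2019"}), True),
]
AS_OF = date(2020, 10, 1)

if __name__ == "__main__":
    for f in prioritise(ASSETS, VULNS, AS_OF):
        print(f"{f.rank:8} {f.asset:14} {f.vuln_id}  {'; '.join(f.reasons)}")
    print("needs mitigation plan:", unsupported_assets(ASSETS, AS_OF))
```

Note that a medium-scored vulnerability on the POSReady kiosk ends up ranked high purely because no fix will ever ship, which is the point of the talk: on unsupported platforms the ranking must drive a mitigation plan (network isolation, compensating controls, or replacement) rather than a patch cycle.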
“These are some of the metrics we can look for as we narrow down the gaps within our systems to prioritise critical vulnerabilities. Vulnerability prioritisation needs to be taken as a measure to protect critical systems and data in all cases”, concluded Christopher.