Vulnerability management that every business decision maker needs to know about - Part 1

Felicia King and Dan Moyer of QPC Security talk about vulnerability management, patch management and all the things that business owners are generally not understanding adequately. As a result of that, you're being underserved, misled, and in some cases were lied to and ripped off.

Ultimately, many business owners are refusing to pay for what they need for adequate risk management because they don't understand what they need. In today's episode Felicia and Dan fill that gap. 

Announced on October 6, 2021, the US Department of Justice Civil Cyber-Fraud Initiative is applying the false claims act to those who:

• fail to follow required cybersecurity standards
• knowingly provide deficient cybersecurity products or services
• misrepresent their cybersecurity practices or protocols
• violate obligations to monitor and report cybersecurity incidents and breaches

Just let that sink in for a second. So, is your IT service provider really meeting that standard? I sincerely doubt it.

01:23 The difference between vulnerability management and patch management 

Holistic vulnerability management includes, but is certainly not limited to: 

• Software bill of materials analysis 
• Supply chain risk management 
• Third-party risk management 
• End-of-life software 
• Asset inventory up to date 
• Lifecycle management 
• Continuous vulnerability assessment 
• Frequency penetration tests 
• Tabletop exercises 
• Procurement policy 

04:38 Cybersecurity insurance applications aren’t asking JUST about patch management 

1. When did you have your last penetration test? 
2. Do you have continuous vulnerability assessment in place? 
3. How long are you going to go without having the patches applied in the environment? 
4. If you think adequate patch management can be done for $50/mo/server, you are hallucinating.

So, what’s included in patch and vulnerability management?  

05:34 Patch management 

Patches are the building blocks that are improving the software that lives on the hardware. Without software, you can't interact with the piece of hardware unless it's purely mechanical, and even then there's still improvements of usage.  

How do you manage and protect those tools of your business from threat factors? 

09:20 Third-party patches & vulnerabilities 

IT service provider proposals are telling business owners that they can patch their servers and their endpoints and automate Windows updates and some third-party patches. What are those third party applications? What about all your custom business line applications? Do you actually want your critical SQL server to have its SQL instance updated using automation? How much money does it cost you if that workload is down?

10:27 Asset management 

Do you know what you have in your environment? Do you have accurate asset management and vulnerability assessments? Simply stated:  

“You can’t secure what you don’t have an accurate inventory for.” 

It is a regulatory requirement and cybersecurity insurance requirement to adequately document and understand software dependencies in your environment. That requires a proper inventory of your hardware, software, and subcomponents of the software. This is frequently referred to as SBOM - software bill of materials. And if you think your software vendor is going to provide that information, please go ask them for that information. You will probably get a blank stare. IS security engineers can figure it out on their own.

18:48 Implementing proper procurement policies 

Does your procurement policy support your vulnerability management strategy? Does your software acquisition and implementation policy (if you even have one) support your cybersecurity insurance and regulatory requirements?

When business decision makers put pressure on an IT service provider or internal IT to implement new software without proper security protocols, vetting, and process documentation, vulnerabilities are nearly always introduced into your environment. Sometimes that comes directly from their insecure software. Sometimes it comes from the tools and connectivity they use to remote into your systems or things like API connectors that your IT is supposed to just blindly trust the software vendor to secure their software with zero validation or proof. A proper CISO on your team or through your ITSP will be able to directly vet the vendor and software itself.

You are required by cybersecurity insurance and Federal regulatory guidance to do so. It is also in your business's best interest to do so.

Be very careful looking for just certifications for someone who says they are a CISO. The majority of CISOs do not have technical chops. They are often compliance managers that cannot do the technical work. Those people have limited usefulness and will not be able to 

All of the vCISOs at QPC are hardcore technical because we understand the essential nature of that skillset being a mandatory requirement to deliver effective CISO services.

20:24 Privileged access management and privileged password management 

How do you know who has access to remote access to your systems? How many people will have access to your systems? Today, there are many IT service providers who are not disclosing their outsourced Helpdesks that are giving full administrative-level access to a customer’s back end to all those workers at the virtual live Helpdesk. Most ITSPs also fail to disclose the totality of the quantity of people that will end up with admin access to some or all of your systems.

Ask yourself. If you have 25 office personnel, why would it take 30 remote people to have admin access to your systems in order to provide competent support? Do you think it is actually possible to have a high security environment and magically keep 30 people fully up-to-speed on the exact correct configurations required in your environment and what the interaction effects are? It's not possible and will never happen. 

24:27 A procurement policy can keep a business' IT costs stable 

The number one thing that business owners complain about is the cost of maintenance. With a procurement policy in place and by working with their IT service provider and procuring anything that they do not have a full understanding of the total cost of ownership for – costs can be managed. 

Does your procurement policy support your business strategy and needs? 

34:22 Understanding the cost and time of device and software procurement 

There's also a lot of other risks that the vast majority people don't think about; they tend to only think about the budgetary risk. However, getting the strategic input from a CISO or CIO to develop an understanding of the minimum pricing floor and how that affects the total cost of ownership, can save a business not only money but time.  

SaaS can get you closer to a flat-rate cost but you may have inherited additional risk and vulnerabilities, depending on how the new technology interconnects with your systems. Additional risk factors are:

• counterparty risk
• structural increase in cost of doing business risk
• accessibility risk (redundant access is then required and cannot be fully mitigated)
• external software vendor attack vector risk that cannot be mitigated through Layer3 ACLs
• takedown/contract risk

37:33 Cloud vs on-prem security 

It's still a fallacy that having your systems in the cloud is better and cheaper, incorrectly thinking they can have as good security in the cloud as they can on premise. Going to SaaS can provide a lower and more predictable TCO if the counterparty risk you accept is worth it. But picking up your servers and hosting them on someone else's infrastructure will never be less expensive. IaaS cost savings are a fallacy for the majority of businesses. The exception being massive companies with heavy DevOps needs for spinning up and down workloads quickly. Most of those items are being migrated to Kubernetes and OpenShift.

46:48 IT/IS is not a utility 

The electricity company, the water utility, garbage pickup, fire and safety, ISP – they are monopolies and uni-taskers. Whereas IT is far more complex. People tend to think that if it’s a utility, therefore it’s a commodity, and if it’s a commodity it doesn’t matter which service provider I choose. 

Business decision makers are trying to manage budget risk without understanding their requirements. They also want to have budgetary control while abdicating their involvement upon outsourcing their IT to an ITSP.  

An IT service provider can be a partner to success and can help businesses develop better business strategies IF there is regular and open communication.  

 

This is part 1 of a 2-part series on vulnerability management. Listen to Part 2 at https://qpcsecurity.podbean.com/e/vulnerability-management-with-felicia-and-dan-part-2. To learn more about QPC Security, visit us at https://www.qpcsecurity.com/

This is another resource for vulnerability management information.

https://land.fortmesa.com/vulnerability-management-101