Vulnerability Management in the time of a Pandemic
Like most people, until now I had only experienced the uncertainty caused by a full-blown pandemic through a book I had read and a film I had watched: Gabriel García Márquez's "Love in the Time of Cholera".
That difficult situation is now a reality in the US and in the rest of the world.
For this reason, both individuals and organizations are being forced to change their daily lives and routines in order to protect themselves from the COVID-19 pandemic.
For organizations of all sizes, that means quickly standing up remote-working systems so that employees can work from home rather than risk infection. In practice it means deploying remote connectivity and security infrastructure such as VPN (Virtual Private Network) concentrators, Citrix Virtual Desktop servers, Remote Desktop connections, file sharing, FTP servers and more.
Whenever there is an emergency and time is of the essence, such systems tend to be set up without fully weighing the security implications of the installation. When vulnerability and configuration management are left out of the implementation of remote teleworking systems, bad things happen; when several such systems are stood up in a hurry with little or no attention to secure configuration and patch status, the consequences are all but guaranteed.
Throughout this post I use vulnerability management to mean the process of managing an asset's attack surface and its exposure to security threats. That covers asset inventory, vulnerability and misconfiguration detection, vulnerability-to-threat correlation and prioritization, the remediation workflow, program intelligence and the feedback loop.
The first step in assessing the vulnerabilities of remote teleworking systems is to understand which teleworking systems you actually have and how to track them. That in turn means answering questions such as:
- How many VPN terminations do I have, and which routable IP addresses are they mapped to?
- How many Citrix Virtual Desktops are there, and where?
- Are the load balancers secured, correctly configured and able to withstand the traffic load?
- Are my FTP and SFTP sites secured, correctly configured and able to withstand the traffic load?
- Are all Microsoft (MS) Remote Desktop connections to the outside world accounted for and adequately protected?
- Are all OWA (Outlook Web Access) installations accounted for and adequately protected?
- Are all file-sharing accounts accounted for and adequately protected?
- Are all CMS websites accounted for?
Obviously this is only a small part of the remote connectivity estate an organization manages. It is nevertheless important to keep a full inventory of the remote teleworking and work-sharing systems that are enabled at any given moment, and to check that inventory against what is actually reachable from the Internet. Knowing what you have to protect and manage is halfway to securing your organization.
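The inventory check described above, as an added example that is not part of the original post: a small reconciliation of what the organization believes it has exposed against what an external port scan actually found. The hosts, ports, owners and banners are constructed (203.0.113.0/24 is a documentation range), the port-to-service mapping is an assumption, and the script would normally be fed real scanner output rather than the embedded lists.

```python
"""Reconcile an inventory of remote-access systems against what is actually
reachable from the Internet. Added example; the hosts, ports, owners and
banners are constructed, not real data."""
from dataclasses import dataclass

# Services a scanner would typically see on an externally reachable port.
# Assumption: 443 is treated as a generic web/VPN/OWA endpoint here.
PORT_TO_SERVICE = {
    21: "ftp", 22: "sftp", 443: "https (vpn/owa/citrix)",
    445: "smb", 3389: "rdp", 8009: "ajp (tomcat)",
}
# Services that should essentially never face the Internet unplanned.
HIGH_RISK = {"smb", "rdp", "ajp (tomcat)"}


@dataclass(frozen=True)
class Asset:
    ip: str
    port: int
    service: str
    owner: str


@dataclass(frozen=True)
class Exposure:
    ip: str
    port: int
    banner: str


def reconcile(inventory, observed):
    """Return (unknown, missing, matched): exposures with no inventory entry,
    inventory entries the scan did not see, and entries confirmed by the scan."""
    known = {(a.ip, a.port): a for a in inventory}
    seen = {(e.ip, e.port): e for e in observed}
    unknown = [e for key, e in seen.items() if key not in known]
    missing = [a for key, a in known.items() if key not in seen]
    matched = [a for key, a in known.items() if key in seen]
    return unknown, missing, matched


def triage(unknown):
    """Label each unknown exposure with the service its port implies and
    whether that service is in the high-risk set; high-risk items sort first."""
    rows = []
    for e in unknown:
        service = PORT_TO_SERVICE.get(e.port, f"unknown/{e.port}")
        rows.append((service in HIGH_RISK, service, e.ip, e.port))
    return sorted(rows, key=lambda r: (not r[0], r[2], r[3]))


# Constructed inventory: what the organization believes it has exposed.
INVENTORY = [
    Asset("203.0.113.10", 443, "vpn", "netops"),
    Asset("203.0.113.20", 443, "owa", "messaging"),
    Asset("203.0.113.30", 443, "citrix-gateway", "eus"),
    Asset("203.0.113.50", 21, "ftp", "partners"),
]
# Constructed scan output: what an external port scan actually found.
OBSERVED = [
    Exposure("203.0.113.10", 443, "GlobalProtect Portal"),
    Exposure("203.0.113.20", 443, "Outlook Web App"),
    Exposure("203.0.113.20", 445, "SMB 3.1.1"),
    Exposure("203.0.113.30", 443, "Citrix Gateway"),
    Exposure("203.0.113.40", 3389, "Microsoft Terminal Services"),
    Exposure("203.0.113.60", 8009, "ajp13"),
]

if __name__ == "__main__":
    unknown, missing, matched = reconcile(INVENTORY, OBSERVED)
    for high, service, ip, port in triage(unknown):
        print(("HIGH " if high else "     ") + f"{ip}:{port} {service}")
    for a in missing:
        print(f"inventoried but not observed: {a.ip}:{a.port} {a.service} ({a.owner})")
```

The two lists that matter are the unknown exposures (here an SMB listener on the OWA host, an RDP listener nobody registered, and a Tomcat AJP port) and the inventoried items the scan did not see (here the partner FTP site), which may have been decommissioned or may be hidden from the scanner and need a second look either way.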
Once you understand which systems form your telework attack surface, ask which vulnerabilities and misconfigurations they carry.
First, ask whether all your remote-working systems, and the directory services they authenticate against, enforce an adequate password length policy, password expiration (bearing in mind that current NIST SP 800-63B guidance favours screening passwords against breach lists over forced periodic rotation) and non-predictable usernames. Also, do your Internet-exposed websites allow valid-username enumeration through differences in their responses, such as a distinct error message, status code or response time for a known account versus an unknown one? Consider this: if attackers can enumerate valid Active Directory-connected usernames, half of their work is done, because spraying a few common passwords against a confirmed list of accounts is far cheaper than guessing both halves of a credential.
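A concrete way to test for the enumeration oracle described above, as an added example that is not from the original post: a constructed login handler in its leaky and hardened forms, and a check that compares the responses for a known and an unknown username on three channels (status code, message text, and the amount of password-hashing work performed, which stands in for response time). The user store, salt, messages and handler names are invented for the example and are not any product's code.

```python
"""Check a login endpoint for a username-enumeration oracle. Added example:
the user store, salt and handlers are constructed stand-ins for a real
directory-backed login, not code from any product."""
import hashlib
import hmac

SALT = b"constructed-salt"  # real systems use a per-user salt; fixed here for brevity


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store: username -> (salt, password hash). One account only.
USERS = {"jsmith": (SALT, _hash("correct horse", SALT))}
# Dummy credential so the hardened handler does the same work for unknown users.
DUMMY = (SALT, _hash("not-a-real-password", SALT))


def login_vulnerable(user, password):
    """Returns (status, message, hash_operations). Leaks account existence via
    the status code, the message text and the early return (no hashing)."""
    if user not in USERS:
        return 404, "Unknown user", 0
    salt, stored = USERS[user]
    if hmac.compare_digest(_hash(password, salt), stored):
        return 200, "OK", 1
    return 401, "Invalid password", 1


def login_hardened(user, password):
    """Same status, same message and the same hashing work whether or not the
    account exists. The explicit membership check is what keeps the dummy
    credential from ever logging someone in."""
    salt, stored = USERS.get(user, DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), stored)
    if matched and user in USERS:
        return 200, "OK", 1
    return 401, "Invalid username or password", 1


def enumeration_oracle(login, known_user, unknown_user, password="wrong-password"):
    """Drive the handler with a known and an unknown username and the same bad
    password; return the channels on which the two responses differ. An empty
    list means no oracle on these channels (timing jitter on a live system
    still needs to be measured separately)."""
    channels = ("status", "message", "work")
    a, b = login(known_user, password), login(unknown_user, password)
    return [name for name, x, y in zip(channels, a, b) if x != y]


if __name__ == "__main__":
    print("vulnerable leaks:", enumeration_oracle(login_vulnerable, "jsmith", "nobody"))
    print("hardened leaks:  ", enumeration_oracle(login_hardened, "jsmith", "nobody"))
```

Against a real OWA, VPN portal or Citrix logon page the same comparison is done with two HTTP requests and a stopwatch; the point of the hardened handler is that it removes the obvious message and status differences and also the early-return timing difference, which is the channel most teams forget.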
As for vulnerability identification, there has lately been a flurry of high-risk, actively exploited vulnerabilities affecting remote connectivity systems. These obviously have to be treated as a priority for patching and reconfiguration. A sample:
- Vulnerabilities affecting VPN and next-generation firewalls from vendors such as Cisco and Palo Alto Networks, for example the Palo Alto Networks GlobalProtect SSL VPN critical pre-authentication vulnerability CVE-2019-1579. The disclosure blog post can be found here.
- Vulnerabilities affecting MS Remote Desktop, used for remote administration, such as the BlueKeep vulnerability CVE-2019-0708 (https://www.us-cert.gov/ncas/alerts/AA19-168A).
- Vulnerabilities in Citrix load balancers and virtual desktop gateways, such as CVE-2019-19781 in Citrix Application Delivery Controller and Citrix Gateway (https://support.citrix.com/article/CTX267027).
- Vulnerabilities in the Microsoft Exchange Control Panel (ECP) and Outlook Web Access, such as CVE-2020-0688, remote code execution on Microsoft Exchange Server through fixed cryptographic keys (https://www.thezdi.com/blog/2020/2/24/cve-2020-0688-remote-code-execution-on-microsoft-exchange-server-through-fixed-cryptographic-keys).
- Vulnerabilities in Server Message Block (SMBv3) on port 445, if it is exposed to the Internet for file sharing (which it should not be), such as CVE-2020-0796 (https://www.zdnet.com/article/microsoft-patches-smbv3-wormable-bug-that-leaked-earlier-this-week/).
- Vulnerabilities in corporate CMS and web application servers such as SharePoint, WordPress and Tomcat, for instance the Tomcat Ghostcat vulnerability CVE-2020-1938 in the AJP connector, which is reachable whenever its port is exposed (https://www.zdnet.com/article/ghostcat-bug-impacts-all-apache-tomcat-versions-released-in-the-last-13-years/).
There are many other vulnerabilities one could list, but the gist is: take the inventory items that form your remote-access attack surface and search for vulnerabilities on them that currently have public exploits or are being used by attacks and malware in the wild. Those are the high-risk vulnerabilities to patch first, because they represent the most risk regardless of their CVSS score.
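The prioritization rule just described, as an added example that is not part of the original post: rank findings by exploitation evidence and Internet exposure first, and let CVSS only order findings within a tier. The tier rules and SLA days are assumptions to be tuned to your own change process; the CVSS values and exploit flags on the CVEs from the text are illustrative and should be confirmed against NVD, vendor advisories and current threat intelligence before acting on them; the HYPO-* entries are hypothetical findings invented for contrast.

```python
"""Rank findings on the remote-access attack surface by exploitability and
exposure rather than by CVSS alone. Added example; tier rules, SLA days,
exposure flags, CVSS values and the HYPO-* finding IDs are illustrative
assumptions, not authoritative data."""
from dataclasses import dataclass

# Tier -> remediation target in days (assumption; tune to your change process).
SLA_DAYS = {1: 2, 2: 7, 3: 30, 4: 90}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    cvss: float
    internet_exposed: bool
    exploit: str  # "in_the_wild", "public_poc" or "none"


def tier(f: Finding) -> int:
    """Exploitation evidence plus exposure decides the tier; CVSS only orders
    findings inside a tier. Example rules, not a standard."""
    if f.exploit == "in_the_wild" and f.internet_exposed:
        return 1
    if f.exploit == "in_the_wild" or (f.exploit == "public_poc" and f.internet_exposed):
        return 2
    if f.cvss >= 7.0:
        return 3
    return 4


def prioritize(findings):
    """Return [(tier, sla_days, finding)] sorted by tier, then CVSS descending,
    then CVE id for a stable order."""
    ranked = [(tier(f), SLA_DAYS[tier(f)], f) for f in findings]
    return sorted(ranked, key=lambda r: (r[0], -r[2].cvss, r[2].cve))


# Constructed findings. The CVEs are the ones discussed in the text; exposure,
# exploit status and CVSS are illustrative. HYPO-* are hypothetical.
FINDINGS = [
    Finding("CVE-2019-0708", "rdp-gw.example.net", 9.8, True, "in_the_wild"),
    Finding("CVE-2019-19781", "citrix-gw.example.net", 9.8, True, "in_the_wild"),
    Finding("CVE-2020-0688", "owa.example.net", 8.8, True, "in_the_wild"),
    Finding("CVE-2020-0796", "fileserver01 (internal)", 10.0, False, "public_poc"),
    Finding("CVE-2020-1938", "tomcat-cms.example.net", 9.8, True, "public_poc"),
    Finding("HYPO-001", "intranet-cms (internal)", 9.1, False, "none"),
    Finding("HYPO-002", "sftp.example.net", 5.3, True, "none"),
]

if __name__ == "__main__":
    for t, sla, f in prioritize(FINDINGS):
        print(f"P{t} ({sla:>2}d)  {f.cve:15} CVSS {f.cvss:4}  {f.asset}")
```

The output makes the point of the paragraph visible: the CVSS 10.0 SMB finding on an internal file server ranks below an 8.8 Exchange finding that is both Internet-facing and being exploited, and the 5.3 SFTP finding with no exploit sits at the bottom even though it is exposed.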
Once you have selected the high-risk vulnerabilities to be patched, you can move on to the remediation workflow. In this highly interconnected area, ask yourself:
- Can I push vulnerability tickets for remediation directly into the systems (ServiceNow, Jira, BMC) that system administrators and DevOps already use for IT support?
- Have I agreed with IT on an appropriate change-management timeframe for the remediation to happen?
- Do I have a preferential channel of communication with IT for emergency security patching of remote teleworking systems?
- What if the patch cannot be applied because it breaks systems that are essential for teleworking? Which compensating controls (vendor mitigations, access restrictions, additional monitoring) can I put in place in the meantime, and for how long?
The key here is to balance the availability of remote-access systems that support remote work against the guarantee that those access systems are implemented securely.
Once the remote-access systems are implemented and secured, what do the vulnerabilities you discovered and patched along the way say about your vulnerability management program? The VM feedback loop is an important tool for improving the overall program and the overall security of your systems.
As you can see, in an emergency like the current pandemic it is essential to deliver remote teleworking systems on time, but also to incorporate sound vulnerability and threat management practices into the implementation of those systems.