Xen and the Art of Vulnerability Maintenance

It is no secret that hackers have been making the rounds, targeting organizations of all sizes, from national retailers to local financial institutions, using familiar exploits like Heartbleed and Shellshock to execute their hits. This recent spate of malicious attacks has shown just how vulnerable our Internet-based world is.

In the era of the ‘Internet of Things’, minor flaws can have catastrophic consequences if vulnerabilities are not fixed in time. The recent Xen hypervisor bug and the 2003 Northeast blackout, traced to a race condition in alarm-system software, illustrate how a single vulnerability can represent widespread risk.

Security is built in layers and depends on many collaborators working through a process that keeps residual risk to an acceptable minimum. The first step is to establish a baseline of where an organization stands in terms of security maturity, including a comprehensive penetration test that yields actionable results. To paraphrase Sun Tzu, if you know yourself and the enemy, you need not fear the result of a hundred battles.

Penetration Test

There are many reasons to conduct a penetration test. One obvious, and unfortunate, motivation is that you have already been hacked and want to learn more about the exploitable vulnerabilities and threats to your systems. The outcome of a successful penetration test can reduce the risk of another attack.

In some industries, certain types of data, and how that data must be handled securely, are strictly regulated. Examples of such standards and regulators include the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the Office of the Comptroller of the Currency (OCC), which supervises all national banks. Regulators commonly require a documented certification process, and penetration test results can serve that purpose. The main objective of penetration testing is to determine IT security weaknesses. A penetration test can also be used to gauge an organization’s security policy compliance, its employees’ security awareness, and the organization’s ability to identify and respond to security incidents.

Penetration testing shows you where to focus your attention by determining the feasibility of a particular set of attack vectors. A penetration test will identify high-risk vulnerabilities and may uncover issues that are difficult or impossible to detect with automated network or application vulnerability scanning software.

Penetration testing will determine if your organization is able to successfully detect and respond to hacker attacks. It will also help assess the magnitude of potential business and operational impacts should an attack occur. In addition to the benefits listed above, if you are in the role of protecting and maintaining infrastructure and applications for your company, penetration testing may provide the evidence to support increased investments in security personnel and technology.

Upon completion of the penetration testing and receipt of a formal report, you may need some help determining next steps. Now armed with accurate vulnerability information, the logical next step is to fix the issues. You should request a full debrief from the penetration testing provider. During this process you can get clarification about critical- and high-severity vulnerabilities along with guidance on remediation. It is also advisable to schedule a follow-up re-test at a later date to confirm that your remediation efforts have been successful.

Vulnerability Management and Remediation

Context-Aware Analysis

The organization should analyze the penetration test results to prioritize and focus on critical risks without wasting time on low-risk exposures. Creating a short-list of action items that can be executed quickly and broadly organization-wide eliminates or lowers the risk of exploitation by attackers. Organizations might choose to remediate based on:

  • Attack Surface Analysis – Groups of hosts with a high density of critical and high-risk vulnerabilities, which can be fixed together within scheduled patch windows
  • Attack Vector Analysis – Exposures on business-critical assets, which are given top priority to reduce the window of exposure

Prioritization

The most common complaint from security teams is that available IT resources are severely limited. This adds to the need to prioritize remediation in a way that is aligned with business objectives. Context means weighing several factors: the business criticality of an asset or asset group in terms of Confidentiality, Integrity and Availability; the security controls already in place; the ease of exploitation, including whether malware can exploit the flaw automatically; and the technical and business impact of a successful attack.
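As an added illustration of the two analyses above (attack surface density per patch window, and attack vector priority for business-critical assets) together with the context factors just listed, the following Python is example code, not part of the original article; the weights, host groups and findings are constructed assumptions chosen to show the process.

```python
# Added example: context-aware remediation prioritisation over pen-test findings.
# Weights, host groups and findings are constructed assumptions for illustration.
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}

@dataclass(frozen=True)
class Asset:
    host: str
    group: str       # patch-window group: hosts that are patched together
    cia: int         # business criticality (C/I/A), 1 = low .. 5 = crown jewel
    controls: float  # strength of existing compensating controls, 0.0 .. 0.9

@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    exploit_automated: bool  # public exploit kit or malware weaponisation exists

def contextual_score(f: Finding, a: Asset) -> float:
    """Severity scaled by asset criticality, doubled when exploitation is
    automated, then discounted by the controls already in place."""
    base = SEVERITY_WEIGHT[f.severity] * a.cia
    if f.exploit_automated:
        base *= 2
    return round(base * (1.0 - a.controls), 2)

def attack_surface_density(findings, assets):
    """Attack-surface view: critical+high findings per patch-window group, so a
    window that closes many exposures at once can be scheduled first."""
    density = defaultdict(int)
    for f in findings:
        if f.severity in ("critical", "high"):
            density[assets[f.host].group] += 1
    return dict(density)

def prioritised_findings(findings, assets):
    """Attack-vector view: findings ordered by contextual score, highest first."""
    return sorted(findings, key=lambda f: contextual_score(f, assets[f.host]), reverse=True)

# Constructed sample inventory and findings (not real hosts).
ASSETS = {a.host: a for a in [Asset("web01", "dmz-web", 3, 0.3), Asset("web02", "dmz-web", 3, 0.3),
                              Asset("db01", "core-db", 5, 0.0), Asset("kiosk7", "branch", 1, 0.0)]}
FINDINGS = [Finding("web01", "high", True), Finding("web02", "high", True),
            Finding("web01", "critical", False), Finding("db01", "high", True),
            Finding("kiosk7", "critical", True), Finding("db01", "low", False)]
if __name__ == "__main__":
    print("patch-window density:", attack_surface_density(FINDINGS, ASSETS))
    for f in prioritised_findings(FINDINGS, ASSETS):
        print(f"{contextual_score(f, ASSETS[f.host]):6.1f}  {f.host:7} {f.severity}")
```

Note how the automated-exploit high on the crown-jewel database outranks the critical on the low-value kiosk, while the DMZ group still shows the highest patch-window density.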

Remediation

Remediation should consider security in different layers that include:

  1. Patching and hardening according to industry-recognized best practices
  2. Secure architecture and design
  3. Implementation of defense mechanisms such as firewalls and IDSs
  4. Monitoring and alerting

Security in an organization is the responsibility of all members of the IT team. Effective communication and collaboration with an integrated workflow will enable swifter action and improved security across the enterprise.