The Truth About Patch Validation – Charles Leaver

Written By Logan Gilbert And Presented By Charles Leaver


Intro

A recent report shows almost twenty thousand brand-new software vulnerabilities were discovered in 2017 – an all-time record. Consider that for a second. That’s approximately fifty-five new vulnerabilities per day. That’s a lot for any IT shop to manage.

Now there’s good news and bad news. The good news is that patches were available for 86% of those vulnerabilities on the day they were disclosed. The bad news is that many companies still struggle with patch prioritization, application, and validation. And as IT workloads progressively migrate to the cloud, vulnerability visibility tends to decrease, exacerbating an already difficult problem.

Let’s take a more detailed look at ways to manage cloud patch validation effectively.

First, a Patch Management Primer

Patch management is the practice of updating software applications with code changes that address vulnerabilities exploitable by cyber attackers. Although it has been around for decades, patch management remains a difficult process for many IT organizations.

Modern businesses have complex IT environments with many integration points between business systems. That makes it hard for software developers to account for every unexpected consequence of a patch, e.g., code that might close a port, disable critical infrastructure communication, or even crash its host server.

And focusing on the reliable patching of known vulnerabilities is undeniably the ‘biggest bang for the buck’ play. In 2017, Gartner stated that 99% of exploits are based on vulnerabilities that have been known to security and IT professionals for at least one year.

Cloud Patching Principles

The first key to shutting down the right vulnerabilities in your cloud IT infrastructure is being able to see everything. Without visibility into your cloud systems and applications, you cannot really know whether those systems and applications are patched where it matters most. The second key is patch validation. Just firing off a patch is no assurance that it took effect. It may, or may not, have actually deployed successfully.

How can you be sure?

The Ziften Approach

Ziften provides the visibility and validation you need to ensure your cloud IT environment is secure against the vulnerabilities that matter most:

– Comprehensive capture of discovered OS and application vulnerabilities

– Findings mapped to vulnerability intelligence sources, e.g., OWASP, CIS, CVE, CWE, and OSVDB

– Detailed explanations of the implications, business impact, and risk of each identified exposure

– Vulnerability prioritization based on asset criticality and likelihood of attack

– Remediation recommendations to close identified deficiencies

– Detailed steps to follow while mitigating reported deficiencies

– Detection and mitigation of attacks that exploit unpatched systems, with quarantine procedures

Far too often we find that data from customers’ patching systems incorrectly reports that vulnerabilities are patched. This creates a false sense of security that is unacceptable for IT operations and security operations teams.
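The validation gap described above, as an added illustration that is not Ziften’s code: a patch system’s own “patched” claims are cross-checked against an independent observation of each host (installed version and pending-reboot state), so a claim is only trusted when the host agrees. The report, inventory and package versions are all constructed sample data.

```python
"""Cross-check a patch system's "patched" claims against what an independent
agent actually observed on each host. Added example, not Ziften's code; all
hosts, packages and versions below are constructed for illustration."""
import re

def parse_version(v: str) -> tuple:
    """Split a dotted/dashed version into comparable parts: numeric tokens
    compare numerically, others lexically. Assumes simple dotted versions."""
    return tuple((0, int(t)) if t.isdigit() else (1, t)
                 for t in re.split(r"[.\-+~]", v))

# Constructed patch-system report: what the tool *claims* happened.
PATCH_REPORT = [
    {"host": "web-01", "package": "openssl", "fixed_version": "1.1.1k", "status": "patched"},
    {"host": "web-02", "package": "openssl", "fixed_version": "1.1.1k", "status": "patched"},
    {"host": "db-01", "package": "postgresql", "fixed_version": "12.7", "status": "patched"},
    {"host": "app-01", "package": "log4j-core", "fixed_version": "2.17.1", "status": "pending"},
]

# Constructed host inventory: what an independent endpoint agent observed.
HOST_INVENTORY = {
    "web-01": {"packages": {"openssl": "1.1.1k"}, "reboot_pending": False},
    "web-02": {"packages": {"openssl": "1.1.1g"}, "reboot_pending": False},  # job "succeeded", nothing changed
    "db-01": {"packages": {"postgresql": "12.7"}, "reboot_pending": True},    # new files on disk, old code running
    "app-01": {"packages": {"log4j-core": "2.14.1"}, "reboot_pending": False},
}

def validate(report, inventory):
    """Return {host: {package: verdict}}; a 'patched' claim is only marked
    'verified' when the host's own observation supports it."""
    verdicts = {}
    for item in report:
        host, pkg = item["host"], item["package"]
        observed = inventory.get(host)
        installed = observed["packages"].get(pkg) if observed else None
        if installed is None:
            verdict = "unknown"  # no independent evidence: cannot validate the claim
        elif parse_version(installed) < parse_version(item["fixed_version"]):
            verdict = "false_positive" if item["status"] == "patched" else "unpatched"
        elif observed["reboot_pending"]:
            verdict = "installed_not_active"  # patched on disk, vulnerable code still loaded
        else:
            verdict = "verified"
        verdicts.setdefault(host, {})[pkg] = verdict
    return verdicts

if __name__ == "__main__":
    for host, pkgs in validate(PATCH_REPORT, HOST_INVENTORY).items():
        print(host, pkgs)
```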

GDPR And Cybersecurity Monitoring – Charles Leaver

Written By Dr Al Hartmann And Presented By Charles Leaver


Robust enterprise cybersecurity naturally includes monitoring of network, endpoint, application, database, and user activity to prevent, detect, and respond to cyber threats that could breach the privacy of enterprise staff, partners, suppliers, or customers. In cyberspace, any blind spots become free-fire zones for the legions of attackers looking to do damage. But monitoring also captures event records that may contain user “personal data” under the broad European Union GDPR interpretation of that term. Enterprise personnel are “natural persons” and hence “data subjects” under the regulation. Prudently balancing security and privacy concerns across the enterprise can be difficult – let’s discuss this.

The Mandate for Cyber Security Monitoring

GDPR Chapter 4 governs controller and processor roles under the regulation. While it does not explicitly mandate cybersecurity monitoring, that mandate can be inferred from its text:

– “… In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority …” [Art. 33(1)]

– “… the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk …” [Art. 32(1)]

– “Each supervisory authority shall have [the power] to carry out investigations in the form of data protection audits.” [Art. 58(1)]

One can readily reason that to detect a breach one must monitor; that to verify and scope a breach and give timely breach notice to the supervisory authority one must monitor; that to implement appropriate technical measures one must monitor; and that to respond to a data protection audit one must have an audit trail, and audit trails are produced by monitoring. In short, for an enterprise to protect its cyberspace and the personal data within it, and to demonstrate its compliance, it reasonably must monitor that space.

The Enterprise as Controller of Data

Under the GDPR it is the controller that “determines the purposes and means of the processing of personal data.” The enterprise decides the purposes and scope of monitoring, selects the monitoring tools, determines the probe, sensor, and agent deployments, chooses the services or personnel that will access and analyze the monitored data, and decides what actions to take as a result. In other words, the enterprise serves in the controller role. The processor supports the controller by providing processing services on its behalf.

The enterprise also employs the staff whose personal data may appear in any event records captured by monitoring. Personal data is defined rather broadly under GDPR and may include login names, system names, network addresses, file paths that include the user profile directory, or any other incidental information that could reasonably be linked to “a natural person”. Event data will frequently contain these elements. An event data stream from a particular probe, sensor, or agent might then be linked to an individual, and expose aspects of that person’s work performance, policy compliance, or even elements of their private life (if enterprise devices or networks are improperly used for personal business). Although not the object of cybersecurity monitoring, potential privacy or profiling concerns may be raised.

Achieving Clarity through Fair Processing Notices

Because the enterprise employs the staff whose personal data might be captured in the cybersecurity monitoring dragnet, it has the opportunity, in employment agreements or in separate disclosures, to inform staff of the need for and purpose of cybersecurity monitoring and to obtain informed consent directly from the data subjects. While it might be argued that the legal basis for cybersecurity monitoring does not necessarily require informed consent (per GDPR Art. 6(1)), but is a consequence of the level of data security the enterprise must maintain to otherwise comply with the law, it is far preferable to be transparent and open with staff. Employment agreements have long included provisions stating that employees consent to having their workplace communications and devices monitored as a condition of employment. However, the GDPR raises the bar substantially for the specificity and clarity of such consents, termed Fair Processing Notices, which must be “freely given, specific, informed and unambiguous”.

Fair Processing Notices must clearly set out the identity of the data controller, the types of data collected, the purpose and lawful basis for the collection, the data subject rights, and contact information for the data controller and for the supervisory authority having jurisdiction. The notice must be clear and easily understood, not buried in some lengthy legalistic employment contract. While many sample notices can be found with a simple web search, they will need adaptation to fit a cybersecurity monitoring context, where data subject rights may conflict with forensic data retention requirements. For example, an insider attacker might demand the deletion of all their activity data (to destroy evidence), which would turn privacy regulation into a tool for the obstruction of justice. For further guidance, the widely used NIST Cyber Security Framework addresses this balance in Sec. 3.6 (“Methodology to Protect Privacy and Civil Liberties”).

Think Globally, Act Locally

Given the far-reaching jurisdictional scope of the GDPR, the severe penalties imposed on violators, the difficult dynamics of separating EEA from non-EEA data subjects, and the likely spread of comparable regulations worldwide, the safe course is to apply strict privacy protections across the board, as Microsoft has done.

In contrast to global application stands local application, where the safe course is to place cybersecurity monitoring infrastructure within each geographic region rather than contend with cross-border data transfers. Even remotely querying and viewing personal data may count as such a transfer, which argues for pseudonymization (tokenizing personal data fields) or anonymization (redacting personal data fields) across non-cooperating jurisdictional borders. Only in the final stages of cybersecurity analytics would identifying data subjects as natural persons become relevant, and then it would most likely be of actionable value only locally.
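The two transformations named above, applied to an endpoint event record, as an added example that is not part of the original post or Ziften’s product: pseudonymization replaces each personal-data field (login name, system name, network address, and the profile directory inside a file path) with a keyed HMAC token, so events can still be correlated across the border while re-identification requires the key kept in the originating region; anonymization redacts the same fields irreversibly. The event, field names and key are constructed for illustration.

```python
"""Pseudonymize or anonymize the personal-data fields of an endpoint event
before it crosses a jurisdictional border. Added example, not Ziften's code;
the event record, field names and key are constructed for illustration."""
import copy
import hashlib
import hmac
import re

# Event fields that may identify a natural person (constructed schema).
PERSONAL_FIELDS = ("user", "host", "src_ip")
# Windows and POSIX profile directories embed the login name in file paths.
PROFILE_DIR = re.compile(r"(?i)^([a-z]:\\users\\|/home/)([^\\/]+)")

def tokenize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: equal inputs give equal tokens, so analytics
    can still join events; reversing a token needs the key, which stays local."""
    return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(event: dict, key: bytes) -> dict:
    """Return a copy with personal fields tokenized; the original is untouched."""
    out = copy.deepcopy(event)
    for field in PERSONAL_FIELDS:
        if field in out:
            out[field] = tokenize(out[field], key)
    if "path" in out:  # only the profile-directory component identifies the user
        out["path"] = PROFILE_DIR.sub(
            lambda m: m.group(1) + tokenize(m.group(2), key), out["path"])
    return out

def anonymize(event: dict) -> dict:
    """Irreversible redaction: no key, no cross-event correlation, no re-identification."""
    out = copy.deepcopy(event)
    for field in PERSONAL_FIELDS:
        if field in out:
            out[field] = "[redacted]"
    if "path" in out:
        out["path"] = PROFILE_DIR.sub(r"\1[redacted]", out["path"])
    return out

# Constructed event containing each personal-data element the post lists.
EVENT = {"ts": "2018-05-25T09:14:03Z", "user": "jdoe", "host": "LT-JDOE-01",
         "src_ip": "10.20.30.40", "process": "powershell.exe",
         "path": r"C:\Users\jdoe\AppData\Local\Temp\update.ps1"}
KEY = b"constructed-demo-key-keep-in-region"  # in practice: from a regional secrets store

if __name__ == "__main__":
    print(pseudonymize(EVENT, KEY))
    print(anonymize(EVENT))
```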