If your organization needs a compelling reason for establishing or enhancing its vulnerability management program, circle this date in bold, red ink on your corporate calendar: May 25, 2018.
On that day, the EU’s General Data Protection Regulation (GDPR) goes into effect, intensifying the need for organizations to painstakingly protect EU residents’ data from accidental mishandling and foul play.
While complying with GDPR involves adopting and modifying a variety of IT systems and business processes, having comprehensive and effective vulnerability management should be key in your efforts.
Why? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven’t been installed.
This happens because many organizations, including large ones with sophisticated IT infrastructures and resources, lack visibility into their IT assets and their vulnerabilities. Flying blind, they fail to detect and remediate on a timely basis critical bugs, leaving them like low-hanging fruit for cyber data thieves to feast on.
In this installment of our GDPR preparedness series, we’ll dive into the topic of vulnerability management and its importance for staying compliant with this regulation. GDPR carries hefty penalties and fines, including one of €20 million or 4% of annual revenue, whichever is higher, and applies to companies worldwide that handle EU residents’ personal data.
GDPR: A Fierce Regulation for EU Customer Data Protection
You won’t find detailed prescriptions for specific processes and technologies required for compliance in the text of GDPR. What the 88-page document makes abundantly clear is that both data “controllers” and data “processors” must protect EU customer information through “appropriate technical and organisational measures.”
The regulation also stresses the need for organizations to have in place secure IT networks and systems that can “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”
“This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems,” reads the document.
In the context of GDPR, this means you must do whatever is in your power to prevent accidental or malicious incidents that compromise the “availability, authenticity, integrity and confidentiality of stored or transmitted personal data.”
As a basic, foundational InfoSec practice, effective vulnerability management should be a core component of complying with GDPR and its requirements for the protection of EU residents’ personal data.
Immunize Your IT Environment Against Vulnerability Exploits
Every vulnerability that has been publicly disclosed represents a potential opportunity for hackers looking to break into your network.
When you methodically, strategically and continuously detect, assess and remediate these bugs, whether through patching or mitigation, you eliminate entry points for cyber criminals, systematically and consistently lowering your risk.
With proper vulnerability management, you “immunize” your IT assets against opportunistic attacks which are designed to exploit common, well-known bugs and which are the most likely to hit your network.
In its 2016 Data Breach Investigations Report (DBIR), Verizon said hackers view as “oldies that are still goodies” these long-disclosed CVEs (Common Vulnerabilities and Exposures) which remain unpatched in many organizations. “Hackers use what works, and what works doesn’t seem to change all that often,” reads that study.
To exploit these well-known vulnerabilities, hackers don’t use sophisticated, carefully crafted attacks, but rather aim for volume. “They automate certain weaponized vulnerabilities and spray and pray them across the Internet, sometimes yielding incredible success,” states the Verizon study.
For example, Kaspersky Lab recently reported that exploits to CVE-2010-2568 — the one used in the Stuxnet campaign years ago — ranked first in 2016 in terms of the number of users attacked, even though a patch for it has been available since 2010.
“The conclusion is a simple one: even if a malicious user doesn’t have access to expensive zero-days, the chances are high that they’d succeed with exploits to old vulnerabilities because there are many systems and devices out there that have not yet been updated,” Kaspersky stated.
Even if you’re not leaving critical vulnerabilities unpatched for years, you must make sure you’re as quick as possible in your remediation work.
SANS Institute’s second annual survey on continuous monitoring (CM) programs — titled “Reducing Attack Surface” and published Nov. 2016 — found that only 10% of respondents were able to remediate critical vulnerabilities in 24 hours or less, which is the ideal scenario. According to SANS, breach risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer.
A good example of why time is of the essence when dealing with critical vulnerabilities was the WannaCry ransomware rampage that created chaos worldwide in May. WannaCry spread using EternalBlue, an exploit for a Windows OS vulnerability (MS17-010) that Microsoft had patched in March and had rated as “Critical” due to the potential for attackers to execute remote code in affected systems.
Simply put, if most organizations had patched that vulnerability promptly, or at least within a month after its disclosure, WannaCry would have been a non-event. Instead, it infected hundreds of thousands of computers in about 150 countries, severely disrupted the operation of hospitals, utilities, manufacturing plants, telecommunications companies, transportation providers, government agencies and financial institutions, and caused an estimated $4 billion in losses.
Despite the global mayhem caused by WannaCry, which major media outlets covered exhaustively, a researcher found more than 50,000 machines still vulnerable to EternalBlue as recently as mid-July.
That’s just one example that illustrates why effective vulnerability management is such an important InfoSec practice.
Vulnerability Management: Cornerstone of InfoSec
“Continuous Vulnerability Assessment and Remediation” stands as the fourth most important practice in the Center for Internet Security’s (CIS) 20 Critical Security Controls.
CIS estimates that an organization that implements its first five controls — which collectively are considered foundational for cyber security “hygiene” — is able to protect itself against 85 percent of attacks.
“Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised,” CIS states.
Thus, an InfoSec team with flawed or non-existent vulnerability management is at a high risk for data breaches, and, consequently, for GDPR non-compliance.
Effective vulnerability management requires continuously identifying threats, monitoring changes in your network, discovering and mapping all your devices and software — including new, unauthorized and forgotten ones —, and reviewing configuration details for each asset.
You need global visibility into your systems’ vulnerabilities to stay ahead of attackers, especially today, as digitalization blurs the traditional boundaries of IT perimeters and exposes more and more IT assets on the Internet.
Qualys Vulnerability Management
Qualys’ cloud-based Vulnerability Management (VM) continuously identifies exposures so you can defend your organization against attacks anytime, anywhere.
VM maps all assets on the network, detailing their OS, ports, services and certificates, and scans them for vulnerabilities with Six Sigma 99.99966 percent accuracy. It assigns remediation tickets, manages exceptions, lists patches for each host and integrates with existing IT ticketing systems.
In addition, VM generates comprehensive reports customized for different recipients — like IT pros, business executives or auditors — and incorporates context and insight, including progress against goals. Via VM’s APIs, the reporting data can be integrated with other security and compliance systems.
When VM is paired with the Qualys Continuous Monitoring (CM) app, you’ll be alerted about potential threats — such as new hosts/OSes, expiring certificates, unexpected open ports and unauthorized software — so problems can be tackled before turning into breaches.
“Continuous monitoring is quickly coming to the forefront as a key activity for the ongoing security of networks, systems and, by extension, enterprises,” reads the 2015 SANS Institute continuous monitoring report “What Are Their Vulnerabilities?”
With Qualys CM, you can keep an eye on your global network from the cloud, like hackers are doing right now, and alert the appropriate people to critical security issues, like unexpected network changes.
In addition to Qualys scanners, VM also works with the groundbreaking Qualys Cloud Agents, extending its network coverage to assets that can’t be scanned. These lightweight, all-purpose, self-updating agents reside on the assets they monitor — no scan windows, credentials or firewall changes needed — so vulnerabilities are found faster with minimal network impact.
VM also supports your organization’s digital transformation efforts through its capacity to monitor hybrid IT environments that include not only on-premises hardware and software but also cloud workloads, mobile devices, IoT systems, DevOps continuous app development and deployment pipelines and other disruptive technologies.
Stay on the Right Side of GDPR with Qualys
New software vulnerabilities are disclosed daily — to the tune of thousands per year — so organizations must know at all times which vulnerabilities are present in their IT assets — on-premises, in clouds, and on endpoints —; understand the level of risk each one carries; and plan remediation of affected IT assets accordingly.
“Vulnerability management has been a Sisyphean endeavor for decades. Attacks come in millions, exploits are automated and every enterprise is subject to the wrath of the quick-to-catch-on hacker. What’s worse, new vulnerabilities come out every day,” reads Verizon’s 2016 DBIR.
If an InfoSec team patches, remediates, and mitigates the right vulnerabilities at the right time, its organization will avoid falling prey to most cyber attacks, and slash its risk of suffering a data breach, whose consequences could include GDPR penalties.
With Qualys VM, you’ll be able to consistently address critical vulnerabilities in your most important IT assets on a timely basis, putting your organization in a solid position to withstand the daily attacks from hackers seeking to exploit unpatched gaps and compromise your customer data.
With an effective vulnerability management program in place, you’ll be a lot more confident about complying with GDPR when dawn breaks on the morning of May 25, 2018.
To learn more about how Qualys solutions can help you become GDPR compliant, visit qualys.com/gdpr where you can download our free guide and watch our webcast.
(Jimmy Graham is a Director of Product Management at Qualys.)