A Maturity Primer for Vulnerability Coordination

By Ubong Kingsley-Udoh

At the FDA Cyber Summit in Washington, DC in January 2016, issues concerning the security of medical devices & patient records were discussed and a couple of resolutions were passed by the key policy wonks/attendees/manufacturers during the summit. Make no mistake, I’m still of the opinion that the healthcare industry is the most technology-retarded. There are too many well-purposed and fragmented efforts in healthcare cybersecurity and it’s about time we bound them together.

In May 2017, the prestigious UK National Health Service patient records, systems, etc were compromised. It affected about seventy-five thousand victims and has spread to ninety-nine countries. This is fast becoming a popular trend and I believe CISOs, C-Level Executives, and even last-mile employees/end-users should upturn the overarching narrative by employing the right strategies. Most organizations should be focused on looking for solutions for vulnerabilities and quit living in denial of asking the IF probabilistic question.

The way and manner we approach vulnerability concerns could determine the posturing of our organizations, and our customers, and how we effectively defend against threats. It’s about time we employ new strategies because the threats of today cannot be remediated by yesterday’s strategies. The standards for vulnerability disclosure (ISO 29147) and vulnerability handling processes (ISO 30111) are still quite valuable in the grand scheme of things but seeking out ingenious methods is a way to go. The Vulnerability Coordination Maturity Model stirred up by other known maturity models will assist organizations:

  • Appraise their level of preparedness in the advent of a breach and act on the vulnerability reports submitted by the Information Systems/Information Security Auditor.
  • Gird-up a list of activities to heighten their effectiveness to respond to security bug reports in their own software or services.
  • Establish a guideline towards bettering their vulnerability coordination and security with time.

The Vulnerability Coordination Maturity Model inspired by HackerOne focuses on five capability areas namely:

  • Organizational: This focuses on the people, processes, and resources that would handle potential vulnerabilities. With the maturity model, you have got three different levels of capabilities namely Basic, Advanced and Expert. With the Basic, it means you have the executive support to respond to vulnerability reports and a commitment to security and quality as core organizational values. Advanced focuses on policy and process for addressing vulnerabilities according to the ISO 29147 and ISO 30111 or any other comparative framework. Expert level buttresses on the fact that you have got executive support, processes, budget and dedicated personnel to handle vulnerability reports.
  • Engineering: Evidently, to address concerns, you will need an Engineering team that can do the analysis. The team must be able to evaluate and remediate security holes and improve the software development lifecycle. At the Basic level, you should have a clear mechanism to receive vulnerability reports and an internal bug database to track them to resolution. ISO 29147 would be a good reference point in this instance. At the Advanced level, you must have had a dedicated security bug tracking and documentation of security decisions, deferrals, and tradeoffs. At the Expert level, the team should have been able to use vulnerability trends and root cause analysis to eliminate entire classes of vulnerabilities. Refer to ISOs 29147, 30111 and 27034 as a guide.
  • Communications: At this stage, the focus is on the ability to communicate to audiences internally and externally about vulnerabilities. At the Basic level, you will have the ability to receive vulnerability reports and a verifiable channel to distribute advisories to the affected party. At the advanced level, you will have tailored, repeatable communications for each audience, including security researchers, partners, customers, and media. At the Expert level, you will be providing structured information-sharing programs with a coordinated distribution of remediation.
  • Analytics: This is where you take every information you have learned about vulnerabilities, do data analysis of it to identify trends and improve processes. At the Basic level, you track the number and severity of vulnerabilities over time to measure improvement in code quality. At the Advanced level, you use root cause analysis to feedback into your software development lifecycle. At the Expert level, this is where you use telemetry and real-time threat detection to drive dynamic pivots of the remediation strategy.
  • Incentives: This is an area where you are trying to hit the goal of getting vulnerability researchers to report issues directly. At the Basic level, you give thanks or little gifts like T-Shirts and most importantly state in your vulnerability disclosure policy that there wouldn’t be any legal action taken against anyone who reports bugs. At the Advanced Level, you give financial rewards or bug bounties to encourage reporting the most serious vulnerabilities. At the Expert level, you should have a detailed understanding of adversary behaviour and vulnerability markets, and structure advanced incentives to disrupt them.

The recent cyber-attack being spread is a Ransomware. It’s a type of malware that once executed, encrypts all your files and demands the payment of a ransom before they can be decrypted. The Ransomware is nomenclature in various ways as WannaCry, WanaCryp0r, WCry and the malware is believed to be among a tranche of brawny hacking tools stolen from the NSA in August of 2016. The attack vectors and its reach is quite broad in scale as the spread has gotten to Europe, Asia, North and South America and Africa (North & South).

This malware exploits a known Windows vulnerability, bypassing traditional antiviruses and firewall protection and granting full administrative privileges over the victim’s computer. The common mode of delivery is via eMail and if mistakenly opened, starts to encrypt user’s files. As soon as that’s done, it locks the victim’s out of their computers and demands a ransom to be paid in BitCoins. As a fundamental rule of thumb, do not open emails from people you don’t know or eMails that have an acute sense of urgency. E.g. “Click on this link to avoid losing access to your account” etc.

If you aren’t infected, please run your Windows update as soon as possible and if you are yet to download the Microsoft Fix, kindly do so below:

MSU Files X64 

MSU Files X86 

You might also like

More Similar Posts