Episode 553: Organizational Response to Vulnerability Alerts

Monday, September 18, 2017

Operation: Vulnerability Response Process

They say, "There is no software without a weak point."

In other words, computers and communication devices, with countless pieces of software built in, are "full of dangerous weak points". The same goes for business systems that manage sales and payroll...

"Vulnerability Response" by the IT department is, in simple words, "repair work on software".

Specifically, the IT department collects vulnerability information from "IT information sites" or "Google Alert emails" on a daily basis. If the information relates to software used on the company's computers, they carry out "patch application", "version upgrade", etc. Although much software now performs "automatic patching" and "automatic updates" by itself, there are still quite a few "cases that must be handled manually".

Incidentally, once or twice a year, a security test ("vulnerability assessment") by a specialized contractor should be carried out to check whether the repair work has been done properly.

Challenge: Response depends on individuals

However, a tremendous number of "attack methods" are found every day.

"Methods of attack" on old software are also reported almost every day. Even though "weak points" should have been overcome by daily repair, attackers are also improving their ideas and capabilities day by day. It seems to go on forever. "Vulnerabilities" announced as CVEs, for example, number more than 10,000 annually.
(CVE:Common Vulnerabilities and Exposures)

It is no longer an amount that the IT department can check through. The reality is that experienced employees respond using their "individual information network" and their "sense of smell" (intuition).

Hmm, isn't there any way to deal with it more systematically?

To go further, I would like to record and share precisely who made what judgment on an urgent vulnerability. For example, I would like to be able to look back on when and how the response was made to sensational vulnerabilities such as "ShellShock" (GNU bash) or "Heartbleed" (OpenSSL).

[Vulnerability Response Process]

Solution: Organizational response to emergency alert email

The Business Process Definition (Workflow App) introduced here is triggered by "alert e-mails" from public organizations (jpcert.or.jp, etc.).

That is, when "information on a serious and broadly affecting vulnerability" is delivered by email, the Workflow is launched automatically by a Message Start Event. (On average, about 1 or 2 cases per week.)

Once the Workflow is started, the person in charge in the IT department performs "1. Determine the degree of influence to organization" (human Step). If "No affect" is selected there, the Workflow ends. If "Affectable" is selected, it proceeds to "2. Preparation of countermeasure work plan" via "Department notification" (Email transmission Event).

By handling "vulnerability response tasks" as an organization in such a Workflow, it becomes possible to share in-house, in real time, "who made the judgment" and "who is handling it". You will also be able to look back on "past vulnerability responses" in various ways. (Better still if it is linked with the discussion in chat on the enterprise social network.)
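As an added illustration (not code from the original post or from the Workflow App it describes), here is a minimal Python model of that flow: an alert e-mail starts a case, a named reviewer's step-1 judgment is written to an audit log, and an affected case is routed through department notification to step 2. The alert header format, the software inventory and the reviewer names are constructed assumptions.

```python
import email
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample alert e-mail, standing in for an advisory from a public body.
SAMPLE_ALERT = """\
From: alert@example-cert.test
Subject: [ALERT] Critical vulnerability in ExampleWeb Server 2.x
X-Affected-Products: exampleweb-server, examplelib

(constructed advisory body)
"""
# Constructed software inventory: product name -> owning department.
INVENTORY = {"exampleweb-server": "Infrastructure", "payroll-app": "HR"}

@dataclass
class Case:
    subject: str
    affected_products: list
    status: str = "open"
    log: list = field(default_factory=list)  # audit trail: (time, who, step, decision)

    def record(self, who, step, decision):
        self.log.append((datetime.now(timezone.utc).isoformat(), who, step, decision))

def message_start_event(raw: str) -> Case:
    """Launch a case from the alert e-mail (the Message Start Event)."""
    msg = email.message_from_string(raw)
    products = [p.strip() for p in msg.get("X-Affected-Products", "").split(",") if p.strip()]
    return Case(subject=msg["Subject"], affected_products=products)

def determine_influence(case: Case, reviewer: str, decision: str = None) -> list:
    """Step 1 (human step): the inventory match supports the reviewer, whose
    decision (or the inventory-derived default) is logged under their name."""
    hits = sorted(set(case.affected_products) & set(INVENTORY))
    decision = decision or ("Affectable" if hits else "No affect")
    case.record(reviewer, "1. Determine the degree of influence", decision)
    if decision == "No affect":
        case.status = "closed"   # the workflow ends here
        return []
    return hits

def department_notification(case: Case, hits: list) -> list:
    """E-mail transmission event: notify owning departments, then move to step 2."""
    departments = sorted({INVENTORY[p] for p in hits})
    case.record("workflow", "Department notification", ", ".join(departments))
    case.status = "2. Preparation of countermeasure work plan"
    return departments
```

Because every step writes the reviewer's name and decision to `case.log`, the "who judged what, and when" record the post asks for is available afterwards for every alert, including the ones closed as "No affect".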

Discussion: Advance measures other than strengthening the organization

It is very important to prepare a "system" in which patches are applied quickly and reliably. In addition to that, however, various advance measures should also be taken. For instance, if you review the "ownership of software" itself, considering 1) reducing the number of software products and 2) migrating to SaaS, you will be able to reduce the points at which "attacks" can be received.

Moreover, as a means of reducing damage if you should be "attacked", it is also important to review the "possession of data" itself. There are many cases where "non-retention" is desired as a social demand, credit card information for example. (Prevention of retailers from storing card information: Compilation of an Action Plan for the Strengthening of Measures for Security in Credit Card Transactions, Ministry of Economy, Trade and Industry, Feb. 2016.)

In addition, for software that must inevitably be operated in-house, it is important to "make it difficult to access". For example, if a web application is used only by employees of your company and your business partners, you can greatly reduce the risk of attacks from third parties by applying "source IP filtering". In other words, it becomes possible to lower the "urgency level in the countermeasure work plan".

[Vulnerability Response Process:"1. Determine the degree of influence to organization" screen]


[Japanese Entry (和文記事)]