Compliance & Vulnerability Scans are NOT Enough

Author: Chris Huey
Date: June 26, 2022

I’m always stumped to learn that some security programs rely almost exclusively on automated compliance and vulnerability scanning to assess the technical security of an integrated system. Compliance and vulnerability scans are an extremely important foundation for a security program, but the scan results should not be the only measurement of risk posture. Scanning tools can examine common operating systems and popular applications, but they can’t scan every security-enabled component, because vendors have not yet defined security criteria for every product on the market, including many popular ones. And scanners definitely don’t perform functional testing to verify the behavior of the fully integrated infrastructure.

How secure are the multitude of components within the infrastructure that can’t be scanned? Do you know the prevalence of the log4j vulnerability and how simply it can be exploited? Do all interconnected system components operate as expected? You might be surprised to learn that security features do not operate as expected during testing. Here are some examples of what an in-depth security assessment might discover:

  • Does your popular Security Information and Event Management (SIEM) server meet least privilege criteria? Is there a default role allowing privilege escalation to perform unfettered actions (e.g., delete collected security-critical audit data, use the command line interface to make configuration changes)? This is a true example of a default role existing within a popular SIEM.
  • Did you change the commonly known default password for iDRAC SSH, or all the other default passwords for network-accessible applications?
  • Do the perimeter and boundary firewalls correctly enforce the established ports, protocols, and services standards?
  • Can you justify least functionality principles for all listening ports on each system within the infrastructure? Are the interfaces secure?
  • Is the backup server application configured correctly to perform regular backups, encrypt highly sensitive backup data, verify backup integrity, and protect backup data from unauthorized access? Does the restoration process actually work as expected?
  • Do the Intrusion Prevention System (IPS) and Web Application Firewall (WAF) block and alert when critical attacks are active?
  • Are the Data Loss Prevention (DLP) features configured correctly, and did you prove the solution enforces the organization’s data exfiltration policies?
  • Is the performance monitoring platform recognizing and alerting on critical security service failures, storage threshold issues, and network availability problems as expected?
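As an added example of the kind of functional check the listening-ports and service-failure items above call for (this is illustrative code written for this page, not a tool from the author), the script below compares a host's listeners against a written least-functionality baseline. The baseline, the port justifications, and the `ss -lntuH`-style output are all constructed sample data.

```python
# Least-functionality check: compare listening sockets against an approved
# ports/protocols/services baseline. Every approved listener carries the
# written justification the checklist asks for. Sample data is constructed.

# Constructed baseline: (protocol, port) -> justification for exposing it.
BASELINE = {
    ("tcp", 22): "OpenSSH, admin access restricted to the jump host",
    ("tcp", 443): "HTTPS front end for the application",
    ("tcp", 514): "rsyslog receiver for forwarded audit logs",
    ("udp", 123): "NTP client sync (chrony)",
}

# Constructed sample of `ss -lntuH` output: Netid State Recv-Q Send-Q Local Peer.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp   LISTEN 0 511 *:443 *:*
tcp   LISTEN 0 50 0.0.0.0:8080 0.0.0.0:*
udp   UNCONN 0 0 0.0.0.0:123 0.0.0.0:*
udp   UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
tcp   LISTEN 0 128 [::]:22 [::]:*
"""


def parse_listeners(ss_output):
    """Parse ss-style lines into (proto, local_addr, port) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        addr, _, port = fields[4].rpartition(":")  # handles [::]:22 and *:443
        if port.isdigit():
            listeners.append((fields[0], addr, int(port)))
    return listeners


def is_loopback(addr):
    """Loopback-only listeners are not network-reachable, so they are reported separately."""
    return addr.startswith("127.") or addr in ("[::1]", "::1")


def check_least_functionality(listeners, baseline):
    """Report exposed listeners with no justification and approved services that are not running."""
    exposed = {(proto, port) for proto, addr, port in listeners if not is_loopback(addr)}
    local = {(proto, port) for proto, addr, port in listeners if is_loopback(addr)}
    return {
        "unapproved": sorted(exposed - set(baseline)),  # needs justification or removal
        "missing": sorted(set(baseline) - exposed),     # expected service is down: a functional failure
        "loopback_only": sorted(local),
    }
```

A missing baseline entry is as important a finding as an unapproved port: an audit-log receiver that is not listening is exactly the silent security service failure a scanner will not report.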

Security programs should always invest in examining the components not covered by automated tools and in performing some level of functional testing to assess the security features and determine the actual risk posture of the system and network infrastructure.