Episode #143

How Companies Fail Vulnerability Management

With Nick McCourt
Lead vCISO at Integris
October 10, 2022

Susan and Nick talk about Nick’s must-haves for vulnerability management programs, and the best practices for whoever owns that process in an organization.

Check out the transcript below and listen along with the embed, Spotify, Apple Podcasts, or your favorite podcast app.

Transcript

Introduction

Susan Gosselin: Hi everyone, I’m Susan Gosselin and I am here again this month with Nick McCourt, one of our top vCISOs at Integris.

This month we decided that vulnerability management was the thing that we needed to be talking about this month. Why is that? Because companies are missing the boat on a lot of things.

So Nick and I, the more we talked about it, we were like, ah, there’s all these ways the companies are failing to fill these holes in their vulnerability management programs, or even failing to do a vulnerability management program at all.

Why do companies need vulnerability management?

Susan Gosselin: And I’m gonna start here with Nick and ask why do companies need to have vulnerability management at all?

What is it? Why do you need to have it? Why is it so important? Do my cybersecurity tools that I’m being sold, shouldn’t those be covering me? What do I need to have to worry about this?

Nick McCourt: Let’s not even talk about the cybersecurity tools for a second. Let’s just talk about the perfect world where you have a fantastic IT provider, or you have your own IT team and you have a patching cadence.

And that patching cadence is every single week. All of your computers, all of your servers, all of your systems, all of your applications, they are being continuously patched and updated. We’re good. We don’t need vulnerability management then ‘cuz ooh, everything’s patched.

But wait a second. You might patch on Wednesdays, but on Thursday somebody out there in the world reports that, hey, there’s a vulnerability for an application that you have on a server that faces the entire world. It’s a zero day, it doesn’t have a firmware update or a patch or anything yet. It’s just there.

We want a system that’s going to correlate with what’s being announced on almost a daily basis now, sometimes hour per hour. Hey, here are vulnerabilities, and we want to be able to scan for that because interesting enough, when you have a patching cadence that’s perfect and you’re doing it every week, for example, that’s still technically not enough.

It’s good enough to keep you hardened to a specific level, but it’s not enough to actually look for, Hey, we did a good job on Wednesday, but Thursday there’s something new. And so we really want an early warning system in place that will announce critical alerts and even take a look at other vulnerabilities that we may not actually be aware of inside our networks.

Susan Gosselin: That makes sense. Okay. So with that in mind I imagine in your position you’re seeing a lot of things that companies are failing to do or they’re doing wrong. And of course, that’s why they hire us, right, is to come in and fix these things.

Biggest vulnerability management weakness often seen in businesses

Susan Gosselin: So what are the top things that you’re seeing?

Nick McCourt: Yeah. I think probably one of the biggest weaknesses that I often see about organizations that we go in to help is if they have vulnerability management from either a previous provider or they were taking care of it themselves.

They have the after dinner approach. “Hey, cool, everybody went home, right? Nobody’s doing any work after six or seven o’clock, so let’s go ahead and do all the scanning right then and there.” The problem is hey, maybe you turned off your computers. So are we actually getting good scanning or are we getting only part of the picture of what’s going on.

A great example, a CEO of a prominent company goes home and sits down and has dinner. Whenever they do that, they turn off their computer. They do that every day. So when patching comes out the day before, for example, back to our perfect world scenario, all of a sudden we’re now missing the patches and we’re not seeing the vulnerabilities.

Now we have a huge blind spot in an important part of the organization. I don’t know. Maybe the head of company is an important person to be scanning, patching, and checking for vulnerabilities. And so with a public figure like that, doing that scanning is huge.

So one of the things that I like with the systems that we use is I want continuous scanning. I want something that you can install on somebody’s computer so they can take it with them wherever they go, and it will, when you boot up, or as you’re working, it will silently scan while you’re working and provide an accurate report any day of the week.

Susan Gosselin: So that’s something that the client can pull on their end and is something that you can pull on your end if you’re working with that client, right?

Working with internal IT teams to address vulnerabilities

Nick McCourt: Yeah. Acting as a Chief Information Security Officer for a number of different companies. When I’m doing that, I want those reports. And I’m looking at those reports cause I’m trying to correlate and understand.

You know, one of my favorites is, I get a report and what I do, ‘cuz you know, I’m not part of the managed services team, I’m not part of the infrastructure team. I do the cybersecurity.

So I get that report and I take a look at it and then what I do is I turn and look at the services people and I say, “Hey, this server might have a vulnerability. Why? Why does that server have a vulnerability?”

It turns out that server’s only allowed to be rebooted once a month because of the systems that they run on it have to be up 24/7. So instead of going, “Oh gosh, shame on your IT people,” it’s, “Hey, we gotta have a conversation to see what we can do as far as the compensating control, or we have to talk about rebooting the server on a more regular basis so we don’t see these vulnerabilities.” So that’s huge.

Reading & comprehending reports

Nick McCourt: In the meantime, yeah I like for my clients to be able to pull these reports, but interesting enough, if you’ve ever seen a vulnerability report before, there could be hundreds to thousands of pages long. And that’s really where it comes into kind of taking it seriously. If you’re an organization and you don’t have somebody on staff to do that, it’s good to actually have some sort of professional, some sort of cybersecurity analyst, essentially taking a look at it and prioritizing what you need to do first.

Susan Gosselin: Terrific. So number one, on what not to do. Don’t fail when it comes to continuous scanning. Don’t think you can just scan in fits and starts. You need continuous scanning.

So what would be the second thing that people are failing to do, that they need to correct?

Setting it and forgetting it

Nick McCourt: You ever park your car in a parking lot and leave the engine running and then walk away from it for four hours? Like, I don’t know anybody that’s really done that and has had a good experience. So setting it and forgetting it is huge. We don’t want people doing that. We want somebody continuously looking at these reports coming in.

A very good vulnerability management system sends you critical alerts. What we really like is we also like a vulnerability management system that will automatically notice new devices that get added to the network. Sure, there are other security systems and everything else, but when you have a continuous vulnerability scanner and it’s going, “Hey I just saw a new device. I’m gonna start scanning it now.”

I want that alert, so I can’t necessarily just walk away, leave it, “I’ll see you in three months” kind of thing. I want something that’s actually giving me data on a regular basis, but not necessarily overwhelming me. A vulnerability scanner is exactly that if it’s configured correctly and you have the right product.

Susan Gosselin: So it’s parsing the information so it’s digestible and actionable and all of those things. Okay. So you heard it all. Number two, don’t set it and forget it. Expect to have a continuous scanner that is providing you actionable information.

All right, so number three.

Failure to run and reboot at the right time

Susan Gosselin: I understand that when you scan is just as important as what you scan and how you scan, right?

Nick McCourt: Yeah. As I mentioned in that first line item, let’s scan it six o’clock, seven o’clock at night. I mentioned the continuous scanning. It really comes into this with other vulnerability tools that may not have continuous scanning. Again, put in the feature request. We want something that continuously scans. But two, let’s say you do really like what you have. If you’re not running it regularly during business hours, then you’re not getting a very good snapshot.

If you’re not getting a good snapshot, then guess what? You’re actually not going to actually do reboots and patching on a regular basis. And that’s one of those things where we ran a scan, we see this server that’s got some vulnerabilities. Okay, well, are you going to reboot it? When are you going to reboot it? What’s the plan?

And oftentimes a lot of people will fail to run it during the day when everybody’s actually working so that you can actually see what’s going on. And two, they fail to reboot anything. I don’t wanna see the same report. Month after month or quarter after quarter.

Rebooting without productivity problems

Susan Gosselin: Right, right. So, when it comes to rebooting, is there a way to do that without creating productivity problems for your people?

Nick McCourt: Are we talking about server rebooting or are we talking about computer rebooting?

Susan Gosselin: I’m talking about the rebooting you need to do for the vulnerability management, whatever that entails.

Nick McCourt: So let’s just start with workstations here real quick. A lot of employees will just leave their computers on, so they do not always necessarily reboot it. And so there are two or three different ways you can do this.

From a technical standpoint, you can actually control when a computer reboots, you can set a cadence, you can tell all the employees, “when you go home, your computer’s gonna reboot.” That works great for desktops.

It doesn’t always work great for laptops because you can make the laptop go to sleep. That’s not actually rebooting it though.

So one of the things I like to recommend is a couple different things. One, desktop, sure. Let’s have them on a regular rebooting schedule. Get everybody used to it and then once you do it, it actually makes life easier.

For your laptops, I actually like encouraging employees to reboot when they come into work or when they start work that day. Hopefully we sit down and we go, “Oh, you know what? I forgot my coffee. I’m gonna go get my coffee right now.” Click reboot. Go get your coffee. Okay.

You can do that on a daily basis. You can do it every couple of days. The idea though is if you, the employee, are doing something as simple as rebooting your computer, you can save a lot of pain and torment on your daily schedule for what you’re doing for work.

Instead of going, Oh, It’s Microsoft or it’s this, or whatever. Instead, if there’s an actual issue, then there’s an actual issue and It’s not just, “Oh, I missed rebooting it the past four months, and maybe I need to upgrade everything.”

Right, which is what normally stops people for sometimes up to a day. And this is something I do want to emphasize with. Doesn’t matter whether you’re the CEO of a company or you are there as an assistant, or you’re working a help desk or you are doing whatever, it doesn’t matter if you come in and you don’t reboot your computer on a regular basis.

The patch management isn’t gonna work very well. Your vulnerabilities are going to skyrocket. The higher your vulnerabilities go, the more you are seen as a risk to the company.

Susan Gosselin: Oh, wow.

Nick McCourt: Yeah.

Susan Gosselin: That’s strong language .

Nick McCourt: Right?

Susan Gosselin: Don’t have a dirty computer you guys. Reboot, clear your cache, upgrade the patches.

Right. Okay, so that is number three. Run your scans at a regular time that employees expect, and then make sure that you encourage them to turn off and reboot their computers at least once a day. Okay.

Addressing remote workers

Susan Gosselin: So number four, what do we have for number four here? Does this have something to do with remote employees perhaps?

Nick McCourt: Yeah, historically what you did is you took a server or you took a virtual appliance, you put it down. People came into work and then you’d run that scanner usually at eight o’clock at night. That doesn’t work now for people that don’t work in the office all the time.

I work with people all over the country. Okay. Which means I’m not always necessarily going into an office ’cause that actually may be a waste of the people that I work with’s time.

What I really want is I want a vulnerability system that can actually handle employees wherever they go. A system that actually has an agent and the agent can basically reach up to the cloud with a report for vulnerabilities.

We don’t want it trying to connect to an office with a VPN. We don’t want it to have to actually go into the office to be scanned. We want to make sure that if you are anywhere, that your computer’s being scanned, being checked health wise. And in that case, we wanna make sure that you can do it any time you want.

So we don’t want that scanner or that little agent to cause issues. So we want it to be lightweight and still provide us with the best information possible.

Susan Gosselin: That makes sense. It’s a particularly vexing thing, right? When you’re dealing with people that are working remotely, I’m a good example. Here I am in the Indianapolis offices of…[laughs you know, there is no Indianapolis office in Integris. But I’m a 100% remote employee and I have a big Integris setup here, right? There’s all kinds of different things that come up when you’re dealing with vulnerability management for remote employees. What are some of those big concerns that, you just need to do a little bit of extra to mitigate for?

Nick McCourt: Yeah. One of the biggest things, and I recently actually had to deal with the situation on this, where vulnerability scanning was being done in the office, but you had over half of your workforce remote.

And back to, how much can an employee pose a risk to an organization if you’re not able to check their computer for vulnerabilities on a regular basis? And I was asked, I was actually asked directly by somebody, “Would it be the employee’s fault if something happened?”

Susan Gosselin: Oh, wow.

Nick McCourt: And I said,

Susan Gosselin: “Where does the liability go for your insurer?”

Nick McCourt: Right.

Susan Gosselin: And that kind of thing. Yeah.

Nick McCourt: So, a good organization wants to actually protect its employees. Your greatest resource for most organizations, if not all organizations, are the employees. And so with remote employees, there’s no change in the level of importance for a remote employee.

You may even want to be higher, right? ‘Cuz you are sitting there all by your lonesome. You don’t have some… Well, I don’t know, maybe you do. Maybe you’ve got some thousand dollar firewall sitting there next to your router, maybe you’ve got your own servers there, Susan, right? [laughs

But at the end of the day, if you don’t have those things, and please notice that she didn’t completely say no. So we’ll just leave that up as a mystery. [laughs But, let’s say you don’t have those things. At the end of the day, I wanna make sure that you’re protected, right?

Because what you do is important. And so remote employees, if they are not afforded some sort of system that is able to check their stuff, so that, hey, a vulnerability management program that has continuous scanning, that actually has an oversight from cybersecurity specialists and analysts who can really help trigger what to do.

It really does actually leave you out on the quintessential island where you are by yourself, you are defending, and you may not even have the correct tools. And so rather than having you sit there and talking to a volleyball the entire time and trying to figure out what to do, let’s make sure your computer is turned into its own warship, essentially. And it has all the firepower needs, and a vulnerability scanner with an agent that I can install on your computer is a very powerful defensive tool.

Susan Gosselin: And that helps me when I’m connecting to my home’s WiFi, but also if I have my laptop out, whether I’m a rope employee or not. If I have my laptop out and I’m having a meeting in a Starbucks, that’s gonna cover it then as well.

Nick McCourt: And the idea is with that report coming in if your computer has vulnerabilities and we have a critical that comes up, then that allows the team to react fast.

You’re sitting in Starbucks, you’re having a conversation, maybe you’re doing business, right? Maybe we’re not just there for the pumpkin bread, right? Cause that’s back in, and believe me, I do like the pumpkin bread. So,

Susan Gosselin: Oh, you’re a pumpkin spice guy. All right.

Nick McCourt: No, no, no, no, no, no, no, no. I said the pumpkin bread. I said the pumpkin bread. Wow. No, no, no. [laughs I’m gonna take off my Ugg boots now.

So anyway, so you’re sitting there, you’re actually having a business meeting in a Starbucks because you’re meeting with, a client or a colleague or whatever. You’re discussing things. In the meantime, a critical alert comes in. It turns out that there is already a patch available. That can actually be queued into a patch management system and pushed out to your computer while you’re working, remotely, covering you in case somebody sees that, “Hey, this has just been announced to the world. I’m gonna see who’s at this Starbucks with me, or maybe they’re just sitting in the parking lot or something like that… let me see who’s there. Maybe I can get in.” So that’s the idea of having a good vulnerability management system.

Too heavy systems

Susan Gosselin: Sounds good. All right. So we got one more tip. Don’t deploy a system that’s too heavy.

So that kind of goes back towards the whole conversation we were having on scanning, right? So it’s not just a matter of having a powerful one, it’s having the right powerful one. How would you explain that?

Nick McCourt: I already mentioned war ships and pumpkin bread, so let’s talk about ancient Rome, right? You know, or,

Susan Gosselin: [laughs

Nick McCourt: Or the Greeks, right?

Susan Gosselin: Man, you are getting it with the metaphors. Alright.

Nick McCourt: If you’ve seen all the movies, the heavier the shield that you hold, the tougher it is to walk. And so what you really want is you want a shield that actually covers you, but that you can actually carry it around.

And vulnerability management is the same kind of deal. You want something that’s lightweight but can actually really do something for you. And so it doesn’t matter whether you deploy out a virtual or physical scanner on a network, or whether you install an agent on a computer. If the agent on the computer kind of blows up your computer for an hour, then that doesn’t help. It really slows the processes down. It stops the employees from being able to work. We don’t want to do that. We want people to come in, we want them to be able to do their job. We want them to be able to enjoy doing their job. If your computer slows down and dies on you all the time, that doesn’t really make life fun.

Back to that, the dinner hour scanning and whatnot, it used to be historically that scanners, when you ran them, they could cause network outages. They would disrupt communications. And so what we really like are scanners that while they’re running continuously, they do not necessarily knock everything out.

Okay. I want you to be in Starbucks and doing work. If that agent causes your computer to blue screen, that’s not a very helpful scanner. And the idea of course is to have a mobile system, a shield that you can carry essentially with you. A shield that allows you to walk or travel or drive wherever you want, that’s not necessarily going to drag you down.

And so that’s the idea of a good vulnerability management program and a good type of product and system you can really run.

Susan Gosselin: So, you’re choosing vulnerability management scanning tools based on the number of end points that a customer is trying to cover, the type of work that’s being done, the load on the system, the hours of operation, all those kinds of things.

Financial impact of a scanner

Susan Gosselin: Any other considerations you need to think about when you’re purchasing a vulnerability scanning program?

Nick McCourt: I think the financial impact is always big. You don’t wanna buy something that’s so cheap that it doesn’t work. I’m fine with getting water guns from Five Below, but I don’t expect them to last that long.

In the meantime, I don’t know that I need to go out and get something incredibly expensive either. What I want is something that works and I want something that works well and does not interrupt my business.

And financial impact, you really want something that may cover less than 1% of revenue for your organization. It depends on the size, right? It depends on whether or not you have people internally doing it or whether or not you have a Managed Service Provider. If you have a Managed Service Provider and they’re doing vulnerability management they’re actually invested, right?

I had somebody tell me not too long ago. ” I think that it’s a conflict of interest, Nick, right? If I’ve got this guy and he’s doing patching and he is also running your vulnerability management at the same time, isn’t that a conflict of interest? Doesn’t he wanna hide the vulnerabilities.”

And I responded and said hold on. If you’ve got somebody patching they’re kind of doing fulltime patching. They’re not necessarily gonna run the vulnerability management. You’re gonna have somebody else, you’re gonna have a different department or division. That’s their job. That’s their focus.

They’re checking on vulnerabilities because that helps protect the reputation of an organization proactively by making sure that you don’t get torpedoed by some hacker who saw something that they didn’t have a patch that day, ” we didn’t even take a look at it cuz why would we?”

No, no, no, no. You have a dedicated department or division that’s really looking at doing this and so, interesting enough, that actually cuts down on that cost for a business. Cuz they have somebody else looking over their shoulder. In a very polite, nice way, of course, but they’re looking over their shoulder and they’re going, “Okay, you guys are doing this and this. But in the meantime, hey, the CEO keeps going home at six o’clock and he’s turned off his computer all the time.”

The vulnerability management actually helps to compensate for, “Hey, we pushed out patches because Microsoft only pushes out patches on Tuesday, right?” You’ve got all these different software companies that have to write the patches, and so they release them on specific days, so the vulnerability management helps catch that, and so it does make it cheaper or less expensive for companies that really want somebody that knows how to do this by going to a Managed Service Provider who does both.

Susan Gosselin: Right. Yeah. Because if you’re a smaller company or even a lot of midsize companies, they can’t dedicate a whole person just to do this one job. So this is one area where outsourcing to our CISOs makes a lot of sense.

With that in mind we have run through our five biggest tips, right?

For people, ways that you’re failing to cover your vulnerability management program. So with that, I am going to say we have our podcast covered. Do you have any parting words of wisdom, Nick, that you’d like to tell all our listeners out there about vulnerability management? Anything they need to know.

Final thoughts

Nick McCourt: Well, I think vulnerability management is more fun than people let on, and I, at least speaking from my perspective, obviously, but I think that, whether you’re the CEO or the owner of a business, or whether you’re an employee looking to make sure that the place that you work is safe, vulnerability management is important.

Take it seriously. A single vulnerability can cause an entire company to go down. It’s important to have it.

Susan Gosselin: Yep. Makes sense. And it also keep your cyber risk insurers happy too. So there you go. All right. We will catch you next month on The Helpdesk, talking about cybersecurity issues. Stay tuned for us and have a safe one.

Keep reading

“Anything We Can Do to Make It Right Is Our Thing”

“Anything We Can Do to Make It Right Is Our Thing”

Scott sits down with Jared Nolan, CEO of Norman & Young, a full service media company serving real estate agents. Jared talks about the highs and lows the pandemic has brought the industry, the new technology and standards raising the bar in the industry, and how...

What IT Leaders Are Facing, and How to Fix It

What IT Leaders Are Facing, and How to Fix It

Anthony sits down with Stephen Hanson, Regional Director of Sales for Integris in the midwestern region, for a discussion on the problems and opportunities that IT leaders across the country are facing, and the possible methods of resolving these issues in the short...

Cybersecurity Policies: What Businesses Miss

Cybersecurity Policies: What Businesses Miss

Susan sits down with Nick McCourt, Lead vCISO at Integris, to discuss all things cybersecurity policy: what they are, why they're important, and what businesses often miss when they create them (if they create them at all). See our article, as mentioned in the...