Krome Cast: TECH-IT-OUT - Vulnerability Management - Is your network vulnerable?

Show Notes

In this episode of Krome Cast: Tech-it-Out, we discuss data security vulnerability management, how to identify ransomware vulnerabilities, how to run a vulnerability scan, and what vulnerability scanning tools we recommend to ensure your network is protected.

With new cybersecurity vulnerabilities emerging each day the need for effective data protection vulnerability management tools has never been so crucial. 

This podcast features Krome’s Commercial Director, Sam Mager, along with Krome's CTO Rupert Mills, sharing their insights into vulnerability management for businesses along with a short demo/description of Tenable Nessus to show how effective it is as a tool to check network vulnerabilities.  

If you would like to watch the full video version of the demo and podcast please visit our youtube channel: https://youtu.be/ALWH0Vwaa6s 

► ABOUT KROME: Krome Technologies is a technically strong, people-centric technology consultancy, focused on delivering end-to-end infrastructure and security solutions that solve business challenges and protect critical data. We work collaboratively with clients, forming long-term business partnerships, applying knowledge, experience and the resources our clients need to solve problems, design solutions and co-create agile, efficient and scalable IT services.

► KROME WEBSITE: https://www.krome.co.uk/

► SOCIAL MEDIA
• YouTube: https://www.youtube.com/@krometechnologies
• Linkedin: https://www.linkedin.com/company/krome-technologies-ltd
• Instagram: https://www.instagram.com/krometechnologies/
• Twitter: https://twitter.com/KromeTech
• Facebook: https://www.facebook.com/KromeTechnologies/

► CONTACT
• Telephone: 01932 232345
• Email: info@krome.co.uk

Transcript

SPEAKERS

Sam Mager, Rupert Mills

Sam Mager  00:00

Welcome to Krome Cast, Tech IT Out. I'm Sam Mager, Commercial Director for Krome Technologies. I'm joined once again by Rupert Mills, my co-founder and CTO of Krome Technologies. And today, we're discussing vulnerability management, and the importance of using proactive tool sets to mitigate the risk around protection of your environment. Mr Mills, welcome back to the sofa, good to see you in the office.

Rupert Mills  00:21

Yeah, you too. I haven't been here for a while.

Sam Mager  00:23

it's been a little while. I was in here, a little while back talking about the importance of strong passwords, with Ben. And it's interesting, just the, some of the data and statistics we pulled out on that how scary the world is right now from kind of cyber challenges, and brute force attacks and ransomware, and all this sort of scary stuff. And obviously, the problem with that one is mainly the person in the chair, with the passwords. But clearly, there's other types of vulnerabilities that we need to be aware of. 

Rupert Mills  00:52

Yeah, absolutely.

Sam Mager  00:52

So kind of throw it straight over to your side of the table, I guess what type of vulnerabilities are there, that we as an MSP need to be aware of, and our clients need to be aware of?

Rupert Mills  01:03

There's hundreds, there's hundreds and hundreds, I think the interesting part of what you just said there, actually, you need to put the two together. So actually, when you've got people with password vulnerabilities out there, if the passwords locked down to only do certain things, or everything's patched as it should be, then generally, that will limit the scope of what an attacker can do with that compromised data. The problem is, if you get that compromised data, and you haven't taken care of the systems over here, then actually, you're in a really bad situation. So in terms of vulnerabilities, there's all sorts things, there's long term vulnerabilities, there's patching of your infrastructure, there's zero-day vulnerabilities, there's tools out there that will show you this sort of stuff, but if you don't pay attention to it, it's really, really easy to let it fly under the radar and, and not realise quite how vulnerable you may be as an organisation. 

Sam Mager  01:46

Okay, so if we cut to the chase now, I suppose. And I'll pretend that I don't know anything about this. And clearly we do. You know, but we do see the issue being that there are tools out there really good tools that will proactively tell you there are issues, not just for vulnerability assessment, we use things like PRTG for monitoring and that will kick out a red light, say if something's wrong, and we know of people that will ignore that red light and clearly that's a problem and the same with a vulnerability, proactive vulnerability assessment tool. If you're not paying attention to what it's telling you, then again, I guess the human element, creates a problem once more.

Rupert Mills  02:21

Yeah. And I think there's a lot of people out there that have taken on board vulnerability scanners or vulnerability testing platforms, and found that they basically are completely overwhelmed with the amount of data it gives them.

Sam Mager  02:31

It must be, well, I've seen some of this.  And it's trying to make sense, especially for a layperson, but trying to make sense of it. It's an onerous task. 

Rupert Mills  02:35

Yeah.  Yeah. Yeah, it can be. And actually, it can be quite daunting when you first look at it. Part of it is actually understanding how easy the tools are to use, and how quickly, you can drill into it, but then the manpower or the systems required to deal with the problems in the backend. So, there's a variety of different options out there. But I mean, let's take some very simple things like doing your patching on your Windows servers, I've created a demo for today just have a quick look at something. But just patching Windows Server can deal with a vast amount of that vulnerability, vulnerability information. But when you start off with it, it can look really daunting. You look at it. Oh, my goodness, I've got all this to deal with. So yeah, it can it can be, it can be scary. 

Sam Mager  03:15

How do you eat an elephant?  Yeah.  One bite at a time right? Yeah, it's interesting that some things we'll discover. It was a, I forget, who was one of our guys mentioned, it was, it was Jason Wake, on one of our blogs, it was actually the password one, talking about simple things like with admin passwords set on these switches being as basic as AdminAdmin. 

Rupert Mills  03:35

Yeah. 

Sam Mager  03:35

And people missing that. And obviously, that's something that's core in your environment. 

Rupert Mills  03:38

Yeah.

Sam Mager  03:38

That's easily missed and overlooked because it's set up quickly, everything works, no one thinks about it, but that's right in the heart of everything you're doing, and is a clear opportunity for someone trying to do something nefarious.

Rupert Mills  03:50

Yeah, absolutely. I mean, it's one of the sorts of standards for ISO or PCI, or any of the big compliance standards is to not have any default admin passwords or admin credentials in there, but people don't think about things like that, and things like switches. 

Sam Mager  04:00

Let's get moving. Let's get it working and

Rupert Mills  04:01

Plug it in and it works. Oh Hang on. Actually, it's because it comes with the default configuration, if you never need to change that, you might never change the default admin password. 

Sam Mager  04:08

And that's just sits there as a ticking time bomb as an open door essentially. 

Rupert Mills  04:11

But the same thing with your vulnerability management at that point is that actually patching things like a switch, people will look at the switch and say oh look it's a switch, it just sits there. Yeah, actually, if someone can get in at the back end and start taking your data out of that switch, because you haven't patched a vulnerability in the firmware, just as valid as putting a Windows update on a Windows machine.

Sam Mager  04:27

It's true, just talking, just made me think of the cadence that we recommend.  I know we work to certain, as Ben was talking about, there is government guidelines and so on, and things like Cyber Essentials Plus, but 

Rupert Mills  04:37

Yep. 

Sam Mager  04:37

Just from your perspective, and for our audience very quickly, the cadence that people should look at things like endpoint, server, switch, host storage, all that sort of stuff.

Rupert Mills  04:47

Yeah, it varies and it changes depending on the environment you're in and what the change control around it are. But some of the best practices is sort of Windows machines every 14 days getting patched, get them out there. For critical updates, things like switches and firewalls, we tend to do, and that's where a vulnerability scan, scanner comes in, we tend to patch if there's a critical or high update, and if not maybe a quarterly patch to get rid all the medium updates or something like that. Because you don't want to be doing those every five minutes. But if there's a critical vulnerability, you want to do it now, because actually, in a week's time, it may be too late.

Sam Mager  05:18

Yeah, I mean, it doesn't take very long for someone to actually get in and and do some damage or with ransomware, and so on, they can be sat there doing damage without you knowing, right, if you haven't addressed that problem,

Rupert Mills  05:28

We saw it recently with the Exchange vulnerabilities that were out there, where basically Microsoft found a load of new vulnerabilities in Exchange. Now people who had a vulnerability scanner would have found out about those pretty much immediately because all the vulnerability scanning agents updated to say there's a new vulnerability, and when you're looking for Exchange, look and see if this issue exists. And if it does flag it, now, it's critical, because it really was critical. And actually, we were able to get out in front of that with most of our clients and help them patch really, really quickly. But some people will have left that completely unknown, because if they didn't see the news articles at the time, it'll just sit in the background, and they may patch Exchange once a quarter or something like that.

Sam Mager  06:01

Or didn't actually pay attention to the flashing light saying there's a problem here. 

Rupert Mills  06:05

Yeah. 

Sam Mager  06:06

Yet again. I think it's probably a good time to actually show what we use as an MSP to support our clients, and what we see, and the bit I referred to earlier, kind of the information as I saw it, can be, it can be quite daunting, but how, how it is displayed, what we look for, and actually how you then manage, how we manage our way through that to support our customers? 

Rupert Mills  06:24

Sure. 

Sam Mager  06:25

So I know you've built a couple of Windows 2016 for us? 

Rupert Mills  06:29

Yes.

Sam Mager  06:30

Okay. Do you want to talk to me about what you've done? And I guess the difference between A and B, and let's dive into the GUI and some of the reporting, and you can talk us through, I guess, what we look for, what people should look for, and let's go from there. 

Rupert Mills  06:41

Sure. So there's a bunch of tools out in the marketplace, the big boys out there are people like Rapid7, Qualys, Tenable. We tend to use Tenable. They're all good tools. Having one is much better than not having one. If a customer already has a different one in place, we're happy to work with that as well. But as a recommendation we tend to use Tenable, Tenable has their real-time scanning tool, which is what we tend to deploy, a tool that sits there, and with the Exchange update, for example, the definitions inside Tenable will update and it will flag immediately to you that there's a problem or within the next run through and it runs through systems in real-time. So it's always scanning. What I've done today is built a demo around their Nessus product. So we use the Nessus product to come out and do a one-off assessment. For example, if we came to your organisation, you said, "look, tell us how we look, what's the initial shape of it?"

Sam Mager  07:30

 Kind of RAG list us? 

Rupert Mills  07:31

Yeah, RAG list. RAG list is really good term because it's, I'll show you the visuals in a minute, but that's kind of how it looks. If they came to us and said, right, show us what you've got and where we stand, then we'd build a scan, Tenable, in Nessus. So what I've done for the point of view of having some demo data, is I've built two Windows servers this morning. One, both windows 2016 servers, completely standard, nothing untoward, one called patched, ones called not patched. Nice and simple.

Sam Mager  07:58

That gives it away. 

Rupert Mills  08:01

So what I did is I simply ran all the Windows updates on one. 

Sam Mager  08:04

Yep. 

Rupert Mills  08:04

So if I show you on the screen, what I've done.

Sam Mager  08:07

Yeah. 

Rupert Mills  08:07

Essentially, I've built two Windows servers. This one here, called patched. As you'll see, this shows all the Windows updates, we can see the machine itself here. There's its IP address, because that'll show up in the Tenable scan in a minute, or Nessus scan. But you can see today, I've run all the Windows updates on it. If we go and look at the alternative, this one's brother the unpatched one, Windows updates, nothing. So just to give you a really simple flavour for how this scan will show the difference between if you're doing updates or not, and what the vulnerabilities that might be left behind if you don't do updates. You see the different IP address here that shows you the different machine that we're looking at in the results. So if I go to the results of that scan, which are here.  You can see, imaginatively named podcast scan and that's today, and the two updates. Now the first thing you'll see there is straight away, the vulnerabilities. So actually, they're RAG listed, or colour coded, critical Red, high priority, Amber medium, Yellow, low, Green, and information only, Blue. So anything that is Red or Orange, going back to the conversation you had with Ben, should be dealt with within 14 days if you're going to be Cyber Essentials Plus certified. So, you can see there, by running Windows updates, I've actually dealt with 16 critical vulnerabilities and 67 high vulnerabilities, just by running Windows updates. But there are a bunch of medium vulnerabilities that are left behind, even though I've done the updates, so they'd require a bit more work. But to give you an idea of the sort of thing, a basic scan will do. This takes very little time to configure if I show you the configuration.  There we go, we've got the two target machines that I was scanning. 

Sam Mager  10:03

Yep. 

Rupert Mills  10:03

Demo scan for podcast.  I've given it some credentials in here to go and look for what it's doing. So it can talk to the Windows servers inside them. That's important because an authenticated scan is so much more detailed than an unauthenticated scan.

Sam Mager  10:16

So to set this up, we set us up for one of our customers. Is this something we have to put On-Premise? Is this from the Cloud directed at them? Have do we manage that?

Rupert Mills  10:24

So there are two different ways to do that, you can scan externally looking in, but you'll only ever see what's visible via the firewall. 

Sam Mager  10:31

Surface.

Rupert Mills  10:31

On the surface. Yeah. So the conversation we've had recently with another client is okay, we can certainly do that. But if your firewalls doing its job, it's going to be hiding the fact that you may have vulnerabilities behind the firewall, okay, which if someone gets behind the firewall, ie they come into your office or something like that.

Sam Mager  10:46

Yeah, from inside of. 

Rupert Mills  10:47

Yep. Or they use a weak password from one of your staff that's, and then use a VPN to come in and they're inside your firewall, there may be vulnerabilities in systems at that point that you're not protecting. So it's worth doing an internal and an external scan.

Sam Mager  10:58

So is that an agent that would deploy out or is that..

Rupert Mills  11:00

No, it's agentless, it uses various different technologies to talk to, underlying sort of WMI, SSH, etc, etc, etc, to talk to the machines. 

Sam Mager  11:05

Okay. 

Rupert Mills  11:12

So if I drill into this, for example, we can look at those 16 critical vulnerabilities there. And it will show you where they actually come from, and these are the various different updates it recommends that you need to do. If I look at this one here, this particular set of Windows updates, there's a whole bunch of knowledge base articles, which will tell you what each one is. Now, as you saw, I got rid of most of those by running Windows updates, I can go into here, and it will tell me exactly what this particular vulnerability is. And exactly using a tool like this, exactly how to solve it. So vast amounts of information says a solution for this, apply security update. 

Sam Mager 11:49

Okay, so it's after the long..

Rupert Mills  11:51

Yep. After the vast amount of detail about what it's doing, apply security update.

Sam Mager  11:54

But still, I can imagine that we've obviously got two servers here, one healthy one not healthy, right? 

Rupert Mills  11:58

Yep. 

Sam Mager  11:58

If I've got environment, three to four hundred, VMs in it.

Rupert Mills  12:01

Yeah, 

Sam Mager  12:01

This could be a fairly onerous task for someone to sit and remediate themselves, which obviously, where people like us come into, take the heavy lifting away, but I can see a tool, like this is invaluable to see where do you start? 

Rupert Mills  12:14

So our managed services team will run a tool like this as part of their process to make sure that we're doing our job properly. And where they can include the reporting to say, look, actually, here you go, this is before we started, this after we started, and then on a monthly basis, you'll find actually, the number of vulnerabilities will go way down, and then they'll spike back up because somebody will find a whole new load of new ones, and a lot of new patches come out. I mean, you know Microsoft, how often they patch. But not just them. Dell with firmware updates, HP with firmware updates, Palo Alto with Firewall updates, whoever it may be, all of those updates, because this is just two windows servers.

Sam Mager  12:46

I was about to say you're just mentioning firewalls there and I'm assuming we can hit access points, firewalls, switches, storage, if you've got an IP address 

Rupert Mills  12:53

VMware, all of those other things, pretty much anything out there. And interestingly, you can also hit, this is information technology, you can also hit OT stuff, which is things in an industrial environment, that are maybe running an oil rig or something like that, you can scan that sort of stuff as well. This traditionally has been a lot more tricky to do.

Sam Mager  13:10

Yeah, yeah. 

Rupert Mills  13:10

That's one of the reasons we use Tenable because they offer that sort of scanning as well. And so in an industrial environment, you can scan. 

Sam Mager  13:15

Yeah, well, 

Rupert Mills  13:15

control machinery, 

Sam Mager  13:16

certainly some of our clients as well to have that capability.

Rupert Mills  13:19

Absolutely. But but to be able to go back, it also allows us to check our own homework and see that we're doing our job properly. But we'd recommend we can we can do this for people that come in with Nessus as a one one off, and say, okay, we can scan your environment and give you an idea of how how well it's looked after and what you're, what you're looking at. 

Sam Mager  13:34

I guess for some people that's at very least a rubber stamp that you've done a great job. Everything is in shipshape. 

Rupert Mills  13:39

Yep. 

Sam Mager  13:40

Conversely, it might be an eye opener that there's some work to be done. But kind of better to know, than not right.

Rupert Mills  13:45

Absolutely. And the cost of Nessus as a product as an example, if you want to go and use one of the full blown products, Tenable, Rapid7, Qualys, any of them, the real-time products that sit there in the background, you can set automation, all sorts of funky tricks in there to make it do its job and help you manage it on a day to day basis. They can be more expensive. And actually, one of the things about Nessus is it's really very cost-effective, it might be a few thousand pounds, which gives you the reassurance that you can actually run a point-in-time scan. And yes, it's a bit more manual. It's a bit more clunky. But you can use the tool that I've used here, to do a manual check and show you exactly where you stand. Yeah it's point in time and it's manual, but and you can go out and update the definitions. If you see something big on the news, you update the definitions, run it again. "Do I have that problem? Oh yes, I do." And we can help you set that up, get it up and running, but it's something I'd highly recommend is it's a good reassurance, for all the money you spend on firewalls, antivirus, patch solutions, all those other things. This will give you a view of - are they working? Which I guess, is about the most important thing there is because we've seen before you can invest in whatever technology stack that you want, you know you can look at the top right hand of Gartner's Magic Quadrant, etc, etc. If they're not set up, right, then you're gonna have a vulnerability, if you couple that with the human element, there is always going to be an issue somewhere. But I guess having a proactive tool, such as Nessus, or Tenable, whichever is the right fit for the particular client we're talking to at least puts you ahead of that curve of ensuring that you've mitigated and let's be honest, there's no such thing as perfect. And the way you know the cyber attacks and so on, get clever and clever, it'd be foolish of us to say you can create a perfect or infallible environment.  Yeah

Sam Mager  15:21

But you can't give yourself kind of the best headstart as possible, by using tools like this but, I think it's the being proactive bit, that is really important. And then not, as we said, we kind of talked about it, we see too often don't ignore the Red bits. 

Rupert Mills  15:35

Yeah.

Sam Mager  15:35

And actually, either have your own policies, procedures, behaviors to take into account. Or if you're too busy, doing the BU, then engage with a good partner that can actually take some of that from you, or help you, and action, some of the Red elements on this, which ultimately, could be very detrimental, reputation and commercially, to your business.

Rupert Mills  15:54

Yeah, absolutely. I mean, part of the reason for showing the tool is that basically the number of times I've sat down with people and shown them what this will do, and they just go  "Oh my goodness, that's so simple, that makes such a difference, it tells us what we're going to look at."  Yes, there's a lot of data in there when you start, but if you get it drilled down into, you can break it up into scans of individual areas or individual technologies, or whatever you need. But actually, it just gives you a, almost as you say, a RAG list to say, this is what I need to go fix. Let's go, let's go start on it and get involved. 

Sam Mager  16:20

Perfect. Excellent. Thank you Rupert. It's been really interesting. 

Rupert Mills  16:24

No worries.

Sam Mager  16:25

Thank you for joining us on this edition Krome Cast. Tech IT Out. If there's anything you'd like us to cover on future episodes, then please leave that in the comment section below.  Like, comment, subscribe, and share. And join us again next time on Krome Cast, Tech IT Out.