Eric Haupt

Sunday Musings: A Matter Of Perspective

Happy Sunday Friend!

Welcome back to another musing! I’m glad you’re here. Here are your Sunday Musings, a quick dose of what I’m exploring and thinking about. If you find it useful, please feel free to forward this along to friends!


Quote I’m Musing

“Every event has two handles, one by which it can be carried, and one by which it can’t.”

-Epictetus

I’m traveling to Maryland and around the National Capital Region this week. Driving the Baltimore-Washington Parkway results in one thing primarily: traffic. I remember finding it quite frustrating when I lived in the area, traveling back and forth between offices in Maryland and the office in Washington, D.C. To better explain, 51 miles took me on average 2.5 hours one way. It can be a miserable and frustrating experience in modernity.

However, flying over the region at night is a very different experience. The same traffic lights up the arteries of human connection. It paints with light the beauty that is modernity and the almost living organism that is human interconnectedness. I’ll still have to come down to earth (literally) and engage that traffic, that congestion of the masses. But I will hold close this alternate perspective and hold tight the opportunities this kid from a tiny town on the other side of the continent has been given, experiencing the breadth of humanity here in the U.S. and in many countries abroad.

There is a lot in life that isn’t in our control. What is in our control, my friends, is the lens we choose to view our lives through. We can choose to see disadvantage and obstruction in one perspective (handle), or we can choose to see opportunity and good in our situation.

Which handle will you choose to carry your burdens? I hope you’ll choose the one that lets you see the opportunity and good in your situation.


Reflection on Control 6

Unfortunately, we have been known to grant accounts more privileges than they should have or need out of convenience. For example, adding an account to the Administrators group rather than tailoring privileges. Additionally, we aren’t always the most thorough in revoking unneeded privileges. This creates unnecessary risk for our organizations.


CIS Critical Security Control #7

Continuous Vulnerability Management

The Remediated Vulnerability Cannot Be Exploited.

Our seventh control is considered one of the older “technologies”. I argue that we must think of it as a program primarily. Technologies come and go, but programs and implementation methodologies remain. Here we focus on identifying, prioritizing, documenting, and remediating security vulnerabilities in our enterprise.

What is it?

Create an ongoing strategy to consistently evaluate and monitor vulnerabilities across our organization's entire infrastructure. The end state is to swiftly address and reduce potential opportunities for attackers. Additionally, maintain a weather eye on both public and private industry channels for emergent threats and vulnerabilities.


Implementation Group 1 (Essential Cyber Hygiene)

Safeguards 1-5


7.1 Establish and Maintain a Vulnerability Management Process

Implementation Note: This protect-based safeguard follows its preceding controls in telling us to establish a process. Ensure we create it as a cyclic process, beginning and ending in evaluation so that it can start anew. The idea in creating all these cyclic processes is to follow the concept of “stay ready so we don’t have to get ready”.

7.2 Establish and Maintain a Remediation Process

Implementation Note: This response-based safeguard complements our first safeguard. It focuses on how to fix the discovered vulnerabilities in a way that (hopefully) doesn’t break another system or create a new vulnerability. Having a system to help you prioritize will help in considering all internal and external factors that can impact our organization.

7.3 Perform Automated Operating System Patch Management

Implementation Note: Back to protect-based safeguards. While I agree with automating proven processes, we can only partially automate this. Patch management software and automations are not a guarantee against necessary post-patch configurations for our security patches. Patch Tuesday is definitely followed by exploit Wednesday. To make sure we are resolving vulnerabilities and not also creating new ones when implementing patches with our business software, we must have a human in the loop here.

7.4 Perform Automated Application Patch Management

Implementation Note: This protection-based safeguard is the business application brother/sister to Safeguard 3. Our OS may be secure, but our attack surface expands exponentially when we bring all the applications required for the conduct of business. Think about the chain of custody of data, the flow of data, and how many different exquisite software applications our myriad divisions require. From HR, to finance, to logistics, and communication. They are legion.


Implementation Group 2 & 3 (Foundation Building & Complex and Tailored Expertise)

IG 1 + Safeguards 5-7


7.5 Perform Automated Vulnerability Scans of Internal Enterprise Assets

Implementation Note: Identifying vulnerabilities via an automated tool. I’m on board with this. While I appreciate the SCAP standards and the push towards a standards-based tool recommendation, I can’t help but think there is more to consider, like frequency of updates and the rate of false positives and negatives, with respect to the people-hours required to remedy them. I think SCAP should be in IG 1, then have the idea of something like SOAR in IG 3.

7.6 Perform Automated Vulnerability Scans of Externally-Exposed Enterprise Assets

Implementation Note: Safeguard 6 is the external side for identifying enterprise vulnerabilities. While we’re being deliberate, I’d add that we should pick a tool that works for both Safeguards 5 and 6 to reduce complexity, streamline adoption and policies, and increase effectiveness.

7.7 Remediate Detected Vulnerabilities

Implementation Note: Responding to the detected vulnerabilities via remediation. This is how we reduce risk. Failing to remediate and prioritize effectively places our entire enterprise at risk.


Why Should We Care About Control #7?

We must have timely threat information and vulnerability information regarding our networks, their software, patches, advisories, etc. Malign actors are incessantly scanning for vulnerabilities to exploit and gain a foothold in our networks. Inculcating vulnerability management as a continuous effort that requires dedicated focus, time, and resources from our experts is essential.

Prioritizing patches and vulnerabilities by their impact on the enterprise and their likelihood of exploitation (ease of use, maximal effect) reduces the risk further. Assessing risk to the enterprise, regression-testing patches, and implementing patches reduce the risk further still.
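
To make the prioritization and the scan-remediate-rescan cycle concrete, here is an added example (not from CIS and not the author's own tooling) that compares two scan cycles and orders the open findings by impact times likelihood. The asset names, VULN-x identifiers, weights, and scan data are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed sample data and hypothetical weights; nothing here comes from CIS.
@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str         # placeholder identifiers, not real CVE numbers
    severity: float      # 0-10 severity as reported by the scanner
    exploit_known: bool  # public exploit or active exploitation reported
    external: bool       # seen by the external scan (Safeguard 7.6)

# Assumed business-impact weight per asset (1 = low, 3 = critical).
ASSET_IMPACT = {"hr-db": 3, "web-01": 2, "kiosk-7": 1}

def risk_score(f: Finding) -> float:
    """Impact x likelihood: severity scaled by asset impact, raised when
    exploitation is more likely (known exploit, externally exposed)."""
    likelihood = 1.0 + (1.0 if f.exploit_known else 0.0) + (0.5 if f.external else 0.0)
    return f.severity * ASSET_IMPACT.get(f.asset, 1) * likelihood

def reconcile(previous, current):
    """Compare two scan cycles keyed on (asset, vuln_id). A finding counts as
    fixed only when the rescan no longer reports it."""
    prev = {(f.asset, f.vuln_id) for f in previous}
    cur = {(f.asset, f.vuln_id) for f in current}
    return {
        "verified_fixed": sorted(prev - cur),
        "still_open": sorted(prev & cur),
        "new": sorted(cur - prev),  # may include issues introduced by a patch
        "queue": sorted(current, key=risk_score, reverse=True),
    }

LAST_CYCLE = [
    Finding("hr-db", "VULN-A", 7.5, False, False),
    Finding("web-01", "VULN-B", 6.0, True, True),
    Finding("kiosk-7", "VULN-C", 9.8, False, False),
]
THIS_CYCLE = [
    Finding("web-01", "VULN-B", 6.0, True, True),    # not yet remediated
    Finding("kiosk-7", "VULN-C", 9.8, False, False),
    Finding("hr-db", "VULN-D", 5.5, True, False),    # appeared after patching
]

if __name__ == "__main__":
    result = reconcile(LAST_CYCLE, THIS_CYCLE)
    for f in result["queue"]:
        print(f"{risk_score(f):5.1f}  {f.asset:8} {f.vuln_id}")
    print("verified fixed:", result["verified_fixed"])
    print("new this cycle:", result["new"])
```

Note that the finding with the highest raw severity (9.8 on a low-impact kiosk) lands last in the queue, behind lower-severity findings on more important or more exposed assets.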

While there is no such thing as perfect security, I continue to maintain that imposing cost by making things more difficult for the would-be attacker while reducing operational disruption is the key to maximizing our risk-reduction efforts.


I would love your feedback!

Which musing is your favorite? What else do you want to see or what should I eliminate? Any other suggestions? Just send a tweet to @erichaupt on Twitter and put #SundayMusings at the end so I can find it. Or, eric@erichaupt.com for long form email.

Have a wonderful week, I’ll see you Sunday.
-e

End of transmission.