In this post SecurityStreet meets Sesame Street. One of my favorite travel songs growing up was "There's a hole in the bucket". The song can literally go on forever, which can be headache inducing at times. Here's the Sesame Street rendition; it may hit close to home, as it did with me.
Why am I telling you this? Well, it feels to me like "There's a hole in the bucket" is a lot like "There's a vulnerability in the network". During my time in the military and in government organizations, I saw the similarities play out on networks with system vulnerabilities. Many of my friends are still in those trenches and express frustration with the vulnerability management process. What is unfortunate is that government agencies are victims of targeted attacks more than the average business. In many government agencies, the priority is the availability of critical services such as healthcare and military intelligence. Since availability is so important, it becomes difficult to take systems down to patch them. This poor patch management leads to widespread exploitation.
Liza in the video reminds me of many security professionals, both in and outside government circles, demanding that their organization implement what they view as simple mitigating controls. This also includes some security compliance audits I've seen, where auditors can seem outright aggressive. The problem, though, is that real-world information security isn't as easy as we would like it to be. Many people get frustrated with the government and leave for commercial work, but the truth is that the same issues exist in corporate settings.
Many government, corporate, and other high-availability network organizations aren't able to patch as fast as they probably should because they don't want to take systems offline to do so. Unfortunately, we know where ignoring patching usually leads - to a breach. There are networks being compromised out there with vulnerabilities that, in some cases, could have been patched at least a year ago. That is just sad for everyone involved. The simple answer seems to be to say "Get patching!", but in a large number of cases this doesn't happen. It really can be as complicated as the Sesame Street clip. Sometimes patches actually break things; in that case, the patch was "too big" :).
When it comes down to it, business leaders, engineers, and security professionals must get together to plan agile, scalable systems and networks. They need to understand where the potential holes are in their "bucket", which is where vulnerability management comes in. Once you know where your holes are, I have always found it better to work with the systems administrators - even sit with them - to fix the findings. Fundamentally, good communication is the key to actually moving forward to a more secure environment. Even though Henry and Liza are communicating, they aren't really fixing anything. Good communication and teamwork require everyone to be on the same page.
Instead of getting angry as Liza does in the video, security professionals must work as a team with the other stakeholders in the organization to actually fix issues. The truth is that you won't be able to apply fixes in all cases, and in other cases real fixes aren't available. In those cases the security team must work to provide compensating control options.
This is critical, as government agencies and critical infrastructure are under non-stop attack and in many cases aren't able to deploy patches on an optimal schedule. Whether you are a government, military, or private sector organization, you must take a holistic security approach and make vulnerability and patch management a priority. Again, vulnerability management lets us know where our holes are. In the words of G.I. Joe, "Well, now you know, and knowing is half the battle".