As the head of project management at Raxis, I have been a part of many customer debriefing calls. Generally, these calls just entail the penetration tester discussing the findings on the report and answering questions such as which findings to prioritize for remediation or the best options for correcting them.
In some cases, though, there is no way to fix the finding, at least in the near term. Organizations that are looking to correct all findings in order to provide the most secure environment for their customers and to meet compliance requirements look to our team for advice.
In this blog, I’ll discuss the options of accepting risks or using compensating controls to limit the risks as much as possible until a larger solution can be implemented.
ACCEPTING RISKS
When dealing with penetration test findings, organizations sometimes have to accept certain risks instead of fixing them immediately. The decision is usually part of a broader risk strategy and reflects that fixing the issue is not feasible, at least in the short term, often because of resource constraints.
Resource constraints include financial limitations, such as when the cost of fixing the vulnerability outweighs the potential impact of an exploit. Time constraints also come into play when fixing the vulnerability might delay critical projects or updates.
In these cases, we often recommend that the organization discuss the finding thoroughly and, if appropriate, formally accept the risk. The risk does not go away, but the proper stakeholders within the company understand it and document their acceptance.
When deciding to accept penetration test risks, organizations should follow a formal risk acceptance process:
- Thoroughly document the vulnerability and associated risk
- Perform a detailed impact analysis, including input from several departments when necessary
- Identify and implement compensating controls
- Get sign-off from appropriate stakeholders, such as a CISO or CIO
- Set a timeline to re-evaluate the risk
- Monitor the risk closely
COMPENSATING CONTROLS
Compensating controls include measures that are worth having in place at all times, since they also limit the impact of newly discovered vulnerabilities and other issues. Examples of compensating controls include:
- Encrypting sensitive data at rest and in transit
- Implementing strong access controls such as least privilege and multi-factor authentication
- Enhancing monitoring and alerting for the affected systems to allow for rapid detection and response if the vulnerability is exploited
- Network segmentation to contain the spread of an attack
- Keeping systems as up-to-date as possible with available patches
LOWERING FINDING RISKS WITH MITIGATION
Often, vulnerabilities that cannot be fixed involve legacy software that no longer receives updates from the vendor but is necessary to business operations. In these cases, until the legacy systems can be replaced, organizations can decrease risk by segmenting the system into an entirely separate area of the internal network. This way, if a compromise occurs, the rest of the network is protected.
While this does not remove the finding from the penetration test report, we are able to lower the risk assigned to the finding if our customer lets us know about the segmentation and gives us access to test that it is correctly in place.
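As an added illustration of checking that segmentation is actually in place (example code, not from the original post or from Raxis), the Python below models a simplified first-match firewall policy and flags any flow that a host in the legacy segment can initiate into the rest of the network without being on the documented exception list. The networks, rules, probe hosts and ports are constructed sample values, and the rule model is a deliberate simplification of a real firewall.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One entry of a simplified first-match firewall policy (constructed model)."""
    action: str          # "allow" or "deny"
    src: str             # source CIDR
    dst: str             # destination CIDR
    port: Optional[int]  # destination TCP port, None matches any port

def evaluate(rules, src_ip, dst_ip, port):
    """First matching rule decides; an unmatched flow is implicitly denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

def segmentation_violations(rules, legacy_net, probes, ports, sanctioned):
    """Return (dst, port) flows that any host in the legacy segment can initiate
    toward the rest of the network and that are not on the documented exception list."""
    violations = set()
    for src in ipaddress.ip_network(legacy_net).hosts():
        for dst in probes:
            for port in ports:
                if (evaluate(rules, str(src), dst, port) == "allow"
                        and (dst, port) not in sanctioned):
                    violations.add((dst, port))
    return sorted(violations)

# Constructed sample policy for a legacy segment 10.50.0.0/24 (not a real environment).
LEGACY = "10.50.0.0/24"
RULES = [
    Rule("allow", "10.10.1.10/32", LEGACY, 3389),    # jump host may RDP into the legacy segment
    Rule("allow", LEGACY, "10.20.0.5/32", 1433),     # legacy app reads one database: documented exception
    Rule("allow", LEGACY, "10.20.0.0/16", 443),      # legacy segment reaches the whole server subnet: too broad
    Rule("deny",  LEGACY, "10.0.0.0/8", None),       # everything else out of the legacy segment is blocked
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8", None), # permissive default between other internal subnets
]
PROBES = ["10.10.1.10", "10.10.5.23", "10.20.0.5", "10.20.7.40"]  # representative hosts elsewhere
PORTS = [22, 443, 445, 1433, 3389]
SANCTIONED = {("10.20.0.5", 1433)}                  # exceptions recorded in the risk acceptance
FIXED_RULES = [r for r in RULES if r.dst != "10.20.0.0/16"]  # policy with the over-broad rule removed

if __name__ == "__main__":
    print("violations before fix:", segmentation_violations(RULES, LEGACY, PROBES, PORTS, SANCTIONED))
    print("violations after fix: ", segmentation_violations(FIXED_RULES, LEGACY, PROBES, PORTS, SANCTIONED))
```

Any flow the check reports is either an undocumented gap in the segmentation or an exception that belongs on the risk acceptance record.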
Another case we often see involves custom web or mobile applications and APIs. Updates to codebases may be a major effort that requires planning and waiting for resources to become available to make the changes. In other cases, custom code relies on vendor APIs, and changes must wait for vendor API updates.
Each of these cases is unique, but there may be opportunities to limit access to the at-risk functionality or to put in place strong compensating controls.
CONCLUSION
We understand that many factors come into play when working to keep your company and customers as secure as possible. Options are available to allow organizations to stay as secure as possible while working towards a more permanent solution.