Application Security , Governance & Risk Management , Government
Battling Bugs: UK Government Pitches 'Scanning Made Easy'Trial Program Aims to Empower Organizations With Scripts to Find Critical Flaws
The British government's National Cyber Security Center has launched a trial project designed to make it easier to find and eliminate software vulnerabilities.
See Also: Webinar | How the SASE Architecture Enables Remote Work
The program, dubbed Scanning Made Easy, aims to help small and midsize organizations identify whether or not critical vulnerabilities are present in their infrastructure.
The effort is not meant to replace an enterprise vulnerability management program but to assist organizations for whom bug hunting might not be a well-mastered discipline.
The NCSC is the government's lead technical authority on cybersecurity and public-facing arm of GCHQ, which is Britain's intelligence, security and cyber agency. The NCSC is also the national incident response lead, and its strategies are honed in part based on the latest attack trends as well as security program shortcomings that it sees.
One challenge with vulnerability management is that it remains a never-ending process, given that organizations continue to add new software and update existing software. Meanwhile, researchers, criminals and others continue to look for fresh ways to exploit the software.
When a new software flaw comes to light, anyone using that software faces the "patch or perish" problem. Namely, can they fix or at least mitigate the flaw before attackers exploit it? Knowing a flaw exists and remediating it, however, are separate - but related - challenges.
"When a software vulnerability is disclosed, it is often easier to find proof-of-concept code to exploit it than it is to find tools that will help defend your network. To make matters worse, even when there is a scanning script available, it can be difficult to know if it is safe to run, let alone whether it returns valid scan results," says "Ollie N.," who serves as the NCSC's vulnerability management lead. (Members of British intelligence in public-facing roles often have their names redacted when issuing public-facing communications.)
"Scanning Made Easy was born out of our frustration with this problem and our desire to help network defenders find vulnerable systems, so they can protect them," Ollie N. says. "While there won't be a script for every single vulnerability, our plan is that scripts will be developed, and continuously reviewed, for critical vulnerabilities and for vulnerabilities that are consistently causing headaches for system administrators."
Scripts for SME will be written by partners, as part of the NCSC's i100 program. This involves 100 individuals from public and private organizations being embedded part-time with the NCSC.
The scripts themselves are being developed using the industry-standard Nmap Scripting Engine, aka NSE.
'Government Being an Enabler'
Cybersecurity expert Alan Woodward, who's a visiting professor in the University of Surrey's computer science department, has lauded the new program for helping organizations improve their own practices.
"I am really quite keen on this kind of initiative. This is government being an enabler rather than doing it for organizations. Personally, I think that's the correct place for them to be. NCSC has previously shared threat intelligence with organizations so this is a natural progression," he says. "It does require those organization to look for the vulnerabilities themselves and ultimately I suspect NCSC will act as a repository of Nmap scripts - and ways of using other tools - based on best practices emerging from those under attack."
The program will hopefully drive more organizations to adopt and hone vulnerability management practices, says Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting.
"This is a very welcome and smart move by the U.K. government in assisting firms of all sizes to better get to grips with vulnerability scanning," he says. "The increasing reliance of companies and businesses on software, particularly post the COVID-19 pandemic with remote and hybrid working, means that organizations need to ensure the platforms they employ are secure."
But he says small and midsize organizations have historically struggled with patch management, both in terms of in-house technical talent as well as knowing which tools to adopt. "The Scanning Made Easy project should provide many organizations with the opportunity to get a good base level of capability started, and from this they can build upon it further."
First Script: Critical Exim MTA Flaws
The first script being made available via the Scanning Made Easy program is available from GitHub and designed to find critical, remote code execution vulnerabilities in Exim, which is one of the world's most-used message transfer agents.
The particular Exim flaws searched for by the script are designated CVE-2020-28017 through CVE-2020-28026 and are also known as 21Nails.
The script was developed by Ollie Whitehouse, Group CTO at U.K. consultancy NCC Group, under the i100 program.
An initiative I was proud to support and play a small part in at @NCSC via the Industry100 (i100) scheme.
I wrote the inaugural check for Exim 21Nails (CVE-2020-28017) aligning to the designed standard.
Was a good excuse to visit @nmap NSEs. https://t.co/ZakXNgzpRc— Ollie Whitehouse (@ollieatnccgroup) January 25, 2022
"The script will output simple-to-read results, including a description of the vulnerability and a link to the vendor security advisory. Running this script often and following the linked vendor advice will help to keep your network secure," says NCSC's Ollie N.
"We would encourage you to review the script before running across your networks," which includes details about how the script can generate both false positives and negatives, Ollie N. adds.
Challenge: Vulnerability Management at Scale
Thus remains one of the challenges facing organizations that run a vulnerability management program: How to accurately chase down every last bug, prioritized by those that pose the biggest risk to that particular organization, says David Stubley, head of Edinburgh, Scotland-based security testing firm and consultancy 7 Elements.
"Any support and guidance that enables small and midsize enterprises to adopt a more robust approach to cybersecurity has to be supported and seen as a positive step in the right direction," he says. "However, scanning is only one aspect, and approaches that rely on automated tools and output often contain superfluous findings, false positives and incorrectly assigned risk ratings."
Stubley adds: "This level of noise creates a technical barrier against organizations being able to make informed decisions and can adversely lead to an increased likelihood of a breach. As such, organizations should also focus on the ability to critically interrogate the output."
Thus beyond tools, he says, training is also required to run an effective vulnerability management program, not least at scale.
Critical Flaws Often Remain Unpatched
The launch of the NCSC's program comes as attackers continue to successfully exploit a number of critical flaws for which fixes have long been available, but which victims have yet to patch (see: CISA Directs Federal Agencies to Patch Known Vulnerabilities).
Experts say Scanning Made Easy will hopefully drive more organizations to at least start to better find and eliminate the most critical flaws in their IT systems.
"The initiative also brings to the fore how important it is to conduct regular vulnerability scanning and should serve as a reminder to all organizations that they need to focus on this discipline to better identify and manage any vulnerabilities in their environments," says Honan, who also serves as the head of Ireland's first computer emergency response team, IRISSCERT.
"In a world where organizations rely so heavily on their supply chain and partners, the Scanning Made Easy project can enable large organizations to better secure their supply chain by referring their partners to the initiative," he says. "The NCSC has to be once again applauded for how it is putting many cybersecurity tasks and disciplines within the reach of all businesses."