Cyber incidents are on the rise, especially those caused by software vulnerabilities. It is likely that a software product or a service will be targeted by a cyberattack at some point in time. Organizations need to be prepared. Given today’s rapidly changing security landscape, having a security incident response team is a must.
Insta DefSec’s Cyber Security unit has established a Product Security Incident Response Team (PSIRT), which is responsible for vulnerability management and for coordinating security incidents affecting our products or services. The focus on products and services distinguishes a PSIRT from other incident response teams such as a CSIRT (Computer Security Incident Response Team), which focuses on the security of an organization's computer systems and networks.
The main focus areas of our PSIRT function are:
- Proactive identification of security issues based on published vulnerabilities
- Responding to reported security vulnerabilities and incidents
Proactive identification of security issues
Software products and services typically rely on third-party components such as Java or OpenSSL. A product may run on an operating system which in turn contains a large number of components. All of these external components – or assets – may contain exploitable, published vulnerabilities. It is essential to identify the presence of such vulnerabilities in a company’s software products and services and to be prepared to take the necessary actions.
Our PSIRT has implemented an automated system that scans published security vulnerabilities. Several web services, such as the National Vulnerability Database (NVD), contain information about vulnerabilities and their fixes. By knowing all the third-party assets in our products, we can collect information about the published vulnerabilities automatically. The result is a database of potential security issues which need to be analyzed and processed by the corresponding product team.
The product team identifies potential security vulnerabilities and analyzes their impact and severity on the product. If necessary, the vulnerable components are patched and tested in all supported product versions. If a patch is not available for the vulnerability, the development team may need to take other actions to mitigate or lower the risk.
The product team releases a fix or a new version of the product, thus lowering the risk of a cyber incident. Communication is important: customers must be notified about the issue and the availability of a fix.
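The collection-and-analysis loop described above, reduced to its core matching step, as an added example that is not Insta DefSec's own tooling. It assumes an asset inventory of (product, version) pairs and a vulnerability feed in an NVD-like shape (identifier, affected product, version range, CVSS base score, fixed-in version); the records and identifiers below are constructed placeholders, not real CVE entries, and a real system would read them from the NVD feed instead. The version comparison handles the numeric and letter-suffix forms (such as OpenSSL's 1.0.2k) that plain string comparison gets wrong, and the output is ordered by severity so the product team can start with the most severe items.

```python
"""Added example: match a third-party asset inventory against published
vulnerability records and prioritise the hits for the product team.
Vulnerability records and identifiers below are CONSTRUCTED placeholders
in an NVD-like shape; they are not real CVE entries."""
from dataclasses import dataclass
from typing import List, Optional, Dict
import re


@dataclass(frozen=True)
class Asset:
    product: str   # third-party component name, normalised to lowercase
    version: str   # version string as reported by the product's bill of materials


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                 # placeholder identifier (constructed)
    product: str                 # affected component name
    start_incl: Optional[str]    # first affected version (inclusive), None = no lower bound
    end_excl: Optional[str]      # first fixed version (exclusive), None = no upper bound
    cvss: float                  # CVSS base score published with the record
    fixed_in: Optional[str]      # version that carries the fix, None = no patch available


def version_key(version: str):
    """Split a version into comparable parts: numeric runs compare as integers,
    letter runs as strings, so '1.0.10' > '1.0.9' and '1.0.2k' < '1.0.2m'.
    A shorter version that is a prefix of a longer one sorts first ('1.0.2' < '1.0.2k')."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(asset: Asset, rec: VulnRecord) -> bool:
    """True when the asset's product matches and its version falls in the affected range."""
    if asset.product != rec.product:
        return False
    v = version_key(asset.version)
    if rec.start_incl is not None and v < version_key(rec.start_incl):
        return False
    if rec.end_excl is not None and v >= version_key(rec.end_excl):
        return False
    return True


def severity(cvss: float) -> str:
    """Qualitative rating bands used by CVSS v3 for a base score."""
    if cvss == 0.0:
        return "None"
    if cvss < 4.0:
        return "Low"
    if cvss < 7.0:
        return "Medium"
    if cvss < 9.0:
        return "High"
    return "Critical"


def find_issues(inventory: List[Asset], feed: List[VulnRecord]) -> List[Dict]:
    """Cross the inventory with the feed; return potential issues, highest CVSS first.
    Records without a fix are flagged so the team knows to assess other mitigations."""
    hits = [(rec, asset) for asset in inventory for rec in feed if is_affected(asset, rec)]
    hits.sort(key=lambda pair: (-pair[0].cvss, pair[0].vuln_id))
    return [
        {
            "vuln_id": rec.vuln_id,
            "product": asset.product,
            "version": asset.version,
            "cvss": rec.cvss,
            "severity": severity(rec.cvss),
            "action": f"upgrade to {rec.fixed_in}" if rec.fixed_in
                      else "no patch available: assess mitigation or workaround",
        }
        for rec, asset in hits
    ]


# Constructed sample inventory for one product build.
INVENTORY = [Asset("openssl", "1.0.2k"), Asset("java", "8.0.181"), Asset("libxml2", "2.9.4")]

# Constructed sample feed; the CVE-XXXX-000n identifiers are placeholders.
FEED = [
    VulnRecord("CVE-XXXX-0001", "openssl", "1.0.2", "1.0.2m", 7.5, "1.0.2m"),   # hits 1.0.2k
    VulnRecord("CVE-XXXX-0002", "openssl", "1.1.0", "1.1.0g", 9.8, "1.1.0g"),   # 1.0.2k is below range
    VulnRecord("CVE-XXXX-0003", "java", None, "8.0.191", 5.3, "8.0.191"),       # hits 8.0.181
    VulnRecord("CVE-XXXX-0004", "libxml2", "2.9.0", None, 6.5, None),           # hits 2.9.4, no fix yet
    VulnRecord("CVE-XXXX-0005", "libxml2", "2.9.5", "2.9.9", 7.1, "2.9.9"),     # 2.9.4 is below range
]

if __name__ == "__main__":
    for issue in find_issues(INVENTORY, FEED):
        print(f"{issue['vuln_id']:14} {issue['product']:8} {issue['version']:8} "
              f"{issue['severity']:8} {issue['action']}")
```

The unbounded ranges (`None` at either end) matter in practice: a feed record that names no fixed version must still surface as a hit, and it is exactly those records for which the product team has to decide on a workaround rather than a patch.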
Responding to security vulnerabilities and incidents
Since some software vulnerabilities get exploited before they are published, even effective proactive identification of vulnerabilities will not prevent all security incidents. It is also possible that a new or previously undisclosed security vulnerability is found after a product has been released.
Information about potential security vulnerabilities may come from various sources, including internal security testing. Regardless of the input channel, they all pass through the same incident response process.
Our PSIRT process consists of three stages:
- The alleged security vulnerability is received and recorded.
- The potential security vulnerability is analyzed technically. This includes a severity rating based on the characteristics and impacts of the vulnerability.
- Corrective actions are decided based on the results of the technical analysis. This could be a software fix or another mitigation, such as a workaround, that prevents exploitation of the vulnerability.
Timely communication is important, especially in case of severe incidents. Customers as well as internal stakeholders need to be kept informed during the process.
Our PSIRT process ends with a lessons learnt step. The idea is to collect feedback from stakeholders to continuously improve the PSIRT process and also the secure software development practices and processes if needed.
Incident response plans should be rehearsed to make sure they work in real-life situations. Simple tabletop exercises are beneficial, but more complex scenarios require specialized products and services such as Insta Trasim. Whatever method of rehearsal is chosen, the exercises should be carefully planned and agreed with all stakeholders. Good planning and execution will result in more realistic, lifelike cyber incident simulations.
Janne Ahlberg works as a Principal Security Specialist at Insta DefSec’s Cyber Security unit