When a large Public Sector Financial Services organization was audited, it was discovered that there were thousands of unresolved security scan findings highlighting its security and privacy vulnerabilities.
The organization had no documented Vulnerability Management Strategy or plan of actions for addressing these vulnerabilities in its technology platforms.
Their vulnerabilities spanned a broad scope of attack surfaces including weak password policies, access controls that didn’t enforce least privilege, and a broad range of application vulnerabilities resulting from out-of-date software components and security errors in code across:
• Cross-site scripting
• SQL injections
• Unencrypted storage and communications
In the federal government space, maintaining security standards is a matter of regulatory legislation.
The necessary public discovery brought undesired attention to the agency, threatening the reputation of leadership and senior management for exposing their massive userbase to possible security breach or privacy information spillage.
Enterprise Iron’s Cybersecurity practice took the results of these audits and worked with the Client on a cybersecurity assessment to tailor and document a set of requirements based on the NIST 800-53 Security and Privacy controls framework, which formed the baseline of its previously undocumented Vulnerability Management Strategy.
Scan results were consolidated and organized by application, and EI’s security engineers worked with each application development team to prioritize and plan for the remediation of the vulnerabilities.
Common security control capabilities were analyzed, and products and services were selected for routine scanning, vulnerability case management, and security appliances including web application firewalls and other intrusion detection solutions.
While working with the application architecture teams, common security patterns were documented, and development team leads were trained in their use.
Plans of action and milestones (“POAMs”) were defined that established the timeline and sequence in which vulnerabilities were to be mitigated in order of severity of the results.
RESULTS & CLIENT BENEFITS
Thanks to the joint accomplishments of this assessment and the subsequent cybersecurity strategy implemented, our Client witnessed their massive catalog of vulnerabilities reduced quarter after quarter.
Within a year, the vulnerabilities were brought to a level that was well within the organization’s capacity to manage promptly leveraging its own newly documented policies.
In a year where other bad actors were quite active and other federal agencies experienced large reputation-damaging breaches, this organization turned around its large security debt and plugged serious holes in their Vulnerability Management Strategy.
The Client established a standardized procedure for discovering and reacting to threats going forward, as well as re-tooling their platform to build cybersecurity best practices into the DNA of their application development and operations strategies.