For several months now, NIS2 and DORA, the two EU acts that set binding cybersecurity requirements, have been drawing increasing attention. In an age of information warfare and high-profile security incidents in both the public and private sectors, cybersecurity is a priority. This article focuses on one specific obligation that both acts imply: vulnerability management.
NIS2 (the revised Network and Information Security Directive) extends and clarifies the rules on the security of network and information systems introduced by the original NIS directive of 2016, and it binds all EU member states. NIS2 entered into force in January 2023; member states had 21 months to transpose its provisions into national law, with the resulting obligations applying from October 18, 2024.
The main goal of NIS2 is to specify which entities are subject to the rules, to broaden those rules, and to define the conditions under which entities must comply. Key requirements include:
These measures should be proportionate to the size and risk exposure of the organization, taking into account factors such as the economic or social impact an incident would have.
DORA (Digital Operational Resilience Act) is an EU regulation, directly applicable without national transposition, that defines ICT security requirements for the financial sector. It entered into force in January 2023 and applies from January 17, 2025, to a wide range of entities: not only financial entities themselves, but also their contractors, suppliers, and third-party ICT service providers. This covers institutions offering payment services, granting loans, and engaging in investment activities, as well as the ICT providers that serve them.
As with NIS2, entities in scope of DORA must meet a range of requirements for resilience against ICT threats. ICT risk management and incident management (including incident reporting) are central. DORA also mandates digital operational resilience testing, including regular penetration tests and, for entities designated by their supervisors, threat-led penetration testing against live production systems. The regulation further covers business continuity and the management of third-party ICT risk in the supply chain.
The purpose of both acts is to harmonize legal requirements across the EU and to compel entities to adopt a mature, accountable approach to cybersecurity risks and threats.
Among the risks these acts address, one that ranks highly for almost every entity is the management of software vulnerabilities within the organization. This covers the endpoints used by employees, the intermediary devices on the network (firewalls, VPN gateways, proxies), and the software running in server and network infrastructure.
The amount of software in use, and with it the number of vulnerabilities to handle, grows with the size of the organization. Vulnerabilities are commonly rated with CVSS, but a CVSS score expresses technical severity, not the risk to a particular organization: the same flaw means something different on an internet-facing VPN gateway than on an isolated test machine. For decades, exploiting software vulnerabilities has been one of the most popular ways for criminals to breach organizational security, infiltrate infrastructure, and achieve goals such as data theft or destruction. Services and systems reachable from the internet, such as web servers, VPN gateways, corporate email, or data hosting, are the most exposed to attack. Many companies depend on exactly these services to support their business, especially in the era of widespread remote work.
It is easy to picture the sheer number of publicly reachable servers and services available to attackers. Just as important, however, is the software "hidden" behind the public-facing infrastructure: internal applications, management interfaces, and the systems an attacker reaches after gaining a first foothold. This layer is often neglected by IT administrators, and companies discover the consequences only when they face a malware infection or a targeted attack that spreads through unpatched internal systems.
Vulnerability management tends to arrive with organizational maturity and the need to reduce the associated risk; regulations such as NIS2 and DORA now make it an explicit obligation. Handling vulnerabilities systematically is, however, not overly demanding, even for medium-sized enterprises.
The basic principle is to classify infrastructure segments and assess their criticality. The sensitivity of the data a system processes, its reachability by a potential attacker, and its importance for business continuity should drive the classification. The classification then determines the software update policy: the more exposed and the more critical an asset, the shorter the permitted lifetime of a known vulnerability on it. The same classification feeds other cybersecurity areas that the regulations recommend or require, such as asset management and risk management.
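The following is an added example, not code from the original article, showing how such a classification can be turned into a concrete patching policy. It joins constructed scanner findings with a constructed asset inventory and derives a remediation deadline per finding from the CVSS severity band, the asset's exposure, and its business criticality. The SLA table, the data schema and the vulnerability identifiers are assumptions made for the example; an organization would set its own values. One deliberate design choice: a host missing from the inventory gets the most conservative policy rather than being silently deprioritized, because an incomplete asset inventory is the usual blind spot.

```python
"""Vulnerability triage driven by asset classification (illustrative example)."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    exposure: str     # "internet" (reachable by any attacker) or "internal"
    criticality: str  # "high", "medium" or "low": data sensitivity / business continuity


@dataclass(frozen=True)
class Finding:
    hostname: str
    vuln_id: str      # placeholder identifier; a real scanner would report a CVE or plugin id
    cvss: float       # CVSS base score as reported by the scanner
    first_seen: date  # first time the scanner observed this finding on this host


# Hypothetical remediation SLA in days, indexed by (exposure, severity band).
SLA_DAYS = {
    ("internet", "critical"): 7,  ("internet", "high"): 14,
    ("internet", "medium"): 30,   ("internet", "low"): 90,
    ("internal", "critical"): 14, ("internal", "high"): 30,
    ("internal", "medium"): 60,   ("internal", "low"): 180,
}


def severity_band(cvss: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def remediation_deadline(finding: Finding, asset: Asset):
    """Deadline by which the finding must be fixed, or None if it is informational."""
    band = severity_band(finding.cvss)
    if band == "none":
        return None
    days = SLA_DAYS[(asset.exposure, band)]
    if asset.criticality == "high":
        days = max(1, days // 2)  # halve the window for assets that matter most
    return finding.first_seen + timedelta(days=days)


def triage(findings, assets, today: date):
    """Return one row per actionable finding, sorted by deadline (earliest first)."""
    by_host = {a.hostname: a for a in assets}
    # Unclassified host: assume the worst case so the gap in the inventory shows up.
    fallback = Asset("<unclassified>", "internet", "high")
    rows = []
    for f in findings:
        asset = by_host.get(f.hostname, fallback)
        deadline = remediation_deadline(f, asset)
        if deadline is None:
            continue
        rows.append({
            "hostname": f.hostname,
            "vuln_id": f.vuln_id,
            "severity": severity_band(f.cvss),
            "classified": asset is not fallback,
            "deadline": deadline,
            "days_left": (deadline - today).days,
            "overdue": today > deadline,
        })
    rows.sort(key=lambda r: r["deadline"])
    return rows


def report(rows) -> str:
    """Plain-text summary suitable for an ad-hoc status report."""
    lines = []
    for r in rows:
        flag = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        note = "" if r["classified"] else "  (host not in inventory!)"
        lines.append(f"{r['deadline']}  {r['hostname']:<12} {r['vuln_id']:<9} "
                     f"{r['severity']:<8} {flag}{note}")
    return "\n".join(lines)


# Constructed sample data for the example.
TODAY = date(2024, 6, 1)
ASSETS = [
    Asset("vpn-gw-01", "internet", "high"),
    Asset("mail-01", "internet", "medium"),
    Asset("hr-db-01", "internal", "high"),
    Asset("print-01", "internal", "low"),
]
FINDINGS = [
    Finding("vpn-gw-01", "vuln-001", 9.8, date(2024, 5, 20)),
    Finding("mail-01", "vuln-002", 7.5, date(2024, 5, 25)),
    Finding("hr-db-01", "vuln-003", 6.5, date(2024, 4, 1)),
    Finding("print-01", "vuln-004", 5.3, date(2024, 5, 1)),
    Finding("dev-box-77", "vuln-005", 8.1, date(2024, 5, 30)),  # not in the inventory
]

if __name__ == "__main__":
    print(report(triage(FINDINGS, ASSETS, TODAY)))
```

With the sample data, the internal HR database (medium CVSS score, but high criticality and a finding that has been open for two months) lands at the top of the list, above the internet-facing VPN gateway with the critical-rated flaw; sorting by CVSS alone would have ordered them the other way round. The unclassified host is listed with a short deadline and an explicit warning, which is the signal to fix the inventory.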
To verify that the implemented vulnerability management mechanisms actually work, organizations use dedicated tools and testing methodologies. Vulnerability scanners check whether the software in the scanned infrastructure, network, or system carries known vulnerabilities and identify configuration gaps. A scanner only finds what its signature database covers and what it can reach, so its results depend on where it is placed in the network and whether it scans with or without credentials.
Another approach is penetration testing, which may include automated vulnerability scanning but relies primarily on manual work. Experienced testers verify whether applications, services, or software are exploitable by interacting with them the way a user would and then going beyond that: manipulating the communication between client and server, submitting commands and input the developers did not anticipate, and checking how the software validates what it receives.
A hybrid approach combines continuous automated scanning of the infrastructure with periodic, in-depth penetration tests. More and more companies adopt this model to continuously monitor, identify, and manage vulnerabilities using the two complementary methods. It also supports incident response, because anomalies detected early by the scanning process can be acted on before they turn into incidents. Overall, the approach meets the expectations and requirements of the regulations and of security standards, and it allows ad-hoc generation of reports on the vulnerability status of the monitored infrastructure.
Both penetration tests and vulnerability scanners are routinely used to ensure and verify organizational security. Depending on the mechanisms and methodologies applied, they support vulnerability management from small companies up to extensive corporate infrastructure. Their effectiveness, however, depends on an experienced team of security experts with a proven track record in software testing projects.