Tyler Morgan on System Vulnerabilities

system vulnerabilitiesTyler found his start primarily in I.T. operations and developed those skills for a number of years. Soon after, Tyler pursued of a career in transactional law after attending Law School. During and following law school, Tyler  concentrated on cybersecurity enforcement work, including NERC CIP work in the energy sector. With his legal foundation behind him, Tyler next dove into consulting work in cyber security that consisted of Pen Testing, Sarbanes Oxley 404 testing, general support of financial audits, I.T. control portions of those audits, and forensic work. With experience in both cyber and physical security Tyler is currently the Information Security Officer for Simmons Bank where he leads physical and cyber security operations.


LIFARS: What are your thoughts on security researchers exploring the locks on your Networks?

Tyler: Certainly, research is a great thing. It is a great academic exercise and I’d rather these researchers identify vulnerabilities rather than adversaries identify an opportunity for themselves. The center focus is the openness of the relationship between the institution and the one doing the ‘research.’ What would be an ideal situation would be having a straightforward relationship with the researchers, which means knowing of their presence, actions, and motives. To compose such a profile, institutions must look at the organizations researchers are affiliated with and the purpose of their research. We should not want to discourage that type of behavior, but in terms of the cybersecurity world as it stands today, there is a lot of extreme pressure to properly vet all external or third party relationships you have connections with. Overall, you have to have a system of checks and balances and clarified relationship with the outside party. Otherwise, institutions will be unwilling,  or too apprehensive to work with you.

LIFARS: What should a company do when the vulnerability is presented to them by the researcher?

Tyler: The Company has a responsibility at that point to assess the vulnerability. It is similar to having a customer finding a flaw with one of your systems, just not to such a detailed level as in the case of a security researcher perhaps. If customers have security concerns on how we were doing things with a portal, or any form of external facing customer item or software, I would welcome them to reach out to us to begin communication. However, if you don’t have any relationship with us and we do not know you are there and we find out you’ve been poking around, we’re going to be more on guard than if we would have had some kind of established relationship.

In any case the answer is the same; we have been presented with vulnerability that may require mitigation. We have to do our homework to see what the real risk of that vulnerability is, areas of liabilities that are incurred, and systems or data that could be continually impacted. So really there is no difference between any vulnerability that we would receive via some trusted organization such as the Financial Services
Information Sharing and Analysis Center or that of an unknown player. We have to tackle it in the same way. Now the difference is, there is probably not going to be a patch available so you are going to have to take some other mitigating action while vendors are given time to prepare a patch or other solution.

LIFARS: When should the company respond to the discovered exploit and what does the time frame look like?

Tyler: You scale the response based on what the discovered exploit is. If it poses a significant risk and you think it could have immediate impact, you have to escalate that the same as you would any major vulnerability. If you do not respond adequately, then you run the risk of having legal liability associated with not doing your appropriate due diligence or risk assessment and taking the proper actions to protect your sensitive systems or data. It becomes an act of balancing the significance of the risk posed. There has to be a quantitative analysis associated with the compromise to make sure that you have a sufficient understanding of the risk in relation to your organization. If you do not act immediately, you need to document why you are not acting and document what mitigating measures you are going to put in place in the interim until you have some more solidified solution down the road.

LIFARS: Could you expand on what implications could arise from not responding?

Tyler: It can get a little murky at that point. If it turns into consumer compromise of sensitive data, then the part of what’s going to be looked at is your resourcefulness that you brought to the scenario. How reasonable were you in your actions. I vaguely recall a case not too long ago that essentially came down on the side of the company do to the fact that the company had done some due diligence and taken the lot of mitigating actions. In contrast, there was also a recent case where a company was found to be deficient with regards to how they presented themselves. They stated their controls in place were up to standard when they actually did not have sufficient controls in place. It comes down to the behavior of reasonable person or reasonable company in response to the information that is or should have been known regarding the risk. That’s why documentation becomes so important in making sure if you don’t act immediately to patch the exploit or mitigate it, there are records that provide clear evidence that you were working towards it, and that your conduct was reasonable.

LIFARS: What are the components of your best practices from a vulnerability focus?

Tyler:  You have to begin with any changes in configurations, from networking devices, all the way down to the  endpoint PCs. You want to have a hardened configuration of your systems. You need to limit the ports or services on those machines from the outset. That significantly reduces the surface area upon which these potential vulnerabilities could exist. It is easier to break into a house if I have 3 or 4 doors and 20 windows, but if I board those 20 windows up and two of those doors, I am left with the single door. If that is the only point of ingress/egress to a house, it becomes much more difficult for you to break into that house. It is the same thought process in terms of hardening systems because we eliminate all those ports and services that aren’t used in daily activities and everything else must have  a business justification supporting why it is enabled. Once you have done that exercise you apply patches timely to your critical systems or any pathway to those critical systems. Notably, there needs to be an understanding on how these systems interrelate so you can understand a vulnerability, such as what your firewall means to your internal systems, or what impact a vulnerability on your end points might have on one of your servers that are connected to those end-points. Also, you should conduct regular and routine vulnerability scanning to make sure you have not missed anything in terms of a patch or other configuration and hardening steps that you need to take.  You also need to have a good relationship with you peer organizations, as you get firsthand knowledge in terms of what they are seeing and what kind of vulnerabilities they are faced with. Then, keep any external facing portals, or anything of that nature, to a minimum, and funnel all your traffic through a single point of ingress or egress whenever possible, similar to the door scenario we talked about earlier. Of course, make sure that you maximize the tools that you have in your arsenal.

There is so much stuff that you can buy out there and in many cases people go out and they purchase all these tools that are supposed to do various actions, but they really do not have the resources to utilize all of it or don’t invest the time. I would say to have a tool is one thing, but if you do not really make good use of it then you really do not get the value from it. Having too many tools can be just as bad as it is not having any, if you do not use them properly. Lastly, when you’re choosing metrics to measure your security performance/response use common sense. There’s no point in working on a metric if it has no real world value. You’re simply wasting your time and others’ time, as well.

Contact Tyler Morgan on LinkedIn.