“This is bad, really bad,” Jay Santos thought to himself. An email from Microsoft greeted him first thing in the morning with news of several new vulnerabilities, many of which the software manufacturer had rated as critical. What troubled Jay was that the vulnerable software subsystem was the Remote Desktop Protocol (see Exhibit 1). The use of this protocol was ubiquitous across the Microsoft-using world for managing fleets of Windows servers. As was typical of recent large-scale vulnerability notifications (see Exhibit 1), this one too had been given a clever name, DejaBlue. Microsoft named it thus because it followed closely on the heels of a previous critical vulnerability in the same subsystem called BlueKeep.
Jay was the duty handler that week for Techgenics’ Emergency Vulnerability Management Program. This meant that it was his responsibility to herd the various system owners and get them to patch as quickly as possible. Given that this vulnerability had just been released and the vendor had confirmed that no active exploit code (see Exhibit 1) was available, convincing them to take a business-disrupting reboot might be difficult.
The Vulnerability Management team had been leveraging a combination of both off-the-shelf and homegrown tooling (see Exhibit 1) to deliver their services. At the core of their tooling was a database that contained all of the vulnerability information for the entire enterprise. This database and the interface to it had implemented role-based access and discrete permissions to the data, but ultimately the database was supported by a potential team of dozens of IT support people, both onshore and offshore, United States citizens and foreign nationals. The sensitivity of this data was not lost on either Jay or his manager, Dean Wheeler. If this data were to land in the hands of a malicious actor, it would be a virtual roadmap and how-to guide for compromising Techgenics.
Right before the announcement of DejaBlue, Jay’s manager, Dean, had informed Jay that the program was going to be underfunded. While the business understood the criticality of the program, the full budget request was going to be denied. The vulnerability team was, however, still expected to continue to deliver the same level of service to the business, and with an expansion of the business into the Federal space, the data store had to be brought into compliance with the Federal Risk and Authorization Management Program (FedRAMP). How would they deliver these critical controls while still staying within their now reduced budget?
Authors: Gary Holland, Chelsea Nauta, Ryan Pusins, Alberto Socorro, Chris Teodorski
Cite As: Holland, G., Nauta, C., Pusins, R., Socorro, A., & Teodorski, C. (2020). Techgenics’ data security compliance. Muma Case Review, 5(5), 1-27. https://doi.org/10.28945/4563