Why Vulnerability Management is Important

Published October 6, 2020. 5 min read.

We are all vulnerable, and becoming more so, it seems. Data breaches and system disruptions due to cyberattacks just keep rising, year after year. Finding and strengthening your cybersecurity weak spots, or vulnerabilities, is key to thwarting these attacks. 

A Big Problem, and Growing Fast

Cybercrime has proliferated to such an extent that it hardly makes headlines anymore. Data leaks, defined as “the unauthorized transmission of information from inside an organization to an external recipient(s),” skyrocketed in 2020 by 492%, reaching 27 billion in the first half alone, an all-time high. Typically, data leaks happen from within.

Atlas VPN reported 2,037 publicly reported data breaches in the first half of 2020. In the same period in 2019, 3,800 publicly reported breaches exposed 4.1 billion records, according to Norton. Clearly, vulnerabilities abound.

Managing Your Weaknesses

The most common cybersecurity vulnerabilities, Kaspersky says, occur in technologies and user behaviors. 

Breaches occur, the security company writes, in the following ways:

  • Accidental insiders who inadvertently leak information to an outside location;
  • Malicious insiders who leak data intentionally;
  • Lost or stolen devices containing unencrypted information;
  • Malicious external criminals such as hackers, who may install malware on your systems.

Vulnerability management can help you avoid data leaks and breaches before they start, but to do it right, you must be vigilant. The process begins with vulnerability assessments and it never stops; as soon as you complete one vulnerability assessment, you must begin another.

A vulnerability assessment helps you identify, evaluate, classify, remediate, and report on security vulnerabilities in operating systems, enterprise applications, browsers, and end-user applications. 

Mind Your Patches

Every year, organizations discover thousands of new cybersecurity vulnerabilities requiring them to patch their operating systems and applications and reconfigure their network security settings. Too often, though, they lack a robust patch management program and fail to apply these patches in time.

Nearly 60 percent of cybersecurity breaches in 2019 may have been completely avoidable, according to the Ponemon Institute: they resulted from companies’ failure to patch known vulnerabilities using readily available patches.

Of course, the typical corporate network contains thousands of vulnerabilities. Keeping them all patched is an impossible task, but having a vulnerability management plan can ensure that you’re addressing the highest-risk vulnerabilities.

Vulnerability management gives you a process and the tools to regularly identify and remediate your most critical and high-risk vulnerabilities. 

Compliance Requires It

Vulnerability scanning and vulnerability management are required to achieve compliance with such regulations and industry standards as the International Organization for Standardization’s ISO 27001, Information Security Management Systems (ISMS).

One of the most widely used standards in the extensive ISO family, ISO 27001 provides guidance on cybersecurity management, including vulnerability management as well as information security risk assessment and risk management.

What Vulnerability Scanning Does

Vulnerability scanning aims to identify any systems that are subject to known vulnerabilities. But it’s not a one-and-done task. You must schedule scans to occur regularly to detect new weaknesses and threats.

A vulnerability scanner scans a network or system, including operating systems, for known weaknesses. A vulnerability scanner can also uncover such issues as improper file sharing, system misconfigurations, and outdated software. 

You should use vulnerability scanners to conduct vulnerability scans at least once a month, and more frequently as needed for critical or high-risk systems. Run your scans in a random order so that attackers can’t use a predictable schedule to time their attacks.

More frequent scanning will give you greater clarity on the progress of your remediation efforts and help you identify new security risks based on updated vulnerability information. If you don’t scan for vulnerabilities and proactively address any flaws that you discover, it’s likely that your systems will be compromised.

The data these scans produce can be invaluable for your risk management program if you evaluate scan results and remediate accordingly.

The Vulnerability Management Process

Each new vulnerability introduces a security risk to your company. So, it’s important to put a process in place to identify and address vulnerabilities quickly and continually. 

Typically, there are four stages to a vulnerability management program:

  1. Identification

First, identify all the vulnerabilities that exist throughout your IT environment. To do so, you must define your IT assets and find the right vulnerability scanner for each asset.

The vulnerability scanner you’ll use for your web applications will differ from the scanner used to uncover network vulnerabilities. For application security, you will likely need at least two technologies to detect vulnerabilities in open source libraries and in your proprietary code.

Identification is a critical part of vulnerability management that is becoming increasingly challenging as companies’ IT environments grow more extensive, complex, and interconnected. 

  2. Evaluation

After you’ve identified your system’s vulnerabilities, you must evaluate the risks they pose and determine how to manage them. It’s important to understand the risk ratings that your vulnerability management tool provides, such as the Common Vulnerability Scoring System, which provides a numerical (0-10) representation of the severity of a vulnerability.

However, you will also want to understand other real-world risk factors, such as:

  • How easily can someone exploit a particular vulnerability? Is a published exploit code available?
  • Does the vulnerability directly affect the security of your network?
  • What would be the impact to your business if a bad actor exploited the vulnerability?
  • Do you have any existing security protocols that would decrease the likelihood and the consequence of a malicious actor exploiting the vulnerability?

It’s also important for you to know whether any vulnerabilities that you’ve identified are false positives. There are tools and techniques that enable vulnerability validation, such as penetration testing, that can identify false positives so you can focus on the vulnerabilities that pose the biggest risks to your company.

  3. Remediation

After you’ve identified and evaluated the vulnerabilities, you have to determine how to prioritize and address them.

Your vulnerability management tool will likely recommend which remediation technique you should use for each vulnerability. You should check with your security team, system owners, and system administrators to determine the right strategies.

There are three general ways you can remediate the identified vulnerabilities:

  • Remediation: Preventing exploitation by patching, correcting, or replacing code that contains a vulnerability.
  • Mitigation: Reducing the probability or impact of a vulnerability. This is typically a temporary fix that you can use until you can totally remediate the vulnerability.
  • No action: Acknowledging and accepting the vulnerability. Generally, you should only do this when the cost of remediating the vulnerability is much higher than the effect it would have on your business if it were exploited.

After you’ve finished the remediation process, you should perform another scan to determine if the vulnerability was completely resolved.

  4. Reporting

If you routinely conduct vulnerability assessments, you’ll gain greater insight into the effectiveness, speed, and cost of your vulnerability management program.

Most vulnerability management systems let you export the data from your vulnerability scanners so your security team can better understand the security posture of each asset and track it to identify trends, such as increased vulnerability detection.

Consistent reporting will help your security team comply with your company’s risk management key performance indicators as well as with regulatory requirements.
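The evaluation factors and the three remediation options described above, as an added example that is not code from the post or from any vulnerability management product: a risk-based prioritization routine that adjusts each finding’s CVSS base score by exploit availability, exposure, business impact and compensating controls, drops findings that validation marked as false positives, and assigns each one a remediate/mitigate/accept disposition. The `Finding` fields, the weights and thresholds, and the sample findings are assumptions constructed for this example.

```python
from dataclasses import dataclass

REMEDIATE_AT, MITIGATE_AT = 7.0, 4.0  # thresholds and the weights below are assumptions for this example

@dataclass
class Finding:
    asset: str
    vuln_id: str                 # scanner-reported identifier (sample values below are placeholders)
    cvss: float                  # CVSS base score, 0-10, as reported by the scanner
    exploit_public: bool         # is published exploit code available?
    internet_facing: bool        # directly exposed, so it affects the network's security
    business_impact: int         # 1 (low) .. 3 (high) impact on the business if exploited
    compensating_controls: bool  # existing controls lower the likelihood or the consequence
    validated: bool = True       # False once validation (e.g. a pentest) flags a false positive

def risk_score(f: Finding) -> float:
    """Adjust the CVSS base score by the real-world factors the post lists."""
    if not f.validated:
        return 0.0                                   # false positives drop out of the queue
    score = f.cvss * (1.5 if f.exploit_public else 1.0)
    score *= 1.3 if f.internet_facing else 0.8
    score *= {1: 0.6, 2: 1.0, 3: 1.4}[f.business_impact]
    if f.compensating_controls:
        score *= 0.7
    return round(score, 2)

def disposition(f: Finding) -> str:
    """Map a finding to remediate, mitigate (temporary fix) or accept (no action)."""
    if not f.validated:
        return "false positive"
    s = risk_score(f)
    return "remediate" if s >= REMEDIATE_AT else "mitigate" if s >= MITIGATE_AT else "accept"

def prioritize(findings):
    """Remediation queue, highest risk first: (asset, id, score, disposition) tuples."""
    return [(f.asset, f.vuln_id, risk_score(f), disposition(f))
            for f in sorted(findings, key=risk_score, reverse=True)]

# Constructed sample scan output; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Finding("web-01", "VULN-0001", 9.8, True, True, 3, False),
    Finding("web-01", "VULN-0002", 5.0, False, True, 2, True),
    Finding("db-02", "VULN-0003", 7.5, False, False, 3, True),
    Finding("kiosk-07", "VULN-0004", 4.3, False, False, 1, True),
    Finding("db-02", "VULN-0005", 6.1, True, False, 2, False, validated=False),
]
```

Running `prioritize(SAMPLE)` puts the internet-facing finding with public exploit code first even though two other findings have a higher raw CVSS score once their exposure and controls are taken into account.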

Continuity is Key

Vulnerability management is hard. You have to perform it continually to ensure that all of your systems and applications are always up to date and that you identify each new vulnerability as soon as possible.

You may need to change the mindset of your security teams. The best way is to implement continuous processes that will affect their day-to-day work. Periodic testing and remediation just aren’t enough if you want to ensure that you keep on top of your security status. And the most reliable and effective way to manage vulnerabilities continuously is with automation.

The Importance of Prioritization 

The goal of security teams is to fix all the vulnerabilities detected in your company’s assets. However, it’s just about impossible to achieve that goal. Prioritization, therefore, is the key to a successful implementation of a new vulnerability management program. 

You need to ensure that you set clear guidelines for each asset, i.e., which vulnerabilities should be remediated and which should not. Vulnerability management consultants can help define a risk-based prioritization procedure based on your assets and the market.

Under a strong vulnerability management program, each process is viewed as a continual lifecycle aimed at helping to improve security and reduce organizational risk found in a company’s network. 

Get Help if You Need It

Today’s tools can simplify and automate the process of vulnerability management. ZenGRC works with other tools and technologies to collect and store data on your vulnerabilities and tells you what you need to do to resolve them. It tracks tasks so you always know what’s being done and by whom, shows your compliance (including for ISO certification) and risk management stature on user-friendly dashboards, allows unlimited self-audits in a few clicks, and much more.

Worry-free cybersecurity risk management is the Zen way. Contact us today for your free consultation.
