Every year, cybercriminals find and take advantage of a corporate system’s vulnerabilities. They feast on open communication protocols and exposed databases that show no sign of regular security maintenance or prevention techniques.
While vulnerability management won’t stop 100% of these attacks, it is a solid preventative measure in anyone’s security arsenal. If you’ve been curious about implementing an official vulnerability management program, keep reading. This post covers the basics and explains why today’s organisations should have one.
What is vulnerability management?
In the IT world, vulnerability management is the “proactive approach to managing network security” by identifying, assessing, managing, and mitigating flaws in code, design, workloads, systems, and endpoints before criminals exploit them. Managing vulnerabilities is typically done through automated detection tools, regular reviews of IT and business operations, and human effort. The proactive approach helps organisations identify and prioritise risks appropriately and then address the vulnerabilities as quickly as possible. Organisations remediate and address identified vulnerabilities through patching and other security configuration measures.
Before we get too deep into the details of vulnerability management, let’s take a step back and review some concepts and definitions.
The difference between vulnerabilities, risks, and threats
Many people and organisations use the terms vulnerability, risk, and threat interchangeably. However, subtle differences between them can affect processes and remediation activities.
- A vulnerability is a weakness in an asset or group of assets that can be exploited by one or more threats.
- A threat is something or someone that can exploit a vulnerability.
- A risk is what happens after a threat exploits a vulnerability. Simply put, it’s the damage caused by an open vulnerability being exploited by a threat.
Generally speaking, organisations should be concerned about vulnerabilities since they’re the starting point for all the damage that could happen. For example, an open communication port that’s Internet-accessible can be used to enter a corporate network. Insecure software or operating system configurations could allow criminals to gain privileged access through approved interactions with that software or system. Even seemingly innocuous system services like the Unix “finger” service or the Linux “pipe” tool can be abused by criminals, and have therefore been treated as vulnerabilities and mitigated.
The main types of vulnerabilities
Today’s organisations face four main types of IT vulnerabilities:
- Network vulnerabilities: These are hardware, software, or operational process weaknesses that bad actors use to access your network.
- Operating system vulnerabilities: Cybercriminals use bugs or flaws in the operating system software code to access other parts of an asset or network.
- Configuration vulnerabilities: Incomplete installations, poorly executed system changes or updates, and default deployments make it easy for cybercriminals to exploit the flaws and attack networks and devices.
- Application vulnerabilities: These flaws compromise the application’s security for anyone using it, which criminals could use as an entry point into a network or system.
Mitigating these vulnerabilities is a challenge since organisations use so much technology throughout their businesses. That’s why a robust vulnerability management process is vital. Yet each business and organisation is different, so learning how to prioritise vulnerabilities can be an important first step.
Ranking and categorising vulnerabilities
There are several open industry standards that organisations can use to identify, assess, and communicate the severity and characteristics of vulnerabilities, such as the Security Content Automation Protocol (SCAP) standard developed by the National Institute of Standards and Technology (NIST) and the Common Vulnerability Scoring System (CVSS). Combining the two standards can be helpful to organisations looking for a more quantifiable rationale for vulnerability management decisions. Here is a general overview of how that works:
- Common vulnerabilities and exposures (CVE): Each CVE identifies a specific, publicly known vulnerability through which an attack may occur.
- Common configuration enumeration (CCE): This list of system security configuration issues can be used to develop guidelines and processes to prevent attacks.
- Common platform enumeration (CPE): The standard method of describing and identifying applications, operating systems, and devices within an IT environment. CPEs are used to describe what a CVE or CCE applies to.
- Common vulnerability scoring system (CVSS): A scoring system that assigns severity scores to each defined vulnerability from 0 to 10, with 10 being the most severe. It’s used to prioritise remediation efforts and resources according to the threat and risk it poses.
Protecting your systems with vulnerability management
Cybercriminals look to exploit discovered vulnerabilities to cause financial or reputational damage to a business. Vulnerability management can protect your systems, networks, and data by seeking to close existing security gaps before they’re exploited. Many organisations will patch their systems, reconfigure insecure settings, and think they’re done. And they’d be wrong.
Formal vulnerability management processes go beyond patching and reconfiguring. They require a more active and regular approach to vulnerabilities that demands an organisational mindset shift and collaboration across multiple teams and business areas. Guidelines and processes must be defined, developed, and deployed so the entire organisation can be ready to mitigate any vulnerabilities found and reduce the threat and risk they pose.
Organisations often err by thinking a vulnerability assessment is the same thing as vulnerability management. An assessment is a point-in-time evaluation of a system, host, or network; it should be repeated regularly, but it is only one part of the entire vulnerability management process. Organisations will often run multiple assessments to gather more information for their vulnerability management action plan.
Why is vulnerability management vital today?
Cybersecurity is essential since businesses and organisations rely heavily on technology for regular operations. Any disruption could lead to financial and reputational fallout, so they must do all they can to guard against attacks or failures. And it’s not just technology companies that are at risk from their vulnerabilities. Just look at this quick list of breaches from last year alone:
- 3.3 million Audi and Volkswagen customers had their data stolen and put up for sale on a cybercriminal forum due to an unsecured and exposed database.
- Colonial Pipeline was struck by ransomware that disrupted fuel delivery across the US because of an exposed remote access service (a legacy VPN service the company no longer used).
- It took three months for Microsoft to develop an emergency patch for several remote code execution and server-side request forgery vulnerabilities that affected over 30,000 Microsoft Exchange customers.
Any business or organisation that uses web applications, APIs, and connected devices is a target for criminals looking to create damage. Over 20% of reported vulnerabilities are rated critical or high severity for organisations today, so vulnerability management is fast becoming an essential part of any incident management process and security posture.
The benefits of vulnerability management
Managing vulnerabilities helps businesses avoid unauthorised access, illicit credential usage, and data breaches by internal and external bad actors. A formal program provides structured guidelines that help you evaluate and secure your network. It helps conduct a thorough search and analysis of existing systems and provides a way to securely monitor and protect them as they change in the future.
A robust vulnerability management process helps ensure that any vulnerability you find has the shortest possible life span and reduces the threat and risk to your business. It can help your organisation comply with regulations and standards globally, such as GDPR in the EU and UK, and provide proof of due diligence for any incident management post-mortems you conduct if your network is compromised despite your best efforts.
The main phases of vulnerability management
While each organisation’s vulnerability management process will be unique to its situation and tech stack, most follow these four phases:
- An asset identification and assessment to determine the asset’s criticality, find or assign asset ownership, establish the frequency of asset scanning, and identify timelines for asset remediation.
- The discovery and inventory of the assets on the network.
- The discovery and identification of vulnerabilities on the identified assets.
- The scanning, reporting, and remediation processes for the identified assets.
Phase 1 is more concerned with building a process for the subsequent phases. Phases 2-4 build on that by developing the processes and procedures needed for each one and the continuous improvement of them going forward.
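The ranking standards above (CPE to say what an asset is, CVE to say which flaw applies to it, CVSS to say how severe it is) and the four phases come together in the remediation plan, so here is a small worked example of that join. This is an added illustration, not Redcentric’s code or tooling: the asset names, CPE strings, owners, criticality ratings and the `CVE-PLACEHOLDER-n` identifiers are all constructed, the CVSS base scores are made up, and the remediation timelines in `SLA_DAYS` are an assumed internal policy rather than any standard. Only the qualitative severity bands in `cvss_rating` (None, Low, Medium, High, Critical) are taken from the CVSS v3.x specification.

```python
"""CVSS-driven remediation prioritisation over a constructed asset inventory.

Added example; not the page author's code. Everything below except the CVSS
v3.x severity bands is a constructed assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str         # hostname (constructed)
    cpe: str          # CPE 2.3 formatted string for the installed product (constructed)
    criticality: int  # business criticality assigned in phase 1: 1 (low) .. 4 (critical)
    owner: str        # remediation owner assigned in phase 1


@dataclass(frozen=True)
class Finding:
    cve: str     # placeholder in CVE-like format; NOT a real CVE identifier
    cpe: str     # the CPE the finding applies to
    cvss: float  # CVSS base score, 0.0 to 10.0 (constructed)


# Phase 1 + 2 output: inventoried assets with criticality and ownership (constructed).
ASSETS: List[Asset] = [
    Asset("web-01", "cpe:2.3:a:example:webportal:4.2:*:*:*:*:*:*:*", 4, "app-team"),
    Asset("fileshare-03", "cpe:2.3:a:example:fileshare:1.8:*:*:*:*:*:*:*", 2, "infra-team"),
    Asset("kiosk-07", "cpe:2.3:o:example:kioskos:2.0:*:*:*:*:*:*:*", 1, "facilities"),
]

# Phase 3 output: vulnerability feed keyed by CPE (constructed placeholders).
# The last entry names a product that is NOT in the inventory, to show how an
# inventory gap (e.g. a forgotten legacy service) silently drops a finding.
FINDINGS: List[Finding] = [
    Finding("CVE-PLACEHOLDER-1", "cpe:2.3:a:example:webportal:4.2:*:*:*:*:*:*:*", 9.8),
    Finding("CVE-PLACEHOLDER-2", "cpe:2.3:a:example:fileshare:1.8:*:*:*:*:*:*:*", 7.5),
    Finding("CVE-PLACEHOLDER-3", "cpe:2.3:o:example:kioskos:2.0:*:*:*:*:*:*:*", 8.1),
    Finding("CVE-PLACEHOLDER-4", "cpe:2.3:a:example:webportal:4.2:*:*:*:*:*:*:*", 5.3),
    Finding("CVE-PLACEHOLDER-5", "cpe:2.3:a:example:legacyvpn:3.0:*:*:*:*:*:*:*", 9.1),
]

# Assumed remediation policy (days to fix by severity); halved for criticality >= 3.
SLA_DAYS: Dict[str, Optional[int]] = {
    "Critical": 7, "High": 30, "Medium": 90, "Low": 180, "None": None,
}


def cvss_rating(score: float) -> str:
    """Map a CVSS base score to the CVSS v3.x qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def remediation_days(rating: str, criticality: int) -> Optional[int]:
    """Apply the assumed SLA table, tightening it for high-criticality assets."""
    base = SLA_DAYS[rating]
    if base is None:
        return None
    return max(1, base // 2) if criticality >= 3 else base


def prioritise(assets: List[Asset], findings: List[Finding]) -> Tuple[List[Dict], List[str]]:
    """Join findings to inventoried assets by CPE and order them for remediation.

    Returns (plan, unmatched). plan is sorted highest priority first, where
    priority = CVSS score x asset criticality. unmatched lists finding ids whose
    CPE matches nothing in the inventory: that is an inventory gap to chase,
    not a clean result.
    """
    by_cpe: Dict[str, List[Asset]] = {}
    for asset in assets:
        by_cpe.setdefault(asset.cpe, []).append(asset)

    plan: List[Dict] = []
    unmatched: List[str] = []
    for finding in findings:
        targets = by_cpe.get(finding.cpe)
        if not targets:
            unmatched.append(finding.cve)
            continue
        rating = cvss_rating(finding.cvss)
        for asset in targets:
            plan.append({
                "asset": asset.name, "owner": asset.owner, "cve": finding.cve,
                "cvss": finding.cvss, "rating": rating,
                "priority": round(finding.cvss * asset.criticality, 1),
                "due_days": remediation_days(rating, asset.criticality),
            })
    plan.sort(key=lambda row: (-row["priority"], -row["cvss"], row["asset"]))
    return plan, unmatched


if __name__ == "__main__":
    plan, unmatched = prioritise(ASSETS, FINDINGS)
    for row in plan:
        print(f"{row['priority']:>5}  {row['rating']:<8} {row['cve']:<18} "
              f"{row['asset']:<13} owner={row['owner']:<11} due in {row['due_days']}d")
    print("findings with no inventoried asset (inventory gap):", unmatched)
```

Two things the output makes visible that a raw scanner report does not: a Medium finding on the criticality-4 web portal outranks a High finding on a low-value kiosk, which is the “prioritise according to the threat and risk it poses” point from the CVSS bullet applied with phase 1 data; and the `legacyvpn` finding lands in `unmatched` rather than in the plan, which is exactly how an unused but still exposed service escapes remediation when phase 2 discovery is incomplete.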
While breaches and other attacks will happen even with a vulnerability management program, an organisation’s network, data, and systems are more secure than without one. Cybercriminals will always be more creative at finding ways in. A robust vulnerability management program will help any business mitigate the gaps through standard processes even if they are breached.
No process is foolproof, but having a documented vulnerability management program and approach will help set a solid foundation for better cybersecurity. It’ll help any business do the necessary regular scanning, identifying, and mitigating vulnerabilities proactively, reducing downtime and risk.
For help with your vulnerability management program, contact Redcentric today. Whether it’s your first one or you need help updating your existing one to handle the added vulnerabilities your network has, Redcentric can help.