
Security Think Tank: Adopt a proactive approach to software vulnerabilities

What is the most practical and cost-effective way for organisations to identify and remediate high-risk software vulnerabilities?

According to recent research, only 16% of companies are clear of vulnerabilities that could be exploited in an external cyber attack. Looked at the other way round, that means 84% of organisations are leaving the doors open for hackers to access their IT systems and all that they contain.

There is no doubt that today’s IT environment is complex, and the connected world in which most enterprises operate widens the risk landscape. Bad actors know this only too well, and continually devise new tools and methods to exploit it.

However, there is much that can be done to prevent breaches in the first place, as well as minimise the consequences should an attack happen – with the general rule of thumb being that an occurrence is a case of “when” not “if”.

Adopting a security mindset

The first tactic to avoid attacks on software has little to do with the technology itself – it is rooted in business strategy.

Despite heightened awareness about cyber attacks and their consequences, IT security is often an afterthought for many organisations, added on after the system architecture has been designed, or regarded as an overhead and therefore not prioritised for investment. This risks it being less effective, as well as indicating a lack of maturity in the overall enterprise mindset around protecting systems and data.

IT security needs to be given the same importance as the business functions it is there to protect, and designed in from day one. Making system security a business – and boardroom – consideration means that other risk management procedures follow.


Security by design

The first of these is undertaking key security hardening activities to ensure systems and software are protected from day one. For example, commercial off-the-shelf software might have default settings that require passwords to be eight characters, but if the organisation’s password policy specifies they should be more complex, this needs to be modified before the tools are used.

Similarly, a database used in conjunction with an application also needs to be hardened. Passwords provided when the database is shipped need to be changed, for example, while privileged access must be managed.

A commitment to security hardening at the outset is also cost-effective as it negates the need to then continually check for vulnerabilities that, because they are already known about, can be prevented.

Patch management

Proactive patch management goes a long way to reducing software vulnerability, and should therefore be part of this strategy.

Patch schedules

Security patches to correct flaws as they are discovered are continually developed by software suppliers and researchers. Organisations need to set and adhere to a business process that makes patching a scheduled activity, rather than an ad hoc add-on.

This requires responsibility to be allocated to ensure consistent and ongoing effort in identifying the systems that require patching and knowing the patch schedule for relevant suppliers – Patch Tuesday for Microsoft, or the second Tuesday of the month for SAP, for example.

Once patches are released, they need to be evaluated and, if required, applied as soon as possible. Failure to do so exposes the enterprise to weaknesses.

Streamlining the process

A fast-track approach helps to prioritise the security patches that are most critical to apply. Being less intensive than a full support pack upgrade, it is not as comprehensive, but it is a useful tactic for large organisations with complex software landscapes that need to streamline their security patching process and deal with the most critical fixes first.

Patch support packs contain every single fix that a system may require, but applying the whole pack every time is not feasible as it introduces too much change too quickly. An organisation needs to assess what has been provided and prioritise the elements that are most critical to its own systems.

A set level of integration testing is performed, backed up by in-depth analysis of the likely impact. By placing security-critical patches into their own enterprise track, which can be independent of wider functional patching or service-level upgrades, an organisation can reduce the level of testing required.
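One way to implement the triage behind such a fast track, as an added illustration rather than anything from the article: a supplier's monthly release is split into the security-critical fixes that go straight onto the enterprise track, the remainder that can wait for the scheduled support pack, and fixes for components the organisation does not run. The patch identifiers, component names, severity threshold and the "exploited" flag (as a threat intelligence feed might supply) are all constructed assumptions.

```python
"""Fast-track triage of a supplier patch release (constructed example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Patch:
    patch_id: str      # constructed identifier, not a real supplier note
    component: str     # constructed: which installed component it fixes
    security: bool     # security fix, as opposed to a functional change
    severity: float    # CVSS-style 0.0-10.0 score from the supplier note
    exploited: bool    # reported as exploited by a threat intelligence feed


# Components actually deployed in this (constructed) estate.
INSTALLED = {"erp-core", "web-portal", "db-server"}

# Assumption: high and critical severities qualify for the fast track.
FAST_TRACK_THRESHOLD = 7.0


def triage(patches):
    """Split a release into (fast_track, support_pack, not_applicable).

    fast_track is ordered with exploited fixes first, then by severity,
    so integration testing effort goes where the exposure is greatest.
    support_pack keeps the supplier's order for the regular cycle.
    """
    fast, regular, skip = [], [], []
    for p in patches:
        if p.component not in INSTALLED:
            skip.append(p)  # nothing in the estate to patch
        elif p.security and (p.exploited or p.severity >= FAST_TRACK_THRESHOLD):
            fast.append(p)
        else:
            regular.append(p)
    fast.sort(key=lambda p: (not p.exploited, -p.severity))
    return fast, regular, skip


# Constructed sample release used by the example.
SAMPLE_RELEASE = [
    Patch("P-001", "erp-core", True, 9.8, False),
    Patch("P-002", "web-portal", True, 6.5, True),
    Patch("P-003", "erp-core", False, 0.0, False),
    Patch("P-004", "db-server", True, 5.3, False),
    Patch("P-005", "legacy-crm", True, 9.1, False),
]

if __name__ == "__main__":
    for label, group in zip(("FAST TRACK", "SUPPORT PACK", "N/A"), triage(SAMPLE_RELEASE)):
        print(label, [p.patch_id for p in group])
```

Note that P-002 outranks P-001 on the fast track despite its lower score, because reported exploitation trumps severity alone; that is the point of feeding threat intelligence into the schedule.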

Proactive defence

Resilience is significantly improved in organisations that have awareness of the potential threats they face.

The impact of an attack, should it happen, can be minimised if an organisation is well prepared from the outset, having armed itself with as much knowledge as possible about any potential breaches.

Adopting a proactive defence strategy helps to pre-empt as many threats as possible. Activities include looking at threats faced by other enterprises; staying up to date with information security developments and discussions; sharing information that could be useful to other organisations; and keeping track of developments in the hacking community.

Periodically performing an application security assessment is another critical component of a proactive defence strategy. This tests the key security settings that have been put in place to harden applications to ensure they are working and up to date. This can be supplemented by penetration testing to ensure as many routes as possible into enterprise systems are closed off to hackers.

It is also worth considering subscribing to a cyber threat intelligence service, which shares details of vulnerabilities and whether they have been exploited.

Monitoring for breaches

No matter how well an organisation protects itself against exploitation, as referenced above, the likelihood of its systems being breached is high. Identifying an attack early on means it can be shut down more quickly, so the damage it does – whether to data, finances or reputation – is limited.

IT systems therefore need to be monitored so that the first signs of a breach are acted on quickly. Many core products are shipped with effective monitoring capabilities, although these are often not optimised.

It’s also important to continuously improve monitoring activities, with new vulnerabilities added to the process as they are discovered.

In conclusion, the reliance of today’s organisations on sophisticated technology for business activities also makes them vulnerable to cyber crime. A proactive approach to IT security is the best protection.
