Security Think Tank: Eight controls to manage software vulnerabilities

To identify and remediate software vulnerabilities, I would advise any security professional to “do the basics brilliantly”. Namely, identify and contain the vulnerability before it metastasizes. This can be achieved through using eight controls against existing industry standards such as ISO 27001, which does not require any additional cost.

1. Where security expertise and testing are built in from the outset, follow an independently assured software development lifecycle. This will ensure any software vulnerabilities are identified early and prevented from entering the production environment where an external attacker could exploit.

2. Patch systems regularly. Due to resources, it may not be possible to patch every piece of software. It is possible, however, to follow a defined patching procedure and fix effectively where you can. This will prevent vulnerabilities that can be exploited.

3. Disable untrusted macros. This will help prevent malicious executables from being executed.

4. Perform application whitelisting. Only approved applications can run – preventing individuals from intentionally or negligently installing malicious/untrusted software on the corporate network.

5. Authenticate emails. Deploy authentication protocols such as DMARC. This will help prevent emails with spoofed addresses and so remove one of the largest attack techniques at the perimeter. Email risk scoring tools then can be used to identify suspect emails and quarantine them for analysis.

6. Ensure antivirus and anti-malware controls are up to date. Based on unusual behavioural activity, more advanced products can help prevent attacks before they manifest.

7. Phishing awareness campaigns. It only takes one user to open an infected link on an email for a system to be infected; this remains the primary vector for an external attacker to gain network access by exploiting a software vulnerability. Reduce this risk by ensuring employees are aware of the threat and periodically tested via online training and periodic phishing campaigns.

8. Incident response. Should the worst-case scenario materialise, ensure your incident responders are well trained and qualified, frequently practice realistic scenarios, operate according to defined practices and procedures, and have an easy and high-profile reporting process. The “golden hours” following confirmation of a successful attack are crucial in limiting impact.

Depending on in-house expertise, additional cost may be justified in performing intelligence-led security testing. This should include Vulnerability scanning and penetration testing which is periodically executed on a risk-assessed basis according to the criticality of assets to business operations.

Both perimeter and internal network should be in scope to understand how a successful attacker may gain access and then move about the network. Identified vulnerabilities should then be treated as part of a risk register.