For me, the challenge of high-risk software vulnerabilities is not always remediation. In fact, technical vulnerabilities are almost always fixed in one of two ways – change a configuration, or apply a software update in the form of a security patch.
Chief information security officers (CISOs) face two fundamental challenges, which are applicable to both scenarios:
1. Visibility: It’s one thing applying a security update to an appliance or piece of software, but companies don’t always know where all their assets exist. In a world where users are spending as much time “off network” as they are on the local area network (LAN), do companies even know where their vulnerabilities are?
2. Cyber inertia: The concept of cyber inertia is somewhat more comprehensive than just patch and configuration management. The truth is that companies are not keen on making configuration changes because they are unsure what will break as a result. Take WannaCry, for example. Everyone knew they needed SMB v1 (server message block protocol version 1) turned off, but I know many organisations that were unsure what this would break, if anything. Vulnerabilities cannot be remediated if we don’t understand the known good configuration with which we are operating.
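Whether turning off SMB v1 will break anything can be answered with evidence before the change is made. The following PowerShell is an added example, not code from the original article; it assumes an elevated session on a Windows file server running Windows Server 2016 / Windows 10 or later (the SMB1 audit switch and the SMBServer/Audit event channel are not available on older versions). It reports the current SMB1 setting, lists live sessions that negotiated an SMB1 dialect, enables Microsoft’s SMB1 access auditing, and summarises the audited clients, which is how the “known good configuration” the text calls for is established rather than guessed.

```powershell
# Added example (not from the article). Run elevated on a Windows file server
# (Windows Server 2016 / Windows 10 or later). Read-only apart from enabling
# the SMB1 audit flag, which itself changes nothing for clients.

# 1. Server-side SMB1 state: is the protocol enabled, and is access being audited?
$cfg = Get-SmbServerConfiguration
"SMB1 enabled: $($cfg.EnableSMB1Protocol)  SMB1 auditing: $($cfg.AuditSmb1Access)"

# 2. Live evidence: sessions that negotiated an SMB1 dialect (anything below 2.0).
#    Each client listed here would lose access if SMB1 were disabled right now.
$smb1Sessions = Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens
if ($smb1Sessions) {
    "Active SMB1 sessions (investigate before disabling SMB1):"
    $smb1Sessions | Format-Table -AutoSize
} else {
    "No active SMB1 sessions at this moment (a single snapshot; rely on the audit below)."
}

# 3. Turn on SMB1 access auditing so that connections over days or weeks,
#    not just this instant, are recorded in the event log.
if (-not $cfg.AuditSmb1Access) {
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    "SMB1 access auditing enabled."
}

# 4. Summarise audited SMB1 clients (event ID 3000 in the SMBServer/Audit channel).
#    Re-run after a representative period, e.g. a full month-end cycle, so that
#    infrequent legacy clients are caught before the configuration change.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000
} -ErrorAction SilentlyContinue
if ($events) {
    "SMB1 access events since auditing began, grouped by event text (includes client address):"
    $events | Group-Object -Property Message |
        Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize -Wrap
} else {
    "No SMB1 audit events recorded yet."
}
```

An empty session list and an empty audit log after a representative period together give the evidence that the change is safe; either on its own does not.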
Vulnerability management requires companies to follow a four-step process:
Step 1: Understand the assets
This sounds obvious, but it is often overlooked. It’s also not easy. The proliferation of device types in most enterprises means the number of assets grows exponentially, along with many more users of these devices and more types of data travelling through them.
Step 2: Profile organisational threat actors and their tools, techniques and procedures
Once we understand what we’re looking to protect, we need to better understand who is looking to obtain access to our assets and the capabilities they possess.
Here again, context is important. Many CISOs I know say that they cannot afford to protect themselves from nation states. But the fact is that many cyber criminals use tools formerly thought of as the exclusive domain of nation-state actors, such as encrypted communications and polymorphic malware. If many bad actors are using these tools, then organisations can’t ignore them.
Step 3: Identify your vulnerabilities
Vulnerabilities are weaknesses across people, processes or technology. Why do we identify vulnerabilities after we profile threats and classify assets? Because we live in a world where absolute security simply isn’t possible. Automated tools can only do so much in terms of unearthing the weak points, such as finding technical vulnerabilities in a software stack, but they can’t tell if your users need training so threats don’t get past them.
Pragmatism and prioritisation are two key tenets of good vulnerability management. We need to look at which systems house data we are concerned about, and in what volume. A few key questions to ask about these systems are:
- Are the systems externally accessible?
- Are the applications servicing the data running their most up-to-date versions?
- Where and how are login details being stored?
- Is sensitive information encrypted when it is sent?
Step 4: Apply controls and safeguards
Vulnerabilities will always crop up. However, controls and safeguards can lessen the impact or likelihood of a risk occurring. Controls do not have to be absolute. It’s unusual for a control to remove a risk entirely – we’re looking to lessen the risk to a palatable level. Who sets this bar? Again, it’s the business.
Read more from the Computer Weekly Security Think Tank about managing software vulnerabilities