Security Think Tank: How to manage software vulnerabilities

What is the most practical and cost effective way for organisations to identify and remediate high-risk software vulnerabilities?

Software vulnerabilities continue to be discovered on a daily basis, and it can often be a race against the hacker to apply relevant updates and remediate a vulnerability before the weakness is exploited. This is particularly the case for zero-day vulnerabilities, where hackers have the advantage of a newly exposed vulnerability for which a patch is not yet available.

Establishing and enforcing a robust process for managing vulnerabilities is imperative, but can demand significant resources and time, adding to the cost of software ownership. Core elements of vulnerability management include an accurate asset inventory (typically achieved using a configuration management database) and a vulnerability scanner.

There are several methods for organisations to identify software vulnerabilities that span two different types of scanning: authenticated and unauthenticated.

Authenticated scanning can identify individual patches on systems using valid credentials, whereas unauthenticated scanning provides the equivalent of a hacker’s view from the outside (such as open ports and applications running). While the latter may have less value, performing both types of scans on a regular schedule enables organisations to achieve maximum visibility.

For large organisations with a big IT estate, the duration of a full scan can mean the information gleaned is already out of date before the scan completes. Scanning needs to be continual, and a follow-the-sun approach can ensure that most systems are “on” at the time of the scan.

A vulnerability scanner can only ever be as good as the vulnerability information that feeds into it. Organisations will seldom be able to rely on a single source of information that covers all devices, applications and systems that may require patching. It is therefore important that organisations obtain updated feeds from relevant suppliers in addition to using external and internal threat intelligence.

Effective remediation requires organisations to triage vulnerabilities and prioritise those which are high risk. Suppliers will provide a risk rating for detected vulnerabilities, but these need to be interpreted taking into consideration the specific context of your organisation and its unique systems. In certain circumstances, a vulnerability described as low risk by a supplier may present a high risk for your organisation and vice versa.

To determine which patches to apply and the risk of doing so, a comprehensive knowledge of your organisation’s estate is necessary. Often systems can be set to update automatically, but in many cases patches should be tested first and deployed to a pilot group to verify their impact before wider installation. The extent of testing can vary depending on the level of criticality of the service and the risk of applying a given patch.

In addition to testing, the process for installing patches should include a contingency plan if a patch introduces more vulnerabilities or causes problems. The capability to roll back updates and patches that do not perform properly is essential to ensure critical services remain available.

Even for those systems that update automatically, it should not be presumed that installation will be a success – there is always the potential for unintended consequences and updates may not install properly or fail, requiring some form of manual intervention.

Finally, it is important to recognise that it may not be possible to apply patches to all systems and infrastructure, whether due to age, incompatibility or reasons of practicality. Organisations should develop an approach to deal with systems that cannot readily be updated and therefore require implementation of compensatory controls to mitigate the risk of exploitation by adversaries.
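The triage described above (a supplier's rating re-read in the organisation's own context) and the compensating-control case for systems that cannot be patched, as an added example that is not part of the article: scanner findings are joined to a CMDB extract and re-scored so that a supplier "low" on an internet-facing critical host can outrank a supplier "high" on an isolated development box, with hosts missing from the inventory flagged as a gap. The weights, field names, hostnames and plugin ids are constructed assumptions, not values from any real scanner or CMDB.

```python
# Added example, not from the article: contextual triage of scanner output.
# A supplier's severity is re-weighted by what the CMDB says about the host,
# so a supplier "low" on an exposed critical system can outrank a "high" on
# an isolated dev box. Weights, field names and all data are constructed.

SUPPLIER_SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed CMDB extract keyed by hostname.
CMDB = {
    "web-01": {"criticality": 5, "internet_exposed": True, "compensating_control": False},
    "db-01": {"criticality": 5, "internet_exposed": False, "compensating_control": False},
    "dev-07": {"criticality": 1, "internet_exposed": False, "compensating_control": False},
    "legacy-scada": {"criticality": 4, "internet_exposed": False, "compensating_control": True},
}

# Constructed scanner findings; plugin ids are placeholders, not real identifiers.
FINDINGS = [
    {"host": "web-01", "plugin": "PLUGIN-A", "severity": "low", "exploit_available": True},
    {"host": "dev-07", "plugin": "PLUGIN-B", "severity": "high", "exploit_available": False},
    {"host": "db-01", "plugin": "PLUGIN-C", "severity": "critical", "exploit_available": False},
    {"host": "legacy-scada", "plugin": "PLUGIN-D", "severity": "high", "exploit_available": True},
    {"host": "printer-09", "plugin": "PLUGIN-E", "severity": "medium", "exploit_available": False},
]


def contextual_score(finding, cmdb):
    """Return (score, note): supplier severity scaled by organisational context."""
    asset = cmdb.get(finding["host"])
    note = ""
    if asset is None:
        # Host missing from the inventory: score conservatively and flag the gap.
        asset = {"criticality": 5, "internet_exposed": False, "compensating_control": False}
        note = "not in CMDB - inventory gap"
    score = SUPPLIER_SEVERITY[finding["severity"]] * asset["criticality"]
    if asset["internet_exposed"]:
        score *= 2.0  # reachable from outside, like the unauthenticated scan view
    if finding["exploit_available"]:
        score *= 1.5  # public exploit: exploitation is more likely
    if asset["compensating_control"]:
        score *= 0.5  # unpatchable system already mitigated by other controls
        note = note or "compensating control in place"
    return score, note


def prioritise(findings, cmdb=CMDB):
    """Rank findings highest contextual score first."""
    ranked = []
    for f in findings:
        score, note = contextual_score(f, cmdb)
        ranked.append({"host": f["host"], "plugin": f["plugin"], "score": score, "note": note})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

Running `prioritise(FINDINGS)` places the supplier-rated "low" on web-01 above the "high" on dev-07, and surfaces printer-09 as an inventory gap to be resolved before its rating can be trusted.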

The need to continuously detect and remediate software vulnerabilities will remain a core undertaking that must account for new and emerging threats to protect against harmful attacks. Keeping pace with the constant stream of new vulnerabilities is no easy task, but one that must be tackled in tandem with prioritising remediation to keep your organisation’s systems secure.
