Security Think Tank: No shortcuts to addressing software vulnerabilities

Successful cyber attacks exploit weaknesses in an organisation’s defences. Hackers probe networks, looking for gaps in firewalls, and users are duped into downloading malware.

These risks can be reduced through strong, consistent and regularly updated cyber security defences, alongside user education. However, many attacks also rely on another weakness that is often beyond an organisation’s immediate control – software vulnerabilities.

A software vulnerability is a flaw in code (unintentional or otherwise). Once the broader IT security industry is aware of a new exploit – either once discovered and notified or after its first use in an attack – software suppliers will create a patch for remediation, and enterprises must deploy the patch to mitigate the risk.

At this point, it is the speed of a given organisation’s vulnerability management capability that will ensure its ongoing protection. That said, all too many organisations remain exposed to long-known exploits where the underlying vulnerability has not been fixed, despite remediation being available.

Nearly all attacks exploit historic vulnerabilities rather than using newly found zero-days, the latter of which are rare and highly valued by hackers. As such, it is crucial organisations have a systematic approach to identifying, prioritising and remediating their high-risk, known vulnerabilities, while practicing cyber hygiene that will limit the impact of potential zero-day exploits.

Usually, vulnerabilities will be remediated using a patch management framework, which will include a process for testing and deploying the patch, and recording that the patch has been applied. Occasionally, a patch might be unavailable or cannot be applied, and an additional process to deal with this situation will need to be developed.

In addition to addressing published vulnerabilities, most organisations undertake Vulnerability scanning on a regular basis (for a point-in-time view), but rarely have the resources to address all identified vulnerabilities. As such, remediation must be prioritised.

Prioritisation is generally based on a series of risk assessments. A risk assessment will consider the likelihood of the vulnerability being exploited, and the anticipated business impact should the exploit happen. The combination of likelihood and impact will provide a risk rating, which can then be applied to vulnerability management and remediation.

There are no shortcuts to addressing vulnerabilities. Vulnerability scanning, prioritisation and a formal patch management program are recommended to protect the organisation from threats exploiting known vulnerabilities.