Vulnerability Management – A Best Practice
by Robert Bond
3 Keys to Effective SMB Vulnerability Management
Small and medium-sized businesses have been facing an increased number of threats from cyberattacks over the past several years. According to Verizon’s 2019 Data Breach Investigation Report, 43% of attacks are specifically aimed at small businesses. Since many smaller companies often have a lower budget and focus for security issues, these attacks can be particularly harmful; many even crippling for businesses. Although exact statistics are heavily debated on Capitol Hill, it was reported by Threatbrief and several other outlets back in 2017 that nearly 60% of small businesses close within 6 months after experiencing a cyberattack. Thus, SMBs must be vigilant to set up and maintain proper vulnerability management systems.
What is Vulnerability Management?
Vulnerability management exists for the purpose of identifying and remediating vulnerabilities in systems quickly before they are exploited. Vulnerabilities, which are essentially weaknesses within software can lead to a system or network that can be exploited by attackers. These vulnerabilities must be identified, assessed, and patched regularly to ensure ongoing security. In order to create and maintain a strong security posture, business owners and security officers must be keenly aware of the vulnerabilities on their systems, as well as the process by which they can be quickly patched. If vulnerabilities are not identified or remediated, companies leave themselves open to attacks.
Vulnerability Management vs Vulnerability Assessments
Vulnerability management is an ongoing process that encompasses scanning for vulnerabilities, assessing the risk involved with each one, and then prioritizing vulnerabilities for remediation. With commitment and an experienced IT security team, this cycle never stops. Scanning and assessment lead to remediation, which then leads to a new cycle of rescanning. It is a process that ensures new vulnerabilities are quickly found and eliminated to minimize the risk of an attack. This long-term vulnerability management process is different than a one-time vulnerability assessment, which gives the company a snapshot of its system vulnerabilities at a single point in time.
A one-time vulnerability assessment is the process of scanning for and identifying possible vulnerabilities and risks within the system. Although an ongoing vulnerability management system is far more effective than a one-time scan and assessment, there are reasons why companies might choose to only do a periodic vulnerability assessment. Reasons include cost savings associated with not having a full-time internal security team or they may have a security program in its early stages or they simply want some validation of current security efforts and processes. Finally, PCI compliance, other compliance requirements, and cybersecurity insurance providers may demand vulnerability assessments and some rudimentary vulnerability management processes.
Clearly, for successful, long-term protection, businesses must invest more in their security program than a one-time assessment. Each organization needs a continual and ongoing vulnerability management program. Software is continually being updated and thus, new vulnerabilities are consistently introduced to the IT environment.
If new vulnerabilities are created after a vulnerability scan is run, they will obviously go unnoticed until the next scan. Many organizations only scan quarterly, however, with 22,000 known vulnerabilities found by the CVE last year it is wise to scan much more frequently so as not to leave vulnerabilities left unpatched for any significant period of time. Frequent and consistent scans should be implemented to ensure quick identification of vulnerabilities.
Effective assessment and management systems will not only include vulnerability scans, but also proper firewall rules review, VPN configuration, wireless assessment, and infrastructure review. Security staff may choose between internal and external scans, which take into consideration vulnerabilities in different areas of the system. The more areas you are monitoring and configuring for protection, the better your security posture will be.
Scanning for Common or Known Vulnerabilities
According to Verizon’s 2019 Data Breach Investigation Report, “98% of security incidents and 88% of data breaches continue to occur within one of nine patterns.” Understanding and taking steps to guard against the common patterns and approaches attackers use to infect your system will greatly increase the security posture of your company. One way to do this is to frequently scan for known vulnerabilities. These common weaknesses often have patches available from the software manufacturer that will eliminate the vulnerability.
Many common vulnerabilities can be found in Adobe Flash, Internet Explorer, plugins, and issues with web apps. Frequent scans with trusted security software, such as that from Saint, Nmap, Nessus, and TripWire IP360, can help you identify known vulnerabilities in your system. There are many professional vulnerability scanners available that do not require expert skills to use, however, to properly configure the scanner, evaluate the results and prioritize patching it is highly recommended that you hire a security professional if you do not have one on staff.
Prioritizing Vulnerabilities for Remediation
Scanning for vulnerabilities is the first step in an ongoing process. Once vulnerabilities are identified, they must be evaluated by your team according to the risk they pose to the company. Some vulnerabilities pose only small risks, which management may simply accept as a small risk and rank the vulnerability as low on the list of priorities to direct resources toward. Other vulnerabilities may pose a much higher risk, which management will want to quickly remediate in order to reduce the risk of having it exploited. The security team will evaluate the resources it has and choose how to use them with the highest priority vulnerabilities.
Speeding up Remediation through Communication between Teams
Once items are prioritized for quick remediation, it is essential for clear deadlines and procedures to be defined. The IT department will look for patches for the vulnerabilities or see if systems can be hardened, while asset owners should provide a timeline for the corrective actions they plan to take. The timeline and speed in which the remediation will occur is different for each system. However, steps should be taken to improve communication and organization to ensure each department or person involved provides clear input, times and guidelines for the actions they will take.
Spreadsheets and tracking modules within vulnerability scanners can be useful ways to track the remediation process within the team. If remediation is not possible within a reasonable amount of time for the level of risk involved, compensating controls may be an option. This might involve restricting access to the network for the specific vulnerable assets or finding virtual patches.
Assessing the Security Posture of the Company
The security posture of your company is comprised of the ongoing plan you have in place for identifying vulnerabilities as well as the speed and experience your team has in remediation and responding to threats as they arise. Simply having an expensive vulnerability scanner at your disposal is not enough to ensure that vulnerabilities are remediated in a timely manner.
Proper configuration of the scanner, firewall, VPN, and wireless systems are all essential to eliminating vulnerabilities. For most companies, a one-time assessment alone may fit the budget, however, it does not offer sufficient protection against new threats. To ensure your security dollars are not wasted when new vulnerabilities are exploited, run scans consistently and dedicate part of your team to remediating vulnerabilities. If you do not have a dedicated security team, consider hiring an outside source to not only assess the security posture of your company at this time, but also to recommend ongoing measures to actively protect the information and systems for your organization.
When implementing a vulnerability management process, experts recommend starting out with a small scope; perhaps several systems. The small scope will allow the stakeholders involved to focus on implementing a process and prevent the team from being overwhelmed with vulnerability information from hundreds or even thousands of systems.
Informing IT, specifically teams managing firewalls, IPS/IDS or other security monitoring systems, should be part of the vulnerability assessment and management process. The alerting on these systems is often triggered by vulnerability scanning tools, so it’s important to ensure the teams are aware of when the scans will take place.
The last step of the initial vulnerability management phase consists of planning the vulnerability scans. Depending on the scan configuration which includes the number of vulnerability checks, authentication scan type, and applications installed on the target, a vulnerability scan against a single IP address can take between a few minutes to a few hours. In case it is unclear how long a certain scan could last; it is recommended to perform a test scan on a similar test environment. This will provide an estimate on long these scans will take and their impact on the network.
Implementing a vulnerability management process
A vulnerability management process consists of five phases:
- Vulnerability scan
- Define remediating actions
- Implement remediating actions
Throughout the vulnerability management process, the security team will analyze the vulnerabilities, determine the associated risks and will provide input on risk remediation. Further, the team will analyze the vulnerabilities from a technical perspective and answer questions such as if patches are available or whether the configuration can be hardened. This ongoing process has proven to eliminate the vast majority of vulnerabilities that cybercriminals use to breach an organization.
Please call us if you have any questions. Our team is here to help you and each one of us is dedicated to keeping your customers, employees, and partners safe.
October 15, 2020
September 22, 2020