How to Have an Effective Vulnerability Management Process
If you are going to do something, you may as well do it right. A poorly designed and constructed vulnerability management program is essentially like having no program at all. Why spend the time, money, and resources putting together a program that won’t meet or exceed the expectations you have in place for it? The more effort you put into setting up your vulnerability management program now, the less time you will have to allocate towards dealing with errors and potentially successful attacks by cyber thieves because you’ll have a sustainable security process.
Vulnerabilities can come in many different forms. Anything from breaches, defacements, loss of data, privacy issues, etc. are all common problems that organizations face when they don’t have an effective program. So, what are the characteristics of a great vulnerability management program?
The Importance of Remediation
We will start out by bringing to light arguably the most important part of an effective vulnerability management program. As you may be able to guess, this is the remediation process. You can have the best program up to this point, but if you don’t actually spend the time and necessary money to fix the problems that you discover then everything before this step is essentially useless. Improving the overall security of your organization’s systems is the end goal for any vulnerability management program. The remediation process will not be the same for every problem that the system scanning uncovers. The type of risk, the severity of the risk, and where the risk lives all help determine the necessary steps that need to be taken to get the problem resolved.
An important piece to finish off the remediation process is to rescan the system in order to ensure your fix was effective. One of the last things you want to do is fall under the impression that you have eliminated the risk while it is still secretly lurking in the shadows.
Sustainability and Repeatability
Vulnerability management programs are not a tool that you use once and then forget about it. If you truly want to get the most out of your program, then regular assessments of your systems are necessary. With the fast-paced advancement of technology, cybersecurity, and hacker’s skill sets, the importance of continuous threat scanning has never been greater. Discovering these threats, hazards, and weaknesses in a timely manner can be the difference between your organization spending a reasonable amount of time and money to fix them, or your system offline for weeks on end while you fork over hundreds of thousands or millions of dollars to repel the invaders and get things back up and secure again. Recovering from attacks such as ransomware and breaches can cause damages other than just those of monetary value. Recovering from a breach can include sending notifications, paying for credit monitoring services, reputation damage, and fines. A recent study that can be found here shows that the average cost incurred by a business per lost or stolen data record containing personally identifiable information (PII) ranges from $146 to $175. This same study also found that 8 out of every 10 attacks specifically targeted PII.
Intro to Common Vulnerability Scoring System (CVSS)
Once all systems have been scanned, a comprehensive vulnerability management program will assess the risks found and determine the severity of each vulnerability. Common Vulnerability Scoring Systems (CVSS) provides organizations with a way to classify the field of vulnerabilities so that everyone is talking about them with numbers instead of descriptors. For example, 1-10 instead of medium or highly severe. This eliminates the chance of a company not applying appropriate risk levels to vulnerabilities because of a lack of appropriate context. Properly prioritizing the risks in an order of greatest to smallest threat is how a great program will help determine which issues need to be addressed first. However, it is important to keep in mind that risks can come from anywhere. Desktop environments, power users, and admins are all susceptible to vulnerabilities just like specifically targeted servers. Attackers will frequently jump from different systems in order to get to their final target. This is where CVSS shines. CVSS provides context that includes base metrics, impact, temporal factors, and environmental factors. At the end of the day, you don’t want to be spending a great chunk of your time fixing issues that have no real threat to your organization while a vulnerability that’s a larger threat goes untouched in the background.
Program Best Practices
So what are some things that you should be sure to avoid when putting your vulnerability management program to use? Many vulnerability management programs fail because there is no structure to the process as a whole. Rather than creating goals and following policies, many teams simply view the program as less important than operational IT concerns with no justified purpose. A lack of cohesion between security teams and IT teams is a recipe for failure when it comes to your vulnerability management program. One goal should be to avoid issues where the IT team is blaming the security team for not doing their job or vice versa. If the different teams within your organization can’t act as a whole, then don’t expect your program to run at its full capability.
Oftentimes one of the biggest mistakes an organization can make is not prioritizing the discovered vulnerabilities in order of highest to lowest risk using CVSS. It is so easy to do, but yet it can turn out to be an extremely costly mistake. Prioritizing low-risk vulnerabilities over far more threatening problems has proven to be the downfall of many organizations. Another huge mistake is the failure to act during the remediation stage. Although vulnerability scanning is a huge aspect of the process as a whole, if you don’t proactively act to fix the uncovered problems then your security will never see any type of improvement. It doesn’t matter how many times you scan for vulnerabilities. The real enhancement of the system’s security comes in the remediation stage. Lastly, many programs fail to look at systemic ways of reducing their threat profile. For example, standardizing on a limited number of specific technologies like databases and operating systems, maintaining current versions and patches, disabling unessential services, reducing trust relationships, and implementing network segmentation.
With that said, it is also extremely important to understand when it is worth it to fix a problem and when it is simply to accept the risk and not act. As organizations and individuals rely more and more on technology, it is not unheard of to uncover thousands of vulnerabilities in a single week. Realistically it is impossible to fix this many problems in a timely manner. This goes back to the need for prioritizing the vulnerabilities so you know which ones pose the greatest threat. Many times organizations come to the conclusion that the less important issues are better to leave untouched. When companies make this decision it is more than likely because it would be more expensive to fix the problem than it would be to leave it and have it suffer a breach. Along with this, company leaders sometimes determine that the loss in revenue due to the time it would take to turn a system offline, get the problem fixed, and then get everything back up and running is far greater than it would be if the vulnerability was exposed.
Stay the Course
One last scenario that is a common mistake for vulnerability management programs is relying too much on headlines you see in the news. It sounds funny, but it is definitely not unheard of to have bosses or CEO’s come into the office worried about a new breach or vulnerability that was on the news the night before. Naturally, they will want to make the remediation of those vulnerabilities a top priority. However, that is actually one of the worst things your organization can do. Dropping everything to fix these types of issues can cause your team to miss critical vulnerabilities that actually pose a real threat to your organization’s online systems. Not all companies and their respective systems are the same, so just because one organization experiences a major vulnerability within their systems does not necessarily mean that yours will face the same threat. A great vulnerability management program will discover what the real threats are during the scanning and prioritizing stages of the process.
Asset Inventory Considerations
We would be remiss if we didn’t talk about the importance of asset inventories where vulnerability management is concerned. Knowing what needs to be protected is a huge part of an effective vulnerability management program. A top-tier program provides the organization with the appropriate tools that can be used to uncover security weaknesses and threats to the systems the company thrives on. If you are unsure where the greatest security threats live within your systems, then your vulnerability management program will lack the ability to protect what is most important. It’s important to understand where your organization’s risks live and which systems process, store, and transmit that information. In order to protect information, you must understand what needs to be protected and where it lives. Not all data is or should be considered equal and requires specific controls appropriate to its classification.
As you can see, the vulnerability management process can become quite complex over time. However, taking the time to understand which systems are most at risk, running scans on a consistent basis, and remediating problems as they arise are some of the best things that you and your organization can do to ensure you are making the most of your vulnerability management program.
Other Vulnerability Management Articles
Having the right group of people to run your vulnerability management program is just as important as the actual program itself. Let’s face it; not all companies can keep up-to-date with the latest security trends as technologies continue to advance, all while bringing on more threats.
If you are going to do something, you may as well do it right. A poorly designed and constructed vulnerability management program is essentially like having no program at all. Why spend the time, money, and resources putting together a program that won’t meet or exceed the expectations you have in place for it?
Year after year, cybercriminals take advantage of more opportunities to infiltrate a system’s vulnerabilities. These attackers feast on the systems that show no real signs of cyclical security maintenance and prevention techniques.