Why Vulnerability Management Is Important

Introduction

Year after year, cybercriminals find more opportunities to exploit the vulnerabilities in systems. These attackers feast on systems that show no real signs of cyclical security maintenance and prevention techniques. While vulnerability management is not a surefire way of fighting off these attackers, it is without a doubt one of the best preventative measures one can take to protect a network from cyber thieves around the world. However, before we can understand why vulnerability management is important, we must know what it is.


Vulnerability Management is the identification, classification, prioritization, and treatment of software vulnerabilities. The combination of these recurring information security processes alongside other security tactics is a major key behind the success of many information security programs. Security vulnerabilities themselves are weaknesses caused by normal software development practices.

Even the most mature software development procedures with well-defined security practices can and regularly do leave us with software vulnerabilities. Attackers routinely exploit that software to breach the organizations we continue to see in the daily news. Threat actors don’t need weeks and months to scan the entire Internet looking for vulnerable systems. Today’s tools, like ZMap, for instance, allow this to happen daily. As you are probably already putting together, vulnerability management is the process of finding these weaknesses and treating them before attackers can take advantage of them.

It is important that the resolution of these threats is specific to the root cause. Patching, disabling unnecessary services, and managing configurations so that a misconfiguration cannot cause a security vulnerability are all possible treatments for potential security threats. So, what can these attackers do if they were to exploit these holes in your system before they are patched?

The Unfortunate Impacts of Breaches

Unfortunately, it would be easier to answer this question if it were “what CAN’T these attackers do if they were to exploit these holes in your system before they are patched”. The list can go on and on but to shorten the list, attackers exploit these vulnerabilities to damage network assets, cause a denial of service, or most commonly, steal potentially sensitive and private information.

Private information such as credit card details, social security numbers, email addresses, and passwords are all stolen by attackers and sold on the dark web on a regular basis. Any of these outcomes can be detrimental to an organization’s daily operations or business. Along with the long-term pain that comes with getting information back or sometimes even starting over from scratch, the monetary loss is what really takes a toll on a company that experienced a breach.

This can be seen in one of the largest data breaches in history. In 2017, Equifax suffered a breach which led to over 147 million people’s personal information being stolen and ending up in the wrong hands. This monumental breach could have been avoided if their security team had proactively patched a well-known vulnerability in their consumer complaint web portal. However, deficiencies in their vulnerability management program are why this breach has cost Equifax close to $1.4 billion in fines and lost business. Even to a company as large as Equifax, $1.4 billion is a large chunk of change. Considering that Equifax is a publicly traded company, the impact on shareholders was immense! In fact, the company’s CEO, CIO, and Chief Security Officer all stepped down after the breach was publicly announced.

But you might be thinking, “there’s no way that most organizations leave well-known vulnerabilities open long enough for attackers to exploit, right?” You may want to think again. 

Why Vulnerability Management is Important

According to recent studies, 60% of all breaches involved vulnerabilities where a patch was available, but it had not yet been applied. That is insane!

Imagine you are sitting in a busy coffee shop with important personal information pulled up on your laptop. Then, you need to go to the restroom, so what do you do? More than likely you either change screens, close your laptop, or even bring your laptop to the restroom with you. You do this because you don’t want other people seeing the personal content on your screen that you were viewing just seconds before. It’s just common sense!

The same scenario plays out in network security and vulnerability management. Some organizations store tons of data and personal information within their network, but for some reason leave it open and unsecured for any wandering eyes to see. That said, having a proper program in place does not guarantee that your systems are completely safe.

Well-known companies such as Home Depot and Target have experienced breaches in the past. Even though they are both large organizations with well-funded cyber-security efforts, attackers were still able to find a way into their respective systems and unleash their malicious tactics. The fact that these companies experienced breaches even while taking great precautions should not undermine the value of a great vulnerability management program.

A system with a great program is certainly more secure than the same system without. Vulnerability management is integral to not only identifying unsecured access points, but also mitigating the level of risk that comes with these holes in the system. How does a vulnerability management program go about solving these issues, though?

Threat & Vulnerability Management Programs

The first step in an effective vulnerability management program is to identify all of your IT assets and determine where the risks live. However, keep in mind that not all organizations are the same, and the nature of the business can help you determine where the risk could be.

For retail companies, it’s their Point of Sale systems (and all systems that support them). For online retailers such as Amazon, the threat is more likely to exist in web applications, inventory systems, partner payment systems, etc. These points are not to take away from the importance of other systems.

Hackers do often compromise secondary systems first before working their way over to the system they actually intend to attack. A good program will scan all systems in a network looking for open ports and running services that can be correlated back to known vulnerabilities. This is just the first step in the process. The second step in an effective vulnerability management program is identifying the vulnerabilities that may exist within your network. After all, you can’t fix what you don’t know is broken.

Next, a good vulnerability management program will prioritize the vulnerabilities it finds in order from greatest risk to lowest. Obviously, the vulnerability with the highest risk factor should be dealt with first and as quickly as possible. Next comes the step where many organizations fail to take the appropriate approach, and, as with Equifax, this can turn into a costly mistake if not done correctly. Once the vulnerabilities are prioritized in order of importance, it is crucial to determine whether each should be fully patched to avoid exploitation, mitigated to decrease the risk of exploitation until a better fix is possible, or simply set aside with a decision that no action will be taken.

The last option is generally only taken when it will cost more to patch the vulnerability than it would for it to be exploited. One other reason a business would take this route is if they can’t afford to take a production system out of service to apply any necessary changes. The time spent fixing the system may result in a loss of revenue greater than what would be caused by the vulnerability being exploited by an attacker.

Finally, a good vulnerability management program will report on its findings so that for future cases, the process can be sharpened and take less time as well as possibly even less money to fix problems. Good programs also include multiple stakeholders and technical owners. Oftentimes vulnerability management programs fail when there is only one person doing the work. Having a combination of all relevant business owners, security owners, and technical owners is a great way to strengthen your system as a whole. 
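The steps above (inventory, correlation to known vulnerabilities, prioritization, treatment decision, reporting) can be sketched as a small triage script. This is an added example, not code from the article; the asset names, service names, placeholder vulnerability ids, dollar figures, and the severity-times-criticality score are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: asset -> (business criticality 1-5, services found by a scan)
ASSETS = {
    "pos-terminal-01": (5, [("examplehttpd", "2.1")]),
    "web-portal":      (4, [("examplehttpd", "2.1"), ("examplessh", "7.0")]),
    "print-server":    (1, [("examplespool", "1.3")]),
    "legacy-erp":      (3, [("exampledb", "9.2")]),
}
# Constructed known-vulnerability feed keyed by (service, version): placeholder id,
# severity 0-10, patch available?, cost to fix (work + downtime), loss if exploited.
KNOWN_VULNS = {
    ("examplehttpd", "2.1"): ("VULN-A", 9.8, True, 2_000, 500_000),
    ("examplessh", "7.0"):   ("VULN-B", 7.5, False, 0, 80_000),
    ("examplespool", "1.3"): ("VULN-C", 4.0, True, 15_000, 3_000),
    ("exampledb", "9.2"):    ("VULN-D", 6.0, True, 40_000, 120_000),
}

@dataclass
class Finding:
    asset: str
    vuln_id: str
    risk: float
    treatment: str

def decide_treatment(patch_available, fix_cost, exploit_loss):
    """Pick one of the three treatments described in the text."""
    if fix_cost > exploit_loss:
        return "accept"      # fixing costs more than the expected loss
    if not patch_available:
        return "mitigate"    # reduce exposure until a better fix is possible
    return "patch"

def assess(assets=ASSETS, vulns=KNOWN_VULNS):
    """Correlate scanned services with known vulnerabilities, then rank them."""
    findings = []
    for asset, (criticality, services) in assets.items():
        for svc in services:
            if svc in vulns:
                vid, severity, patchable, fix_cost, loss = vulns[svc]
                risk = severity * criticality  # assumed scoring, not from the article
                treatment = decide_treatment(patchable, fix_cost, loss)
                findings.append(Finding(asset, vid, risk, treatment))
    # Highest risk first, so the most dangerous findings are handled first.
    return sorted(findings, key=lambda f: f.risk, reverse=True)

def report(findings):
    """One line per finding, for stakeholders and technical owners."""
    return [f"{f.risk:5.1f}  {f.asset:<16} {f.vuln_id}  {f.treatment}" for f in findings]
```

Calling `report(assess())` returns the ranked lines; the same vulnerability on the point-of-sale terminal outranks it on the web portal because the asset's criticality feeds the score.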

Conclusion

There is no guaranteed way to prevent hackers from making their way into your network. However, there are ways that organizations can slow them down, and implementing a great vulnerability management program is undoubtedly one of the best investments a company can make. The risks that come with a breach in a network’s system can have a far greater financial impact than the small cost that comes with a top-tier vulnerability management program. Rather than assume a breach will never happen to you and your organization, now is the time to be proactive and implement the appropriate preventative measures to further secure your information, your organization’s information, and your customers’ information.
