Anxiety Free Vulnerability Management; Dream or Reality?

Dr Magda CHELLY, CISSP, PhD
Published in Magda On Cyber
6 min read · Jun 6, 2022

Like open locks on a safe, cyber vulnerabilities are weaknesses across people, process and technology (such as misconfigurations, broken process, human error, and technical weaknesses like buffer overflow in a system, network, application or asset) that can be exploited by cybercriminals.

After leveraging a vulnerability to gain unauthorized access to a system, these unsavory characters can proceed to run malicious code, install malware or ransomware, or steal sensitive data, any of which could bring an organisation to its knees.

New vulnerabilities are discovered daily and several databases have been established to keep track of reported vulnerabilities. As of 18th May 2022, the US government’s National Vulnerability Database (NVD) which is fed by the Common Vulnerabilities and Exposures (CVE) list has over 176,000 entries. (Source: https://www.comparitech.com/blog/information-security/cybersecurity-vulnerability-statistics/)

Some interesting and telling vulnerability facts highlighted in Aimee O’Driscoll’s article “25+ Cybersecurity Vulnerability Statistics and Facts of 2022” on Comparitech.com include:

· 75% of attacks in 2020 exploited vulnerabilities that were at least two years old (Check Point Cyber Security Report 2021)

· 60% of data breaches resulted from unpatched known vulnerabilities (2019 Ponemon Institute Vulnerability Survey)

· 84% of companies have high-risk vulnerabilities on their network perimeters, more than half of which could have been easily removed by installing updates (October 2020 study by Positive Technologies)

What can be deduced from this is that:

1. the average organisation has been rather tardy in managing its vulnerabilities (or is not managing them at all, as the case may be), and

2. a good chunk of successful attacks could have been prevented with adequate vulnerability management.

When a vulnerability has been identified and reported, most vendors will move to release a patch as soon as possible. Even so, affected systems are not always fixed promptly. In some cases a vulnerability is left unpatched for months or even years, either because the vendor has not developed a patch, or because the organisation has not deployed the patch that exists. And in the worst case, a vulnerability is never patched at all.

Why does this happen? And what are the consequences?

To watch on YouTube: https://www.youtube.com/watch?v=-Zt_NjNl7rs

What is Vulnerability Management (VM)?

Not a one and done, VM is a strategy — it involves the iterative process of identifying, evaluating, categorising, prioritizing and remediating vulnerabilities.

1. Identifying Vulnerabilities — The first step towards identifying vulnerabilities is discovering and cataloguing all assets within the organisation’s network. After an exhaustive list has been compiled, comes the identification of vulnerabilities that exist for each and every asset.

How many vulnerabilities might an organisation discover?

In Mar 2022, Positive Technologies reported finding an average of 31,000 security vulnerabilities present in each organisation when they analysed data from government, scientific, education, financial and telecom companies.

There are a few different ways to identify vulnerabilities within your environment. One method is to conduct regular and thorough internal assessments, which can help you identify any potential weaknesses in your system. Internal assessments might use a tool like Qualys. Qualys is a cloud-based security platform that scans your organization’s networks for any known vulnerabilities. It also provides reports on how to fix them. However, this might be cumbersome, and certainly has its own challenges within a bigger asset list.

Another way to find vulnerabilities is to commission regular penetration tests. Unlike a compliance-style security audit, which checks that the expected controls are in place, a penetration test hires a professional team of white-hat hackers to actively try to break into your systems, from the outside and, where scoped, from an internal foothold. This will help you identify weak points in your security infrastructure that a scanner alone would miss (chained weaknesses, logic flaws, weak credentials), and will help you develop a plan to fix them.

Lastly, another way to identify vulnerabilities is to monitor external activity, such as attempts to access your systems from outside sources and the assets you actually expose to the internet. While this approach won’t necessarily uncover internal weaknesses, it can alert you to attackers already probing you and to exposed services you did not know you had.

2. Evaluating, Categorising and Prioritising Vulnerabilities — If an organisation had just discovered 31,000 vulnerabilities in its ecosystem, obviously remediating every one speedily would be impossible. Therein lies the most challenging aspect of VM.

When categorising and prioritising vulnerabilities, an organisation should consider three things: the business impact of a successful exploit, the likelihood of such an exploit being attempted and succeeding, and the ease with which it could be executed (is a public exploit circulating, is the system reachable from the internet, does it require credentials or user interaction?). A vulnerability that could allow a malicious hacker to gain access to confidential data or to systems with high business impact, and that is easy to exploit, would be categorised as high priority. A vulnerability that is unlikely to be successfully exploited but could cause significant damage if it were, would be categorised as medium priority. And a vulnerability that is likely to be successfully exploited but has little or no business impact would be categorised as low priority.

An effective and efficient strategy needs to involve evaluating each vulnerability and categorising them in terms of the severity and criticality of impact to the organisation that would result if they were successfully exploited. For example, you might have server vulnerabilities, application vulnerabilities, network security issues, and so on. Once you have a good understanding of the various vulnerability types, you can then begin to categorise them, and prioritise them. This can be a difficult process.

Having to evaluate and prioritise thousands of vulnerabilities is no small task, and several systems, such as the Common Vulnerability Scoring System (CVSS), have been established to assist organisations to do this.

But, and there is a but, it is still not an easy task even with CVSS indicators. A CVSS base score measures the technical severity of a flaw in isolation; it knows nothing about how critical the affected asset is to your business, whether the asset is exposed to the internet, or whether an exploit is already in circulation. Those are the inputs that turn a severity score into a priority, and they have to come from the organisation itself.
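The following is an added example, not code from the original article: it computes a CVSS v3.1 base score from a vector string using the formula published in the FIRST specification, and then layers the three questions the article raises (business impact, likelihood, ease of exploitation) on top of that score to produce a priority tier. The P1–P4 tiers, the 7.0/4.0 thresholds, the Finding fields and the sample findings (with placeholder VULN-n ids rather than real CVEs) are all assumptions made for this example, not a standard.

```python
import math
import re
from dataclasses import dataclass

# CVSS v3.1 metric weights, as published in the FIRST specification (Table 8).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},   # scope unchanged
       "C": {"N": 0.85, "L": 0.68, "H": 0.50}}   # scope changed
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
_REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")
_VECTOR_RE = re.compile(r"^CVSS:3\.[01]/([A-Z]+:[A-Z](?:/[A-Z]+:[A-Z])*)$")


def _roundup(x: float) -> float:
    """CVSS v3.1 Roundup(): smallest one-decimal value >= x, done on integers
    to avoid the floating-point drift the v3.0 definition suffered from."""
    i = round(x * 100000)
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Base score (0.0-10.0) for a CVSS v3.0/3.1 base vector string."""
    m = _VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"not a CVSS v3 base vector: {vector!r}")
    metrics = dict(part.split(":") for part in m.group(1).split("/"))
    missing = [k for k in _REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"vector missing metrics {missing}: {vector!r}")
    try:
        scope_changed = metrics["S"] == "C"
        iss = 1 - ((1 - _CIA[metrics["C"]]) * (1 - _CIA[metrics["I"]])
                   * (1 - _CIA[metrics["A"]]))
        exploitability = (8.22 * _AV[metrics["AV"]] * _AC[metrics["AC"]]
                          * _PR[metrics["S"]][metrics["PR"]] * _UI[metrics["UI"]])
    except KeyError as e:
        raise ValueError(f"unknown metric value {e} in {vector!r}") from None
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if scope_changed else total, 10))


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    vector: str
    asset_criticality: str   # business impact of the asset: "high" | "medium" | "low"
    internet_exposed: bool   # reachable from the internet: more likely to be attacked
    exploit_public: bool     # public exploit / known-exploited listing: easy to attack


def priority(f: Finding) -> str:
    """P1..P4 tier from the article's three questions: business impact,
    likelihood of a successful exploit, and how easy the exploit is.
    Thresholds (7.0 / 4.0) and tiers are this example's assumptions."""
    score = cvss31_base_score(f.vector)
    high_impact = f.asset_criticality == "high" and score >= 7.0
    likely = f.exploit_public or f.internet_exposed
    if high_impact and likely:
        return "P1"   # high impact and likely: remediate first
    if high_impact:
        return "P2"   # high impact but hard/unlikely: the article's "medium"
    if likely and score >= 4.0:
        return "P3"   # likely but limited business impact: the article's "low"
    return "P4"       # everything else: track and fix in routine patch cycles


def rank(findings):
    """Return (priority, base_score, asset, vuln_id) tuples, most urgent first."""
    rows = [(priority(f), cvss31_base_score(f.vector), f.asset, f.vuln_id)
            for f in findings]
    return sorted(rows, key=lambda r: (r[0], -r[1]))


# Constructed sample findings; VULN-n are placeholders, not real CVE ids.
SAMPLE_FINDINGS = [
    Finding("web-01", "VULN-1", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "high", True, True),
    Finding("hr-db", "VULN-2", "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "high", False, False),
    Finding("kiosk-07", "VULN-3", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "low", True, True),
    Finding("dev-vm", "VULN-4", "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N", "low", False, False),
]

if __name__ == "__main__":
    for row in rank(SAMPLE_FINDINGS):
        print(*row)
```

Note how the ranking differs from sorting by CVSS alone: the 7.5 finding on the HR database outranks the 6.5 finding on the kiosk because of asset criticality, while the 9.8 on the exposed web server stays on top because it is both high impact and trivially reachable. Feeding real exposure and exploit-availability data (your asset inventory, a known-exploited-vulnerabilities feed) into those two booleans is what makes the difference between a severity list and a work list.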

3. Remediating Vulnerabilities — There are many ways to remediate vulnerabilities within an organisation, but the right one ultimately depends on the specific vulnerability and the organisation itself. Some of the most common methods include implementing compensating security controls, updating or replacing software and hardware, and training employees on security best practices.

Updating software and hardware is the most direct remediation, and replacing them becomes necessary when the vulnerable software or hardware is no longer supported by the manufacturer and no patch will ever come. This can be challenging when updates are not available, or when they require further licensing or a migration to a newer product.

Once an organisation has prioritised its vulnerabilities in order of severity and impact, it can begin taking remediating action, starting on the exploitable vulnerabilities which could potentially cause the most damage if left unchecked. Where corrective action has been taken, verification needs to follow to ensure that the patches have been successfully implemented, and that new vulnerabilities have not been created during remediation efforts.
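The verification step above is easy to skip and easy to get wrong, so here is an added example (not the article's own code) of how to do it mechanically: diff a pre-patch scan export against the rescan, keyed by asset and vulnerability id, and cross-check the result against the tickets the remediation team marked as closed. The two CSV exports, the column names and the closed-ticket set are constructed for the example; VULN-n are placeholders, not real CVE ids.

```python
import csv
import io

# Constructed sample scanner exports (not real scanner output). Only the
# columns the comparison needs are kept: asset, vulnerability id, severity.
BEFORE_CSV = """asset,vuln_id,severity
web-01,VULN-1,critical
web-01,VULN-2,high
hr-db,VULN-3,high
"""

AFTER_CSV = """asset,vuln_id,severity
web-01,VULN-2,high
hr-db,VULN-3,high
hr-db,VULN-5,medium
"""

# What the ticketing system claims was remediated (constructed).
CLOSED_TICKETS = {("web-01", "VULN-1"), ("hr-db", "VULN-3")}


def load_findings(csv_text: str) -> dict:
    """Index a scan export by (asset, vuln_id) so two scans can be set-compared."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(row["asset"], row["vuln_id"]): row for row in reader}


def verify_remediation(before_csv: str, after_csv: str, closed: set) -> dict:
    """Compare a pre-patch scan with the rescan.
    fixed:       present before, gone now (remediation confirmed by the scanner)
    persisting:  present in both (patch not applied, did not take, or needs a reboot)
    introduced:  new in the rescan (a regression from the change, or a new disclosure)
    unverified:  tickets marked closed whose finding is still detected
    """
    before, after = load_findings(before_csv), load_findings(after_csv)
    fixed = set(before) - set(after)
    persisting = set(before) & set(after)
    introduced = set(after) - set(before)
    unverified = {t for t in closed if t in after}
    return {
        "fixed": sorted(fixed),
        "persisting": sorted(persisting),
        "introduced": sorted(introduced),
        "unverified": sorted(unverified),
    }


def verification_passed(report: dict) -> bool:
    """The remediation cycle only closes when every closed ticket is confirmed
    gone and the change introduced nothing new; anything else goes back to step 2."""
    return not report["unverified"] and not report["introduced"]


if __name__ == "__main__":
    report = verify_remediation(BEFORE_CSV, AFTER_CSV, CLOSED_TICKETS)
    for key, items in report.items():
        print(f"{key}: {items}")
    print("verification passed:", verification_passed(report))
```

On the sample data the ticket for VULN-3 on hr-db was closed but the rescan still detects it, and the change introduced VULN-5 on the same host, so the cycle does not pass: both go back into the prioritisation queue rather than being written off as done.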

Why does VM need to be a continuous process?

Because threats are always evolving and new vulnerabilities are constantly being discovered, it is important to have a continuous vulnerability management process in order to identify and address any potential security risks.

This process includes identifying which systems and applications are most at risk, assessing the severity of the risks, developing and implementing mitigation plans, and monitoring the effectiveness of these plans over time. By ensuring that your organization’s vulnerability management process is ongoing, you can help to reduce the risk of a security breach or data loss.

In summary, we can list two good reasons to ensure a continuous process:

1. New vulnerabilities are found daily. In Dec 2021, Redscan.com reported more than 50 new vulnerabilities logged daily during the year. Effective VM therefore needs to be an iterative process — assets and patched vulnerabilities need to be constantly monitored to ensure that any newly published vulnerabilities within an organisation’s ecosystem are identified, prioritised and updated in its vulnerabilities list to be remediated.

2. In Aug 2020 Palo Alto Networks published research that discovered that 80% of exploits* had been circulating on average 23 days before their respective CVEs were reported. *An exploit is kryptonite specific to each vulnerability; it is a piece of software developed to take advantage of a vulnerability for malicious purposes.

Vulnerability Management (VM) is not an option. Vigilant and effective VM is what organisations require as a minimum to not fall prey.

In order to protect yourself from exploits, it is important to understand the different types of vulnerabilities and how they can be exploited.

Join us for our upcoming webinar with Cymulate where we will discuss in detail some of the most successful strategies to manage and remediate vulnerabilities.

Register today and don’t miss out on this valuable learning opportunity!

To watch on LinkedIn: https://www.linkedin.com/video/event/urn:li:ugcPost:6933497107622281216/

By Magda Chelly

Chief Security Officer | TEDx Speaker | Author & Keynote Speaker | IFSEC Global Top 20 Cybersecurity Influencer | Entrepreneur | PhD, S-CISO, CISSP, Cert SCI (General Insurance)

Find out more on magda-on-cyber.com

Follow Magda on Twitter: https://twitter.com/m49D4ch3lly
