Vulnerability management is the process of identifying, analyzing, fixing, and reporting on security vulnerabilities in systems and the software that runs them. Once vulnerabilities are found, they must be prioritized based on which ones pose the most dangerous threat to the organization. This process can be performed in many different ways, from hiring a third-party security company, to training on best-practice implementations and filtering the threats on your own. In short, however, vulnerability management is the key to stopping attacks.
In the world of cybersecurity, vulnerabilities are a huge issue because if they didn’t exist, there would be very few breaches. Vulnerabilities aren’t an active threat on their own, however, so it’s a challenge for companies to know how to address and prioritize them. This becomes even more difficult when the number of vulnerabilities increases to massive levels, sometimes even up into the millions.
Vulnerability management is a challenging task because virtually anything can become a vulnerability in the system, ranging from apps running old software versions and unpatched operating systems to users and employees themselves, through email phishing schemes and targeted attacks.
Another reason vulnerability management is so difficult is that it must be performed continuously to ensure all systems are constantly up to date and each new vulnerability is discovered. This requires an almost impossible amount of energy and time from IT staff and can quickly become overwhelming for organizations, especially small businesses.
Companies also face the challenge of coordinating and planning when these fixes will take place so as to reduce downtime and interruptions to service availability. Engineering teams must schedule practice runs of vulnerability patching in non-production environments beforehand to ensure there won’t be any issues when applying the patches to production environments, another process that takes time and effort.
The number of devastating attacks, like the recent one against Equifax, has increased exponentially in the last few years, resulting in the exposure of millions of confidential records and sensitive personal data. As hackers continue to learn advanced methods for discovering vulnerabilities and exploiting them, the direct and indirect cost of these attacks can be terrifying for organizations, and rightly so. The amount of money that Equifax lost right away was just the tip of the iceberg; they continue to see climbing expenses from loss of revenue, legal exposures, reduced investments, and costly investigation fees.
Businesses aren’t the only targets, however. A recently discovered key installation attack vulnerability in the WPA2 WiFi protocol affects virtually anyone with a wireless network. This attack works when the attacker is within range of a person logged into a wireless network. The attacker is then able to bypass the network’s security and read any information that was originally thought to be securely encrypted, including credit card numbers, emails, photos, passwords, and more. Depending on how the network is configured, the vulnerability can also be open to manipulation and data injection, allowing the attacker to add ransomware or malware.
With all of this industry chaos, it would be a good idea for IT managers and corporate executives to be on the same page when it comes to understanding and responding to cyber attacks. However, recent survey results from BAE Systems reveal that this is all too often not the case.
As laid out in a BAE report titled “The Intelligence Disconnect”, there are many disparities between these two constituencies regarding costs, likely causes of attacks, and largest risks to the company, to name a few. One of the biggest worries that executives have concerning cyber attacks is sensitive and customer information being stolen, while IT decision makers are most worried about intellectual property theft, fraud, and business disruption.
While both groups recognize the detrimental effects of cyber attacks, the disconnect between their views could create gaps for attackers to exploit, which further emphasizes how important it is for organizations to have strong vulnerability management plans and processes to defend against these growing threats.
A risk-based cybersecurity approach can be used as one of the main methods of identifying specific security controls needed as well as where to apply them. Unfortunately, this type of approach is usually not properly implemented due to its complexity. In fact, a study found that 76% of enterprises lack a holistic vulnerability management strategy in general, while over 70% are in the dark entirely regarding their critical assets and vulnerabilities.
Tying the vulnerability management program closely into the risk management program provides quality data to determine and prioritize associated risks. This entire approach is best broken down into three distinct areas: strategic, tactical, and operational. By moving to a risk-based approach, organizations can work to create assessment profiles. They can also partner with third-party security providers to perform risk assessments and identify vulnerabilities, or conduct a cybersecurity posture assessment to understand the current posture of the company and know what needs to be done to improve it.
A proper vulnerability management program forms the backbone of a comprehensive security program. Our Cybersecurity Evangelist Andrew Kozloski argues that a well-implemented program has an impact on 7 of the 20 Critical Security Controls, including 4 of the top 5. More about this perspective is available in the webinar on security controls we co-organized with the SANS Institute.
On average, 53% of businesses in the United States have experienced some type of cyberattack in the past 12 months, costing over $11.7 million in known damages per organization. While these attacks have various causes, a major way for hackers to gain access to systems and infrastructures is through a vulnerability.
In the world of information security, a vulnerability is a weakness that allows an attacker to gain access to a system’s information and software. In order to exploit this vulnerability in the system, the attacker uses different methods or tools to connect to the weakness and command the software to act in a way that it’s not intended to, like sharing what types of security defenses are in place. Using this information, hackers will know exactly what they can get away with before their attack is noticed. Attackers who take advantage of vulnerabilities are consistently on the lookout for ways to gain access to corporate networks and infrastructures, financial data, sensitive information, and more.
Some of the largest recent cyber attacks involved hackers exploiting known vulnerabilities for which a patch or mitigating control was available, including the massive data breach Verizon experienced in 2016. As this type of cybercrime continues to become more advanced, the need for strong vulnerability management becomes even more urgent.