To our detriment, new software vulnerabilities are discovered on an almost daily basis. This becomes a serious issue for security professionals and organizations alike. There must be a process that companies can use to ensure they will not fall victim to these vulnerabilities. The best way to do this is to institute both vulnerability and patch management programs. This blog provides five key areas security professionals can focus on for establishing these programs.
The Vulnerability Management Process: Summarized
According to the SANS Institute, vulnerability management is the means of detecting, removing and controlling the inherent risk of vulnerabilities. The purpose of an organization’s vulnerability assessment program is to establish controls and processes that will help the organization identify its vulnerabilities within the firm’s technology infrastructure and information system components. This is essential because these vulnerabilities can potentially be exploited by attackers who seek to gain unauthorized access to the organization’s systems, disrupt its business operations, and steal or leak sensitive data.
Once vulnerabilities are found, the best way to mitigate the vulnerability is to deploy patches that address the vulnerabilities, if any exists. The purpose of an organization’s patch management program and policy is to identify controls and processes that will provide the organization with the appropriate protection against the vulnerabilities and threats identified by the vulnerability assessment program. These vulnerabilities and threats could adversely affect the security of the organization’s information system and data entrusted on the information system.
6 Tips to Secure Against Known Vulnerabilities
Following are five tips that can be used to effectively implement controls that can assist organizations to create a consistently configured environment that is secure against known vulnerabilities.
1) Implement a threat intelligence and monitoring process that will allow your security team to constantly gather information about the newest or emerging threats that may affect your organization
It is imperative that your security team stay current on these threats. They do this by reviewing vender notifications of threats, patches and system updates as well as getting information from US CERT, which is always kept up to date with the latest information. Any threats the team uncover need to be addressed by vulnerability remediation management.
2) Conduct regular vulnerability assessments
This is not something you do once and forget. Assessment is a continuous process because the vulnerability assessment is only a point in time snapshot of your situation and can change as new vulnerabilities are discovered. Therefore, you must ensure that you establish a formal program with defined roles and responsibilities that focus on developing and maintaining good vulnerability processes and procedures.
3) Establish and enforce baseline configurations
Standardize the configuration of similar technology assets within your organization based on documented configurations in accordance with applicable policies. Your security team must ensure that they document all baseline configurations within your environment and also ensure that these documents are kept up to date and are integrated as part of your system build process and is enforced throughout your organization.
4) Remediate vulnerabilities
This is the practice of evaluating the vulnerabilities you have identified, assigning risk to those vulnerabilities, planning responses to the vulnerabilities and then tracking any actions taken towards mitigating the vulnerabilities you find. Discovering faults and doing nothing about them is useless and will leave your organization susceptible to many threats.
5) Patch vulnerabilities
Vulnerability and patch management is best conducted in the following manner:
- First you must have processes in place to identify and confirm vulnerabilities using appropriate tools and services that will help you identify suspected or confirmed threat to your organization.
- Next you analyze your finding in order to thoroughly understand what the risks are. Without a true understanding, how can you put the correct measure in place to deal with them.
- After you perform your analysis, you fix the problems.
- Once your “fix” is in place, you must rescan or retest to first ensure your fix took and then to ensure that it was effective.
6) Remove admin rights and enforce least privilege
According to the annual Microsoft Vulnerabilities report, roughly 3 out of 4 Microsoft vulnerabilities could be fully mitigated simply by moving admin rights, which is a testament to the awesome power of least privilege.
By following these recommendations I have provided you here, you are well on your way to securing your organization again vulnerabilities and threats that can cause serious harm if not checked.
Additional Resources on Mitigating Vulnerabilities
Derek A. Smith, Founder, National Cybersecurity Education Center
Derek A. Smith is an expert at cybersecurity, cyber forensics, healthcare IT, SCADA security, physical security, investigations, organizational leadership and training. He is currently an IT Supervisor at the Internal Revenue Service. He is also owner of The Intercessors Investigative and Training Group (www.theintercessorgroup.com). Formerly, Derek worked for several IT companies including Computer Sciences Corporation and Booz Allen Hamilton. Derek spent 18 years as a special agent for various government agencies and the military. He is also a cyber security professor at the University of Maryland, University College and Virginia University of Science and Technology and has taught for over 25 years. Derek is retired from the US Army and also served in the US Navy, and Air Force for a total of 24 years. He is completing his Doctorate Degree in Organizational Leadership and has completed an MBA, MS in IT Information Assurance, Masters in IT Project Management, and a BS in Education. Derek has written several books including Cybersense: The Leaders Guide to Protecting Critical Information, and its companion workbook, and he has contributed to several other books as an author and technical adviser.