In any kind of system, a vulnerability points to a “state of being exposed to the possibility of attack or harm.” In the age of information, we have – by the very nature of the way we share, store and secure information – opened ourselves up to a tall stack of incidents that come up because of open communication ports, insecure application configurations, and exploitable weaknesses in the system and its environment.
As one might aptly think, vulnerabilities are not as easy to eliminate as viruses. They are systemic issues that arise due to outdated lines of code, human error, malicious actors (intruders), and other factors that can’t readily be “fixed”.
So IT professionals usually document, consolidate, and report their findings. The severity of the report usually depends on the extent of the vulnerability discovery scan and the number of discovered vulnerabilities. A meeting is usually held soon after between the cybersecurity professionals and key stakeholders to discuss the findings and how to move forward with eliminating, mitigating or accepting the risk.
In this atmosphere of uncertainty, with discovered vulnerabilities that require different levels of urgency, what does managing them look like? Vulnerability management is a cyclical process of discovering IT assets to identify threats, misconfigurations, and vulnerabilities and adding them to a vulnerability database categorized by type of vulnerability. Each vulnerability is then assessed to determine the urgency and impact it might have, based on various risk factors.
Since vulnerabilities can affect all types of assets, they are classified according to the asset class they are related to. Here are the various types of vulnerabilities and their causes:
Hardware vulnerabilities arise due to environmental factors such as susceptibility to humidity or dust, unprotected physical storage, age-based wear that causes system failure, and oftentimes, overheating.
Software vulnerabilities arise from erroneous lines of code. Intruders are always on the lookout for buggy software that they can exploit, attacking the system via these flaws.
They commonly stem from insufficient testing, insecure coding, a lack of an audit trail or an inherent design flaw.
Network vulnerabilities usually boil down to unprotected communication lines, caused by a lack of cryptography and insecure network architecture.
These vulnerabilities can be found on various layers of a network. Unsecured wireless access points can be a major vulnerability, as they provide the attacker with unmonitored access to the company’s network.
IT professionals and cybersecurity staff can introduce errors or points of failure into the system through inadequate authentication and authorization mechanisms. These personnel shortcomings need to be met with alerts whenever irregularities are detected in the network, followed by a decision on whether action or investigation should follow.
An inadequate checklist or training could be responsible for misconfigured settings, such as weak access controls or passwords, lack of security awareness and a potential insider threat.
Physical-site vulnerabilities include the area’s exposure to natural disasters, the most critical and costly of which are floods and earthquakes. Interruptions to the power source are important as well, because the battery backup may only operate for a few minutes.
At the organizational level, lack of awareness regarding vulnerability management is the most serious vulnerability risk to the organization. Failure to achieve some degree of cyber-resilience by performing regular audits, setting up continuity plans, prioritizing actions, and fortifying the organization’s security posture adds fuel to the fire for all the other vulnerability classes.
What is the difference between a Vulnerability and a Threat?
The term vulnerability refers to a soft spot in infrastructure; an outside malicious actor looking to leverage that weakness for attack is the threat. But there’s a lot more to it:

| Vulnerability | Threat |
|---|---|
| A vulnerability is a known weakness of an asset (resource) that can be exploited by one or more attackers. In other words, it is a known issue that allows an attack to succeed. | A threat is usually a new or newly discovered incident that has the potential to harm a system or your company overall. |
| A vulnerability is basically an unprotected or unmonitored point in a system that is weak and can be exploited. | A threat is usually the perpetrator that exploits and attacks a system through one or more of its vulnerabilities. |
| Vulnerabilities can be known or unknown. An effective vulnerability management program is designed to encompass all possible vulnerabilities and their impact on the business. | These threats may be uncontrollable and are often difficult or impossible to identify in advance. |
| Example: When a team member resigns and their access to external accounts is not cut off, logins are not updated, or their name still exists on company credit cards, this leaves your business open. | Example: Viruses and other malware are considered threats because they have the ability to cause harm to your organization through an automated attack, as opposed to one perpetrated by humans. |
Before we even get started with implementing Vulnerability Management, a series of vulnerability assessments takes place, in which early and reliable identification of IT weaknesses is used to gather knowledge about how to adopt effective measures for treating the risk and impact.
This process will include tracking and documentation of:
- Business Operations & Personnel
- Technologies & Updates
- Policies & Compliances
- The efforts involved in mitigating new vulnerability risks
Vulnerability management relies heavily on advanced technology to identify vulnerabilities and communicate optimal and timely actions for IT personnel to follow.
According to a recent Forrester Global Security Survey, “49 percent of organizations have suffered one or more breaches in the past year, and software vulnerabilities were the largest factor in those breaches.”
With a prioritized checklist, your IT team can assess the amount of effort they need to put in, as well as monitor those vulnerabilities that have a high probability for attack and apply the required patches.
Vulnerability Management Lifecycle
A vulnerability management program consists of several stages that are built into a management process helping to ensure a tight fit to the system environment. This approach helps ensure that the discovered vulnerabilities are given attention and addressed appropriately.
1. Discover: All assets across the network must be inventoried, and host details including operating system and open services must be gathered to identify vulnerabilities. Develop a baseline for the network and then make discovery an automated routine.
2. Prioritize Assets: Categorize assets into groups by riskiness or by operations, and assign a business value to each asset based on how vital it is to your business operation.
3. Assess: A baseline risk profile can help eliminate risks based on asset criticality, vulnerability threat, and asset classification. It’s crucial that we measure the level of business risk associated with the assets found above according to the organization’s security policies.
4. Report: We must establish an official document detailing a security plan: plans for monitoring suspicious activity and descriptions of the known vulnerabilities.
5. Remediate: Prioritize and attend to vulnerabilities in order of the business risk they pose to the organization and its data.
6. Verify: Perform follow-up audits to verify that the vulnerabilities have been removed.
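The lifecycle steps above (baseline discovery, business-value prioritization, risk-ordered remediation and verification by rescan), worked through on constructed sample data as an added example; this is not Virima's code, and the host names, asset values and `VULN-nnn` ids are placeholders, not real scan output:

```python
from dataclasses import dataclass

# Constructed sample data (not real scan output): business value per asset as
# assigned in the "Prioritize Assets" step, and the discovery baseline of
# hosts with their open services from the "Discover" step.
ASSET_VALUE = {"db01": 5, "web01": 4, "kiosk07": 1}
BASELINE = {
    "db01": {"ssh", "postgres"},
    "web01": {"ssh", "https"},
    "kiosk07": {"http"},
}

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str   # placeholder id such as "VULN-001"; a scanner would supply its own
    severity: int  # 1 (low) .. 5 (critical), as reported by the scanner

def discovery_drift(baseline, current):
    """Discover (automated routine): hosts and services that appeared since the baseline."""
    drift = {}
    for host, services in current.items():
        new = services - baseline.get(host, set())
        if new:
            drift[host] = new
    return drift

def business_risk(f):
    """Assess: severity weighted by asset value. An asset missing from the
    inventory is treated as most valuable so it cannot silently sink to the bottom."""
    return f.severity * ASSET_VALUE.get(f.host, max(ASSET_VALUE.values()))

def prioritize(findings):
    """Remediate: work the list highest business risk first, ties by severity then id."""
    return sorted(findings, key=lambda f: (-business_risk(f), -f.severity, f.vuln_id))

def verify(findings, rescan):
    """Verify: a finding counts as closed only when the follow-up scan no longer
    reports it. Returns {finding: closed?}."""
    still_open = set(rescan)
    return {f: f not in still_open for f in findings}

if __name__ == "__main__":
    findings = [Finding("kiosk07", "VULN-001", 5), Finding("db01", "VULN-002", 3),
                Finding("web01", "VULN-003", 4)]
    for f in prioritize(findings):
        print(f"{f.host:8} {f.vuln_id} severity={f.severity} business_risk={business_risk(f)}")
    print(verify(findings, rescan=[findings[0]]))  # only VULN-001 still reported
```

Note that a critical finding on the low-value kiosk ranks below a medium one on the database server: the order follows business risk, not raw severity.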
Risk mitigation is defined as the process of reducing exposure to risky operations and minimizing the likelihood of an incident. It requires IT personnel to constantly address the organization’s top risks and concerns to ensure your business is fully protected and alert.
An organization on a risky footing requires controls, and an important objective of IT personnel is to prevent certain risks from materializing. This leads to developing preventive policies and procedures, which is what IT professionals refer to as “risk mitigation”.
Who is responsible for vulnerabilities?
The ITSec team deals with cyber intelligence, incident response, incident handling, and threat management operations, apart from vulnerability management itself. They help the organization make better and more informed security decisions that protect and defend it from external threats and cyber risks, and they gather the information required to adopt adequate measures.
IT Security teams perform vulnerability assessments and penetration testing to identify and resolve security issues in an organization’s IT networks, infrastructure, applications, and other areas. They also address the issue through patch management or take up preventive measures such as a mitigation plan.
IT Security personnel define the number of participating teams and assign the required team members to conduct vulnerability assessments.
After a thorough vulnerability analysis and risk assessment has been completed, the IT Ops team then applies most of the mitigation solutions.
An important point to note: IT Ops is responsible for maintaining an accurate and up-to-date inventory of the configurations of all components and applications in the organization’s IT estate. Usually this information is stored in a Configuration Management Database (CMDB).
That is why it is crucial for there to be an accessible line of communication established between IT Security and Operations for faster response times, efficient security investigations, and improved visibility through improved data integration.
The main challenge for SecOps and IT Ops is to make the right information about ongoing vulnerability assessment available, followed up with a fast and effective remediation process. This gap is closed only when the right insights are promptly available to appropriate decision-makers.
Why is having a Vulnerability Management program important?
Let’s face it – the digital age means every organization has vulnerabilities. It’s a cost of doing business. These vulnerabilities represent exploitable flaws that could lead to cyberattacks which damage various assets, trigger a denial of service (commonly referred to as a DDoS attack), and/or extract sensitive financial or personal information. Attackers are always on the lookout for such weaknesses, and many vulnerabilities don’t require a sophisticated bad actor to be exploited.
According to data cited in an Infosecurity Magazine survey, among organizations that “suffered a breach, almost 60% were due to an unpatched vulnerability.” In other words, 60% of the breaches could’ve been prevented by having a vulnerability management plan.
How can IT Sec and Ops work together?
The objective of the Security team is to secure and safeguard the organization, while the Operations team is always hard at work establishing firm ground for the growth of the business and keeping its systems highly available so they provide stable, quality output.
This situation creates a gap between Security and Operations known as the SecOps Gap: two groups on opposite ends, motivated by competing priorities, which results in long lag times to close security vulnerabilities, business-system downtime, excessive labor costs and challenges in meeting regulatory requirements.
Effective vulnerability management includes finding the right mix of technology to help perform vulnerability assessments and produce risk mitigation strategies. Managers and operators from both IT Security and Operations need a clear dashboard that highlights what’s likely to be exploited and what represents the biggest risk so the most urgent flaws can be attended to first.
Vulnerability Management has just been released here at Virima. Our unrivaled Discovery, CMDB and ViVID service mapping provide the foundation to help you quickly identify, prioritize, assign and monitor the vulnerabilities that exist in your vast IT estate. We also generate comprehensive reports that help the IT Sec and IT Ops teams thwart further attacks.