In the last article, we went over the basics of vulnerability management and explained why you should care. Long story short: It’ll be much cheaper in the long run if you do.

This time, we’re going to take a critical look at what the research tells us about where and how your energies should be focused.

But before we continue, here are a few more sobering thoughts for you.

Vulnerability Management: The Case for Investment

Most companies believe they’re able to identify and respond to breaches in a timely fashion… but the reality is quite different. Research conducted by Varonis last year found that the average time taken to discover a breach was 275 days.

That may seem incredible, but it may be easier to believe in the context of the following vulnerability stats.

And let’s not forget, even Edward Snowden had to tell the U.S. Government what he’d done.

A 2015 study conducted by WhiteHat Security found that more than half of retail trade (55%) and healthcare (50%) websites are always vulnerable. The same is true for 35% of financial websites.[1]

And those vulnerabilities stay open for a disturbingly long time.

The transportation industry enjoys the smallest average vulnerability open time at 299 days, with public administration bringing up the rear with a staggering 1033 days. That’s nearly three years.[1]

But it’s not just an issue with websites. Time and time again, research finds that nearly every organization has assets with serious vulnerabilities that haven’t been discovered.

According to a study by Edgescan, 10% of scanned assets had critical risk vulnerabilities, most of which were operating system or software related (e.g. OpenSSL, Apache, PHP).[2]

Wondering what a critical risk vulnerability is? It’s one that can be easily and remotely exploited using resources found freely on the Internet.

Yes, you may well have vulnerabilities that could be exploited by a teenager using his parents’ laptop.

First Things First: Stick a Patch On It

Remember those assets with critical risk vulnerabilities? Over a third (34%) could have been completely mitigated with a robust patching procedure.

And it doesn’t have to be a difficult and arduous exercise. All it really takes is willingness, awareness, and a sensible maintenance schedule.

All major vendors have mailing lists that announce patch availability, and smaller partners will be more than happy to inform you when new patches have been released for their products. If you’re ready to commit (and I hope you are), you could simply set up a ‘patching’ email account and direct all patch notifications to it.

Once you have the information at your fingertips, it’s simply a case of scheduling regular maintenance windows that business operations can be planned around.

If server farms can maintain 99.9999% uptime (that’s just over 30 seconds of downtime per year) whilst still conducting regular maintenance, you can find time to install a few patches.

Of course, if you’re in a larger organization it can be a little more complex. Patch management systems are readily available and will substantially reduce time and labor requirements, prevent most errors, and dramatically improve reporting capabilities.

Oh, and be sure to have a rollback plan ready. You can thank me for that later.

Believe it or not, simply following the above suggestions will place you far ahead of most organizations.

According to Verizon’s 2015 Data Breach Investigations Report, for the overwhelming majority of attacks exploiting known vulnerabilities, the relevant patches had been available for months.

In 71% of cases, the patch had been available for more than a year.[3]

Remediation: From Pen Testing to Prioritization

Of course, patching isn’t the only thing you can do to keep your organization secure.

One route that has received a lot of attention in the past couple of years is penetration testing, which has some very real business applications.

A lot of research has been done into the business value of penetration testing, and it has repeatedly found that organizations conducting penetration tests on a regular basis (at least quarterly) have dramatically fewer (up to 75% fewer) open vulnerabilities.

Another option is to conduct ad-hoc code reviews of high-risk applications. Returning to the website security research mentioned earlier, it found that organizations regularly conducting these reviews reduced their number of open vulnerabilities by a whopping 83%.[1]

That’s a big pay-off for a relatively simple task.

Finally, perhaps the simplest thing you can do to mitigate your risk is to produce a prioritized list of the most important assets to assess and remediate. Companies that do this have been found to have slightly fewer open vulnerabilities, but more importantly, their average fix time was 17% faster.

And prioritizing your assets in this way might make even more sense than you’d think. In 2014, the ‘top 10’ vulnerabilities accounted for 97% of all exploits.

Sadly, that doesn’t make life quite as easy as you might hope. An incredible seven million other vulnerabilities were still exploited during the year.[3]

Prioritization is helpful, but it’s not a cure-all.
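To make the two practical suggestions above concrete (a patching procedure that notices when a fix has been sitting unapplied for over a year, and a prioritized list of assets to remediate first), here is a small Python script. It is an added example, not code from the original article or any of the cited reports; the scoring weights, asset names, vulnerability identifiers and dates are all constructed assumptions, and the exact formula is one reasonable choice rather than an industry standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Scoring weights are assumptions for this example, not figures from the article.
SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}
EXPLOIT_MULTIPLIER = 2.0   # freely available exploit code: the article's "critical risk"
MAX_SLA_DAYS = 365         # flag anything with a patch available for more than a year


@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low) .. 5 (business critical), from the prioritized asset list


@dataclass
class Finding:
    asset: Asset
    vuln_id: str            # placeholder identifier, not a real advisory number
    severity: str           # one of the SEVERITY_WEIGHT keys
    discovered: date
    public_exploit: bool
    patch_released: Optional[date]   # None when no vendor patch exists yet


def days_open(f: Finding, today: date) -> int:
    """How long the finding has been known to the organization."""
    return (today - f.discovered).days


def patch_age(f: Finding, today: date) -> Optional[int]:
    """Days since a fix became available, or None if there is no patch."""
    if f.patch_released is None:
        return None
    return (today - f.patch_released).days


def score(f: Finding, today: date) -> float:
    """Higher score = fix first. Combines asset importance, severity,
    exploit availability and how long the fix has been sitting unapplied."""
    base = f.asset.criticality * SEVERITY_WEIGHT[f.severity]
    if f.public_exploit:
        base *= EXPLOIT_MULTIPLIER
    age = patch_age(f, today)
    if age is not None:
        base += age / 30.0   # one extra point per month the patch has gone unapplied
    return round(base, 2)


def prioritize(findings: List[Finding], today: date) -> List[Finding]:
    """The remediation queue, most urgent first."""
    return sorted(findings, key=lambda f: score(f, today), reverse=True)


def stale_patches(findings: List[Finding], today: date,
                  max_days: int = MAX_SLA_DAYS) -> List[Finding]:
    """Findings whose vendor patch has been available longer than the SLA allows."""
    stale = []
    for f in findings:
        age = patch_age(f, today)
        if age is not None and age > max_days:
            stale.append(f)
    return stale


# Constructed sample inventory (hypothetical assets and findings, not real data).
TODAY = date(2016, 1, 15)
WEB = Asset("customer-web-01", 5)
HR = Asset("hr-intranet", 3)
LAB = Asset("lab-test-box", 1)

SAMPLE_FINDINGS = [
    Finding(WEB, "VULN-0001", "high", date(2015, 11, 1), True, date(2015, 10, 20)),
    Finding(HR, "VULN-0002", "critical", date(2014, 9, 1), False, date(2014, 6, 1)),
    Finding(LAB, "VULN-0003", "critical", date(2015, 12, 1), True, date(2015, 12, 1)),
    Finding(WEB, "VULN-0004", "low", date(2015, 12, 20), False, None),
]

if __name__ == "__main__":
    print("Remediation queue:")
    for f in prioritize(SAMPLE_FINDINGS, TODAY):
        print(f"  {score(f, TODAY):6.2f}  {f.vuln_id}  {f.asset.name:16s} "
              f"{f.severity:8s} open {days_open(f, TODAY)} days")
    print("Patch available for more than a year:")
    for f in stale_patches(SAMPLE_FINDINGS, TODAY):
        print(f"  {f.vuln_id} on {f.asset.name} ({patch_age(f, TODAY)} days)")
```

Note how the ordering falls out of the inputs: the high-severity issue on the business-critical web server with public exploit code outranks the critical-severity issue on the internal HR system, while the critical issue on a throwaway lab box sinks despite having exploit code. The stale-patch report is the piece to wire into your maintenance window planning, since it surfaces exactly the year-old fixes the Verizon figures describe.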

Closing Thoughts

I hope this article has left you optimistic about the task ahead. Vulnerability management is an ongoing battle, but it doesn’t have to be an uphill one.

But before I leave you, there’s just one more thing I’d like to suggest.

Don’t over-obsess about new threats and vulnerabilities.

You may be familiar with the ‘horror’ factor (particularly if you’ve read the wonderful book Freakonomics). It describes the odd tendency of humans to worry more about awful (but highly unlikely) risks than about their mundane (but far more likely) alternatives.

And just like parents who worry more about gun crime and terrorism than they do about backyard pools, there’s a tendency for IT professionals to focus on the wrong risks.

So just remember, most breaches aren’t the result of sophisticated, targeted attacks. The sad fact is that most organizations are still vulnerable to malware from years gone by.

So before you start worrying about state-sponsored cyber espionage, just make sure you have a robust patching procedure in place and you’re keeping an eye on your critical applications.

Once that’s taken care of, feel free to go to town.

Check out other posts in this series:

Post 1: The Minimalist Guide to Vulnerability Management

Post 3: How to Approach Vulnerability Management: The View from 10,000 Feet

Post 4: How to Start Your Vulnerability Management Off With a Bang: Roles and Responsibilities

Post 5: The 10 Step Checklist for Pain-Free Vulnerability Management

Post 6: 5 Common Vulnerability Management Mistakes... and How to Avoid Them

[1] WhiteHat Security - Website Security Statistics Report 2015

[2] Edgescan - 2014 Vulnerability Statistics Report

[3] Verizon - 2015 Data Breach Investigations Report