Minimalist Guide to Vulnerability Management

Be honest… you’re worried.

You have a firewall, an antivirus, and fancy intrusion detection systems… but something doesn’t feel quite right.

Every week another high-profile hack hits the headlines.

So you sit through long meetings about enterprise security and spend thousands (or even more) on top-notch software to keep you safe, but all the while a single thought is nagging in the back of your mind…

What if we have a vulnerability we don’t even know about?

That’s easy: You do. Sorry.

Put simply, building a perimeter around your networks without implementing a solid vulnerability management process is like fitting your house with a state-of-the-art security system but leaving all the windows unlocked.

So… What is Vulnerability Management, Anyway?

According to the International Organization for Standardization, a vulnerability can be described as a weakness of an asset or group of assets that can be exploited by one or more threats.

In our context, vulnerability management is the process of identifying, evaluating and mitigating IT vulnerabilities.

To be clear, though, this isn’t just about finding issues with your IT security. It’s about identifying any vulnerability in any IT system that could be exploited by a person or process with malicious intent.

Nor is it simply the process of vulnerability scanning, though that is certainly important.

Every piece of hardware, every software suite, every open port… literally everything attached to your network must be scanned on a regular basis if you’re to have a realistic chance of preventing a serious security breach.

But it’s more than that. Vulnerability management is the (largely human) process surrounding vulnerability scanning, concerned with assessing risks and then defining and implementing the actions necessary to mitigate them.

The Top 3 Reasons Why You Should Care About Vulnerability Management

If you’re already paying attention, feel free to skip to the next section. For everybody else…

1. Cyber crime is exploding

$445 billion per year. That’s the global cost of cyber crime according to insurance giants Allianz.

But let’s look more closely.

According to an October 2015 Ponemon Institute report, based on a representative sample of 252 organizations in seven countries, the average cost of cyber crime to individual businesses was $7.7 million per year.

And if you’re thinking that couldn’t possibly be true for your small or mid-sized company, you might be right… but don’t be too happy about that. The total cost of cyber crime is (of course) much lower for SMEs, but it’s proportionally much more significant: $1388 per employee, as compared to $431 for larger companies.

Finally, the report found that insider threats, dedicated denial of service (DDoS) attacks, and web-based attacks were among the most expensive to resolve… and all of these can be severely mitigated by a tightly controlled vulnerability management process.

2. Perimeter defenses just aren’t enough

Earlier I described vulnerability management in terms of a house with unlocked windows, and in some ways this is quite accurate.

The simple matter of having security systems will be enough to dissuade many would-be invaders, even if in reality there are vulnerabilities ready to be exploited.

But the problem comes when an attacker is truly dedicated. If someone with a moderate degree of skill is determined to gain unauthorized access to your systems, they will.

Consider the most common types of security:

Firewalls – A hacker’s first choice will always be to use legitimate network access, which is often facilitated by phishing or spear phishing attacks. Modern phishing emails have become unbelievably sophisticated, and having personally read some successful cases from the last 12 months I really can’t fault the unfortunate employees who fell for them.

In one 2015 case, a company was hacked purely for the purpose of gaining information to perform a spear phishing attack against one of its partners. By gaining access to confidential emails, the hacking group was able to construct phishing emails so plausible that over 80% were successful.

Needless to say, a firewall will do nothing to protect against this form of attack.

Intrusion Detection & Prevention Systems (IDPS) – The most stringent, carefully maintained IDPS installations will stop 99.9% of malicious packets. Sadly, with even modest networks receiving thousands every day, this isn’t enough to stop everything.

Worse still, these strict rules will also stop much higher numbers of legitimate packets (false positives), leading most companies to relax their IDPS rules. The result? Even more malicious packets successfully finding their mark.

Antivirus – Traditional antivirus packages rely on blacklisting to identify and eliminate malware. The problem? Nearly half of all data breaches are the result of new or customized malware, which wouldn’t be picked up by an antivirus package.

Actually, that’s just the first of many problems, but we won’t go into all of them now.

The point here is not that perimeter defense systems are a bad idea. They aren’t. The point is simply that it’s not enough.

A dedicated hacker will get inside your network if they really want to, so it’s your job to ensure they can’t do any major damage when they arrive. That’s where vulnerability management comes in.

3. You ARE at risk

One of the most damaging beliefs in modern organizations (particularly SMEs) is the old favorite “We’re not an attractive target”.

You are.

And more to the point, even if you weren’t an attractive target that isn’t a good enough reason to dismiss proper security practices.

Apart from anything else, not all attacks are targeted. A lot of malware is simply created and released into the wild (OK, the Internet) to spread organically. This includes all manners of keyloggers, man-in-the-middle programs and Ransomware that you really don’t want exploiting weaknesses in your network.

Remember CryptoLocker? It spread through seemingly legitimate email attachments and has infected over 625,000 machines and networks worldwide.

Finally, it’s vital to consider the insider threat. Do you think it’s possible one of your employees might be disaffected? Someone who was passed over for promotion, has a beef with the HR department, or just flat out hates their job?

And do you think someone, somewhere might be willing to pay them to cause mischief inside your network? Or that they might cause mischief just for the fun of it?

When it comes to insider threats, all the perimeter defense software in the world will be completely useless. You’re locking the doors and windows, but the mischief-maker is already inside.

The Zen of Effective Vulnerability Management

If you’ve made it this far, hopefully, the point has sunk in: Vulnerability management is essential to maintaining a secure network.

So what does an effective vulnerability management process look like? Well, in simple terms, something like this:

1. Preparation

• Select and install a suitable vulnerability scanner
• Attribute responsibility for each phase of the process
• Decide acceptable levels of risk

2. Vulnerability scan

3. Define actions

• If a risk is unacceptable, identify remediating steps
• If a risk is deemed acceptable, gain formal sign-off

4. Implement actions

5. Rescan

6. Repeat...regularly

And… that’s about it. Simple, no?

Of course, there’s more to it, and we’ll be covering each aspect of vulnerability management in more detail as this series progresses, but in essence, the sequence described above is the ‘secret’ to excellent vulnerability management.

As with all aspects of cyber security, the big challenge is one of culture, not difficulty. If your organization doesn’t currently have a formal vulnerability management process in place, it can seem daunting to implement one.

However, through the course of this series, we aim to demonstrate that a solid process can be implemented with minimal effort, and more importantly that it can dramatically improve your chances of avoiding expensive breaches.

See you there.

Check out other posts in this series:

Post 2: Vulnerability Management Research: How to Invest Your Resources for Maximum Results

Post 3: How to Approach Vulnerability Management: The View from 10,000 Feet

Post 4: How to Start Your Vulnerability Management Off With a Bang: Roles and Responsibilities

Post 5: The 10 Step Checklist for Pain-Free Vulnerability Management

Post 6: 5 Common Vulnerability Management Mistakes... and How to Avoid Them