
Security Think Tank: Four steps to managing software vulnerabilities

What is the most practical and cost-effective way for organisations to identify and remediate high-risk software vulnerabilities?

For me, the challenge of high-risk software vulnerabilities is not always remediation. In fact, technical vulnerabilities are almost always fixed in one of two ways – change a configuration, or apply a software update in the form of a security patch.

Chief information security officers (CISOs) face two fundamental challenges, which are applicable to both scenarios:

1. Visibility: It’s one thing to apply a security update to an appliance or piece of software, but companies don’t always know where all their assets are. In a world where users spend as much time “off network” as they do on the local area network (LAN), do companies even know where their vulnerabilities are?

2. Cyber inertia: The concept of cyber inertia is broader than patch and configuration management. The truth is that companies are reluctant to make configuration changes because they are unsure what will break as a result. Take WannaCry, for example. Everyone knew they needed to turn off SMB v1 (server message block protocol version 1), the protocol the worm spread through, but I know many organisations that were unsure what this would break, if anything. Vulnerabilities cannot be remediated if we don’t understand the known-good configuration we are operating from, because without it we cannot tell a safe change from a breaking one.

Vulnerability management requires companies to follow a four-step process:

Step 1: Understand the assets

This sounds obvious, but it is often overlooked. It’s also not easy. The proliferation of device types in most enterprises means the number of assets grows quickly, along with the number of users of those devices and the kinds of data travelling through them.

Step 2: Profile organisational threat actors and their tools, techniques and procedures

Once we understand what we’re looking to protect, we need to better understand who is looking to obtain access to our assets and the capabilities they possess.

Here again, context is important. Many CISOs I know say that they cannot afford to protect themselves from nation states. But the fact is that many cyber criminals use tools formerly thought of as the exclusive domain of nation-state actors, such as encrypted communications and polymorphic malware. If many bad actors are using these tools, then organisations can’t ignore them.

Step 3: Identify your vulnerabilities

Vulnerabilities are weaknesses across people, processes or technology. Why do we identify vulnerabilities only after we have profiled threats and classified assets? Because absolute security simply isn’t possible, so we need to know which assets and which attackers matter before deciding which weaknesses are worth finding and fixing. Automated tools can only do so much to unearth the weak points: they can find technical vulnerabilities in a software stack, but they can’t tell you whether your users need training so that threats don’t get past them.

Pragmatism and prioritisation are two key tenets of good vulnerability management. We need to look at which systems house data we are concerned about, and in what volume. A few key questions to ask about these systems are:

  • Are the systems externally accessible?
  • Are the applications that handle the data running their latest, patched versions?
  • Where and how are login details being stored?
  • Are you sending sensitive information without encryption?

Step 4: Apply controls and safeguards

Vulnerabilities will always crop up. However, controls and safeguards can lessen the impact or likelihood of a risk occurring. Controls do not have to be absolute. It’s unusual for a control to remove a risk entirely – we’re looking to lessen the risk to a palatable level. Who sets this bar? Again, it’s the business.
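The four steps above are easiest to see when they are written down as data plus a scoring rule. The following Python is an added example, not code from the article or from any product: it holds an asset inventory (step 1), a flag for whether a weakness is actually being exploited by the actors we profiled (step 2), findings across technology and people (step 3), and a business-set risk appetite that decides what is fixed now (step 4). The assets, findings, field names and weights are all constructed assumptions for illustration; the only fixed point is that findings against assets missing from the inventory cannot be scored at all, which is the visibility problem in practice.

```python
"""Context-driven vulnerability prioritisation.

Added example, not code from the article: it turns the four steps into
data plus a scoring function. Inventory, threat profile, findings and
weights below are constructed for illustration and are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass
class Asset:                      # Step 1: what we own and where it sits
    name: str
    owner: str
    data_sensitivity: int         # 1 (public) .. 5 (regulated or secret)
    record_count: int             # volume of sensitive records held
    externally_accessible: bool   # "Are the systems externally accessible?"
    last_seen_days_ago: int       # large value = the visibility gap the article describes


@dataclass
class Finding:                    # Step 3: a weakness in people, process or technology
    asset: str
    title: str
    cvss: float                   # 0.0 for non-technical weaknesses (e.g. untrained users)
    exploited_in_the_wild: bool   # Step 2: are the actors we profiled actually using this?
    remediation: str              # "patch", "config" (the article's two fixes) or "training"


def has_visibility_gap(asset: Asset, stale_after_days: int = 30) -> bool:
    """An asset we have not seen recently cannot be assumed patched or configured."""
    return asset.last_seen_days_ago > stale_after_days


def score(asset: Asset, finding: Finding) -> float:
    """Risk = impact of losing the asset's data x likelihood the weakness is exploited.

    Weights are assumptions, chosen so that exposure and active exploitation dominate.
    """
    impact = asset.data_sensitivity * (1 + math.log10(max(asset.record_count, 1)))
    likelihood = finding.cvss / 10.0 if finding.cvss else 0.3   # baseline for non-technical findings
    if asset.externally_accessible:
        likelihood *= 1.5
    if finding.exploited_in_the_wild:
        likelihood *= 2.0
    return round(impact * likelihood, 2)


def prioritise(assets, findings, risk_appetite):
    """Rank findings; anything at or above the business-set risk appetite is 'fix now'.

    Returns (ranked, untracked). Findings against assets missing from the inventory
    go to `untracked`: they cannot be scored, so step 1 has to be fixed first.
    """
    by_name = {a.name: a for a in assets}
    ranked, untracked = [], []
    for f in findings:
        asset = by_name.get(f.asset)
        if asset is None:
            untracked.append(f)
            continue
        s = score(asset, f)
        action = "fix now" if s >= risk_appetite else "schedule"
        if has_visibility_gap(asset):
            action += " (inventory data stale: verify asset first)"
        ranked.append({"asset": f.asset, "title": f.title, "score": s,
                       "remediation": f.remediation, "action": action})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return ranked, untracked


# Constructed sample data (not from any real organisation).
ASSETS = [
    Asset("crm-web", "sales", 4, 100_000, True, 1),
    Asset("hr-fileserver", "hr", 5, 1_000, False, 45),
    Asset("marketing-site", "marketing", 1, 0, True, 2),
]
FINDINGS = [
    Finding("crm-web", "Outdated web framework with public RCE", 9.8, True, "patch"),
    Finding("hr-fileserver", "SMB v1 still enabled", 8.1, True, "config"),
    Finding("marketing-site", "Contact form submitted without TLS", 6.0, False, "config"),
    Finding("hr-fileserver", "Staff have had no phishing training", 0.0, False, "training"),
    Finding("legacy-printer-01", "Default admin credentials", 7.5, False, "config"),
]
RISK_APPETITE = 10.0   # set by the business, not by the security team


if __name__ == "__main__":
    ranked, untracked = prioritise(ASSETS, FINDINGS, RISK_APPETITE)
    for row in ranked:
        print(f"{row['score']:6.2f}  {row['asset']:<15} {row['title']:<40} {row['remediation']:<9} {row['action']}")
    for f in untracked:
        print(f"  ????  {f.asset:<15} {f.title:<40} NOT IN INVENTORY: fix step 1 first")
```

Run as written, the externally reachable CRM with an actively exploited flaw ranks first, the internal file server with SMB v1 second but flagged because the inventory record is stale, and the training gap sits below the appetite line as something to schedule. The printer with default credentials is reported separately: no amount of scoring helps while the asset is not in the inventory.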
