Technology and vulnerabilities go hand in hand. New tech is released, weaknesses in the code are found, patches are made, and new weaknesses are found. It’s an endless cycle. I described it as an arms race between hackers and software developers in our article about the recent end of support for Windows 8.1. Sometimes that’s just how it feels, a constant back and forth between the two.
Unfortunately, the vast majority of corporate networks are vulnerable to attack. When I say “vast majority”, I basically mean everybody. The real stat is 93% of networks can be breached within 2 days. It’s staggering. Overwhelming really.
The statistic is real, but there’s additional nuance to it of course. What the number doesn’t show is how organizations prioritize their security. Managing computer networks takes a lot of time and work. That doesn’t always take a front seat in the task list for them. Because of that, many breaches are simply due to poor vulnerability management.
What do I mean by that? I mean that taking the time to patch and update every device on your corporate network isn’t always done. While there are consistently new threats and patches for those threats, a majority of vulnerabilities are not new – they are old, but just never patched. Over 60% of security vulnerabilities are at least 5 years old. 5 years!
If it has been 5 years and your systems aren’t patched, then clearly there is no priority in managing vulnerabilities. This is why many cyberattacks simply go after known vulnerabilities and exploit them to gain access and control of company networks.
The solution is to create an effective vulnerability management process for your company. It can be as complicated or simple as you’d like, but you need to follow it.
Here are 6 steps to creating a vulnerability management process for your company:
- Identify Your Assets
- Perform a Vulnerability Assessment
- Prioritize by Threat Level
- Patch Weaknesses
- Document Actions
- Schedule Your Next Assessment
Identify Your Assets
You can’t protect what you don’t know. It seems like a simple first step, but it is the most important. You need to identify every device that accesses your network.
This includes workstations and laptops, smartphones, servers, IoT devices, and any cloud services. You’ll want a list of all of these devices and how they access your data so you can assess them properly.
Perform a Vulnerability Assessment
This is the meat of the matter. An IT company should use assessment software to perform its testing. Depending on your industry and the sensitive data you hold, penetration testing (pen testing) would be a good add-on at this time. It brings greater peace of mind and quite possibly could be a compliance requirement.
This scan will detect software and versions in use and compare them to a database of known vulnerabilities. Anything found is a weak link in your security that can be exploited.
Prioritize by Threat Level
The assessment will find every weakness, but not all weaknesses are equal. The severity of each weakness should be ranked from highest to lowest. Then the items within each rank should be prioritized further to set the order in which they are addressed.
Obviously, you want to rank according to severity. The IT company conducting the scan can advise on this rating, usually using the NIST framework of vulnerability scoring.
One other consideration is your business-specific needs. Not all software or devices are used equally within your business, so they should be addressed accordingly. Perhaps you have a major security flaw in software that is rarely used, or, conversely, a minor flaw in software used by everybody every day.
You should take these two factors into consideration to determine your plan of attack.
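The assessment and prioritization steps above, as an added sketch in Python (not code from this article or from any scanning product): it matches a constructed inventory against a constructed vulnerability list, then orders findings by severity band and, within a band, by how many people use the software. The hosts, product names, `VULN-` IDs, `daily_users` field and band thresholds are all assumptions made for illustration.

```python
# Constructed sample inventory (step 1). "daily_users" is an assumed measure
# of how heavily the business relies on that software.
INVENTORY = [
    {"host": "ws-014", "product": "acme-pdf", "version": "9.2.1", "daily_users": 120},
    {"host": "srv-db1", "product": "exampledb", "version": "5.7.30", "daily_users": 300},
    {"host": "kiosk-2", "product": "legacy-ftp", "version": "1.0.4", "daily_users": 2},
    {"host": "ws-022", "product": "acme-pdf", "version": "9.4.0", "daily_users": 120},
]

# Constructed stand-in for a known-vulnerability database (step 2). IDs are
# placeholders, not real advisories; "score" is a 0-10 severity score.
KNOWN_VULNS = [
    {"id": "VULN-0001", "product": "acme-pdf", "fixed_in": "9.3.0", "score": 9.8},
    {"id": "VULN-0002", "product": "exampledb", "fixed_in": "5.7.44", "score": 8.1},
    {"id": "VULN-0003", "product": "legacy-ftp", "fixed_in": "1.2.0", "score": 8.8},
    {"id": "VULN-0004", "product": "exampledb", "fixed_in": "5.7.4", "score": 9.1},
]

# Assumed severity bands, using the CVSS v3 qualitative thresholds.
BANDS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]

def parse_version(text):
    """'5.7.30' -> (5, 7, 30): compare numerically; as strings '5.7.30' < '5.7.4'."""
    return tuple(int(part) for part in text.split("."))

def band(score):
    return next(name for floor, name in BANDS if score >= floor)

def assess(inventory, vulns):
    """Flag every asset running a version older than the one carrying the fix."""
    findings = []
    for asset in inventory:
        for v in vulns:
            if (v["product"] == asset["product"]
                    and parse_version(asset["version"]) < parse_version(v["fixed_in"])):
                findings.append({**asset, "vuln": v["id"], "score": v["score"],
                                 "band": band(v["score"])})
    return findings

def prioritize(findings):
    """Severity band first; inside a band, most-used software first (step 3)."""
    order = [name for _, name in BANDS]
    return sorted(findings, key=lambda f: (order.index(f["band"]), -f["daily_users"]))

if __name__ == "__main__":
    for f in prioritize(assess(INVENTORY, KNOWN_VULNS)):
        print(f'{f["band"]:<8} {f["score"]:>4} {f["host"]:<8} {f["product"]:<11} {f["vuln"]}')
```

In this sample the rarely used `legacy-ftp` finding has a higher score than the `exampledb` one but is listed after it, because both fall in the same band and `exampledb` is used by far more people.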
Patch Weaknesses
Follow the list you just created and begin remediating vulnerabilities in order. Remedies can vary greatly. It could be as simple as downloading and applying patches or updates to software. It might also mean upgrading hardware that is outdated and can’t be updated.
If there is no patch or fix for a vulnerability, you’ll need to determine why and act accordingly. This might include segregating an application or device from your network to minimize its contact and potential impact from a breach.
On top of fixing current issues, this is a good time to review your existing threat protection. Do you have any advanced threat protection in place? Do you have monitoring services? Do you follow a patching schedule?
Document Actions
Now that all threats are remedied, do not just stop and move on. Document everything that was completed. This keeps a record of when the assessment was done, what was vulnerable, and the fixes applied. This is important for the management of your network as well as for compliance or insurance. These logs are also vital in the case of an actual breach, confirming what was remedied and when.
Schedule Your Next Assessment
Just as the logs are needed for looking back, you need to look forward. It’s too easy to perform all your fixes and put it all to bed, but this is not a one-and-done action. Vulnerability assessment is ongoing and should be done regularly.
That schedule is something you can decide for yourself, as each business is different. Some companies make it an annual occurrence, and for some the schedule is determined by compliance regulations. The key here is to determine your schedule and then schedule it. Get it on the calendar so it doesn’t get forgotten or pushed back.
If you need some help getting started with your assessment, get in touch. We can help organize and fortify your network against attacks. We offer managed services, so we can take on the day-to-day monitoring, maintenance, and security scans to make this a turnkey solution for you.