Vulnerability Management Best Practices to Combat Risk in 2021
Vulnerability management has multiple facets and is critical to incident response and remediation. However, many firms fail to guard against even known vulnerabilities, aiming only at the low risk-management bar set by minimum requirements.
By correctly assessing risk and taking action to prioritize protection for prime attack vectors, you can reduce the chances of a serious breach and the accompanying reputational and financial losses.
Identifying Tangible Vulnerabilities
Traditional risk scoring is based on the Common Vulnerability Scoring System (CVSS). This is a tolerable starting point for risk assessment but is not a stand-alone tool for an accurate vulnerability assessment.
CVSS is used to prioritize vulnerabilities and remediation and can provide a framework for identifying critical vulnerabilities, but a risk with a comparatively low CVSS score may be just as critical. For example, anonymous file transfer protocol (FTP) access will generally return a low score but could be a high-level threat, depending on what is on the system.
Asset management is key to appropriate threat assessment and evolution toward newer types of risk scoring. There are many nuances that can help you prioritize more effectively, and many of them have to do with your operating environments, types of data being stored, accessed, and moved around, and what types of attacks are being carried out successfully in the wild.
Security experts define tangible vulnerabilities by examining the underlying functionality of each vulnerability. This includes what the vulnerability allows by way of access or deployment, and which underlying assets are at risk.
Make security part of your design process instead of an afterthought with each new system, app, or tool you add to your firm’s infrastructure. If you think about security every time you add a user, a device, a dataset or a vendor, you’ll be putting risk mitigation in a place of proper importance.
Determining Important Systems and Prioritizing Remediation
Lots of organizations and individuals struggle with how to prioritize protection and remediation when it comes to vulnerability management. The most important thing to understand is what the underlying assets are, where they sit, and the impact on the firm if a breach should take place.
On externally facing systems, always prioritize vulnerabilities that could allow unwanted remote access or harm critical services. Internally, focus on end-user systems, as these are the most likely to be affected.
Systems with browsers that your employees are using create an attractive attack vector for phishing campaigns. They are a critical need, yet vulnerable to remote code execution or remote access. Microsoft products and Windows are among the systems and programs used daily by many firms and are often targeted via phishing to gain unauthorized access.
When starting a vulnerability management initiative, don’t bite off more than you can chew. Start with external vulnerabilities, then move to internal ones. Identify at-risk assets and end-user systems.
From there you can move into credential scans, again starting with the more risk-prone end-user systems, whose browsers and office products are a popular attack vector for phishing attacks and drive-by downloads.
Be realistic: learn how to accurately prioritize assets and understand what resources remediation would require if you are forced to act. A business impact analysis should be run to help identify the areas of highest risk when it comes to data loss or system takeovers.
Evaluate whether your team is capable of hardening, patching, iOS upgrades, and reconfiguration, and implement automation wherever possible to proactively protect your assets and reduce chances of a critical incident.
Methods of Reducing Risk and Remediating without Patching
Zero-day threats can be mitigated proactively if vulnerabilities are identified before an attack happens and remedial action is taken. Leveraging local firewalls is an often overlooked but simple and effective way to protect against zero-day threats.
This is an appropriate line of defense whether or not patches are available. While patching should be a routine part of security, particularly with multiple endpoints, it shouldn't be your sole solution.
In particular, reacting to an incident with mass patching can cause system problems and potentially take down user workstations or entire networks, so that the impact of the patch becomes more damaging than the risk of a breach.
Evaluating the impact of patching should be as important as evaluating the impact of any specific threat. If there is a low risk of penetration and the data accessible through a vulnerability is nonsensitive, it may make more sense to find other ways to close the gap than to arbitrarily patch and run the risk of “blue screening” one or more consoles.
Vulnerability Management in a Post-COVID-19 World
The shift to remote work created more vulnerabilities than ever, with additional access points, devices, and systems added into most firms’ already cluttered infrastructure. Unfortunately, cybersecurity was not treated as essential by many organizations, since it is not a clear revenue driver.
COVID changed the entire threat landscape and drove home the need for vulnerability management in a decentralized environment. SaaS models can provide visibility into the at-home work environment, delivering more mobility and making it possible to monitor and protect at an agent level.
A key step is to centralize the identity provider and authenticate all users and logins across platforms, systems, and applications through the same IdP. This is honestly one of the simplest things you can do to mitigate risk with a remote workforce.
Look at datasets and impact across your organization and beyond. Don’t track only threat impact; track remediation impact from system to system as well. Consider which highest-scoring vulnerabilities also carry the greatest risk of exploitation, and identify the actual risks using threat intelligence to help you defend against the most likely and most impactful threats.
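To make the argument of this section and of the earlier CVSS discussion concrete, here is an added example (not from the original article) that ranks findings by CVSS blended with asset context: external exposure, data sensitivity, in-the-wild exploitation from threat intelligence, and whether the flaw grants remote access. The weights, asset names and findings are constructed assumptions; the low-CVSS anonymous FTP case from the article ends up ahead of a higher-scored issue on an isolated test box.

```python
from dataclasses import dataclass

# Added example (not from the article): weights, asset names and findings
# are constructed assumptions used only to illustrate context-aware ranking.

@dataclass(frozen=True)
class Finding:
    asset: str
    issue: str
    cvss: float               # CVSS base score, 0.0 to 10.0
    external: bool            # reachable from the internet
    data_sensitivity: int     # 1 = public, 2 = internal, 3 = regulated
    exploited_in_wild: bool   # flagged by a threat-intelligence feed
    remote_access: bool       # could grant unwanted remote access / RCE

def priority(f: Finding) -> float:
    """Blend CVSS with asset context into a 0-100 priority (assumed weights)."""
    score = f.cvss * 4                      # CVSS alone is worth at most 40
    score += 20 if f.external else 5        # external exposure outranks internal
    score += 5 * f.data_sensitivity         # what a successful attacker reaches
    score += 20 if f.exploited_in_wild else 0
    score += 10 if f.remote_access else 0
    return min(score, 100.0)

def recommend(f: Finding) -> str:
    """Patch at once, mitigate first, or wait for the regular patch cycle."""
    p = priority(f)
    if p >= 70:
        return "patch now"
    if p >= 45:
        return "mitigate (e.g. host firewall rule), patch in next window"
    return "schedule with regular patch cycle"

def rank(findings):
    # Highest priority first
    return sorted(findings, key=priority, reverse=True)

# Constructed inventory: anonymous FTP scores low on CVSS but sits on an
# internet-facing server holding regulated data, so it outranks the 7.5.
SAMPLE = [
    Finding("ftp-01", "anonymous FTP enabled", 3.7, True, 3, False, False),
    Finding("lab-vm-07", "DoS in test service", 7.5, False, 1, False, False),
    Finding("ws-finance", "browser RCE via phishing", 8.8, False, 2, True, True),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{priority(f):5.1f}  {f.asset:11} {f.issue:26} -> {recommend(f)}")
```

The thresholds in `recommend` encode the article's point that a lower-risk finding may deserve a compensating control such as a host firewall rule rather than an unscheduled patch.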
Finally, don’t view vulnerability management through a lens of compliance alone. Many standards touch on risk mitigation, but requirements are often vague at best and vary widely from framework to framework.
Instead, focus on identifying, assessing, and mitigating risk to reduce financial and reputational impacts in case of a breach. It is far cheaper to invest in a tool to help with vulnerability management than to suffer the breakdown of trust from investors if you suffer a cyberattack resulting in data loss.