3 (Not-So-)Simple Rules of Vulnerability Management

By David Lam, Partner / CISO, CISSP, CPP, Miller Kaplan

You would think in 2021 that keeping your computer systems and applications up-to-date and protected against attacks would be simple—turn on automatic updates for your operating systems and applications and all would be well. In reality, the advancement of technologies that help businesses operate around the globe also brings larger surface areas for attacks, making it highly complex for professionals to manage threats and vulnerabilities. The process of updating your machines to protect against flaws, whether automatic or otherwise, is called software vulnerability management, and to protect themselves, organizations must implement holistic strategies and leverage tools that comply with commercially reasonable standards to reduce threats.

One of the most critical things that you should do to protect your systems is to run authenticated vulnerability scans to see what is happening under the hood and know, as best as you can, whether or not your software is up-to-date and protected from an attack. It answers the deceptively simple question—what is the state of my vulnerability management system?

Without these scans, there’s just too much going on with every single system to be certain that everything was applied properly. I constantly see systems not patched (properly), not updated (properly), and open to attack.

The problem is exacerbated for small and medium businesses because those organizations often do not have the means to install a full-fledged enterprise-level vulnerability management tool. All is not lost, however, because by finding the right vendor partner, even small and medium businesses can have the appropriate coverage from a vulnerability scanner.

Some rules to live by, which I like to call the Lam Laws of Vulnerability Management:

  1. No Scan = Not Patched: If you or your IT vendor are not running authenticated vulnerability scans from a reputable vendor, then your systems are not fully patched.
  2. Emergency Preparedness: If you aren’t ready to patch your systems in an emergency and/or you don’t have an incident response team with an appropriate plan, you are at significant risk from a zero-day vulnerability (a vulnerability for which there is no available patch or a patch has just come out).
  3. Trust the SMEs: If you don’t have information security and forensics subject matter experts (SMEs) readily available, you are at significant risk of not being able to adequately respond to a vulnerability or a breach.

It is up to the governing body in your organization to require that an authenticated vulnerability scan runs as part of your patch management program. An authenticated vulnerability scan reports threats exposed by authenticated users of the system. If your IT department or vendor is not running one of the major players in this space, then you should require it. It’s like a doctor assuming that a patient is healthy without conducting any diagnostic or blood tests—it’s best to do the blood work and know what’s actually going on inside.

More and more, we see systems that need patching on an emergency basis. The recent Microsoft “PrintNightmare” scenario is one such situation. Even though the security researchers properly notified Microsoft of the vulnerability so that Microsoft could prepare a patch to fix the issue, a miscommunication between the researchers led to the vulnerability being released in advance of a patch being available—a true information security nightmare. As a result, we saw companies racing to apply patches, many of them manually, as opposed to already having an automated solution in place. The time to react to this type of incident is not at the time of the incident; rather, it requires careful preparation and practice of how to apply patches—preferably with one of the many tools available for automatically deploying software and updates. The more automation that’s leveraged when needing to react quickly, the better.

Finally, in the event of detecting a vulnerability, the team needs to be ready to respond to that incident. Establishing an incident response team does not need to be complicated; however, it needs to be done in advance, with an accompanying plan, and practiced in advance. Companies need to make sure that they have subject matter experts on retainer or available through their insurance to react quickly. As the proliferation of attacks increases, and even as your experience in dealing with vulnerability management gets better, it’s more and more likely that eventually you will need to deal with some sort of breach, and expert preparation is key.
