Vulnerability management is a foundation for any mature cybersecurity program, which is why it is required by so many common security frameworks (CSFs), including ISO 27001 and SOC 2. According to ISO 27001, a vulnerability is defined as “a weakness of an asset or control that could potentially be exploited by one or more threats.” A threat is defined as “potential cause of an unwanted incident, which may result in harm to a system or organization.” Therefore, a sophisticated vulnerability management system must also consider how to manage threats.
When you think of vulnerabilities, you probably think of Common Vulnerabilities and Exposures (CVEs), which are a catalog of publicly disclosed cybersecurity vulnerabilities. A record-breaking number of vulnerabilities is disclosed each year, which is directly correlated with a constant increase in data breaches. It can be challenging to patch vulnerabilities before they are exploited in an attack.
It takes an organization an average of 205 days to fix critical cybersecurity vulnerabilities – that’s more than six months. Yet malicious actors begin to exploit these vulnerabilities merely days after they are disclosed. That means that many organizations are at risk as they struggle with patch management.
The most fundamental aspect of vulnerability management is to catalog corporate assets (e.g., software manifests and device inventories). Automated solutions can help provide continuous visibility into these assets and third-party audits can help reveal any blind spots. You can’t protect what you don’t know exists.
Obtaining this information enables organizations to make informed decisions about potentially vulnerable systems. For example, an organization may be able to isolate or harden a vulnerable device with additional security controls until it is patched.
That it takes more than six months to fix critical cybersecurity vulnerabilities is partly because patch management is such a rigorous process, including validation of the software, country of origin analysis, malware scanning and testing to ensure nothing breaks in production. These challenges become even more complex on industrial control systems, which are typically isolated from IT networks.
Vulnerability management begins with patch management, but it cannot end there. Ultimately, the gap between zero days appearing and being patched suggests that effective vulnerability management requires a more proactive approach in parallel.
Beyond Patch Management
When we expand our understanding of risk beyond vulnerabilities, we must likewise expand our approach beyond patch management to include other threats. Insecure communication and misconfigurations are two of the most common sources of threats beyond vulnerabilities. Both are easily exploited by malicious actors, so proactively discovering and remediating them (or mitigating them when remediation is not possible) will go a long way toward reducing your attack surface, which is the goal of vulnerability management.
Examples of insecure communication include using telnet instead of HTTPS, unencrypted traffic, invalid certificates and plain text credentials, just to name a few. Part of the challenge is that web servers, applications and other infrastructure rely on machine-to-machine connections that are more difficult to authenticate and authorize without breaking how they work. What makes this really dangerous is that many of these service accounts use the default username and password, making them susceptible to brute force attacks.
There are far too many examples of misconfigurations to cover them all here, but the most pertinent are related to Active Directory and firewalls. Active Directory misconfigurations can result in users with privileges and permissions that are unintended and unknown, and almost certainly not being managed properly. Firewall misconfigurations can result in network segmentation errors, such as an inability to limit or contain traffic, devices and groups.
The first step to resolving issues with insecure communication and misconfigurations is to be aware that they exist. Again, an automated solution to continuously monitor network traffic for threats can go a long way and a third-party audit can help identify outstanding issues. This is why proactive threat hunting is so important to discover vulnerabilities beyond CVEs and patch management.
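As an added example (not part of the original article), the following Python audits connection records for the insecure-communication cases listed above: telnet and other unencrypted traffic, plain text credentials and invalid certificates. The record fields, the port table and the sample data are assumptions constructed for illustration, not the output format of any particular sensor.

```python
from datetime import datetime, timezone

# Assumption: cleartext services are identified by their default ports.
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http", 110: "pop3", 143: "imap"}

# Constructed sample records. "tls" is None when no encryption was observed.
SAMPLE_FLOWS = [
    {"src": "10.0.1.5", "dst": "10.0.2.9", "port": 23, "tls": None, "auth_header": None},
    {"src": "10.0.1.7", "dst": "10.0.2.20", "port": 80, "tls": None,
     "auth_header": "Basic ZXhhbXBsZTpleGFtcGxl"},
    {"src": "10.0.1.8", "dst": "10.0.2.30", "port": 443, "auth_header": None,
     "tls": {"not_after": "2021-03-01T00:00:00+00:00", "hostname_match": True,
             "self_signed": False}},
    {"src": "10.0.1.9", "dst": "10.0.2.31", "port": 443, "auth_header": None,
     "tls": {"not_after": "2099-01-01T00:00:00+00:00", "hostname_match": True,
             "self_signed": False}},
]

def audit_flow(flow, now=None):
    """Return the list of findings for one connection record."""
    now = now or datetime.now(timezone.utc)
    findings = []
    tls = flow.get("tls")
    if tls is None:
        proto = CLEARTEXT_PORTS.get(flow["port"], "unknown")
        findings.append(f"unencrypted traffic ({proto})")
        # HTTP Basic over cleartext exposes credentials: base64 is not encryption.
        if (flow.get("auth_header") or "").lower().startswith("basic "):
            findings.append("plain text credentials")
    else:
        if datetime.fromisoformat(tls["not_after"]) < now:
            findings.append("invalid certificate (expired)")
        if not tls["hostname_match"]:
            findings.append("invalid certificate (hostname mismatch)")
        if tls["self_signed"]:
            findings.append("invalid certificate (self-signed)")
    return findings

def audit(flows, now=None):
    """Map 'src->dst:port' to its findings, omitting clean connections."""
    report = {}
    for f in flows:
        findings = audit_flow(f, now)
        if findings:
            report[f"{f['src']}->{f['dst']}:{f['port']}"] = findings
    return report

if __name__ == "__main__":
    for conn, findings in audit(SAMPLE_FLOWS).items():
        print(conn, "; ".join(findings))
```
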
The State Department Emphasizes Proactive Threat Hunting
In July 2022, the State Department Bureau of Intelligence and Research (INR) published its cybersecurity strategy, which emphasizes proactive threat hunting. According to Brett Holmgren, Assistant Secretary of State, “This is a comprehensive approach to shifting from a reactive cybersecurity posture to a proactive one where we’re constantly hunting for potential threats in our environment rather than just waiting for alerts to fire and then we’re investigating.”
Likewise, vulnerability management is not just about patching vulnerabilities. Organizations should adopt a proactive approach to threat hunting for common misconfigurations that can be easily exploited during an attack. Continuous and automated visibility can help enable a proactive approach to threat hunting, as can partnering with a third-party service provider to audit your systems.