For me, the challenge isn’t always remediation. In fact, technical vulnerabilities are almost always ‘fixed’ in one of two ways: change a configuration or apply a software update in the form of a security patch. CISOs face two fundamental challenges, which are applicable to both scenarios:
1) Visibility. It’s one thing applying a security update to an appliance or piece of software, but companies don’t always know where all their assets exist. In a world where users are spending as much time ‘off network’ as on the LAN, do companies even know where their vulnerabilities are?
2) Cyber inertia. The concept of cyber inertia is somewhat more holistic than just patch and config management. The truth is that companies are not keen on making configuration changes as they are unsure what will break. Take WannaCry; everyone knew they needed SMB v1 turned off, but I know many organisations that were unsure what this would break, if anything. Vulnerabilities cannot be remediated if we don’t understand the known good configuration with which we are operating.
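The SMBv1 dilemma above has a practical answer: measure who still depends on the protocol before switching it off, so the configuration change is made against a known baseline rather than a guess. The following PowerShell session is an added example, not part of the original article; it assumes a Windows Server 2016 / Windows 10 (or later) file server where the built-in SMB cmdlets are available and the session is elevated. The 30-day observation window is an assumed value.

```powershell
# Added example (not from the original article): establish whether SMBv1 is
# still in use before disabling it, so the change is made with knowledge of
# what depends on it. Assumes an elevated session on Windows Server 2016 /
# Windows 10 or later, where the SmbShare module cmdlets exist.

# 1. Current state of the SMB server: is SMBv1 enabled, and is SMB1 access auditing on?
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol, AuditSmb1Access

# 2. Turn on SMBv1 access auditing. Nothing is disabled yet; the server simply
#    records each client that negotiates SMB1 in the
#    Microsoft-Windows-SMBServer/Audit log (event ID 3000).
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 3. Live view: sessions currently negotiated at an SMB1 dialect (1.x) and the
#    clients and accounts behind them. Dialect is a version string, so cast it
#    before comparing.
Get-SmbSession |
    Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ClientComputerName, ClientUserName, Dialect

# 4. After a representative observation window (assumed here: 30 days), pull the
#    audit events. The event message names the client address; grouping on the
#    message text gives a per-client count of SMB1 use over the window.
$since = (Get-Date).AddDays(-30)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    Id        = 3000
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Group-Object -Property Message |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# 5. Only once the list above is empty, or every remaining client has been
#    upgraded, remove the protocol. Left commented out on purpose: this is the
#    step the audit data is meant to justify.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
# Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol   # client SKUs
# Remove-WindowsFeature FS-SMB1                                      # server SKUs
```

The point of the ordering is that steps 1 to 4 are read-only or additive: auditing can run for weeks with no operational effect, and the resulting client list is the "known good configuration" the text asks for. Anything that shows up is either upgraded or consciously accepted before step 5 is run.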
Vulnerability management requires companies to follow a four-step process:
Step 1: understand the assets
This sounds obvious, but it is often overlooked. It’s also not easy. The proliferation of device types in most enterprises means that the number of assets grows exponentially, along with many more users of these devices and more types of data traveling through them.
Step 2: profile organisational threat actors and their tools, techniques and procedures
Once we understand what we’re looking to protect, we need to better understand who is looking to obtain access to our assets and the capabilities they possess. Here again, context is important. Many CISOs I know say that they cannot afford to protect themselves from ‘nation-states’. But the fact is that many cybercriminals use tools formerly thought of as the exclusive domain of nation-state actors, such as encrypted communications and polymorphic malware. If many bad actors are using these tools, then organisations can’t ignore them.
Step 3: identify your vulnerabilities
Vulnerabilities are weaknesses across people, processes or technology. Why do we identify vulnerabilities after we profile threats and classify assets? Because we live in a world where absolute security simply isn’t possible. Automated tools can only do so much in terms of unearthing the weak points, like finding technical vulnerabilities in a software stack. But they can’t tell if your users need training, so that threats don’t get past them.
Pragmatism and prioritisation are two key tenets of good vulnerability management. We need to look at which systems house data we are concerned about and in what volume. A few key questions to ask about these systems are:
- Are the systems externally accessible?
- Are the applications servicing the data running their most up-to-date versions?
- Where and how are login details being stored?
- Is sensitive information encrypted when it is sent?
Step 4: apply controls and safeguards
Vulnerabilities will always crop up. However, controls and safeguards can lessen the impact or likelihood of a risk occurring. Controls do not have to be absolute. It’s unusual for a control to remove a risk entirely – we’re looking to lessen the risk to a palatable level. Who sets this bar? Again, it’s the business!