Find Your Own Vulnerabilities - Before Attackers Do
Networks today are continually evolving landscapes where systems, applications, and the other “things” of IoT can be connected in an instant. While each of these can help an organization realize any number of its business goals, each can include vulnerabilities that provide attackers with a pathway in which to gain access to a company’s systems and data. Often, to help find these vulnerabilities and understand the potential associated impact, organizations can engage outside parties to perform costly vulnerability assessments and penetration tests. While bringing in outside parties to perform these types of security testing does have its place, such as in supporting compliance efforts or obtaining an outside measurement of an organization’s overall security posture, often businesses do not put enough effort into finding and remediating their own vulnerabilities across authorized and unauthorized systems within their own environment.
Attackers Will Eventually Get On Your Network– Limit and Detect Them!
If one of your team members was to fall for a phishing attack and provide an external attacker with access to the internal network, how easily would the attacker be able to find other vulnerabilities to spread their control throughout the environment?
"To help find these vulnerabilities and understand the potential associated impact, organizations can engage outside parties to perform costly vulnerability assessments and penetration tests"
Whether a malicious attacker from the outside or a well-intentioned internal employee circumventing security controls, there is someone on your network at this moment doing something they shouldn’t which presents a real threat to the organization. Vulnerabilities can be exploited in order to gain initial access to the environment and then to spread control to other aspects of the enterprise. By proactively finding and addressing vulnerabilities before an attacker can find and exploit those, organizations limit the ability of hackers to gain access to other systems. At the same time, delaying an attacker’s success provides security teams with the time needed to detect the attackers, remove them from the network before any further damage can be done and prevent the same issue from re-occurring in the future.
Master the Basics of Vulnerability Management – Proactively Perform a Self-Assessment
Even if an organization only performs one task in addressing cyber security risk, it should be to put into practice. The basics of vulnerability managementwhich are outlined in the National Institute of Standards and Technology’s SP 800-40 document – Creating a Patch and Vulnerability Management Program.
Start by using an automated vulnerability scanner to perform a vulnerability scan across your known networks, both external and internal. If you haven’t performed vulnerability scan before, conduct a scan without administrative credentials to see exactly what an attacker would– whether they were scanning your external-facing network from the Internet or had gained a foothold on the internal network.
A number of automated vulnerability scanners exist to choose from, including open source, free to use solutions such as OpenVAS and paid versions with more sustainable, enterprise-class solutions from companies such as Tenable, Rapid7, and Qualys.
The challenging part of vulnerability management is remediating any discovered vulnerabilities with limited resources. While a scanner can detect vulnerabilities, it’s our team members that have to invest their time and effort in fixing discovered issues. Understanding that the time of our team members is limited, we cannot simply fix everything at one time. To help channel our efforts, organizations should focus on addressing those vulnerabilities that present the highest amount of risk (represented by a vulnerability’s CVSS score) to the organization first, followed by fixing those issues which present the next highest level of risk and so on. While a base CVSS score might not be perfect for your organization’s particular environment, it’s a great place to start and can be very effective in helping companies prioritize their remediation efforts.
Remediation requires communication between the system owners and those performing vulnerability scans in order to remediate any discovered issues which should be fixed. In certain situations, discovered vulnerabilities might not be fixed at all or resolution could be delayed. If the cost associated with fixing vulnerability outweighs the perceived risk associated with the vulnerability, the business can decide not to fix the issue. In this case, the known risk and the decision not to address it should be documented for future reference.
Once remediation work is completed, any fixed vulnerabilities should be re-tested to ensure it was indeed addressed. Unfortunately, not all remediation work is successful the first time and, if not checked, could still present risk to the environment.
Performing vulnerability management can help organizations greatly strengthen their overall cyber security posture by limiting the options hackers have for attacking an organization, while also providing security teams the time needed to detect and defend against such attackers. Make sure to take the time to find your own vulnerabilities and address those that present risk to your organization – before an attacker does.