Why Fixing One Flaw at a Time is Flawed


If Security Professionals Want to Effectively Identify and Manage Vulnerabilities They Must Take a Holistic View, Commit to a Three-Year Program, and Act on Expert Advice, Says Towerwall Founder Michelle Drolet.

Ensuring that your company is secure in the digital age is no easy task. Doing business online today typically involves a complex network of interconnected public, private and hybrid cloud systems. Employees and customers connect to your networks and databases from all over the world via a wide range of devices, including smartphones, tablets, laptops, and traditional desktops. Increasingly they engage through mobile apps, built with aesthetics and usability in mind rather than security.

Your organization’s security is only ever as strong as its weakest link. The only way to gain accurate insight into potential vulnerabilities is to take a big-picture view. Comprehensive vulnerability assessment also requires a commitment to remediating and mitigating any vulnerabilities that are identified. A “tick box” approach to compliance can mask a multitude of security gaps that cybercriminals will be only too ready to exploit.

Taking the Right Steps

An annual penetration test and regular external scans are no guarantee that you’re safe from breaches. You need to consider a complete program of vulnerability management. Combine external vulnerability scanning with application scanning and penetration testing. Mobile apps are a soft target and represent a serious risk today. A Cenzic report found an average of 14 vulnerabilities in 96% of all the apps tested in 2013.

Any system that is exposed to the internet should be continuously monitored; otherwise it could be weeks or even months before you discover a network intrusion. Internal vulnerability scans must not be neglected either. Where vulnerabilities are uncovered, dig deeper, and prioritize remediation according to business risk.

It’s also important to gain a full understanding of the assets under your control. This can have other benefits, enabling you to unlock the business value in under-employed hardware, or take full advantage of a system that you’ve already paid for. It might also be prudent to improve training, or allow under-used licenses to lapse.

Call in the Experts

You also need the expertise that only experienced engineers can offer in order to verify the usefulness and depth of your testing, and to correctly interpret the results and create a workable remediation roadmap.

Buying an expensive software package for vulnerability scanning and then expecting your existing IT department to administer it and extract maximum value is optimistic at best.

An outside perspective with no vested interest is vital. As far as possible you need security consultants to view and attack your network the way a determined hacker might from inside and out. There is no substitute for years of specialist knowledge and the right mindset.

Get Proactive

Compliance may be what compels vulnerability assessments for many companies, and there is always a cost-benefit analysis to be done, but too many organizations are commissioning the reports and then failing to act on remediation advice.

Recent research from WhiteHat Security found that the average time it takes for a serious vulnerability to be resolved from first notification is a staggering 193 days. We’re talking about more than six months to fix serious vulnerabilities. These are defined as those “in which an attacker could take control over all, or some part, of the website, compromise user accounts on the system, access sensitive data, violate compliance requirements, and possibly make headline news.”

If you don’t take steps to mitigate the risks identified then your vulnerability management is failing. If the reports are throwing up the same vulnerabilities three quarters in a row, then you need to take more decisive action. You should commit to a three-year program that will identify issues, give you a chance to act on them, and then retest your systems to ensure the necessary steps have been taken.
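As an added illustration (not from the article or Towerwall), a small Python script that applies the two tests above to a constructed history of quarterly scan results: it flags findings reported in three consecutive quarters, and ranks the open backlog by business risk while marking anything open longer than the 193-day figure quoted earlier. Asset names, finding labels, scores and dates are all made up.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not real scan output): one row per finding per quarterly scan.
# Row: (quarter, asset, finding, severity 1-5, asset business criticality 1-5, first_seen)
QUARTERS = ["2013Q1", "2013Q2", "2013Q3", "2013Q4"]
SCANS = [
    ("2013Q1", "web-portal", "TLS-weak-cipher", 3, 5, date(2013, 1, 15)),
    ("2013Q2", "web-portal", "TLS-weak-cipher", 3, 5, date(2013, 1, 15)),
    ("2013Q3", "web-portal", "TLS-weak-cipher", 3, 5, date(2013, 1, 15)),
    ("2013Q1", "hr-db",      "default-creds",   5, 4, date(2013, 1, 20)),
    ("2013Q2", "hr-db",      "default-creds",   5, 4, date(2013, 1, 20)),
    ("2013Q4", "hr-db",      "default-creds",   5, 4, date(2013, 10, 5)),  # fixed in Q3, regressed
    ("2013Q3", "mobile-api", "sqli-login",      5, 5, date(2013, 7, 2)),
    ("2013Q4", "mobile-api", "sqli-login",      5, 5, date(2013, 7, 2)),
    ("2013Q4", "test-box",   "outdated-ssh",    2, 1, date(2013, 10, 1)),
]
AS_OF = date(2014, 1, 31)  # date the backlog report is produced (constructed)

def consecutive_run(quarters_seen, order):
    """Longest run of consecutive quarters (in `order`) in which a finding was reported."""
    best = run = 0
    for q in order:
        run = run + 1 if q in quarters_seen else 0
        best = max(best, run)
    return best

def recurring_findings(scans, order, min_quarters=3):
    """Findings reported in `min_quarters` consecutive scans: the article's signal that
    remediation is failing and more decisive action is needed."""
    seen = defaultdict(set)
    for q, asset, finding, *_ in scans:
        seen[(asset, finding)].add(q)
    return sorted(k for k, qs in seen.items() if consecutive_run(qs, order) >= min_quarters)

def remediation_backlog(scans, order, as_of, sla_days=193):
    """Open findings from the latest scan, ranked by business risk (severity x criticality),
    ties broken by age; `past_sla` marks findings open longer than the 193-day average."""
    latest = order[-1]
    rows = {}
    for q, asset, finding, sev, crit, first_seen in scans:
        if q == latest:
            age = (as_of - first_seen).days
            rows[(asset, finding)] = {"risk": sev * crit, "days_open": age, "past_sla": age > sla_days}
    return sorted(rows.items(), key=lambda kv: (-kv[1]["risk"], -kv[1]["days_open"]))

if __name__ == "__main__":
    print("Recurring for 3+ quarters:", recurring_findings(SCANS, QUARTERS))
    for key, row in remediation_backlog(SCANS, QUARTERS, AS_OF):
        print(key, row)
```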

Don’t Delay

Changing your network security policy, installing patches, reconfiguring software, updating systems, or even just educating your staff and customers are all elements that require action. Get them signed off and empower the right people to enact them, and remember to test again so you can verify that vulnerabilities have been neutralized.

You only have to look at the rate of growth in the National Vulnerability Database to see the abundance of new vulnerabilities being identified every week. Vulnerability management should not be an annual snapshot of your security health; it should be an ongoing process that examines every facet of your organization. A holistic approach is the only effective way to manage vulnerabilities.

About the Author

Michelle Drolet is founder of Towerwall, a data security services provider in Framingham, MA with clients such as PerkinElmer, Smith & Wesson, Middlesex Savings Bank, Brown University and SMBs. You may reach her at michelled@towerwall.com.
