Every network is vulnerable to attack, but not every network is vulnerable in the same way. Your unique IT security risk profile depends on several things:
- the systems you’ve deployed: hardware, software, networking, etc.
- your processes, such as how often you patch your systems
- the applications you use to protect your systems from attack, e.g., WAFs and next-gen firewalls
- your organizational culture, e.g., how security conscious your employees are and how good they are at following the security protocols you set
- your industry - some types of businesses are just more vulnerable than others
The major components of a vulnerability management strategy
Vulnerability management is a core responsibility of the IT manager, and especially of the CISO or Chief Security Officer. In this post, I’ll cover four core components of an effective vulnerability management strategy and share a few best practices.
Read our recent Forbes Tech Council article: Conquering Fear Is Essential For IT Security
#1 Regular Vulnerability Scans
A vulnerability scan is performed using a specialized software application that inventories all of the systems on your network and looks for vulnerabilities that can be exploited by hackers.
It’s essential to run these scans periodically as known threats change rapidly. Advanced vulnerability threat scanning applications incorporate threat feed analysis from major OS developers, regulatory agencies, and other sources, sometimes updating scanning algorithms as frequently as twice a day.
That’s not to say you need to scan your systems twice a day. It’d probably take too long anyway. However, some key industry regulations require scans be run at specified intervals. For example, PCI DSS requires a vulnerability scan to be run every 90 days. As a best practice, we run scans against our clients’ systems every 30 days unless the announcement of a critical vulnerability triggers an ad hoc scan of either a specific component or the entire network.
Remember, hackers watch those vulnerabilities closely. They know that only a small portion of businesses pay attention to them. A vulnerability announcement tells them exactly what they should try to exploit.
Scans for a single machine can take an hour and are usually performed in response to a known exploit. We usually run scans for our entire infrastructure over a long weekend. The scan doesn’t affect network performance, but if we start on Friday evening, the scan is usually complete by Sunday morning or Sunday afternoon at the latest. This lets us generate reports first thing Monday morning and get them out to the groups that are in charge of those systems.
#2 Penetration Testing
It’s important to understand that doing a vulnerability scan does nothing to protect your systems. It simply tells you where your vulnerabilities are. The vulnerability scans we do against our clients’ systems give us a baseline for how well they are secured against known threats.
We then take the results of the scan and highlight all the critical flaws, i.e., those that are easily exploited by hackers, including those that aren’t highly skilled. There’s a good reason for this. By the time a critical flaw shows up, there’s probably a threat analysis posted on the dark web, with step-by-step instructions showing non-skilled hackers how they can exploit a known vulnerability to gain access to their targeted victim’s systems.
After we run a routine vulnerability scan, we pick the top ten vulnerable components and run what’s known as a penetration test. That is, using available tools, we try to exploit our infrastructure to see how vulnerable we are to critical threats.
If we were going to try to run these exploits against every system manually, we would need 100 employees just for a company the size of TierPoint. By helping us identify which components are most open to being hacked, vulnerability scans allow us to focus our efforts when dealing with a large infrastructure like TierPoint’s.
Penetration tests are non-destructive tests that validate what the vulnerability scans are telling us. A penetration test goes all the way into the infrastructure to the point where it could run the exploit, but it doesn’t. In essence, it simply provides direction that says, for example, these ports are open, this is a known vulnerability for these ports, and these are the tools that hackers might use to exploit these open ports.
While this seems simple, this direction is incredibly helpful. There are over 65,000 ports that could be opened or closed. Some applications require specific ports to be open, so keeping them all shut isn’t a viable option. When you install a piece of software, you may not even know it’s opening a specific port. A vulnerability scan at least tells me where to focus my efforts, and penetration testing tells me how much effort to put into closing a vulnerability.
And that’s what we need to do next...fix the vulnerabilities identified by the vulnerability scan and prioritized by the penetration testing. The first actionable step is patch management.
#3 Patch Management
Hardware. Operating systems. Applications. All of these components need periodic patching regardless of which vendor created them. For most components, we maintain a 30-day rolling patching window, meaning we don’t patch everything at once, but we do apply patches at least every 30 days. A vulnerability scan and follow-up penetration test can help you identify patches that need to be applied immediately.
Traditionally, many IT leaders have been somewhat wary of applying patches as soon as they are released because their neck is on the line if an application becomes unusable. Vendors can’t possibly test their patches against every commercial application before they release them. It wouldn’t even be worth attempting as the same application can have different vulnerabilities based on how it is configured. So, these IT leaders wait, hoping someone else will uncover any issues before they apply the patch.
That leads to the problem we talked about earlier. When a manufacturer releases a patch, they usually give pretty explicit details on the vulnerabilities being addressed. IT leaders can use this information to assess any potential issues before applying the patch. Hackers will use this information to identify which vulnerabilities to exploit.
#4 Vulnerability Remediation
This cornerstone can cover any number of actions. For example, reconfiguring network components to eliminate a vulnerability is one of the simplest actions to take.
But what if your production environment needs to be configured a certain way for an application to run? If this is a mission-critical application, you might not be able to fix a vulnerability, but you can still lessen the threat by creating a perimeter of security around your network using a variety of threat detection and remediation tools. This would include tools such as WAFs, next-gen firewalls, and log management tools. It would also include best practices in areas such as password management, especially of edge devices, and credentials management.
Manage vulnerability management yourself or get help?
Each of the four cornerstones of vulnerability management can be executed well with the right tools. The good news is that the average security professional should be able to run these tools. They aren’t all that difficult to use. The harder part is analyzing the results and using the data to prioritize your efforts.
That leads us to the bad news. The majority of organizations apparently haven’t even mastered the basics of vulnerability management. For example, on February 11, 2020, Microsoft released security updates to address a Microsoft Exchange Server vulnerability. In early March, the Department of Homeland Security even issued an alert about the vulnerability and encouraged organizations to go back and review Microsoft’s recommendations.
Apparently, their warning went unheeded. On March 24, Rapid7 ran a scan of public-facing Exchange Outlook Web App (OWA) services and found that at least 82.5% were still unpatched.
If you don’t know where your network vulnerabilities are and which ones are most critical, it’s difficult to focus your vulnerability remediation efforts where they can do the most good. I’ve seen companies spend millions on the latest IT security solutions over the years, thinking if they just applied enough ‘name brands’ to the problem, they’re bound to fill all the gaps in their security perimeter.
Maybe, but it’s an expensive approach with few guarantees.
We can help you identify your IT security vulnerabilities
As a managed security provider, we help businesses address their biggest cloud and security concerns with our secure, reliable, connected IT infrastructure solutions and a nationwide network of 40+ data centers. Contact us today for more information on how we can help you get a good night’s sleep by securing your systems and data.