In its 2018 “Global Risks Report,” the World Economic Forum – a prominent international policy think-tank – ranked cyber threats just below extreme weather events and natural disasters.
Cyber risks "...are so structural and interconnected that they threaten the very system on which societies, economies and international relations are based,” noted Alison Martin, Group Chief Risk Officer, Zurich Insurance Group. “Effective risk management requires us to take the interdependencies between risks into account and demands a truly holistic risk management approach with an awareness of our cognitive biases," she continued.
To help you get started on tackling the complexities of lowering cyber risk – here are five initial steps you should be taking in the area of vulnerability management:
The Five Steps
STEP #1: Focus on Coverage
Conduct an in-depth review of what areas exactly your scans are covering, with the aim of finding scanning gaps. Make sure you have a clear understanding of what percentage of your infrastructure is actually scanned. It’s often assumed that scanning is universal, covering every single asset on and off-premise. This is far from the case. Networks are highly-complex and highly-dynamic. The reality is that many new servers or instances, and even cloud accounts, get passed over.
Don’t forget that vulnerabilities are patched in production, but are often not updated in the deployment template thus creating the vulnerability for new servers.
STEP #2: Scan Continuously
There’s no question that continuous vulnerability scanning puts a strain on resources and systems – although this can be mitigated with the right tech. There’s also no question as to the absolute necessity of continuously scanning for existing and new vulnerabilities. Continuous vulnerability assessment enables organizations to not only understand which areas of their ever-changing environments may be exposing them to risk, but also the extremity of the risk and the priority of remediation. To lower the burden on infrastructure and staff, without compromising on vulnerability scanning frequency or efficacy, try scanning in the shortest time frames possible. Also, be sure to trigger the scan after either changes are made or a patch has been applied, ensuring the expected security posture.
STEP #3: Update Your Inventory
Maintaining constantly-updated assets, hardware, and software inventory including a list of all software installed on the various computers, devices, and servers in your network – is one of the most challenging technological problems we face. Making the extra effort to keep this data handy and updated is an excellent starting point for risk mitigation. For example, an updated inventory can be checked regularly against related vulnerabilities in the CVE (Common Vulnerabilities and Exposure) database, which is publicly available and maintained by the MITRE Corporation. Make sure you’re signed up to your vendor feed for new product patches and updates.
STEP #4: Identify Critical Assets
A network ecosystem is comprised of assets that vary in real-world importance. In order to effectively manage and mitigate the risks associated with vulnerabilities, it is crucial to differentiate critical assets – those that impact your core business integrity, customer confidentiality, brand availability or support mission-critical functions such as intellectual property (patents and copyrights), and financial data. References to critical assets should include customer facing systems, network backbone, and credential stores.. Identify these critical assets with risk assessments, service or hardware inventory, and network traffic monitoring.
STEP #5: Beyond Patch Management
Patch management is an important part of any vulnerability risk regime. However, it is not the holy grail. The problem is that patch management alone cannot provide broad-spectrum coverage of reported vulnerabilities. Two good reasons? Not all vulnerabilities even have fixes, and even those that do have fixes may not actually need to be immediately remediated. The key problem with relying on patch management alone is that remediation needs to be prioritized based on infrastructure, resources, and most importantly, business impact considerations. For example, it’s crucial to remediate exposures like configuration changes to the WAF, FW, and areas that are hard to patch – but possibly less so for less-used assets.
The Bottom Line
Reducing cyber risk is on the mind of practically every security and business stakeholder in every organization. The first steps to impacting these very real risks need to be on the road of understanding – ensuring optimal scan coverage, continuously assessing vulnerabilities in highly-dynamic environments, maintaining a constantly-updated hardware and software inventory, understanding which assets are most critical, and looking beyond traditional approaches like patch management. Remember: just because Microsoft make industry news on Patch Tuesday doesn’t mean that weekly patching should be high on your priority list.
As CSO Online expert Kacy Zurkus has noted that “security practitioners…become fluent in the language of business so that they can convey the actual risks in a way that enables them to build a better security posture".