A Perspective on Vulnerability Management

Gary Sprague , Director, Information Security, Compliance & Privacy Officer, Rent-A-Center


Vulnerability management has been around for a while; it is not new, and everyone should have a mature process in place. A few years ago the number of vulnerabilities doubled in a single year, which may have been related to the growth of software, hardware, firmware, and ecommerce, including IoT technology, computers in vehicles, and automation. This may have changed the way vulnerabilities are looked at, because with so many it may no longer be possible to fully review each and every one of them.

Let’s start on the same page: A vulnerability is a weakness in hardware, software, personnel or process. The process of uncovering, reporting, and fixing vulnerabilities is called vulnerability management. A vulnerability that does not yet have a fix is called a zero-day vulnerability. A threat is any type of danger that can damage or steal data or, in general, create a disruption or cause harm. A risk combines the threat probability and the impact of a vulnerability. Risk is the probability of a threat actor successfully exploiting a vulnerability, which is defined by the following formula:

Risk = Threat Probability * Vulnerability Impact

Vulnerabilities can be physical, such as a publicly exposed networking device; software-based, such as a buffer overflow in a browser; human, such as an employee falling for a social engineering or phishing attack; or process-related, such as a patching process that has become complex because employees connect from many places. With the shift to remote work, our applications are being run on many operating systems and devices that may or may not be protected. With devices off network, on network, in the office and on unknown networks, visibility is difficult. It is a challenge for sure and hard to manage without consistently reliable asset information.

Third-party and fourth-party suppliers have vulnerabilities too. Understanding how they handle vulnerability management is key before you let them handle your data or gain access to your network, so the cyber security function must be engaged as part of third-party onboarding. Cyber security needs to provide procurement and legal with the requirements that must be in the contract: where your company’s data is, how it will be protected, what type of data it is, and whether it will be shared with your supplier’s own third (fourth) parties. There is much more, but the key is to understand what they are doing with your company’s sensitive data and how they are protecting it.

As a business direction, companies will add new technology like machine learning and Artificial Intelligence and move to the cloud. These too have vulnerabilities and improper configurations, and they introduce new risks. Make sure that your vulnerability management adapts to include the new technology, has a full inventory of the Artificial Intelligence and machine learning projects, and that security has a seat at the table.

Bad actors are regularly after your data, but first they need to get into your systems, onto your networks, compromise credentials, and reach your data to steal or corrupt it. The challenge is making sure that the assets important to your company are always protected, while the cyber criminals only have to be right once by finding a vulnerability and gaining access.

Security compromises continue to increase, showing that many organizations are still unprepared for an attack. This year has required additional attention to vulnerability management, as companies’ attack surfaces are typically broader with the jump in remote workers, unknown environments, and the multitude of devices used for remote access. You need to work towards establishing an effective vulnerability management program to manage the increasing number of vulnerabilities in today’s threat landscape.

Organizations struggle to identify and prioritize vulnerabilities for remediation. It is common to see patches as the only solution, when there are several ways to tackle the problem. I suggest that you review the vulnerabilities, see whether they affect your environment, and then assign the urgencies; make time to remediate vulnerabilities; and then work to improve your vulnerability management process so it becomes more effective and your company better prepared.

If your company is like most, you are always under attack, with most attacks not getting in. Be aware that bad actors hunt for vulnerabilities on websites, exposed servers in the cloud, and other systems and services connected directly to the Internet that may have been forgotten about or have little or no protection in place. It is important that you understand your attack surface and all of the ways that your company is exposed and vulnerable to attack.

Employees should also be considered a vulnerability. They have access and can steal sensitive data and assets. Their actions can be out of convenience, selling to a competitor, taking data when leaving your company, or accidentally disclosing sensitive data. Most of the time exploiting a weakness is focused on an application or operating system, but it may focus on exploiting the human themselves or use an operating system feature that auto-executes some code.


Careful consideration is required for the different ways used to protect companies. If patches are not available, configuration changes or defense in depth can be implemented. There are also situations where a patch is available but you may not be allowed, or want, to apply it: compatibility is lacking, downtime must be limited to certain windows, or you don’t have a test environment.

Your company should have a full asset inventory to support vulnerability management. When new vulnerabilities are identified, they can be compared against the inventory to determine whether you have any of the affected systems, applications, or versions. Asset locations help you know where the data is in your company, and the owners or persons responsible for the assets are the ones who will remediate the vulnerabilities.
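The steps above (compare a new advisory against the inventory, decide whether it affects you, assign urgency with the risk formula, and route the work to the asset owner with either a patch or a mitigation) fit naturally into one small script. The following is an added example, not code from the article or from Rent-A-Center; the inventory, advisory identifiers, impact scores and threat probabilities are constructed sample data, and the rule that Internet-facing assets get double weight is an assumption made here for illustration.

```python
"""Match vulnerability advisories against an asset inventory and rank the hits
by the article's formula: Risk = Threat Probability * Vulnerability Impact.

Added example. All data below is constructed; the advisory identifiers are
placeholders, not real advisories.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    owner: str            # person or team responsible for remediation
    internet_facing: bool
    impact: int           # 1 (low) .. 5 (critical), set from data classification


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str
    fixed_in: str              # first version carrying the fix; earlier versions affected
    threat_probability: float  # 0.0 .. 1.0, e.g. from exploit availability
    patch_available: bool


def parse_version(version):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(asset, advisory):
    """An asset is affected if it runs the product at a version below the fix."""
    if asset.product != advisory.product:
        return False
    return parse_version(asset.version) < parse_version(advisory.fixed_in)


def risk_score(asset, advisory):
    """Risk = threat probability * impact; Internet exposure doubles it (assumption)."""
    score = advisory.threat_probability * asset.impact
    if asset.internet_facing:
        score *= 2
    return round(score, 2)


def prioritize(inventory, advisories):
    """Return findings sorted highest risk first, each with owner and action."""
    findings = []
    for adv in advisories:
        for asset in inventory:
            if not is_affected(asset, adv):
                continue
            # Patching is not the only answer: with no patch, mitigate instead.
            action = "patch" if adv.patch_available else "mitigate (config change / defense in depth)"
            findings.append({
                "advisory": adv.ident,
                "asset": asset.name,
                "owner": asset.owner,
                "risk": risk_score(asset, adv),
                "action": action,
            })
    findings.sort(key=lambda f: f["risk"], reverse=True)
    return findings


# Constructed sample inventory and advisories.
INVENTORY = [
    Asset("shop-web-01", "webshop", "2.3.1", "ecommerce-team", True, 5),
    Asset("shop-web-02", "webshop", "2.4.0", "ecommerce-team", True, 5),
    Asset("hr-app-01", "hr-portal", "1.9.5", "hr-it", False, 4),
    Asset("vpn-gw-01", "vpn-gateway", "7.0.2", "network-ops", True, 3),
]

ADVISORIES = [
    Advisory("ADV-0001", "webshop", "2.4.0", 0.8, True),
    Advisory("ADV-0002", "hr-portal", "2.0.0", 0.5, False),
    Advisory("ADV-0003", "vpn-gateway", "7.1.0", 0.9, True),
]

if __name__ == "__main__":
    for finding in prioritize(INVENTORY, ADVISORIES):
        print(f"{finding['risk']:>5}  {finding['advisory']}  {finding['asset']:<12} "
              f"owner={finding['owner']:<15} action={finding['action']}")
```

Note that shop-web-02 is already at the fixed version and drops out, so no ticket is raised for it, while the hr-portal finding is still listed even though no patch exists, with the mitigation route spelled out for its owner.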

Keep in mind you are not doing this for yourself. Your auditors and assessors are looking to see how you are remediating your vulnerabilities. Several compliance and regulatory obligations require companies to have very good documentation of their vulnerability management process.

To wrap this up, it is recommended that both vulnerability scanning and penetration testing be used. They will improve your company’s security posture through regular risk reduction and improve your security program through testing of prevention, detection, and response. Use regular vulnerability scanning, both unauthenticated and authenticated, to identify gaps to fix, and use penetration testing for a more thorough and validated assessment.

Your company’s cloud environment is just an extension of your own environment, and it needs to have penetration testing conducted against it as well. The patch for human vulnerabilities is education. Not all vulnerabilities are technical.
