Dark Reading is part of the Informa Tech Division of Informa PLC

10:00 AM
Jim Souders
The Hunt for Vulnerabilities

A road map for improving the update process will help reduce the risks from vulnerabilities.

In 2018, 16,515 new common vulnerabilities and exposures (CVEs) were published. By November of last year, more than 300 vulnerabilities per week were being reported, and we're on pace for an even bigger 2019. That means updates and patching must be seen as security imperatives.

But keeping every OS, application, and browser version across every machine and device configured exactly right all of the time is a huge, seemingly impossible job. To even get close, enterprises need strategies that make it easier to find, prioritize, fix, and report on vulnerabilities in ways that make sense for their business and existing resources.

To help, let's lay out a road map for improving the update process required to reduce the security risks posed by vulnerabilities.

Change the Culture
Instead of viewing updates and patching as something tedious that should be done but perhaps not urgently, it's important that employees understand the role vulnerabilities play in company security and how their management is part of the larger security strategy. This mindset should extend beyond just the IT department to every employee.

The Center for Internet Security (CIS) recommends gap or risk-based training, in which IT staff try to identify where the bulk of security issues are — whether it is with people sharing passwords, updating their own machines, or putting sensitive data on a USB drive that could get easily lost or mishandled — and provide training against the biggest challenges. This helps employees understand important practices, why they should be implemented, and provides them with relevant, real-world situational guidance. It should be a partnership where all employees feel supported so that cooperation happens when it is vital, even if this means rebooting an employee's machine right in the middle of a project in order to patch a critical issue.

Security awareness training also should be more than one-and-done during onboarding to be effective. Employees are so bombarded with new information related to their specific job functions that security is likely not top-of-mind. For culture to shift, training needs to be ongoing. It doesn't have to be overwhelming or threatening but rather as simple as spending a few minutes in an all-hands, a quarterly email of best practices, or a biannual seminar.

Utilize Standards
In addition to getting employees on board with basic practices, teams have to actually find existing vulnerabilities. There are a number of open standards that help identify the ever-expanding list of vulnerabilities, as well as the proper configurations to guard against them. The Security Content Automation Protocol (SCAP) is one of the most common: it provides a framework of specifications that support automated configuration, vulnerability and patch checking, compliance, and measurement, and it is highly useful for defining common exposures and determining which ones apply to your environment. A number of other standards are useful in establishing a configuration baseline as well: CIS (mentioned earlier) provides guidance, and the technical information guides released by the Defense Information Systems Agency are also quite useful.

Once you establish a baseline, the CVE database and the National Vulnerability Database, which pull from a wide range of sources, can assist in identifying vulnerabilities. Microsoft also posts its own authoritative security updates. But a quick look at these databases will spark fear in the heart of anyone charged with vulnerability management based on the complexity and sheer volume of vulnerabilities involved.

Seek Automated Solutions
Automated vulnerability management solutions have emerged to help. These solutions pull from the respective databases to identify and analyze the vulnerabilities affecting your endpoints. Automated products on the market can be slow and interfere with network performance, which has not won them a legion of fans, but with advances in technology, a new generation of vulnerability management solutions is poised to rapidly accelerate the speed of detection and increase the number of vulnerabilities they can search — and they do it without negative impacts on performance. As a result, scans don't need to wait until the end of the day or the weekend, and remediation can occur much, much faster than the industry average of 38 days.

If you have the option of adding an automated vulnerability management solution to your arsenal, be sure to do your research to find a product that fits your needs. No automated solution will get you to 100% detection, but the prospect of reaching 80% to 90% detection in a fraction of the time should have team members rejoicing.
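As an added illustration (not the article's or any vendor's code) of the "pull from the respective databases" step an automated tool performs: the block below matches a constructed endpoint inventory against NVD-style CPE match records, honouring the version bounds NVD attaches to wildcard CPEs, and ranks the hits by CVSS score so the highest-risk items surface first. Vendor, product and CVE identifiers are constructed placeholders, not real entries.

```python
"""Added example, not from the article: match a software inventory against
NVD-style CVE records by CPE version range, then rank hits by CVSS score.
All records are constructed; the CVE ids are placeholders, not real entries."""

# Constructed records in the shape NVD exposes: a CPE 2.3 string plus the
# optional version bounds NVD attaches to a wildcard-version CPE.
NVD_SAMPLE = [
    {"id": "CVE-0000-0001", "cvss": 9.8, "matches": [
        {"cpe": "cpe:2.3:a:vendor_a:app_a:*:*:*:*:*:*:*:*",
         "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.4.1"}]},
    {"id": "CVE-0000-0002", "cvss": 5.3, "matches": [
        {"cpe": "cpe:2.3:a:vendor_b:app_b:1.2.0:*:*:*:*:*:*:*"}]},
    {"id": "CVE-0000-0003", "cvss": 7.5, "matches": [
        {"cpe": "cpe:2.3:a:vendor_c:app_c:*:*:*:*:*:*:*:*",
         "versionEndExcluding": "3.0.0"}]},
]

# Constructed endpoint inventory: (vendor, product, installed version).
INVENTORY = [("vendor_a", "app_a", "2.3.7"),
             ("vendor_b", "app_b", "1.2.0"),
             ("vendor_c", "app_c", "3.1.0")]


def parse_version(v):
    """Dotted numeric version -> tuple, so 2.4 sorts before 2.4.1."""
    return tuple(int(p) for p in v.split("."))


def cpe_matches(match, vendor, product, version):
    """True if (vendor, product, version) falls inside one CPE match entry."""
    f = match["cpe"].split(":")          # cpe:2.3:part:vendor:product:version:...
    if (f[3], f[4]) != (vendor, product):
        return False
    ver = parse_version(version)
    if f[5] != "*":                      # exact-version CPE carries no range bounds
        return ver == parse_version(f[5])
    bounds = [("versionStartIncluding", lambda b: ver >= b),
              ("versionStartExcluding", lambda b: ver > b),
              ("versionEndIncluding", lambda b: ver <= b),
              ("versionEndExcluding", lambda b: ver < b)]
    return all(ok(parse_version(match[k])) for k, ok in bounds if k in match)


def find_vulns(inventory, records):
    """Return (cvss, cve_id, 'vendor:product:version') hits, highest CVSS first."""
    hits = []
    for rec in records:
        for vendor, product, version in inventory:
            if any(cpe_matches(m, vendor, product, version) for m in rec["matches"]):
                hits.append((rec["cvss"], rec["id"], f"{vendor}:{product}:{version}"))
    return sorted(hits, reverse=True)
```

Running `find_vulns(INVENTORY, NVD_SAMPLE)` flags app_a (inside the 2.0.0 to 2.4.1 range) and app_b (exact version) and correctly skips app_c, whose installed 3.1.0 is past the affected range.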

The Process Is Just Beginning …
Now that you've found vulnerabilities, the job is just getting started. You still have to figure out how to assess and prioritize, remediate, and report on what you've found. As you can see, today's world of vulnerability management is anything but simple; however, there is an opportunity to turn the tide by paying attention and addressing the little things that become big problems. Doing so will help keep your company as secure as possible.

Jim Souders is CEO of Adaptiva. A global business executive with more than 20 years' experience, Jim excels at leading teams in creating differentiated software solutions, penetrating markets, achieving revenue goals, and P/L management. Prior to Adaptiva, Jim led high-growth ...

User Rank: Ninja
6/21/2019 | 1:51:27 PM
Seek Automated Solutions
I recently did a presentation for an Infragard Chapter that focused on Vulnerability Management. Seeking automation was a recurring theme in the presentation. Vulnerability Management and Patch Management can be automated more than people realize. This reduces a great degree of the manual strain and TCO that a security professional can endure during their tenure and drastically reduces the corporate risk.