
Jim Souders

The Hunt for Vulnerabilities

A road map for improving the update process will help reduce the risks from vulnerabilities.

In 2018, 16,515 new common vulnerabilities and exposures (CVEs) were published. By November of last year, more than 300 vulnerabilities per week were being reported, and we're on pace for an even bigger 2019. That means updates and patching must be seen as security imperatives.

But keeping every OS, application, and browser version across every machine and device configured exactly right all of the time is a huge, seemingly impossible job. To even get close, enterprises need strategies that make it easier to find, prioritize, fix, and report on vulnerabilities in ways that make sense for their business and existing resources.

To help, let's lay out a road map for improving the update process required to reduce the security risks posed by vulnerabilities.

Change the Culture
Instead of viewing updates and patching as something tedious that should be done but perhaps not urgently, it's important that employees understand the role vulnerabilities play in company security and how their management is part of the larger security strategy. This mindset should extend beyond just the IT department to every employee.

The Center for Internet Security (CIS) recommends gap or risk-based training, in which IT staff try to identify where the bulk of security issues are — whether it is with people sharing passwords, updating their own machines, or putting sensitive data on a USB drive that could get easily lost or mishandled — and provide training against the biggest challenges. This helps employees understand important practices, why they should be implemented, and provides them with relevant, real-world situational guidance. It should be a partnership where all employees feel supported so that cooperation happens when it is vital, even if this means rebooting an employee's machine right in the middle of a project in order to patch a critical issue.

Security awareness training also should be more than one-and-done during onboarding to be effective. Employees are so bombarded with new information related to their specific job functions that security is likely not top-of-mind. For culture to shift, training needs to be ongoing. It doesn't have to be overwhelming or threatening but rather as simple as spending a few minutes in an all-hands, a quarterly email of best practices, or a biannual seminar.

Utilize Standards
In addition to getting employees on board with basic practices, teams have to actually find existing vulnerabilities. There are a number of open standards to help identify the ever-expanding list of vulnerabilities as well as proper configurations to guard against them. Security Content Automation Protocol (SCAP) is one of the most common and provides a framework of specifications that support automated configuration, vulnerability and patch checking, compliance, and measurement. It is highly useful for definitions of common exposures and in determining what situations are applicable to your environment. There are a number of other standards that are useful in establishing a baseline for configuration as well: CIS (mentioned earlier) provides guidance, and the technical information guides released by the Defense Information Systems Agency are also quite useful.

Once you establish a baseline, the CVE database and the National Vulnerability Database, which pull from a wide range of sources, can assist in identifying vulnerabilities. Microsoft also posts its own authoritative security updates. But a quick look at these databases will spark fear in the heart of anyone charged with vulnerability management based on the complexity and sheer volume of vulnerabilities involved.

Seek Automated Solutions
Automated vulnerability management solutions have emerged to help. These solutions pull from the respective databases to identify and analyze the vulnerabilities affecting your endpoints. Automated products on the market can be slow and interfere with network performance, which has not won them a legion of fans, but with advances in technology, a new generation of vulnerability management solutions is poised to rapidly accelerate the speed of detection and increase the number of vulnerabilities they can search — and they do it without negative impacts on performance. As a result, scans don't need to wait until the end of the day or the weekend, and remediation can occur much, much faster than the industry average of 38 days.
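The matching step these solutions perform, reduced to its core as an added example (not the article's or any vendor's code): an endpoint inventory is checked against records shaped like the NVD feed's versionStartIncluding / versionEndExcluding fields, and the hits are ordered by CVSS so the remediation order falls out directly. The CVE ids, products and hosts are constructed sample data.

```python
# Added example (not from the article): match an endpoint inventory against
# vulnerability records shaped like the NVD feed's versionStartIncluding /
# versionEndExcluding fields, then order hits by CVSS for remediation.
# CVE ids, products and hosts below are constructed sample data.
from dataclasses import dataclass

def parse_version(v: str) -> tuple:
    # Numeric tuples: "1.2.9" must sort before "1.2.10" (string compare would not).
    return tuple(int(p) for p in v.split("."))

@dataclass(frozen=True)
class VulnRecord:
    cve: str         # constructed id, not a real CVE
    product: str
    start_incl: str  # first affected version (inclusive)
    end_excl: str    # first fixed version (exclusive)
    cvss: float      # CVSS base score used only for ranking

def is_affected(rec: VulnRecord, product: str, version: str) -> bool:
    """True when the installed version lies inside the affected range."""
    if rec.product != product:
        return False
    v = parse_version(version)
    return parse_version(rec.start_incl) <= v < parse_version(rec.end_excl)

def find_vulns(inventory: dict, records: list) -> list:
    """inventory maps host -> {product: version}; returns (host, cve, cvss)
    sorted highest severity first, i.e. the order to remediate in."""
    hits = []
    for host, installed in inventory.items():
        for product, version in installed.items():
            for rec in records:
                if is_affected(rec, product, version):
                    hits.append((host, rec.cve, rec.cvss))
    return sorted(hits, key=lambda h: -h[2])

SAMPLE_RECORDS = [  # constructed feed
    VulnRecord("CVE-0000-0001", "browser", "70.0.0", "72.0.1", 9.8),
    VulnRecord("CVE-0000-0002", "pdfreader", "1.0.0", "1.2.10", 7.5),
    VulnRecord("CVE-0000-0003", "browser", "72.0.1", "73.0.0", 5.3),
]
SAMPLE_INVENTORY = {  # constructed endpoint inventory
    "laptop-01": {"browser": "72.0.0", "pdfreader": "1.2.9"},
    "desktop-07": {"browser": "72.0.1", "pdfreader": "1.3.0"},
}

if __name__ == "__main__":
    for host, cve, cvss in find_vulns(SAMPLE_INVENTORY, SAMPLE_RECORDS):
        print(f"{host}: {cve} (CVSS {cvss})")
```

The numeric version comparison is the detail that separates a reliable matcher from one that misses "1.2.9" because it sorts after "1.2.10" as a string.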

If you have the option of adding an automated vulnerability management solution to your arsenal, be sure to do your research to find a product that fits your needs. No automated solution will get you to 100% detection, but the prospect of reaching 80% to 90% detection in a fraction of the time should have team members rejoicing.

The Process Is Just Beginning …
Now that you've found vulnerabilities, the job is just getting started. You still have to figure out how to assess and prioritize, remediate, and report on what you've found. As you can see, today's world of vulnerability management is anything but simple; however, there is an opportunity to turn the tide by paying attention and addressing the little things that become big problems. Doing so will help keep your company as secure as possible.


Jim Souders is CEO of Adaptiva. A global business executive with more than 20 years' experience, Jim excels at leading teams in creating differentiated software solutions, penetrating markets, achieving revenue goals, and P/L management. Prior to Adaptiva, Jim led high-growth ...

6/21/2019 | 1:51:27 PM
Seek Automated Solutions
I recently did a presentation for an Infragard Chapter that focused on Vulnerability Management. Seeking automation was a recurring theme in the presentation. Vulnerability Management and Patch Management can be automated more than people realize. This reduces a great degree of the manual strain and TCO that a security professional can endure during their tenure and drastically reduces the corporate risk.