Dark Reading is part of the Informa Tech Division of Informa PLC


Vulnerabilities / Threats

10:00 AM
Jim Souders

The Hunt for Vulnerabilities

A road map for improving the update process will help reduce the risks from vulnerabilities.

In 2018, 16,515 new common vulnerabilities and exposures (CVEs) were published. By November of last year, more than 300 vulnerabilities per week were being reported, and we're on pace for an even bigger 2019. That means updates and patching must be seen as security imperatives.

But keeping every OS, application, and browser version across every machine and device configured exactly right all of the time is a huge, seemingly impossible job. To even get close, enterprises need strategies that make it easier to find, prioritize, fix, and report on vulnerabilities in ways that make sense for their business and existing resources.

To help, let's lay out a road map for improving the update process required to reduce the security risks posed by vulnerabilities.

Change the Culture
Instead of viewing updates and patching as something tedious that should be done but perhaps not urgently, it's important that employees understand the role vulnerabilities play in company security and how their management is part of the larger security strategy. This mindset should extend beyond just the IT department to every employee.

The Center for Internet Security (CIS) recommends gap or risk-based training, in which IT staff try to identify where the bulk of security issues are — whether it is with people sharing passwords, updating their own machines, or putting sensitive data on a USB drive that could get easily lost or mishandled — and provide training against the biggest challenges. This helps employees understand important practices, why they should be implemented, and provides them with relevant, real-world situational guidance. It should be a partnership where all employees feel supported so that cooperation happens when it is vital, even if this means rebooting an employee's machine right in the middle of a project in order to patch a critical issue.

To be effective, security awareness training also has to be more than a one-and-done exercise during onboarding. Employees are so bombarded with new information related to their specific job functions that security is unlikely to be top-of-mind. For culture to shift, training needs to be ongoing. It doesn't have to be overwhelming or threatening; it can be as simple as spending a few minutes in an all-hands, a quarterly email of best practices, or a biannual seminar.

Utilize Standards
In addition to getting employees on board with basic practices, teams have to actually find existing vulnerabilities. There are a number of open standards to help identify the ever-expanding list of vulnerabilities as well as proper configurations to guard against them. Security Content Automation Protocol (SCAP) is one of the most common and provides a framework of specifications that support automated configuration, vulnerability and patch checking, compliance, and measurement. It is highly useful for definitions of common exposures and in determining what situations are applicable to your environment. There are a number of other standards that are useful in establishing a baseline for configuration as well: CIS (mentioned earlier) provides guidance, and the technical information guides released by the Defense Information Systems Agency are also quite useful.

Once you establish a baseline, the CVE database and the National Vulnerability Database, which pull from a wide range of sources, can assist in identifying vulnerabilities. Microsoft also posts its own authoritative security updates. But a quick look at these databases will spark fear in the heart of anyone charged with vulnerability management based on the complexity and sheer volume of vulnerabilities involved.
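The step this section describes, taking the NVD's published records and working out which of them actually apply to your environment, can be reduced to a small matching job once you have an inventory. The script below is an added example and is not code from the article or from Adaptiva. It takes records in the shape of the older NVD JSON 1.1 feed items (`CVE_Items`, `configurations.nodes[].cpe_match`, `impact.baseMetricV3`), matches each record's CPE entries and version bounds against a list of installed products, and ranks the hits by CVSS base score with network-reachable issues first. The CVE IDs, vendors, products, versions and scores in `SAMPLE_FEED` and `INVENTORY` are constructed placeholders, not real advisories; nested `children` nodes, `AND` operators and escaped CPE characters are ignored for brevity.

```python
"""Match NVD-style CVE records against an asset inventory and rank by CVSS.

Added example, not from the article. All CVE IDs, products and scores below
are CONSTRUCTED sample data in the shape of NVD JSON 1.1 feed items.
"""
import json

# Constructed inventory of installed software as (vendor, product, version),
# using the same vendor/product vocabulary as CPE 2.3 names.
INVENTORY = [
    ("examplecorp", "widgetserver", "2.4.1"),
    ("examplecorp", "widgetserver", "2.5.0"),
    ("othervendor", "agent", "1.0.0"),
]

# Constructed feed; the CVE IDs are placeholders, not real vulnerabilities.
SAMPLE_FEED = json.dumps({"CVE_Items": [
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:examplecorp:widgetserver:*:*:*:*:*:*:*:*",
          "versionEndExcluding": "2.5.0"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8, "attackVector": "NETWORK"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:othervendor:agent:1.0.0:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 5.5, "attackVector": "LOCAL"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:examplecorp:widgetserver:*:*:*:*:*:*:*:*",
          "versionStartIncluding": "2.5.0", "versionEndExcluding": "2.6.0"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5, "attackVector": "NETWORK"}}}},
    {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0004"}},
     "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
         {"vulnerable": True,
          "cpe23Uri": "cpe:2.3:a:nothere:thing:*:*:*:*:*:*:*:*"}]}]},
     "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 10.0, "attackVector": "NETWORK"}}}},
]})


def parse_version(text):
    """'2.4.1' -> (2, 4, 1). Non-numeric pieces become 0 (simplification)."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def cpe_fields(cpe23uri):
    """Return (vendor, product, version) from a CPE 2.3 formatted string.
    Escaped colons inside CPE names are not handled (simplification)."""
    parts = cpe23uri.split(":")
    return parts[3], parts[4], parts[5]


def match_asset(cpe_match, asset):
    """True if one NVD cpe_match entry covers the given (vendor, product, version)."""
    vendor, product, version = asset
    m_vendor, m_product, m_version = cpe_fields(cpe_match["cpe23Uri"])
    if m_vendor != vendor or m_product != product:
        return False
    v = parse_version(version)
    if m_version != "*":
        # Explicit version in the CPE name: exact match only.
        return parse_version(m_version) == v
    # Wildcard version: apply whichever NVD range bounds are present.
    lo_inc = cpe_match.get("versionStartIncluding")
    lo_exc = cpe_match.get("versionStartExcluding")
    hi_inc = cpe_match.get("versionEndIncluding")
    hi_exc = cpe_match.get("versionEndExcluding")
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True


def triage(feed_json, inventory):
    """Return records that hit the inventory, highest CVSS first, NETWORK before LOCAL."""
    findings = []
    for item in json.loads(feed_json)["CVE_Items"]:
        cve_id = item["cve"]["CVE_data_meta"]["ID"]
        affected = set()
        for node in item.get("configurations", {}).get("nodes", []):
            for cpe_match in node.get("cpe_match", []):
                if not cpe_match.get("vulnerable", False):
                    continue  # NVD lists non-vulnerable platform constraints too
                affected.update(a for a in inventory if match_asset(cpe_match, a))
        if not affected:
            continue  # not applicable to this environment: drop it from the queue
        cvss = item.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {})
        findings.append({"cve": cve_id,
                         "score": cvss.get("baseScore", 0.0),
                         "vector": cvss.get("attackVector", "UNKNOWN"),
                         "assets": sorted(affected)})
    findings.sort(key=lambda f: (-f["score"], f["vector"] != "NETWORK", f["cve"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_FEED, INVENTORY):
        print(f"{f['cve']}  CVSS {f['score']:>4}  {f['vector']:<8} {f['assets']}")
```

Run as-is, the placeholder CVE-0000-0004 drops out because nothing in the inventory matches its product, even though it carries the highest score; that is the point of establishing a baseline before consulting the databases. The same matching routine works against a real NVD feed file once `INVENTORY` is replaced with output from your own asset discovery.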

Seek Automated Solutions
Automated vulnerability management solutions have emerged to help. These solutions pull from the respective databases to identify and analyze the vulnerabilities affecting your endpoints. Automated products on the market can be slow and interfere with network performance, which has not won them a legion of fans, but with advances in technology, a new generation of vulnerability management solutions is poised to rapidly accelerate the speed of detection and increase the number of vulnerabilities they can search — and they do it without negative impacts on performance. As a result, scans don't need to wait until the end of the day or the weekend, and remediation can occur much, much faster than the industry average of 38 days.

If you have the option of adding an automated vulnerability management solution to your arsenal, be sure to do your research to find a product that fits your needs. No automated solution will get you to 100% detection, but the prospect of reaching 80% to 90% detection in a fraction of the time should have team members rejoicing.

The Process Is Just Beginning …
Now that you've found vulnerabilities, the job is just getting started. You still have to figure out how to assess and prioritize, remediate, and report on what you've found. As you can see, today's world of vulnerability management is anything but simple; however, there is an opportunity to turn the tide by paying attention and addressing the little things that become big problems. Doing so will help keep your company as secure as possible.

Jim Souders is CEO of Adaptiva. A global business executive with more than 20 years' experience, Jim excels at leading teams in creating differentiated software solutions, penetrating markets, achieving revenue goals, and P/L management. Prior to Adaptiva, Jim led high-growth ...


Comment (6/21/2019 | 1:51:27 PM)
Seek Automated Solutions
I recently did a presentation for an Infragard Chapter that focused on Vulnerability Management. Seeking automation was a recurring theme in the presentation. Vulnerability Management and Patch Management can be automated more than people realize. This reduces a great degree of the manual strain and TCO that a security professional can endure during their tenure and drastically reduces the corporate risk.