Some regard vulnerability management as one of the specialized disciplines of security management. Others see it as nothing more than the routine an organization goes through to apply Microsoft's monthly updates. Many others treat it as just a "common marketing term" used by vendors and business people.
In this article we highlight common mistakes that organizations should watch for in order to do vulnerability management well, from both a technological and a procedural perspective.
1. Scanning without taking any action
The first common mistake is running scans to find vulnerabilities and then doing nothing with the results. In many organizations scanning and vulnerability detection have become a box-ticking exercise. Scanning technology has certainly advanced in recent years, in accuracy, in speed and in how safely the tools probe live systems.
However, scanners, whether commercial or open source, still suffer from a problem similar to that of Intrusion Detection Systems (IDS). They generate a large volume of findings for all sorts of reasons and are therefore noisy, and they do not tell you how to fix what they report or which findings matter most, just as an IDS does not tell you which of its alerts deserves attention first.
Vulnerability management is therefore not merely scanning and detection; what counts is what happens after the scan: maintaining an asset inventory, prioritizing the findings, researching remediation options, and then the practical work of patching, reconfiguring or otherwise hardening the affected systems, and tracking each finding until it is closed.
2. Considering patching vulnerabilities as equivalent to vulnerability management
In reality, patching is only one way of repairing a known security flaw. Some industry commentators even reduce vulnerability management to "just fix everything the scanner complains about".
Many vulnerabilities, however, cannot be removed simply by upgrading an application to the latest version; they call for changes to system configuration, disabling a feature, tightening access controls or other compensating measures. Vulnerability management therefore means prioritizing the identified vulnerabilities and remediating them intelligently, whether by patch or by other means.
So if you are busy every minute on the one day a month the vendor updates arrive but do nothing to reduce the vulnerabilities in your organization for the rest of the month, you are not genuinely doing vulnerability management.
3. Assuming that vulnerability management is solely a technical issue
If you believe vulnerability management is purely a technical problem, think again. Doing it effectively demands attention to policies and processes, and in practice working on the process and the "soft" side of vulnerability management often pays back more than a high-tech patching system. Weaknesses exist in policies as much as in the IT infrastructure, and a weakness in policy is a vulnerability in its own right. For example, if you do not enforce a minimum password length, that is a weakness in your policy that no scanner will report, so nothing in the scan results will ever prompt you to fix it.
Weak passwords, poor awareness of data security and the absence of a workstation configuration standard can therefore do more damage to your security posture, and add more to your risk, than many of the technical findings a scanner does report.
According to analysts at Gartner: “The vulnerability management process should include tasks such as defining policies, identifying environmental boundaries, prioritizing, protecting, mitigating losses, as well as monitoring and maintaining.”
On this understanding, the vulnerability management process should begin with a document that defines policy: which organizational resources (applications and systems) are in scope and what is expected of users. Together with the other security processes, this document should define the scope of vulnerability management and what an "acceptable" state of each IT resource looks like.
4. Assessing a vulnerability without considering the bigger picture
People trying to follow a sound vulnerability management process often make this mistake. Faced with the hard job of deciding which vulnerabilities to remediate first, they prioritize in a way that is itself dangerous: they rank vulnerabilities purely on the vulnerability's own characteristics, without considering the wider threat landscape or the business role of the affected systems.
The way to avoid this fourth mistake is to work from the formula Risk = Threat x Vulnerability x Value and to let the result, rather than the raw severity rating, decide which vulnerabilities are remediated first.
However, to establish a smart prioritization of vulnerability remediation, you must consider other factors in your IT environment as well as external factors. These factors include:
– The severity of vulnerabilities
– Information related to security threats
– Business value and information about targeted systems
A standard for rating vulnerability severity, the Common Vulnerability Scoring System (CVSS), was introduced to help organizations decide which vulnerabilities to fix first. Its base score is computed from characteristics of the vulnerability itself, chiefly how exploitable it is and what impact a successful exploit has. CVSS was designed to give a uniform scoring method, and advisory publishers have widely adopted it. The base score alone, however, says nothing about whether an exploit is actually circulating or what the affected system is worth to your business; that information has to come from your own threat intelligence and asset inventory (CVSS does define temporal and environmental metric groups for exactly this purpose, but the vendor-supplied base score that most feeds carry leaves them unfilled).
Business information is crucial in prioritization because it ties a technical finding to the business function it puts at risk. Organizations differ in every respect and therefore in which assets and applications are critical to them: the same attack can bankrupt one organization and cause another only a temporary disruption. Real life is not entirely straightforward, though: a low-priority vulnerability can be the stepping stone to exploiting a more critical one, so prioritization should consider the attack paths between findings and not only each finding on its own.
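The following script is an added example, not code from this article or from any scanner product. It serves both section 1 (what to do with scan results after the scan) and section 4 (prioritizing with Risk = Threat x Vulnerability x Value): it takes a handful of constructed findings, multiplies the CVSS base score by a threat multiplier from a (constructed) threat feed and by the business value of the asset from a (constructed) inventory, lets a finding inherit the risk of anything it is a stepping stone to, derives a remediation deadline from the resulting tier, and reports what is overdue on a chosen date. The asset values, threat multipliers, tier thresholds and SLA periods are illustrative assumptions, not an industry standard, and the finding IDs are made up (they are not CVEs).

```python
"""Risk-based prioritization of scanner findings: Risk = Threat x Vulnerability x Value.

Added example; all inventory, threat and finding data below is constructed, and
the multipliers, thresholds and SLA days are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# "Value" term: business value of each asset on a 1-5 scale, set by the
# business owner, not the scanner (constructed inventory).
ASSET_VALUE = {
    "pay-db-01": 5,    # payroll database
    "web-01": 4,       # customer-facing web front end
    "dev-jenkins": 2,  # build server
    "kiosk-07": 2,     # lobby kiosk
}

# "Threat" term: multiplier from threat intelligence about each finding
# (constructed; in practice this comes from exploit-availability data).
THREAT_MULTIPLIER = {"exploited_in_wild": 3.0, "public_exploit": 2.0, "none": 1.0}
THREAT_STATUS = {"F-1": "exploited_in_wild", "F-2": "none", "F-3": "public_exploit", "F-4": "none"}

# Tier thresholds and remediation SLAs (assumption). Maximum risk is 3.0 * 10 * 5 = 150.
TIERS = [(100, "critical", 7), (40, "high", 30), (15, "medium", 90), (0, "low", 180)]

# Date on which the report is produced (constructed).
REPORT_DATE = date(2024, 3, 1)


@dataclass
class Finding:
    fid: str            # scanner finding id (constructed, not a CVE)
    asset: str
    cvss: float         # CVSS base score, the "Vulnerability" term
    title: str
    first_seen: date    # first scan run that reported it
    enables: list = field(default_factory=list)  # ids of findings this one gives a foothold toward


def own_risk(f: Finding) -> float:
    """Risk of the finding taken on its own."""
    threat = THREAT_MULTIPLIER[THREAT_STATUS.get(f.fid, "none")]
    return round(threat * f.cvss * ASSET_VALUE[f.asset], 1)


def tier_for(risk: float):
    """Map a risk value to (tier name, SLA days); TIERS is ordered high to low."""
    for threshold, name, sla_days in TIERS:
        if risk >= threshold:
            return name, sla_days
    return "low", 180  # not reached: the last threshold is 0


def effective_risk(findings):
    """Own risk, raised to the risk of anything the finding is a stepping stone to."""
    risk = {f.fid: own_risk(f) for f in findings}
    changed = True
    while changed:  # iterate to a fixpoint so multi-hop chains propagate
        changed = False
        for f in findings:
            for nxt in f.enables:
                if nxt in risk and risk[nxt] > risk[f.fid]:
                    risk[f.fid] = risk[nxt]
                    changed = True
    return risk


def prioritize(findings, today: date):
    """Return findings sorted by effective risk, each with tier, due date and overdue flag."""
    risk = effective_risk(findings)
    rows = []
    for f in findings:
        tier, sla_days = tier_for(risk[f.fid])
        due = f.first_seen + timedelta(days=sla_days)
        rows.append({"fid": f.fid, "asset": f.asset, "cvss": f.cvss, "risk": risk[f.fid],
                     "tier": tier, "due": due, "overdue": today > due})
    rows.sort(key=lambda r: (-r["risk"], r["fid"]))
    return rows


# Constructed output of one scan run.
SAMPLE_FINDINGS = [
    Finding("F-1", "pay-db-01", 5.3, "information disclosure in DB admin page", date(2024, 1, 10)),
    Finding("F-2", "kiosk-07", 9.8, "remote code execution in media player", date(2024, 1, 15)),
    Finding("F-3", "web-01", 7.5, "path traversal in file download", date(2024, 2, 20)),
    Finding("F-4", "dev-jenkins", 6.5, "default credentials on build console", date(2024, 1, 5),
            enables=["F-1"]),  # build jobs hold payroll DB credentials
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_FINDINGS, today=REPORT_DATE):
        flag = "OVERDUE" if r["overdue"] else ""
        print(f'{r["fid"]:4} {r["asset"]:12} cvss={r["cvss"]:<4} risk={r["risk"]:<5} '
              f'{r["tier"]:8} due {r["due"]} {flag}')
```

Two things worth noticing in the output: the 5.3 information disclosure on the payroll database outranks the 9.8 remote code execution on the kiosk, because it is being exploited in the wild on the most valuable asset; and the default-credential finding on the build server, which on its own would sit in the lowest tier with a 180-day SLA, inherits the payroll finding's risk because it leads there, and so is already overdue on the report date.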
5. Failing to adequately prepare for the unknown – Zero-day security vulnerabilities
The fifth common mistake concerns "zero-day exploits". This kind of vulnerability worries many security managers, and there is still much confusion about what the term means. Simply put, a zero-day exploit attacks a vulnerability for which no fix exists yet, because the vendor has not patched it and it usually has not been publicly disclosed. Consequently, even if you have patched every known vulnerability, you still have to prepare for adversaries using vulnerabilities that nobody knows about yet.
What should you do? Beyond a responsive vulnerability management program, you need a set of controls that protect you when no patch exists, close monitoring of servers for signs of compromise, and incident response plans that are ready and rehearsed before an attack occurs. The infrastructure itself should be designed on the principle of "defense in depth", so that a single unknown flaw in one component does not hand an attacker the whole environment.