Developing an Effective Vulnerability Management Program

No piece of software is perfect. No coder writes software that is 100 percent free from errors. Time and budget constraints exacerbate the problem, with developers often racing against the clock to get software finished to an anticipated release date that would be too costly to change. Particularly in an age of over-the-air updates, oftentimes companies will elect to release an initial version of a piece of software and then release security updates or “patches” to plug the gaps at a later date. At a certain point, when software has outlived its financial or other usefulness, developers will stop supporting it altogether — meaning that patches will no longer be released.

The fact that there are bugs in every piece of software (the bigger and more complex the software, the more bugs will typically exist) opens the door for vulnerabilities — and emphasizes the need for organizations to practice proper information security.

The risk of vulnerabilities

Vulnerabilities in software are weaknesses that can be exploited and leveraged by bad actors with malicious intent. Vulnerabilities almost always involve crossing the expected privilege boundaries in a piece of software, allowing a potential attacker to do more than they should ordinarily be able to. A software exploit is a bit like the crowbar or other tools a burglar might use to force open an improperly secured window or door in order to gain access to a house they plan to burglarize.

Many new software vulnerabilities are discovered each year. Much of the time, the affected software is developed by a reputable developer and is being actively supported. When vulnerabilities are discovered or disclosed by security researchers, developers will quickly spring into action and fix the problem with a patch that they can then make available immediately to users of their software. In a growing number of cases, companies will financially reward security researchers who disclose potential vulnerabilities so that they can be patched. By acting quickly, developers try to correct these flaws before anyone has a chance to exploit them.

But patches aren’t a perfect solution. A patch isn’t automatically installed in most cases. It requires that users elect to apply it. Patches may be complex or time-consuming to apply. They can cause downtime for certain systems. With so many vulnerabilities found on a constant basis, certain problems may not be patched by some customers — even when the developer responsible for the software has identified a problem, fixed it, and made the patch available to customers.

Returning to the analogy of a house, it’s a bit like the difference between you knowing all the things you’ve got to fix around the house and actually getting around to doing it. Even if you know a certain window could do with being replaced, there’s no guarantee that you’ll fix it right away.

Prioritizing patches

When it comes to patches, organizations need to carry out intelligent patch prioritization: choosing which patches to apply first, based upon potential risk. One way to do this is to use lists of vulnerabilities such as the recently published US National Security Agency (NSA) list showing the 25 publicly known vulnerabilities that are most commonly targeted by attackers funded by China. This list of flaws includes (but isn’t limited to) well-known systems and software like Windows, Windows Server, Pulse Connect Secure, Citrix Gateway, Oracle WebLogic Server, and Adobe ColdFusion.

The NSA says that these are the products that users should prioritize for urgent patching. The vulnerabilities mentioned can be used by attackers to gain access to target networks over the internet, and from there to delve deeper into internal networks. This means that they represent a major risk to users if not properly secured.

Lists such as this are a helpful starting point when it comes to patching vulnerabilities. However, they are far from a comprehensive solution. The threat landscape is changing all the time as new vulnerabilities are discovered and targeted by attackers.
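The prioritization described above, as an added example that is not part of the original post: each finding starts from its CVSS base score and gets a bonus for appearing on a known-exploited list (such as the NSA list) and for being reachable from the internet; findings on software with no patch available go to a separate list for isolation or decommissioning. The weights, the vulnerability identifiers and the inventory are constructed placeholders, not real CVE numbers or a standard.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

@dataclass(frozen=True)
class Finding:
    vuln_id: str           # placeholder id, not a real CVE number
    asset: str
    cvss: float            # CVSS base score, 0.0 to 10.0
    internet_facing: bool  # reachable from the internet (the NSA list's concern)
    patch_available: bool  # False for end-of-life software nobody patches any more

# Illustrative weights (assumption): being actively exploited and being
# exposed to the internet both outweigh a few points of CVSS.
KNOWN_EXPLOITED_BONUS = 5.0
INTERNET_FACING_BONUS = 3.0

def priority_score(f: Finding, known_exploited: Set[str]) -> float:
    """Higher means patch sooner."""
    score = f.cvss
    if f.vuln_id in known_exploited:
        score += KNOWN_EXPLOITED_BONUS
    if f.internet_facing:
        score += INTERNET_FACING_BONUS
    return score

def prioritize(findings: Iterable[Finding],
               known_exploited: Set[str]) -> Tuple[List[Finding], List[Finding]]:
    """Split findings into a patch queue (most urgent first) and a mitigation
    list for systems with no patch, which must be secured, isolated or
    decommissioned instead of waiting for a fix that will never come."""
    patch_queue, mitigate = [], []
    for f in findings:
        (patch_queue if f.patch_available else mitigate).append(f)
    rank = lambda f: (-priority_score(f, known_exploited), f.vuln_id)
    return sorted(patch_queue, key=rank), sorted(mitigate, key=rank)

# Constructed sample inventory.
SAMPLE_FINDINGS = [
    Finding("VULN-0001", "vpn-gw-01", 7.5, True, True),
    Finding("VULN-0002", "hr-db-01", 9.8, False, True),
    Finding("VULN-0003", "legacy-app-07", 6.5, True, False),
    Finding("VULN-0004", "file-srv-02", 5.3, False, True),
]
SAMPLE_KNOWN_EXPLOITED = {"VULN-0001", "VULN-0003"}

def sample_patch_order() -> List[str]:
    """Patch queue for the sample inventory; VULN-0001 outranks the 9.8-rated
    VULN-0002 because it is exploited in the wild and internet-facing."""
    patch_queue, _ = prioritize(SAMPLE_FINDINGS, SAMPLE_KNOWN_EXPLOITED)
    return [f.vuln_id for f in patch_queue]
```

Running `prioritize(SAMPLE_FINDINGS, SAMPLE_KNOWN_EXPLOITED)` puts VULN-0001, VULN-0002 and VULN-0004 in the patch queue in that order and VULN-0003 on the mitigation list, since its software has no patch.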

Help is at hand

Fortunately, there is an answer available. Calling in the cybersecurity experts can give you access to threat intelligence technology for patch management. These threat intelligence tools identify high-impact patches so that you always know exactly which patches you should prioritize for the wellbeing of your business or organization.

This is just one of the threat intelligence systems that can play a key role in protecting your systems. Good information security practices will protect you not only against software vulnerabilities, but against the attacks that can result from them — whether it’s viruses, ransomware, or any other damaging form of cyber attack. Ensuring that you can proactively prevent these attacks, detect them, and respond to them quickly is crucial. Organizations must endeavour to identify poorly secured systems, then take the necessary steps to either secure them, decommission them, or isolate them.

It’s a tough job — but ensuring that you are making use of the latest threat intelligence tools will give you a valuable weapon on your side in the battle against bad actors looking to exploit vulnerabilities.
