5 Steps to Find and Eliminate Security Vulnerabilities
It’s unavoidable today. Personal computers, smart phones, tablets, and other network and Internet connected devices run software from multiple sources. That’s great and it makes us pretty happy most of the time. We get great software, communicate fluidly and quickly, and work more efficiently. The problem is that software can be terrible 5% of the time even when it’s awesome the other 95%.
Software developers have made real improvements over the years, but the sheer number of programs required to make even a smartphone useful today means they can’t be completely tested in advance. Tablets, Laptops, PCs and servers are no different. The results are exploitable flaws or misconfigurations in devices we rely on every day.
“The electronic equivalent of an unlocked door or a window left ajar, these vulnerabilities create risk at work and at home.”
If we’re lucky, the vulnerability merely interrupts our day. Unexpected reboots, slow response, and crashing applications are annoying but often only require a restart. In more serious cases, vulnerabilities provide criminals, hacktivists or disgruntled former employees the opportunity to access sensitive information about customers or our business.
“Left unchecked, our personal data can be stolen, our company trade secrets revealed. We lose business in data breaches and suffer very public consequences.”
What do companies like mine do?
Our goal is finding only the specific issues in our network environment. Unfortunately, there are tens of thousands of known vulnerabilities. Modern vulnerability scanning tools test for over 50,000 uniquely identified vulnerabilities. While we never see this many issues in a single environment, we always find a subset of Critical, High, and Medium vulnerabilities. These are the issues organizations focus on before they become security incidents.
To avoid breaches, for regulatory compliance, for peace of mind, or just to prioritize future I/T projects, most organizations actively search for vulnerabilities on their systems following a simple process:
- Scan networks and Internet facing systems (including firewalls, VPNs, web and email servers)
- Eliminate any unnecessary vulnerable software
- Replace or disconnect systems that can’t (or shouldn’t) be patched
- Using a prioritized approach, patch everything that’s left
- Repeat the process
Each step is critical, but understanding individual vulnerabilities and prioritizing the work are the keys to making progress and avoiding wasted time. While most responsible manufacturers release security patches for their products, they are often difficult to find. Keeping up with multiple products can be daunting. Even when those alerts come directly to our inbox, most of us are left asking:
- Are these vulnerabilities important? Do they apply to me?
- Do I need to patch now? Can I wait? How long?
- Will it break other things?
- What are my options?
DIY and Experts
For small environments or our homes, reviewing software patches on a few PCs can be done by anyone. Microsoft, Apple and Linux operating systems can be automatically updated and individual software programs can notify you of available updates. This step alone can close many critical vulnerabilities. In addition, anti-virus and personal firewall software can "hide" many issues on a PC.
For more complex environments, engaging an expert helps an organization quickly assess and efficiently prioritize the right vulnerabilities for remediation. Trying to fix every vulnerability without a well thought out remediation plan can result in unnecessary work, unplanned outages, and missed alternatives. Dumping the process onto an existing I/T organization with significantly competing priorities, can result in slow progress. An expert provides the insight into vulnerabilities and options that help remediation “fit” into an I/T organization's existing plans and operations. When security and I/T teams coordinate, organizations see the best progress in eliminating vulnerabilities and keeping ahead of new vulnerabilities.