By Stephen Newman, Secureauth/Core Security
The September Equifax data breach that put more than 140 million people at risk of identity theft and financial fraud could have been prevented. A patch for the vulnerability that attackers exploited was available two months prior to the attack. Security teams are up against a lot, but sadly organizations are still making it very easy for attackers. Missing a patch of this magnitude points to a weak vulnerability management program. So, how do you avoid becoming the next Equifax? Here are five steps to building out an effective vulnerability management program.
Step 1: Set SMART goals.
The most effective vulnerability management programs work toward a goal—and it’s not “to better mitigate risk.” That is not a goal. That is your program’s reason for being. (Think about it: Everyone wants to mitigate risk. That’s why you have a security team in the first place.)
A true goal is SMART. In other words, it is:
Specific – The goal takes into account the most important assets that need protection as well as the path(s) an attacker could take to access them.
Measurable – The goal includes metrics against which you can objectively gauge your efforts. For example, you might set a goal that 100% of critical patches are applied within one week of their release.
Attainable – It’s okay for your goal to be challenging, but not so much so that it’s impossible to attain. You’ll set your team up for failure if the goal is unachievable.
Realistic – The goal should be both relevant and realistic for your current environment and available resources.
Time-bound – The goal should have a deadline. When do you want to reach the objective you’ve established? This will ensure that the goal is prioritized appropriately by those whose workloads are impacted by it.
Step 2: Prioritize
No one has the time to hunt down false positives or sift through hundreds of pages of scanner data to identify high-risk vulnerabilities. You need to equip your team to make the biggest impact possible. That means prioritizing vulnerabilities based on your company’s most valuable assets and the attack paths to them. A vulnerability management solution can help.
A vulnerability management solution can prioritize vulnerabilities based on industry-wide measurements like the MITRE and CVE scores, which identify the severity of a vulnerability, as well as the unique makeup of your organization. In addition to the vulnerability itself, the solution should take into account:
- The attack path to the vulnerability
- Whether an exploit exists for the vulnerability
- The exploit’s ease or difficulty of use
- Whether the exploit requires local access
Step 3: Patching
Once you have a prioritized list of vulnerabilities, you can begin your patching efforts, focusing on the most severe vulnerabilities.
At this point, it’s worth reiterating the importance of knowing what devices are on the network. You can’t patch it if you don’t know it exists. Every hardware and software vendor should agree to provide patches for keeping the assets you purchase up to date.
In addition, someone on your team must be responsible for applying patches when they become available. If no one owns the action item, it simply won’t happen.
Sometimes you run the risk of disrupting the business by patching a vulnerability. If this is the case, then schedule a maintenance window and, in the meantime, find a workaround. Finally, if the vendor no longer supports a device and patches are no longer available, it’s time to retire the device and replace it.
Step 4: Testing
You’ve gone through the effort to apply patches for the vulnerabilities that pose the greatest risk. Now you need to make sure they actually work, otherwise this effort’s all for nothing. It’s better for your team to discover that a patch fails than for an attacker to do so.
A network penetration test will enable you to determine whether the patches you apply prevent the associated vulnerabilities from being successfully exploited. A penetration test involves ethically hacking into the network using the same paths and methods that an attacker would use. This can be achieved by your team using a penetration testing solution or by hiring an outside consultant. Regardless of the approach you take, a pen test should be performed each and every time you perform a major upgrade, implement patches, or install new software or applications.
Step 5: Monitoring
Vulnerability management is an ongoing process. No sooner will you patch the top five biggest vulnerabilities in your network when there will be five more. And then five more after that.
In addition to regularly scanning the network for vulnerabilities, you should monitor devices for threats in real time. A threat detection solution can monitor network traffic in real time and alert you when a device becomes compromised. This allows you to shut down the device before an attacker can cause damage. Ensure that your threat detection and vulnerability management solutions work together to monitor and protect your network assets.
The Equifax data breach is yet another wake-up call that should cause companies and their security teams to re-evaluate their vulnerability management programs. Two months is a long time for a critical system to go unpatched. A lot can happen in that time—like the theft of the personal data of than 140 million people. Although vulnerability management is a standard operating procedure, negligence underscores the continual importance of these efforts today.
About the Author
Stephen Newman brings over 17 years of technology innovation and leadership to Core Security. He has designed products and product strategies for leading, innovative technologies throughout his career. Prior to joining SecureAuth, Stephen developed a range of security products for companies like Damballa, EarthLink, MegaPath, Secure Computing, and McAfee. Stephen is a frequent speaker at industry conferences and unique user groups, including
the Federal Reserve Bank and the US Embassy in Canada. His passion is to jointly whiteboard with prospects and customers to attack challenges and find solutions. Stephen holds a Master’s Degree in Electrical Engineering from Georgia Tech and a Bachelor’s Degree in Electrical Engineering from Johns Hopkins University.