Critical vulnerabilities (i.e., those that must be addressed by installing specific software updates) are the bane of existence for most IT and security shops. In an ideal world, major vulnerabilities — such as those that have plagued Microsoft’s Server Message Block (SMB) over the years — could be fixed more quickly and effectively.

Unfortunately, that’s not how things typically play out. When hundreds, if not thousands, of computer systems, operating systems and third-party applications blanket the average enterprise, it’s a daunting task — and it’s certainly not going to get any easier.

How to Shut Down Critical Vulnerabilities

In the spirit of prioritizing prevention over response, there are some things you can do to minimize your window of exploitation. Now is the time to address this issue and make some headway. Here are four steps to close the window on critical vulnerabilities.

1. Take Command of Patching

Regardless of your level of network complexity and resources available to address software exploits, you can’t just bury your head in the sand and ignore the problem. Leaving enterprise vulnerabilities untreated has gotten many of the largest and best-known brands into a pickle. To shorten the timeframe between vulnerability discovery and remediation, you will want to make software patches more routine.

Many servers are critical, and software patches certainly need to be tested. However, there is no reason workstations can’t be updated immediately. After all, that’s where the real risk lies.

Why not push out patches as soon as they’re available or shortly after that? Sure, some won’t stick, and not all will receive necessary reboots right away. But don’t rely on users to update their systems. That’s a common practice, and there’s no reason for it.

2. Maintain Good Intel

Actionable insight requires good information. Many larger enterprises have internal teams exclusively committed to gathering vulnerability intelligence and still get hit.

Small and midsized businesses tend to struggle in this area because they’re only doing vulnerability scanning once or twice a year (if that). These scans aren’t done in real time (and this is an area where there’s a massive opportunity for improvement). This is especially important for critical endpoints or certain click-happy users who tend to get themselves into trouble. Commercial vulnerability scanners can significantly expand risk awareness.

Some people aren’t willing to run the necessary vulnerability scans — and argue that the budget is not available. A few thousand dollars for a network vulnerability scanner may be tight, but it’s still a fraction of the cost of the consequences of insecurity.

You don’t have to have an expensive product to get the information you need. For example, for Windows systems before Windows 10 and Server 2016, you can use Microsoft Baseline Security Analyzer (MBSA). MBSA is a free scanner that can show you practically everything that you need to know to discover and respond to major vulnerabilities that are causing a lot of the Windows-related security problems. You can scan local systems and others on the network. It doesn’t have the features of the paid commercial scanners, but it gets the job done (and there’s no reason not to run it if that’s your only option).

3. Know Your Network

Vulnerability awareness also requires good network visibility and information on what network hosts are doing. Organizations with insight at this level are rare, but it can be very beneficial to see who your top talkers are, know what they’re doing and understand whether or not you’re seeing normal behavior.

Most organizations would benefit from outsourcing this function. Leverage a vendor who has the tools and, more importantly, the expertise to know what to look for and how to respond to network events.

4. Be Prepared

Most widespread vulnerabilities and subsequent exploits boil down to a lack of preparation in terms of getting proper security alerts from vendors; ongoing vulnerability testing; technical controls, such as compensation controls, that can minimize the impact of exploits that do occur; measured response efforts, such as a formal incident response plan; and putting the right people in IT and security. Most, if not all, organizations are deficient in at least one of these areas.

Think about it: If you had one computer system, one piece of software to manage — and no barriers to make sure that it stayed 100 percent secure all the time — you could do it. Anyone could do it. It’s your job to determine the factors that are blocking this exact same thing from happening at scale across your network.

There will always be people and business processes that you cannot change or overcome. But there are steps that can be taken — regardless of your situation. There are things that should be done, and they really won’t cost that much to address. If you don’t end up doing the right things yourself — starting today — then someone else is going to come along and do them for you or compel you legally to figure it out.

With vulnerability management, you don’t have to aim for perfection. That’s how people get sidetracked. Instead, follow the Pareto principle and aim for the 20 percent of the security flaws that are creating 80 percent of your problems.

Focus your efforts on improving processes and systems, and there’s no doubt that you’ll improve your security posture and not become a statistic like so many others.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

More from Intelligence & Analytics

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today