Critical vulnerabilities (i.e., those that must be addressed by installing specific software updates) are the bane of existence for most IT and security shops. In an ideal world, major vulnerabilities — such as those that have plagued Microsoft’s Server Message Block (SMB) over the years — could be fixed more quickly and effectively.

Unfortunately, that’s not how things typically play out. When hundreds, if not thousands, of computer systems, operating systems and third-party applications blanket the average enterprise, it’s a daunting task — and it’s certainly not going to get any easier.

How to Shut Down Critical Vulnerabilities

In the spirit of prioritizing prevention over response, there are some things you can do to minimize your window of exploitation. Now is the time to address this issue and make some headway. Here are four steps to close the window on critical vulnerabilities.

1. Take Command of Patching

Regardless of your level of network complexity and resources available to address software exploits, you can’t just bury your head in the sand and ignore the problem. Leaving enterprise vulnerabilities untreated has gotten many of the largest and best-known brands into a pickle. To shorten the timeframe between vulnerability discovery and remediation, you will want to make software patches more routine.

Many servers are critical, and software patches certainly need to be tested. However, there is no reason workstations can’t be updated immediately. After all, that’s where the real risk lies.

Why not push out patches as soon as they’re available or shortly after that? Sure, some won’t stick, and not all will receive necessary reboots right away. But don’t rely on users to update their systems. Relying on users is a common practice, and there’s no reason for it.

2. Maintain Good Intel

Actionable insight requires good information. Many larger enterprises have internal teams exclusively committed to gathering vulnerability intelligence and still get hit.

Small and midsized businesses tend to struggle in this area because they’re only doing vulnerability scanning once or twice a year (if that). These scans aren’t done in real time (and this is an area where there’s a massive opportunity for improvement). This is especially important for critical endpoints or certain click-happy users who tend to get themselves into trouble. Commercial vulnerability scanners can significantly expand risk awareness.

Some people aren’t willing to run the necessary vulnerability scans — and argue that the budget is not available. A few thousand dollars for a network vulnerability scanner may be tight, but it’s still a fraction of the cost of the consequences of insecurity.

You don’t have to have an expensive product to get the information you need. For example, for Windows systems before Windows 10 and Server 2016, you can use Microsoft Baseline Security Analyzer (MBSA). MBSA is a free scanner that can show you practically everything that you need to know to discover and respond to major vulnerabilities that are causing a lot of the Windows-related security problems. You can scan local systems and others on the network. It doesn’t have the features of the paid commercial scanners, but it gets the job done (and there’s no reason not to run it if that’s your only option).

3. Know Your Network

Vulnerability awareness also requires good network visibility and information on what network hosts are doing. Organizations with insight at this level are rare, but it can be very beneficial to see who your top talkers are, know what they’re doing and understand whether or not you’re seeing normal behavior.

Most organizations would benefit from outsourcing this function. Leverage a vendor who has the tools and, more importantly, the expertise to know what to look for and how to respond to network events.
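The top-talker check described in this section, sketched as an added example (not part of the original article): it ranks hosts by bytes sent, shows where most of each host's traffic went, and flags hosts far above their usual volume. The flow records, the baseline figures and the 5x threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed flow records: (source host, destination, destination port, bytes sent)
FLOWS = [
    ("10.0.1.15", "10.0.0.5", 445, 120_000),
    ("10.0.1.15", "10.0.0.5", 445, 80_000),
    ("10.0.1.22", "10.0.0.9", 443, 300_000),
    ("10.0.1.37", "10.0.0.5", 445, 50_000),
    ("10.0.1.37", "203.0.113.40", 443, 9_500_000),
    ("10.0.1.37", "203.0.113.40", 443, 7_200_000),
    ("10.0.1.48", "10.0.0.9", 443, 40_000),
]

# Constructed baseline: bytes each known host normally sends in the same interval
BASELINE = {"10.0.1.15": 250_000, "10.0.1.22": 280_000, "10.0.1.37": 400_000}

def summarize(flows):
    """Total bytes per source host, plus bytes per (destination, port)."""
    totals = defaultdict(int)
    peers = defaultdict(lambda: defaultdict(int))
    for src, dst, port, nbytes in flows:
        totals[src] += nbytes
        peers[src][(dst, port)] += nbytes
    return totals, peers

def top_talkers(flows, n=3):
    """Top n hosts as (host, total_bytes, busiest (destination, port))."""
    totals, peers = summarize(flows)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [(h, t, max(peers[h], key=peers[h].get)) for h, t in ranked]

def review_list(flows, baseline, factor=5.0):
    """Hosts sending more than factor x their baseline, or with no baseline."""
    findings = []
    for host, total, peer in top_talkers(flows, n=len(flows)):
        usual = baseline.get(host)
        if usual is None:
            findings.append((host, "no baseline", peer))
        elif total > factor * usual:
            findings.append((host, f"{total / usual:.1f}x baseline", peer))
    return findings

if __name__ == "__main__":
    for host, total, (dst, port) in top_talkers(FLOWS):
        print(f"{host:12} {total:>12,} bytes, mostly to {dst}:{port}")
    for host, reason, (dst, port) in review_list(FLOWS, BASELINE):
        print(f"REVIEW {host}: {reason}, mostly to {dst}:{port}")
```
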

4. Be Prepared

Most widespread vulnerabilities and subsequent exploits boil down to a lack of preparation in terms of getting proper security alerts from vendors; ongoing vulnerability testing; technical controls, such as compensating controls, that can minimize the impact of exploits that do occur; measured response efforts, such as a formal incident response plan; and putting the right people in IT and security. Most, if not all, organizations are deficient in at least one of these areas.

Think about it: If you had one computer system, one piece of software to manage — and no barriers to make sure that it stayed 100 percent secure all the time — you could do it. Anyone could do it. It’s your job to determine the factors that are blocking this exact same thing from happening at scale across your network.

There will always be people and business processes that you cannot change or overcome. But there are steps that can be taken — regardless of your situation. There are things that should be done, and they really won’t cost that much to address. If you don’t end up doing the right things yourself — starting today — then someone else is going to come along and do them for you or compel you legally to figure it out.

With vulnerability management, you don’t have to aim for perfection. That’s how people get sidetracked. Instead, follow the Pareto principle and aim for the 20 percent of the security flaws that are creating 80 percent of your problems.

Focus your efforts on improving processes and systems, and there’s no doubt that you’ll improve your security posture and not become a statistic like so many others.
