Critical vulnerabilities (i.e., those that must be addressed by installing specific software updates) are the bane of existence for most IT and security shops. In an ideal world, major vulnerabilities — such as those that have plagued Microsoft’s Server Message Block (SMB) over the years — could be fixed more quickly and effectively.
Unfortunately, that’s not how things typically play out. When hundreds, if not thousands, of computer systems, operating systems and third-party applications blanket the average enterprise, it’s a daunting task — and it’s certainly not going to get any easier.
How to Shut Down Critical Vulnerabilities
In the spirit of prioritizing prevention over response, there are some things you can do to minimize your window of exploitation. Now is the time to address this issue and make some headway. Here are four steps to close the window on critical vulnerabilities.
1. Take Command of Patching
Regardless of your level of network complexity and resources available to address software exploits, you can’t just bury your head in the sand and ignore the problem. Leaving enterprise vulnerabilities untreated has gotten many of the largest and best-known brands into a pickle. To shorten the timeframe between vulnerability discovery and remediation, you will want to make software patches more routine.
Many servers are critical, and software patches certainly need to be tested. However, there is no reason workstations can’t be updated immediately. After all, that’s where the real risk lies.
Why not push out patches as soon as they’re available or shortly after that? Sure, some won’t stick, and not all will receive necessary reboots right away. But don’t rely on users to update their systems. That’s a common practice, and there’s no reason for it.
2. Maintain Good Intel
Actionable insight requires good information. Many larger enterprises have internal teams exclusively committed to gathering vulnerability intelligence and still get hit.
Small and midsized businesses tend to struggle in this area because they’re only doing vulnerability scanning once or twice a year (if that). These scans aren’t done in real time (and this is an area where there’s a massive opportunity for improvement). This is especially important for critical endpoints or certain click-happy users who tend to get themselves into trouble. Commercial vulnerability scanners can significantly expand risk awareness.
Some people aren’t willing to run the necessary vulnerability scans — and argue that the budget is not available. A few thousand dollars for a network vulnerability scanner may be tight, but it’s still a fraction of the cost of the consequences of insecurity.
You don’t have to have an expensive product to get the information you need. For example, for Windows systems before Windows 10 and Server 2016, you can use Microsoft Baseline Security Analyzer (MBSA). MBSA is a free scanner that can show you practically everything that you need to know to discover and respond to major vulnerabilities that are causing a lot of the Windows-related security problems. You can scan local systems and others on the network. It doesn’t have the features of the paid commercial scanners, but it gets the job done (and there’s no reason not to run it if that’s your only option).
3. Know Your Network
Vulnerability awareness also requires good network visibility and information on what network hosts are doing. Organizations with insight at this level are rare, but it can be very beneficial to see who your top talkers are, know what they’re doing and understand whether or not you’re seeing normal behavior.
Most organizations would benefit from outsourcing this function. Leverage a vendor who has the tools and, more importantly, the expertise to know what to look for and how to respond to network events.
4. Be Prepared
Most widespread vulnerabilities and subsequent exploits boil down to a lack of preparation in terms of getting proper security alerts from vendors; ongoing vulnerability testing; technical controls, such as compensation controls, that can minimize the impact of exploits that do occur; measured response efforts, such as a formal incident response plan; and putting the right people in IT and security. Most, if not all, organizations are deficient in at least one of these areas.
Think about it: If you had one computer system, one piece of software to manage — and no barriers to make sure that it stayed 100 percent secure all the time — you could do it. Anyone could do it. It’s your job to determine the factors that are blocking this exact same thing from happening at scale across your network.
There will always be people and business processes that you cannot change or overcome. But there are steps that can be taken — regardless of your situation. There are things that should be done, and they really won’t cost that much to address. If you don’t end up doing the right things yourself — starting today — then someone else is going to come along and do them for you or compel you legally to figure it out.
With vulnerability management, you don’t have to aim for perfection. That’s how people get sidetracked. Instead, follow the Pareto principle and aim for the 20 percent of the security flaws that are creating 80 percent of your problems.
Focus your efforts on improving processes and systems, and there’s no doubt that you’ll improve your security posture and not become a statistic like so many others.
Listen to the podcast series: Take Back Control of Your Cybersecurity now
Independent Information Security Consultant
Kevin Beaver is an information security consultant, writer, and professional speaker with Atlanta-based Principle Logic, LLC. With over 29 years of experienc...