Vulnerabilities in technology environments have become increasingly prevalent, with the number of identified flaws growing exponentially in the past two decades.
The first vulnerability scanning software was created in the late 1990s. This automated process enabled companies to locate and address flaws in their systems before they could be exploited. By 1999, 991 vulnerability records had already been registered.
However, despite the efforts to secure technology environments, the number of vulnerabilities discovered has increased 30-fold in the last 20 years. In 2021 alone, 28,506 unique vulnerability identifiers were registered, with even higher numbers recorded the previous year (34,553), as reported by CVE.
Despite the rise in vulnerability detections, budgets for cybersecurity have not kept pace, making it challenging for organizations to keep up with the latest threats.
When asked, most CISOs would admit that they face a significant challenge. They are forced to contend with an ever-growing list of vulnerabilities while trying to ensure that they can safeguard their organizations against sophisticated attacks. It is a situation that often seems untenable, and many security professionals feel that they are at a dead end.
Perhaps the most worrying concern is that outdated software is one of the leading causes of these vulnerabilities [a staggering 60% of data breaches are caused by unpatched vulnerabilities]. This is because approximately one in every five security incidents can be attributed to unpatched software. This issue only adds to the already complex task of safeguarding a company’s digital infrastructure.
It is evident that vulnerabilities are increasing, and it is vital for organizations to address them to ensure their continued success.
In an effort to assist in the reconsideration of vulnerability management strategies and to overcome associated challenges, we have curated a comprehensive guide. This guide outlines six practices that should be ditched to improve the effectiveness of vulnerability management within organizational contexts. These practices can hinder the effective management of vulnerabilities and compromise the security and integrity of organizational systems.
Calculating risk based on CVSS only
The Common Vulnerability Scoring System (CVSS) has become the standard framework used globally to classify the level of severity of discovered vulnerabilities. It is used not only by companies that adopt vulnerability management processes but also by providers of such services and scanner manufacturers.
They use CVSS with the standard framework to classify how serious a security breach is and, from there, prioritize its correction. The severity, in this system, can range from none (score 0, in CVSS), to critical when the fault is classified with a score between 9 and 10.
However, relying solely on CVSS to calculate risk can be a mistake.
The number of vulnerabilities found has grown 30 times in 20 years, and new vulnerabilities appear every day. The standard classification system is almost impractical to use due to the sheer number of vulnerabilities.
Organizations need to adopt a risk-based approach to vulnerability management. This approach involves understanding the context and impact of vulnerabilities, including how they may be exploited and by whom.
Organizations should consider the real risks and consequences of a security breach, including the potential impact on their operations, sensitive data, customers, and reputation, as well as the risk of regulatory non-compliance. They should also consider the threat actors targeting their specific industries or sector.
To do this, organizations can adopt a risk-based approach to vulnerability management. This approach involves understanding the context and impact of vulnerabilities, including how they may be exploited and by whom. By focusing on the real impact of vulnerabilities, organizations can prioritize their remediation efforts, reducing the risk of a security breach.
To assess the likelihood of an attack, organizations can use threat intelligence to gather information about the current threat landscape. This information can help them identify which vulnerabilities are most likely to be exploited and which attackers are most likely to target their organization. They can also use penetration testing to simulate an attack and test the effectiveness of their security controls.
Once the likelihood of an attack has been assessed, organizations can calculate the potential impact of a successful attack. This involves considering the value of the assets that could be impacted, the level of criticality, and the potential impact on the organization’s sensitive data, customers, reputation, and compliance requirements.
After assessing the likelihood and impact of a security incident, organizations can use this information to calculate the overall risk of the vulnerability. This can help them prioritize the vulnerabilities that pose the greatest risk to the organization and allocate resources to address them.
Adopting the wrong frequency of scans for your company
Regular security scanning is crucial for protecting your company’s digital assets from cyber-attacks. However, it is equally important to determine the right frequency of scans for your organization. Too frequent scanning can cause system overload, while infrequent scanning can leave vulnerabilities undetected for extended periods. Finding the optimal frequency of scans can be a challenging task, but it is essential to ensure that your systems are adequately protected.
Evaluating the optimal frequency of scans for your company is essential because it varies depending on the organization’s size, industry, and risk tolerance. Here are three strategies to consider when determining how often to scan your company’s systems:
- Industry Standards and Regulations
Industry-specific standards and regulations, such as HIPAA, PCI DSS, and ISO 27001, outline the minimum requirements for protecting sensitive data. These guidelines typically recommend or require regular security assessments and vulnerability scans. Therefore, organizations in regulated industries may need to perform scans more frequently than those in less-regulated industries.
- Risk Assessment
A risk assessment is an essential process that involves identifying, analyzing, and evaluating the risks associated with your organization’s assets and operations. Once the risks are identified, you can develop strategies to mitigate or eliminate them. Regular security scans can be a crucial component of risk management, but the frequency of scans should be based on the risk level of your organization. The higher the risk level, the more frequent the scans should be.
- System Changes
The frequency of scans should also consider any changes made to the system. For example, if there are significant changes to your organization’s network infrastructure or application architecture, it may be necessary to increase the frequency of scans. This can help identify any vulnerabilities that may have been introduced during the change.
Failing to rate assets
Effective vulnerability management requires a comprehensive understanding of an organization’s IT inventory. It is essential to know the software and hardware assets present in your company’s environments and assign a criticality score to them. By assigning vulnerabilities found to assets in each environment, you can adopt an additional layer of risk-based vulnerability management, which can exponentially increase the efficiency of digital risk mitigation across the enterprise.
CIS Controls, a set of guidelines for implementing and maintaining an effective cybersecurity program, dedicates its first and second control entirely to the identification and efficient management of software and hardware assets. This underscores the importance of this action in ensuring effective vulnerability management.
Despite this, the view of the IT environment is often superficial, and applications and assets remain in the shadows. This lack of visibility can lead to a failure to identify critical vulnerabilities, resulting in severe consequences for the organization.
Assigning a criticality score to each asset can help organizations prioritize the remediation of vulnerabilities based on their impact on the organization. For example, a critical vulnerability found in a production server that supports a critical application must be corrected before a critical vulnerability is found in software used by the company’s Marketing department.
Having a comprehensive understanding of the organization’s IT inventory and assigning a criticality score to each asset is essential in carrying out effective vulnerability management. It allows organizations to prioritize the remediation of vulnerabilities based on their impact on the organization, significantly reducing the risk of a security incident.
Overreliance on automation
Automated tools rely on databases of known vulnerabilities, and they can only identify the vulnerabilities for which they have a signature. Attackers can exploit zero-day vulnerabilities, which are vulnerabilities that are unknown to the vendor or security community, making them invisible to automated tools. Additionally, automated tools can produce false positives or false negatives, and it’s up to the security team to manually validate the results.
False positives occur when automated tools report a vulnerability that doesn’t exist or overestimate the severity of a vulnerability. These false positives can lead to wasted time and resources, as security teams focus on vulnerabilities that aren’t actually a threat.
Manual validation is essential to reduce the number of false positives, human security specialists can use their expertise and experience to identify vulnerabilities that automated tools may miss. This is especially true for complex systems or custom applications that automated tools may not fully understand.
Moreover, manual validation can help identify vulnerabilities that may have a lower CVSS score but still pose a significant risk to the organization. For example, a vulnerability that allows an attacker to bypass authentication may have a low CVSS score, but the potential impact on the organization’s data and systems could be severe.
Using Spreadsheets
While spreadsheets can be useful for organizing and analyzing data, they have significant limitations in vulnerability management. With the vast amount of vulnerability data generated daily, spreadsheets become a precarious system for prioritizing the flaws identified in the environment.
Using spreadsheets can have a high risk of human error, version control issues, and large file sizes that can require a supercomputer to process them. Additionally, standard scanning tools’ features do not typically offer reporting functionality, making it challenging to extract relevant information from the data set produced by them.
Another issue with using spreadsheets for vulnerability management is their lack of data visualization and analysis features. This lack of functionality can make it difficult to extract insights from the data and prioritize actions effectively. It also makes it harder to focus on what matters for effective management, such as identifying occurrences by type or category, failures never identified, and severity by a group of assets or environments.
The limitations of spreadsheets mean that organizations must seek alternative solutions to manage their vulnerability data effectively. Rather than relying on spreadsheets, organizations should consider using vulnerability management tools that offer data visualization and analysis features. These tools can help prioritize actions based on the severity of vulnerabilities, track the status of remediation efforts, and generate reports for stakeholders.
Not having historical follow-up
Effective vulnerability management requires more than just identifying and prioritizing vulnerabilities in your environment. It’s essential to maintain a historical record of vulnerabilities to help identify trends and patterns and enable root cause analysis.
Not having consolidated monitoring of the history of vulnerabilities in your environment prevents the determination of standards, making it challenging to understand whether vulnerability management efforts are effective. By analyzing the historical behavior, you can identify business processes that cause failure peaks, enabling the correction of their root cause.
Timeline monitoring also allows you to define and monitor performance indicators by teams and individuals, leading to more effective management of human resources and investments. This tracking ensures that the most critical vulnerabilities receive attention and that remediation efforts are prioritized based on their potential impact.
Having a historical follow-up enables you to learn from past experiences, allowing you to refine your vulnerability management processes continually. It also ensures that your organization’s risk posture is continuously improving, reducing the likelihood of a successful cyber attack.
It’s essential to recognize that managing vulnerabilities is a complex and ongoing process. Without consolidated monitoring of the history of vulnerabilities, it’s impossible to expect different results by doing the same thing over and over again. Organizations must embrace a proactive approach to vulnerability management and prioritize the maintenance of a historical record of vulnerabilities.
Final thoughts
Besides all the above things, effective vulnerability management requires strong communication and collaboration between different departments within an organization. For example, the security team may identify a vulnerability that needs to be fixed, but the IT team may be responsible for implementing the fix.
Therefore, it’s important to establish clear channels of communication and collaboration between different departments to ensure that vulnerabilities are addressed quickly and efficiently. This may involve regular meetings or status updates, as well as clear processes for escalating issues when necessary.
Finally, it’s important to track the progress of vulnerability management efforts over time. This allows organizations to identify areas of improvement and measure the effectiveness of different strategies and tactics.
Tracking progress may involve regular reporting and analysis of vulnerability scan results, as well as tracking the implementation of patches and other security fixes. By regularly reviewing and analyzing this data, organizations can identify trends and patterns, and adjust their vulnerability management strategy accordingly.