What is vulnerability management and how do you enforce it in your organization? If you ask a security expert, most would respond the following way: it is a list of vulnerabilities on an operating system or application that need to be patched with the latest security updates. And, for the most part, they would be correct, but true vulnerability management (VM) is significantly more.
Wikipedia defines vulnerability management as “the cyclical practice of identifying, classifying, prioritizing, remediating and mitigating software vulnerabilities.” It goes on, stating, “it is integral to computer security and network security, and must not be confused with vulnerability assessment.” Although true, I argue that the scope should be larger and that true VM also requires a focus on the weaknesses that involve people, processes and business relationships, as well as technology.
People - your first and last line of defense
At the end of the day, your people are your strongest and weakest link. Computers are only as smart as they have been configured to be, and networks are as protected as they have been set up to be. So, it’s important to invest in the subject matter experts (or SMEs) configuring the computers and networks, as well as the people using them.
The security analysts within your organization should go to regular training sessions and invest time into assessing new approaches. They should also be encouraged and required to identify and document good processes. Helping others understand the protocols discovered and defined helps keep the environment safe.
However, no matter how expert the analyst and how well they have configured the network to avoid or reduce vulnerabilities, if the average user isn’t part of the equation and doesn’t understand how their interaction is impacting or protecting the network, they will inadvertently open a door for a malicious attacker and potentially bring down an otherwise “secure” environment. Hence, security leaders must be willing to make a considerable investment in helping the average user understand their role in security and vulnerability management.
Investing in technologies that train users to protect themselves, their homes and their families will ultimately build habits that carry over into the workplace. Simply telling a user to create a long password or avoid email will not encourage consistent behavior. But investing in training solutions that allow your employees to practice, while educating them on the effects of what not to do, may help encourage good habits, ultimately protecting the workplace. More importantly, security leaders should ensure that all employees know who to contact and how to explain the circumstances when something has gone wrong.
Additionally, organizations should identify Security Ambassadors outside of their security teams, people who can speak in layman's terms and avoid technical jargon, to help identify everyday risks and teach best practices.
The ever-changing world of technology is only as good as the configuration
Once employees across the enterprise are made to play a role in security, enterprise leaders should focus on their technology.
Assessing the baseline configuration of the technology or application of interest is not enough. One must understand why and for what use it was acquired, the data (if any) that will be retained or transmitted, user access requirements, default settings and advanced capabilities, and ultimately how it will impact the environment once placed into daily processes.
In addition, security leaders must keep in mind how any change on the network will ultimately change the scope of the vulnerability and the need for a patch or mitigating control. This will be different depending on whether a new technology will be installed on your organization’s internal network or in the cloud.
Some questions security leaders should ask themselves include:
- Does a refrigerator system or IV pump really need to be internet-access enabled?
- If you install a video camera in an office or lab, who will have access?
- Will voice recognition devices encrypt the data while not in use and prevent others from hearing day-to-day noise?
- Do all of these devices require or have two-factor authentication capabilities? What about your cloud service provider?
Growing world – you are as safe as your weakest link or connection
A truly healthy environment not only focuses on internal direct vulnerabilities, but also those inherited by the organization’s relationships. As the company grows, the organization should consider the security practices of the groups connected to and working with their environment.
It’s imperative that risk professionals go into a partnership with their eyes wide open by assessing their partner's technology and vendor practices before finalizing any agreements. In addition, strengthen the relationship by defining time to address any vulnerabilities that can impact both parties or, at the least, outlining an agreed-to timeline that works for both companies. After all, no one wants to negatively impact their partner or their brand.
Implementing a vendor risk management program allows security leaders to understand vulnerabilities and develop a healthy program to help secure the environment at the onset.
In order to truly apply vulnerability management, organizations must take a holistic approach, making certain not to focus on one area but instead identifying weaknesses that can be targeted.
Some great resources for vulnerability management are:
Editor's Note: Check out Monique Hart's 2021 Women in Security profile here.