If the internet or other network connections are used in the daily course of operating your business, you are subject to vulnerabilities. Plain and simple. Already have a great firewall? Good. You have antivirus software running? Good. Your administrators keep your devices patched with the latest security patches? Good. But if you think that is enough, you are wrong. According to Gartner in their Predictions for IT Security Directors, “Enterprises that implement a vulnerability management process will experience 90% fewer successful attacks…”. The harsh reality is that many organizations don’t even protect appropriately against known threats, leaving them vulnerable to 90% more successful attacks, using the inverse logic from the Gartner statistic.
One only has to remember back to the GHOST vulnerability to realize this is true. When the GHOST vulnerability was announced, network devices and computers all over the globe were found vulnerable – even some of the most hardened operating systems needed to be fixed! Surprises like that will come up from time to time, but don’t overlook the known issues.
Vulnerability Assessments and Vulnerability Management Programs are related but different. During a Vulnerability Assessment your IT environment is scanned to identify existing vulnerabilities, giving you awareness of what needs to be fixed. This is an absolute must, but understand that it is a point-in-time snapshot, not a “one-and-done” task. Your environment will continue to change over time through the addition and removal of systems, software upgrades and operating system patching. And even if you could freeze your technology infrastructure, new vulnerabilities and exploits are discovered in old code! Generally, a Vulnerability Assessment should be conducted at least quarterly, and as needed following significant changes in your IT environment.
Taking it to the next step, a Vulnerability Management Program is a systematic approach to conducting assessments and resolving the vulnerabilities they find. The term “Program” correctly implies that this is an ongoing activity, as it should be. For example, you may find on your initial scan that there are hundreds of vulnerabilities to address. You will likely need to prioritize them and address them in multiple waves through your Change Control cycles. Trying to fix everything at once may be neither possible nor wise.
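To make the two preceding paragraphs concrete, here is an added example (not code from the original post or from Intrinium) of the bookkeeping a small Vulnerability Management Program needs: ranking scan findings by risk, splitting them into remediation waves sized to what a Change Control cycle can absorb, and computing when the next quarterly assessment is due. The scan findings, host names, vulnerability identifiers (VULN-000n placeholders) and the scoring weights for known exploits and internet exposure are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    """One row from a vulnerability scan report (constructed sample data)."""
    host: str
    vuln_id: str           # placeholder identifier, not a real CVE
    cvss: float            # base severity score, 0.0 to 10.0
    exploit_known: bool    # a working exploit is publicly known
    internet_exposed: bool # the host is reachable from the internet


# Assumed weighting: CVSS is the baseline, then bump findings that are
# both easy to exploit and reachable. Capped at 10 so the scale stays familiar.
EXPLOIT_BONUS = 2.0
EXPOSURE_BONUS = 1.5


def risk_score(f: Finding) -> float:
    score = f.cvss
    if f.exploit_known:
        score += EXPLOIT_BONUS
    if f.internet_exposed:
        score += EXPOSURE_BONUS
    return round(min(score, 10.0), 1)


def plan_waves(findings: list[Finding], wave_size: int) -> list[list[Finding]]:
    """Rank findings highest-risk first and chunk them into fixed-size waves,
    one wave per Change Control cycle. Ties break on host name for stable output."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), f.host))
    return [ranked[i:i + wave_size] for i in range(0, len(ranked), wave_size)]


def next_assessment_due(last_scan: date, today: date, significant_change: bool = False) -> date:
    """Quarterly cadence (assumed as 90 days), or immediately after a major change."""
    if significant_change:
        return today
    return last_scan + timedelta(days=90)


# Constructed sample scan results, as a scanner might report them.
SAMPLE_FINDINGS = [
    Finding("web01", "VULN-0001", 9.8, exploit_known=True, internet_exposed=True),
    Finding("db01", "VULN-0002", 7.5, exploit_known=False, internet_exposed=False),
    Finding("ws17", "VULN-0003", 5.3, exploit_known=True, internet_exposed=False),
    Finding("web02", "VULN-0004", 6.1, exploit_known=False, internet_exposed=True),
    Finding("fs01", "VULN-0005", 4.0, exploit_known=False, internet_exposed=False),
]


if __name__ == "__main__":
    for n, wave in enumerate(plan_waves(SAMPLE_FINDINGS, wave_size=2), start=1):
        print(f"Wave {n}:")
        for f in wave:
            print(f"  {f.host:6} {f.vuln_id}  risk={risk_score(f)}")
    due = next_assessment_due(date(2024, 1, 1), today=date(2024, 2, 15))
    print(f"Next quarterly assessment due: {due}")
```

The point of the ranking is that the raw scanner severity is only the starting input; a medium-severity finding on an internet-facing host with a known exploit belongs in an earlier wave than a higher-severity finding buried on an isolated server. Re-running the scan after each wave, and again on the quarterly date, is what turns a one-off assessment into a program.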
If you are not staffed internally with the skills and resources to mount a solid Vulnerability Management Program, there are IT security consulting firms like Intrinium that have experts and well-defined procedures which can fill the gap. Whether you roll your own or outsource to experts, addressing vulnerabilities must be a part of your information security plan. Consider these points:
- What is your biggest security concern, either known or suspected, to be lurking in your company?
- Do you have a clear picture of your overall security posture? Do you even know what problems might exist?
- If you already have some sort of vulnerability scanning in place, how confident are you in the findings?
- Do you know how well you stack up against industry best practices or regulatory requirements?
- Are your financial, human and technology resources properly aligned to address the high-risk vulnerabilities or are you busy squashing ants?
As we continue to embrace technology and the Internet, information security must be a top-shelf issue for virtually all organizations. It is hard to even think of a business, municipality or charitable organization that is not dependent on technology, or that would not suffer incredible harm if a vulnerability were exploited in their environment. Partnering with a consulting firm to obtain best-in-class Vulnerability Assessments and implement a Vulnerability Management Program may be your best initiative this year!