The way of doing business, the way of shopping and even human life has changed and is now a part of this New Digital World. Like in the physical world, there are associated risks and if ignored they can turn into chaos.
One way to address these dangers is by conducting vulnerability management.
In previous articles we have discussed several topics that are related in one way or another to vulnerability management. Today, we guide you on how to mitigate the likelihood of incurring those costs.
Vulnerability Management is an iterative process of identifying, classifying, prioritizing, and remediating or mitigating vulnerabilities of given assets.
For this purpose, it is useful to think of something known as “Risk Equation” that calculates the risk as a result of the product between a “Threat” and the vulnerabilities. A company may be susceptible to thousands of threats in the digital world, but a company with a lower vulnerability number will make the risk less:
Threats * Vulnerabilities = Risk
1000 Threats * 0 Vulnerabilities = 0 Risk
The objective of vulnerability management is to identify a vulnerability when it arises, classify it, assign it a severity level among other vulnerabilities, remediate it or mitigate it, so that the risk is reduced. The fewer and less severe vulnerabilities you have, the lower the risk is.
In order to accurately identify a vulnerability, you must first have all of your assets correctly identified in an inventory, and then perform a vulnerability scan.
Traditionally, the advice was to run sporadic scans, but nowadays they must be done continuously with one or more automated software solutions.
In addition to the above, it is necessary to maintain penetration tests to confirm and properly analyze any of the discovered vulnerabilities, but there’s no need to do it entirely manually: automation is the new approach. SaaS cybersecurity companies offer solutions that perform automatic and continuous penetration testing, allowing you to optimize and use your budget more efficiently, as opposed to only manual testing which, due to cost and complexity, is performed semi-annually or annually at best. Check out Humanize Salience for automatic and continuous penetration testing solution.
If you do not know where to start, a good starting point might be to go through CIS Controls. The 7th Critical Security Control advice, in fact, advises ongoing vulnerability management.
Once you discover a vulnerability, you need to know how serious it is, based on the CVSS score and, on top of that, the intrinsic characteristics of your infrastructure. What is the likelihood of being attacked or the vulnerability to be exploited? It is necessary to classify for prioritization purposes.
What is CVSS? It is an open standard under the domain of FIRST. CVSS stands for “Common Vulnerability Score System” which, as its name suggests, is a scoring system to estimate the impact that vulnerabilities may have. When determining what level of risk a threat can determine, a scale is used that is established between 0 and 10.
After the classification instance, you are able now to assign something like a “severity level” to each vulnerability. In this way, you can conduct the action plan from urgent to less urgent.
The last step of the vulnerability management process -before starting the cycle again- is planning. Your software scan will usually advise you what to do next based on the global knowledge and experience, but the final solution will depend on your environment. A recommendation might be “disabling SMB service in Windows Servers,” but you have legacy services that still need it. In that case, your professional staff will have to adapt and evaluate the cost-benefit of their decisions.
You can choose a mitigation or a remediation plan.
A mitigation action consists of preventing or applying a workaround for buying some time or reducing the likelihood of being exploited. It is better than doing nothing.
A remediation plan consists of definitively getting rid of the vulnerability, neutralizing it in the appropriate way.
Keep in mind that “Vulnerability Management” is not the same as “Vulnerability Assessment”. The second term is a key part of the first term as it is part of the identification stage.
The cost is not always measured directly in money. In previous articles we discussed various topics that are related in one way or another to vulnerability management. In the article "5 Hidden Costs of Cyber Attacks" we address 5 hidden costs that ultimately lead to loss of money or worse, reputation. In this article, we guide you on how to mitigate the likelihood of incurring those costs.
Vulnerability Management plan is essential for your business, since it allows you to manage risk by reducing the vulnerabilities through a cyclical process aimed at detecting and eradicating them as much as possible and continuing to increase reputation and the income of your business. Last but not least, the less time your security team spends dealing with incidents, the more time they have to focus on new challenges or improve existing processes.