Maintaining an environment which centralizes not only the protection, but the creation of knowledge is the cornerstone of any successful vulnerability management strategy. Your connection to the internet unavoidably exposes your cyber environments to risk. Economist and financial journalist Michael Lewis claims the greatest threat to American governance today is the ‘fifth risk,’ an unknown quantity described as, “the knowledge that is never created, because you have ceased to lay the groundwork for it.” In the same way, the greatest threat to an organization’s information security is not the presence of vulnerability, because vulnerability is inevitable. It is a system which was not designed to systematically detect vulnerabilities which presents the greatest risk.
In industry today, the detection, discussion, and assessment of risk is typically conducted by way of a vulnerability scanning service of some kind. During a vulnerability scan, an appliance reaches out to a predetermined set of IP addresses on your network. The appliance requests information from the location and, depending on the type of scan, will receive different kinds of data. This information is then run through a database of common vulnerabilities and exposures provided by the US government, which the appliance uses to produce a list of your vulnerabilities. Vulnerabilities are often ranked on a scale of 1 to 5, with 5 representing the most severe risks.
This process may at first appear straightforward, but not all vulnerability scans are the same. They can be either external or internal, authenticated or unauthenticated, and understanding the different kinds of scanning an IT department conducts is essential to successfully evaluate an organization’s perception of its own risks. External scans are used to detect vulnerabilities that exist outside of a company’s firewall, including the DMZ, while internal scanning evaluates risks existing within it. Authenticated assessments include a total log-in to an organization’s devices by the scanning appliance, whereas unauthenticated scans produce a more limited dataset.
In my experience, many companies struggle to select the right combination of vulnerability scanning. Even when scanning processes are conducted appropriately, the identified risks are rarely methodically addressed. This is primarily because the results of vulnerability scans are overwhelming.
For example, when I started work as CISO at a small technology company several years ago, I began by conducting an unauthenticated, external vulnerability scan. Across just 3 locations and 2 small data centers, the scan produced a catalog of more than 60,000 vulnerabilities. The sheer volume of data produced by a proper vulnerability scan paralyzes IT departments and administrators alike. It can be tempting to conduct the most limited scans possible, not to conduct them at all, or to conceal results from management. Even when they are performed and fully disclosed, it is challenging to develop a plan to address such a large number of risks, and many organizations flounder.
There are three approaches I use to navigate complications associated with vulnerability scanning in real-world corporate settings:
1) Encouraging Straight Talk, 2) Slow and Steady Wins the Race, and 3) Responsiveness.
Encouraging Straight Talk. Effective vulnerability management is impossible if you do not ensure your IT Department is an environment which actively encourages the exposure of risk. Punishing the discovery of vulnerability is the fastest way to ensure the risks your organization faces will be made invisible to you. Encouraging open communication, and enabling IT employees to conduct the most comprehensive scans appropriate for your needs, are the only ways to be sure your organization has eyes on its cybersecurity weaknesses.
Slow and Steady Wins the Race. Once your organization has begun vulnerability scanning, the redress of risks must not only occur, but be methodical and deliberate. Accept that vulnerabilities are inevitable in the cyber landscape. Work to identify and address the most serious risks first. Acknowledge that strict timelines in some cases can be counterproductive, and prioritize ongoing effort above all else. In the example of vulnerability scanning described above, my first year as CISO was spent systematically addressing external risks listed as 5s, then 4s, and finally 3s. In fact, we expressly accepted the risk of all 1s and 2s in our documentation. By beginning with the most pressing vulnerabilities, the company was able to make meaningful progress toward eliminating the stack of 60,000 identified risks. Although thousands still remained by the conclusion of the year, many of the most serious threats were mitigated, and the IT Department had systematized their approach to the remaining lower-level vulnerabilities.
Responsiveness. A typical risk remediation time frame would require the highest-level risks to be addressed within roughly 72 hours, slightly lower-level risks to be addressed within 2 weeks, and so on. However, it is important to keep in mind that remediation timelines are not in proportion to the severity of vulnerabilities. Responsiveness and flexibility enable the address of risks to be as appropriate and timely as possible. For example, some 2s can be fixed within a day, while some 5s may require months of creative problem solving. At the same time, some vulnerabilities are best reimagined as capabilities; for example, an open camera on an employee’s chrome account might register as risk during a vulnerability scan, but is essential for that employee to work remotely. Some vulnerabilities require patches, or upgraded versions of software, while others require the reconfiguration of existing software; while patches are often preferable, and the configuration of existing software can result in unexpected changes, it is important to allow IT specialists to utilize the tools they find the most appropriate, see 1).
At the end of the day, vulnerability management is something you do on an ongoing basis. Steady pressure on the process is vital to success. Encourage IT teams to tell it like it is, and then take actions that improve your security and reduce your 'fifth risk' over time. If you actually improve each month, in a year you will see a tremendous improvement in your company’s information security