July 10, 2020
When it comes to cybersecurity, you might have heard terms like “vulnerability assessment” or “vulnerability management.” They are related, but they are not the same thing. Vulnerability assessment is one step within vulnerability management: the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. Vulnerability management is the broader, proactive practice of continually reducing your organization’s attack surface. Implemented alongside other security tactics, it is vital to your organization, and understanding the risk you carry without a vulnerability management program in place is equally important.
What qualifies as a security vulnerability?
Is your software completely patched and up to date? What about your hardware? Are you still using very old machines? What type of password system does your organization use? What about multifactor authentication and encryption? What security features do your in-house servers use? Any technological weakness that could potentially allow attackers to compromise a product and the information it holds is considered a security vulnerability. Identifying these areas of weakness is crucial. That’s why an MSSP will often use automated vulnerability scanners in conjunction with endpoint agents across a variety of systems. Laptops, desktops, physical and virtual servers, firewalls, printers — any number of these can and should be proactively and routinely scanned for vulnerabilities.
How do you deal with a security vulnerability?
Once a security vulnerability has been identified, the first step should be to evaluate it. What sort of risk does the vulnerability pose to your organization? Could it potentially result in a data breach? A DDoS attack? A complete takeover? Knowing how it can impact you — or even if it does — can help you prioritize the most critical areas first. To aid in your decision-making process, many vulnerability management solutions will provide different risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. This rating system can help you determine what to prioritize.
Once you’ve successfully prioritized the vulnerabilities, the next step is figuring out how to address them. Based on the severity of the vulnerabilities, there are three possible ways of going about this:
- Remediation – This means actually fixing the problem. Patch it, replace it, or do whatever you have to do to make the vulnerability vanish. Ideally, this is what you should always strive for. But depending on the system in question, it’s not always an option.
- Mitigation – Maybe there isn’t a patch available, or maybe the system can’t take the patch without breaking something. Whatever the reason, if outright fixing the issue isn’t possible, you take steps to reduce the likelihood or impact of the vulnerability being exploited against you. This is the “someone broke the window but a storm is coming, so for now here’s some duct tape” approach. It’s not ideal, but it can buy you some time.
- Acceptance – Also known simply as “ignoring the problem.” The only time you should accept a vulnerability is when you know with absolute certainty that the associated risk is minimal to non-existent. Only you and your IT team together can make that determination.
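To make the prioritization and treatment steps concrete, here is a small triage routine, added as an example and not part of the original post or any vendor's product. The CVSS v3 qualitative severity bands it uses (None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0) are the published standard; the `Finding` fields, the sample findings, and the decision policy (accept only unexposed Low/None findings, remediate when a patch exists, otherwise mitigate) are assumptions chosen for illustration and should be replaced by your own organization's policy.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


@dataclass
class Finding:
    """One scanner result. Field names are hypothetical, not a real scanner's schema."""
    host: str
    title: str
    cvss: float
    patch_available: bool
    internet_exposed: bool
    compensating_control: Optional[str] = None


def treatment(f: Finding) -> str:
    """Decide remediate / mitigate / accept under the illustrative policy."""
    sev = cvss_severity(f.cvss)
    # Acceptance is reserved for low-severity issues on systems that are not
    # reachable from the internet; everything else must be acted on.
    if sev in ("None", "Low") and not f.internet_exposed:
        return "accept"
    # If the vendor ships a fix, applying it is always the preferred outcome.
    if f.patch_available:
        return "remediate"
    # No patch: fall back to compensating controls (segmentation, WAF rule, ...).
    return "mitigate"


def triage(findings: List[Finding]) -> List[Tuple[str, str, str, str]]:
    """Rank findings (internet-exposed first, then by descending CVSS) and
    attach a severity band and a treatment decision to each."""
    ranked = sorted(findings, key=lambda f: (f.internet_exposed, f.cvss), reverse=True)
    return [(f.host, f.title, cvss_severity(f.cvss), treatment(f)) for f in ranked]


# Constructed sample findings for demonstration only.
SAMPLE_FINDINGS = [
    Finding("fw-01", "Outdated firmware on edge firewall", 9.8, True, True),
    Finding("print-07", "Default SNMP community string", 5.3, True, False),
    Finding("legacy-db", "Unsupported OS, no vendor patches", 7.5, False, False,
            compensating_control="network segmentation"),
    Finding("ws-12", "Informational banner disclosure", 2.1, True, False),
]

if __name__ == "__main__":
    for host, title, sev, action in triage(SAMPLE_FINDINGS):
        print(f"{host:10} {sev:9} {action:10} {title}")
```

Running the script lists the firewall first even though the legacy database host also scores High, because exposure is weighted ahead of raw score; the legacy host comes out as "mitigate" since no patch exists, which is exactly the duct-tape case described above.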
At the end of the day, it’s important to remember that the only thing keeping your organization safe from harm is human intervention — no matter how much automation is involved. In a world where cyberthreats are growing exponentially, 24/7 vigilance is mandatory. You need to know whether your systems can handle an attack and what will happen to your business — not if, but when — such an attack gets through. Contact us to see how we can help.