Vulnerability Management: 5 Steps To Protect Your Business

Vulnerability Management

In the simplest terms, vulnerability management is the element of cybersecurity that involves finding and remediating weaknesses in your computer systems, to minimize the ways attackers can negatively impact your business.

What is a vulnerability, and how does it affect businesses? 

Vulnerabilities are weaknesses in computer systems that allow unauthorized access to those systems. Some vulnerabilities have great James Bond-esque names such as Spectre, Sweet32 Birthday attacks, Heartbleed, and BlueKeep — a fun concept that helps people recognize the vulnerability, but not necessarily an indication of its importance. For instance, zero-day vulnerabilities are not named in a particularly exciting way, but they’re the ones we worry about more than anything. They’re vulnerabilities that software manufacturers are not yet aware of, meaning that a patch (or software fix) is not available. We simply don’t know what we don’t know. 

Vulnerabilities are attractive to malicious actors because they look to exploit them for their gain, such as stealing customer data or preventing businesses from using their computer systems. If malicious actors took over your business’s computers, what would you do? This probably isn’t a reality you want to experience, but unfortunately, it’s common. The National Vulnerability Database (NVD) from the National Institute of Standards and Technology (NIST) lists the thousands of software vulnerabilities discovered monthly.

The 5 steps of vulnerability management

Protecting your business from vulnerabilities involves a series of sequential steps. This is a common practice with many cybersecurity measures, like abiding by standard principles to assess the likelihood of a cyberattack amidst the threat landscape or developing an incident response plan in the event of an attack. To practice smart vulnerability management, you want to focus on five areas and ask these questions:

  1. Assets – What do we need to protect? 

  2. Scanning – What vulnerabilities are in our network?

  3. Prioritization – Is it worth it to fix this vulnerability? How fast do we need to fix this vulnerability?

  4. Remediation – How can we fix these vulnerabilities?

  5. Reporting – What have we done to remediate these? (With an eye on keeping management updated on what vulnerabilities exist in our environment.)

In the rest of this article, I’ll provide details about the five steps of vulnerability management, how you can follow them, and why they will help your business.

Step 1: Assets - Determine your assets

You can’t practice effective vulnerability management until you know what to manage. Therefore, your first step is to compile a list of all assets in your network. These often include hardware like: 

  • Servers

  • Computers

  • Network equipment

  • USB drives

  • Phones, etc. 

Any device that connects to your network should be on this list. This list tells you what you need to protect in your environment.

Step 2: Scanning - Scan for vulnerabilities 

Vulnerability scanners are automated tools to help you find known vulnerabilities in your environment (company’s network). For instance, vulnerability scanners identify which devices are connected to your network, which vulnerabilities are present, and help to determine which devices shouldn’t be connected to your network. Thus, scanners can tell you where your patch management isn’t working. 

A simple way to think about vulnerability management is as a control in your environment that tells you which gaps exist in other processes. How you use data from a vulnerability scanner is the essence of vulnerability management. You can’t manage what you can’t identify. Scanners are a critical second step in vulnerability management because they are how you identify vulnerabilities, prioritize findings, and verify remediation.

Step 3: Prioritization - Prioritizing vulnerabilities

With the tremendous number of known vulnerabilities, it can be helpful to prioritize vulnerabilities based on a risk management approach. You could try to fix all vulnerabilities in your environment as you discover them. However, this may not be the most efficient use of time. Remediating all vulnerabilities may put too many constraints on your team defending your business from bad actors. Therefore, classifying vulnerabilities is extremely important. Think about the value if you separate vulnerabilities into these four categories:

  • Critical - Imminent threat; likely allows unauthorized access to sensitive data; likely to disturb business operations

  • High - Could disrupt business operations or cause a data leak

  • Medium - Potential risk to your business; minor information exposed

  • Low - Minimal impact on your business

Every business must determine these levels of importance for itself. For that, let’s turn to the CVSS.

Common Vulnerability Scoring System (CVSS)

In addition to the above categories, many businesses measure risk based on the vulnerability’s CVSS score, the asset's criticality, and whether an exploit exists for that vulnerability. 

Common Vulnerability Scoring System (CVSS) is an effort from the CVE® Program, whose mission is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. Its scoring system is designed to determine the potential impact on a computer system if that vulnerability were to be exploited. The higher the CVSS number, the more damage the vulnerability could cause:

  • Critical - 9.0-10.0

  • High - 7.0-8.9

  • Medium - 4.0-6.9

  • Low - 0.1-3.9

This type of quantifiable scoring helps identify high-priority vulnerabilities in the most strategic way possible. Now that you know which vulnerabilities to prioritize, you can first focus on fixing those critical vulnerabilities on your most critical systems that will bring down your business if exploited. Then, you can develop a plan for the lower severity vulnerabilities that, when exploited, are not a catastrophic event but more of an inconvenience.
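The prioritization described in this step (CVSS band, asset criticality, and whether an exploit exists) and the per-band counts used in Step 5 reporting, as an added example that is not part of the original article. The band floors are the article’s; the 1–3 asset-criticality scale, the weights, and the sample findings (with placeholder CVE ids) are assumptions.

```python
from dataclasses import dataclass
from collections import Counter

# Severity bands exactly as the article lists them (floor of each band).
CVSS_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the article's four bands; 0.0 means no severity."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in CVSS_BANDS:
        if score >= floor:
            return label
    return "None"

@dataclass
class Finding:
    host: str
    cve: str                 # placeholder identifiers in the constructed data below
    cvss: float
    asset_criticality: int   # assumed 1..3 scale: 1 = low value, 3 = business-critical
    exploit_available: bool  # whether a public exploit is known for this vulnerability

def priority(f: Finding) -> int:
    """Urgency score: severity band weighted by asset criticality, plus a bump when an
    exploit exists. The weights are an assumption for illustration, not a standard."""
    band_weight = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}
    base = band_weight[cvss_severity(f.cvss)]
    if base == 0:
        return 0
    return base * f.asset_criticality + (2 if f.exploit_available else 0)

def triage(findings: list[Finding]) -> list[Finding]:
    """Remediation queue, most urgent first; ties broken by CVSS so the order is stable."""
    return sorted(findings, key=lambda f: (priority(f), f.cvss), reverse=True)

def severity_report(findings: list[Finding]) -> dict[str, int]:
    """Counts per band, the kind of figure Step 5 puts in front of management."""
    return dict(Counter(cvss_severity(f.cvss) for f in findings))

# Constructed sample scanner output; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("file-server", "CVE-EXAMPLE-A", 9.8, 3, False),
    Finding("kiosk-pc", "CVE-EXAMPLE-B", 9.8, 1, False),
    Finding("payroll-db", "CVE-EXAMPLE-C", 7.5, 3, True),
    Finding("laptop-07", "CVE-EXAMPLE-D", 5.3, 2, False),
    Finding("laptop-07", "CVE-EXAMPLE-E", 3.1, 2, False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{priority(f):>3} {cvss_severity(f.cvss):<8} {f.host:<12} {f.cve}")
    print(severity_report(SAMPLE))
```

Note that the two 9.8 findings land far apart in the queue: the same CVSS score on a business-critical server outranks it on a low-value kiosk, which is the point of weighing asset criticality alongside the score.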

Step 4: Remediation - Fixing vulnerabilities

Remediation is how we fix vulnerabilities. As mentioned above, vulnerability management can be viewed as a control against your patching systems. It should identify gaps and points of improvement in other systems and processes. Though patch management is essential to cybersecurity, it is separate from vulnerability management.

There are many steps to successful remediation. Let me walk you through an actual situation I dealt with previously. I had configured a vulnerability scanner and found 50 vulnerabilities for the same software on every computer! Here are the questions I asked to come to a resolution.

  • Who uses this software?

    • Only five people in the company use this software. 

  • Can this software be uninstalled where it isn’t needed?

    • Yes, it can! I developed an automated method to remove this software from all machines that didn’t need it.

  • Why is this software not up to date? 

    • It turns out nothing was configured to push updates for this software because a few people were concerned about breaking it, so they never configured updates. That leads to my next question!

  • If I update this software, what issues may arise?

    • Spoiler alert! This may be the most challenging question because an update could adversely affect the software in question and connected systems. After thorough testing, I found no issues with running the up-to-date software version. I ensured the application appropriately worked after the update and that other software connecting to the application worked as well.

  • How can I keep this software up to date in the future?

    • I configured our patching software to push updates on a regular schedule. 

  • Why is this software installed on every computer?

    • The software, needed by only five people, was installed on all new computers as this software was added by default when all the computers were set up. To prevent this exact situation from occurring repeatedly in the future, I removed this default. The problem was solved, and it was solved for good.

Remediation is ultimately about developing a smarter, more secure way to run your business. By identifying the actual cause of each vulnerability, you have the data to fix the vulnerability at the earliest time, which can create efficiencies in your environment.

Step 5: Reporting - Reporting on vulnerabilities

Reporting is a great way to track the success of a vulnerability management program. Let’s be honest; watching vulnerability severity decrease in your environment while you increase your security posture is fun! EVERYONE knows it is the MOST fun you can have in life (or maybe not). Well, for those of us in vulnerability management, it is! Plus, it surely will make cyber insurers smile. Additionally, reporting on vulnerability management is a great metric to help management understand your current security posture. Keeping your management team updated on what vulnerabilities exist in your environment is a fantastic way to ensure they are aware of your present threats. That knowledge will help them make better, more informed business decisions. I would also encourage that reporting shouldn’t stop at management but extend to the company's employees. It can help everyone do their part in securing your network.

Conclusion

Computer vulnerabilities are a serious threat to every business with a digital component — which is to say, almost every business today. Following these five steps will bring order to your vulnerability management, helping protect your business and keep it running smoothly.


Jane Rainer, CISSP

Jane has held many roles in organizations, from security analyst, IT manager, senior IT support, infrastructure administrator, bank security officer, and data analyst. She had a unique opportunity to learn how pieces of technology fit together to increase process efficiency and security. Jane is passionate about helping others and helping businesses understand the criticality of technology and security in today’s environment.

https://www.linkedin.com/in/jane-rainer/