Vulnerability management is a key process in any information security program and regulatory compliance framework. According to a recent Forrester Global Security Survey, 49% of organizations have suffered one or more breaches in the past year, and software vulnerabilities were the largest factor in those breaches.
High-profile security breaches, such as the WannaCry crypto-ransomware outbreak in May, have made everyone conscious of cyber security issues. WannaCry is an example of a known vulnerability being exploited to great effect. Why is it that many companies lag behind on patching and updating their systems?
1. The volume of known vulnerabilities is overwhelming and can lead to focusing on high severity vulnerabilities only
A new security vulnerability is identified every 90 minutes, and several thousand vulnerabilities are disclosed every year. Managing vulnerabilities and staying ahead of risks can feel like treading water.
Analysis of vulnerability trends within our customer base with the F-Secure Radar solution shows that high severity vulnerabilities are far less prevalent. The vast majority of unpatched vulnerabilities are of low or medium severity.
From a company’s point of view, handling high severity vulnerabilities is the number one priority, and they do get handled in well-run organizations. Of course, it makes perfect sense that you’re going to perform triage when a new high severity vulnerability surfaces. But what about the rest of them?
[Figure: The prevalence and severity of vulnerabilities collected during 2016 with F-Secure Radar]
2. A broad attack surface makes identifying vulnerable systems challenging
An organization’s attack surface is the sum of its IT risk exposure. Rapidly changing, complex business IT environments lead to a broad attack surface. Companies need to scan for vulnerabilities in internal systems and applications, and they need to gain visibility into shadow IT.
Imagine a newly announced vulnerability and no way of identifying which systems in your network are affected by it. With the right tools in place, you can easily generate a threat assessment report of your Internet and web topology, giving your security team visibility into cyber security risks.
3. Vulnerability management must be a continuous process – occasional scans will not do the trick
Vulnerability management is more than running a vulnerability scanner once a year and remediating whatever it finds. Only constant scanning and ruthless control can help you find vulnerabilities before anyone else does.
Taking the time to understand the implications of every newfound vulnerability, and prioritizing and planning patch management accordingly, seems like a lot to ask, but it is entirely achievable with the right combination of human expertise and advanced solutions.
Given that there are very real monetary and reputational consequences to a security breach, company boards and executive teams want to know what steps you are taking to prevent one. In our report, we discuss the state of vulnerability management and give advice on how to mitigate cyber security risks with a proactive approach to vulnerability management. If you’re interested in the latest insights, we recommend downloading the report.