
Why Organizations Need a Vulnerability Management Program

By Dr. Rey LeClerc Sveinsson, ERMProtect

Organizations of all sizes should develop a comprehensive vulnerability management program to reduce their exposure in today's increasingly complex digital environment. Organizations can no longer afford a wait-and-see approach to protecting their networks. Cybercriminals continually search for exploitable vulnerabilities in the most widely used software and IT assets, and they have many tools at their disposal.

This is why every cybersecurity strategy should include a vulnerability management program. Its purpose is to protect the organization's network against exploitation of known vulnerabilities and to ensure compliance with regulatory requirements.

An effective vulnerability management program includes processes and procedures to continually monitor, analyze, and assess risk, getting a firm grip on security weaknesses and shining a light on exposures that could harm the enterprise.

The vulnerability program:

  • Ensures the network is analyzed for incompatibilities, missed updates, and common weaknesses in the software you use.
  • Establishes protocols for identifying, tracking, and remediating vulnerabilities, so the IT team can analyze the threat landscape efficiently.

Step 1 – Inventory All Assets

The process begins with taking inventory of all the organization's IT assets. This inventory must remain as current and as comprehensive as possible. Many companies fail to include certain programs, apps, and devices in security assessments, such as Internet of Things (IoT) devices. Remember: any asset that an attacker could reach or use to mount a cyber-attack must be accounted for, because an asset missing from the inventory will never be scanned, prioritized, or patched. It is also important to understand the interconnectedness of your environment - where the data flows and where the integrations occur.

Step 2 – Scan the Network

Once the team has inventoried all assets, they can begin scanning the entire IT network for vulnerabilities. A vulnerability scanner checks hosts, their operating systems, and the services they expose for known weaknesses, and can also uncover issues such as improper file sharing, system misconfigurations, and outdated software. A scan that authenticates to the target with credentials can see installed packages and local configuration and typically finds far more than an unauthenticated scan of exposed ports, so use credentialed scanning wherever the asset supports it.

Step 3 – Prioritize Vulnerabilities

After you have identified and evaluated the vulnerabilities, you have to decide how to prioritize and address them. Most organizations today take one of two approaches: they rely on the Common Vulnerability Scoring System (CVSS) score to decide which vulnerabilities to remediate first, or they accept the prioritization provided by their vulnerability scanning solution. Either way, remember that a CVSS base score describes the flaw in isolation; the same vulnerability deserves a higher priority on an internet-facing system or one that holds sensitive data than on an isolated one, so factor the asset inventory from Step 1 into the ranking.

Step 4 – Create Tracking System

Once the remediation priorities are established, the IT department should use a ticketing system to track every vulnerability and software issue. Each ticket should record key details such as the date and time of discovery, the risk level, whether the affected asset holds sensitive information, and the date and time the issue was remediated. This ensures that every finding is accounted for and leaves a record that audits and KPI reporting can draw on.

Step 5 – Establish KPIs

The scanning tool should make it easy for IT teams to create and share cybersecurity reports and data that track their progress on key performance indicators, such as the average time it takes the team to remediate a vulnerability and the average number of vulnerabilities reported within a set period of time.

Other KPIs could include the percentage of assets inventoried, time to detect, mean time to repair, number of incidents caused by vulnerabilities, vulnerability re-open rate, and number of exceptions granted. Tracking KPIs shows whether your vulnerability management program is improving over time and provides a benchmark against other organizations.

Step 6 – Keep Up the Good Work

Vulnerability management is a continuous process that keeps systems and applications up to date and ensures new vulnerabilities are identified quickly. The National Institute of Standards and Technology (NIST) recommends that vulnerability scans be run at least quarterly, regardless of network size or type. Any organization that relies on continuous availability of its computer network for regular operations should scan at least monthly, and organizations that collect or process personal or sensitive data should scan more frequently still. Depending on the self-assessment questionnaire or report an organization must complete, the Payment Card Industry Data Security Standard (PCI DSS) requires internal and external vulnerability scans at least quarterly and after any significant network change, irrespective of company size.
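The steps above, worked through end to end as an added example (this is not ERMProtect's tooling or any scanner's output): a constructed asset inventory and constructed scan findings are prioritized by CVSS score adjusted for asset context, turned into tracking tickets, and rolled up into the KPIs the article lists. The hostnames, finding titles, dates, severity bands, and the context weights are assumptions chosen for illustration, not values from the article or from any standard.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Asset:
    host: str
    internet_facing: bool
    sensitive_data: bool

@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float          # CVSS base score as reported by the scanner
    discovered: date

@dataclass
class Ticket:
    finding: Finding
    score: float
    priority: str
    closed: Optional[date] = None
    reopen_count: int = 0          # times the finding came back after closure

# Inventory step: constructed sample; hostnames are placeholders.
INVENTORY = {a.host: a for a in (
    Asset("web-01", internet_facing=True, sensitive_data=False),
    Asset("db-01", internet_facing=False, sensitive_data=True),
    Asset("hr-app", internet_facing=True, sensitive_data=True),
)}

# Scan step: constructed scanner output; the last host is absent from the inventory.
SCAN_DATE = date(2024, 1, 3)
FINDINGS = [
    Finding("web-01", "outdated web server", 9.8, SCAN_DATE),
    Finding("db-01", "anonymous file share", 7.5, SCAN_DATE),
    Finding("hr-app", "TLS misconfiguration", 6.5, SCAN_DATE),
    Finding("printer-07", "outdated firmware", 5.0, SCAN_DATE),
]

# Context weights are an assumption chosen for illustration, not a published standard.
INTERNET_FACING_BONUS = 1.5
SENSITIVE_DATA_BONUS = 1.0
SEVERITY_BANDS = ((9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low"))

def risk_score(finding: Finding, inventory: dict) -> float:
    """Prioritize step: CVSS base score raised for internet-facing or sensitive
    assets. An uninventoried host keeps its raw score; that gap is an inventory
    failure and is reported separately by uninventoried_hosts()."""
    score = finding.cvss
    asset = inventory.get(finding.host)
    if asset is not None:
        score += INTERNET_FACING_BONUS if asset.internet_facing else 0.0
        score += SENSITIVE_DATA_BONUS if asset.sensitive_data else 0.0
    return min(round(score, 1), 10.0)

def priority(score: float) -> str:
    """Bands follow the CVSS v3 qualitative severity scale."""
    return next(label for floor, label in SEVERITY_BANDS if score >= floor)

def uninventoried_hosts(findings: list, inventory: dict) -> list:
    """Inventory check: hosts the scanner reached but the inventory does not list."""
    return sorted({f.host for f in findings if f.host not in inventory})

def open_tickets(findings: list, inventory: dict) -> list:
    """Tracking step: one ticket per finding, highest risk first."""
    tickets = []
    for f in findings:
        score = risk_score(f, inventory)
        tickets.append(Ticket(f, score, priority(score)))
    return sorted(tickets, key=lambda t: t.score, reverse=True)

def kpis(tickets: list, inventory: dict) -> dict:
    """KPI step: the article's metrics, computed from the ticket records."""
    closed = [t for t in tickets if t.closed is not None]
    days = [(t.closed - t.finding.discovered).days for t in closed]
    scanned = {t.finding.host for t in tickets}
    return {
        "open": len(tickets) - len(closed),
        "mean_days_to_remediate": sum(days) / len(days) if days else None,
        "reopen_rate": (sum(1 for t in tickets if t.reopen_count) / len(tickets)) if tickets else 0.0,
        "pct_scanned_hosts_inventoried": (100.0 * len(scanned & set(inventory)) / len(scanned)) if scanned else 100.0,
    }

def run_example():
    """Constructed remediation history: two tickets closed, one reopened."""
    tickets = open_tickets(FINDINGS, INVENTORY)
    by_host = {t.finding.host: t for t in tickets}
    by_host["web-01"].closed = date(2024, 1, 5)
    by_host["db-01"].closed = date(2024, 1, 10)
    by_host["hr-app"].reopen_count = 1    # fix rolled back; finding returned on the next scan
    return tickets, kpis(tickets, INVENTORY)

if __name__ == "__main__":
    tickets, metrics = run_example()
    for t in tickets:
        print(f"{t.priority:8} {t.score:4.1f} {t.finding.host:11} {'closed' if t.closed else 'open':6} {t.finding.title}")
    print("hosts missing from inventory:", uninventoried_hosts(FINDINGS, INVENTORY))
    print(metrics)
```

Run it directly to see the ranked tickets and the KPI summary. Two details are worth noticing: the printer keeps the scanner's raw score because nothing is known about where it sits, which is exactly why the inventory has to be complete before scan results can be trusted, and the re-open counter is the signal that a fix was rolled back or never actually applied, which a simple "closed" count would hide.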

Proactive Cybersecurity Efforts

With the number of cyberattacks continuing to increase, organizations need to take a proactive approach to their cybersecurity efforts. Vulnerability management is one way to do this. The sooner a weakness is identified, the faster it can be assessed and remediated.

How ERMProtect Can Help

ERMProtect can help you develop your organization's vulnerability management program. We leverage 25 years of experience in cybersecurity to secure your data, protect your business, and manage costs and risk.
