The number of disclosed vulnerabilities continues to grow. In the past year it increased by 14 percent, reaching an all-time high of nearly 20,000, according to the Flexera Vulnerability Review 2018. That figure alone shows that reducing the risk of exploitation of unattended vulnerabilities is not getting easier. On the contrary, the task keeps getting more complicated, with costly consequences for businesses around the globe.
Two examples illustrate the point:
Story one: a vulnerability in an operating system (OS) is disclosed – let’s say Windows Server. Patching a server OS can be tricky. No one wants to disrupt the business by taking down a system outside regular maintenance windows or by breaking something. The vulnerability is critical, but no public exploit is known. The decision is to defer the patch. The issue is forgotten and the patch is never applied. Then one day you get to work and you are the victim of a ransomware attack like WannaCry, which spread through a Windows vulnerability for which a patch had been available for about two months.
Story two: a vulnerability in an open source software (OSS) component is disclosed. You build internal systems using that OSS but you do not document where it is used. One of those systems parses customer data. Because you do not know you use that component, you do not know you are vulnerable. One day your business is making the cybersecurity headlines, as in the case of Equifax.
WannaCry and Equifax were cases that made the news, but they are not isolated cases. The exploitation of unpatched vulnerabilities remains one of the main vectors for incidents and breaches. According to a recent study by the Ponemon Institute, nearly 60% of organizations that suffered data breaches in the past two years cite unpatched vulnerabilities as the culprit in the attack. In a separate study by the analyst firm Forrester, IT security professionals rank the exploitation of software vulnerabilities as the most common means of external attack leading to incidents.
But how can you improve your practices to manage software vulnerabilities? Here are three points to take into consideration:
You don’t know what you don’t know
I continue to be surprised by how many organizations simply do not know about a large portion of the software they use.
You can’t expect to protect your systems if you just don’t know what’s in there.
Knowing what you have and where is the critical first step in the quest to stay on top of vulnerable applications.
Policies and processes
It does not matter whether the task is applying patches or mitigating the risk of exploitation of a vulnerability that cannot be patched. Policies, and processes that enforce those policies, are the only way to get control over software vulnerabilities and to report on risk reduction.
The underlying principle is simple: most incidents occur long after the vulnerability is publicly known. So processes that support a regular cadence of assessment and mitigation, with defined remediation deadlines rather than open-ended deferrals, should do the trick and effectively reduce risk.
Intelligence and prioritization
It’s clear that not all vulnerabilities can be fixed as they become public. The only way is to prioritize. But do you even know when a vulnerability is disclosed for a piece of software you use? Do you have trusted information on vulnerabilities affecting your systems? Can you connect that information with your policies to determine what to do first?
Without timely, accurate information on vulnerabilities – intelligence – prioritizing is simply not possible.
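The three points above amount to one workflow: keep an inventory, join it with a vulnerability feed, and rank the results against a written policy. The following Python script is an added example, not code from the Flexera post or from any Flexera product. It constructs a small inventory and a small advisory feed inline (the product names, `ADV-` identifiers, severity weights and SLA days are all assumptions, not figures from the post) and shows two things the text describes: a critical vulnerability with no public exploit still gets a due date instead of being deferred indefinitely (story one), and a component nobody recorded in the inventory produces no finding at all, however exposed the host is (story two).

```python
"""Added example: join a software inventory with a vulnerability feed and
rank the findings by a simple written policy. All data is constructed."""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    host: str
    product: str                 # normalized component name
    version: str
    internet_facing: bool
    handles_customer_data: bool


@dataclass(frozen=True)
class Advisory:
    vuln_id: str                 # hypothetical identifier, not a real CVE
    product: str
    affected_versions: frozenset
    severity: str                # "critical" | "high" | "medium" | "low"
    exploit_public: bool
    published: date


# Assumed written policy: days allowed to remediate, by severity, and the
# weight each severity contributes to the ranking score.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90, "low": 180}
SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 20, "low": 10}


def due_date(adv, asset):
    """Deadline from the policy table. A public exploit or an internet-facing
    asset shortens the window to 7 days. Nothing removes the deadline, so a
    'critical, but no exploit yet' finding is scheduled, not forgotten."""
    days = SLA_DAYS[adv.severity]
    if adv.exploit_public or asset.internet_facing:
        days = min(days, 7)
    return adv.published + timedelta(days=days)


def risk_score(adv, asset):
    """Higher is more urgent: severity plus exposure and data-sensitivity bonuses."""
    score = SEVERITY_WEIGHT[adv.severity]
    if adv.exploit_public:
        score += 30
    if asset.internet_facing:
        score += 20
    if asset.handles_customer_data:
        score += 10
    return score


def prioritize(inventory, advisories):
    """Join inventory and feed on (product, affected version); return findings
    sorted by earliest due date, then by highest score."""
    findings = []
    for adv in advisories:
        for asset in inventory:
            if asset.product == adv.product and asset.version in adv.affected_versions:
                findings.append({
                    "host": asset.host, "vuln_id": adv.vuln_id,
                    "due": due_date(adv, asset), "score": risk_score(adv, asset),
                })
    findings.sort(key=lambda f: (f["due"], -f["score"]))
    return findings


def hosts_with_findings(findings):
    return sorted({f["host"] for f in findings})


# Constructed inventory. app-02 actually runs the same parsing library as
# app-01, but nobody recorded it, so the join can never flag it (story two).
INVENTORY = [
    Asset("db-01",  "windows-server",     "2012r2", False, True),
    Asset("web-01", "windows-server",     "2016",   True,  False),
    Asset("app-01", "example-parser-lib", "2.3.1",  True,  True),
    Asset("app-02", "linux-distro",       "9",      True,  True),
]

TODAY = date(2018, 3, 1)   # constructed reference date for the feed
ADVISORIES = [
    Advisory("ADV-0001", "windows-server", frozenset({"2012r2", "2016"}),
             "critical", exploit_public=False, published=TODAY),
    Advisory("ADV-0002", "example-parser-lib", frozenset({"2.3.1"}),
             "high", exploit_public=True, published=TODAY),
    Advisory("ADV-0003", "some-other-product", frozenset({"1.0"}),
             "critical", exploit_public=True, published=TODAY),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY, ADVISORIES):
        print(f"{f['due']}  score={f['score']:3d}  {f['host']:7s} {f['vuln_id']}")
```

Run stand-alone, the script lists app-01 first (high severity, public exploit, internet-facing, customer data), then web-01 and db-01 for the critical OS advisory, with db-01 getting the full 14-day window because it is neither internet-facing nor covered by a public exploit. ADV-0003 produces nothing because no inventoried asset matches it, which is the intended outcome for a product you do not run; app-02 also produces nothing, which is the dangerous outcome, because the inventory is wrong rather than the host safe. The join is only as good as the inventory feeding it.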
All of this is easier said than done. But there is hope. Organizations are becoming more aware of the problem. They understand that detection systems and security teams are overwhelmed by incidents and, as a result, fail to stop breaches that could have been prevented with well-defined processes for regularly patching applications and systems.
Flexera’s customers report that our vulnerability intelligence and our technology help them achieve visibility, prioritize efforts and remediate vulnerabilities faster and without operational overhead. They remediate the right things and reduce the risk of exploitation for their businesses effectively.
Download Vulnerability Review 2018 – Global Trends today and learn more about the vulnerability landscape and our vision for mitigating risk.
Learn more about our solutions for managing software vulnerabilities.