Vulnerabilities on Internet-connected systems are targeted on a daily basis. The fourth CIS control addresses the need to keep them protected. “Continuous Vulnerability Assessment and Remediation” covers keeping up with and fixing newly discovered security issues.

The need for vigilance

Every day, cyber security researchers find new security flaws in software.  These software vulnerabilities are generally announced once a patch has been made available. However, once new vulnerabilities are announced, that information is available to both system managers and criminals alike. System managers need to determine whether or not these vulnerabilities exist on their systems and act on the information as quickly as possible to mitigate detected risks.

Vulnerabilities can arise from system misconfiguration as well as software flaws. For example, a host that is accessible from the Internet could expose functionality that should only be available locally, such as access to management interfaces. An external scan should discover these issues.

A vulnerability management process is necessary to keep up with the number of published vulnerabilities. A comprehensive process will identify vulnerabilities and recommend the necessary patches or configuration changes. This should be followed up with patch deployment and remediation scans to ensure that updates were successfully applied.

Even one existing critical vulnerability could allow an attacker to take complete control of a system. Therefore, it is important that the appropriate vulnerability scanning and patch management tools are implemented to identify and remediate the various points of risk throughout the company’s network.

Vulnerability scans

Vulnerability scans should be performed from both an internal and external perspective to get a complete picture of what vulnerabilities exist on a network. External scans provide information about the exposure of an organization’s systems to the Internet. They should also highlight potential misconfigurations of the services on those hosts that are exposed to the Internet. Internal scans should detect vulnerabilities on all internal hosts accessible by the scanner, as opposed to just those services exposed to the Internet through the gateway firewall. To ensure early detection of new vulnerabilities, scans should be performed monthly at a minimum.

It is generally recommended to perform authenticated scans to get the most comprehensive and accurate set of results, including additional information about versions of installed software, missing patches, insecure configurations and potential malware on scanned hosts.

Patch installation

Once scanning is completed, remediation efforts should be prioritized based on which vulnerabilities present the greatest risk to the organization. An immediate effort should be put into addressing all discovered critical and high vulnerabilities. Higher priority should also be placed on those specific hosts that contain sensitive data, are considered to be mission critical, or are directly accessible from the Internet.
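To make this prioritization and the remediation-scan check from the process section concrete, here is a small Python triage script added as an example; it is not code from the original article or from the CIS documents, and the host names, check ids and findings are constructed sample data.

```python
from dataclasses import dataclass

# First criterion from the text: severity, critical and high first.
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Host:
    name: str
    internet_facing: bool = False   # second criterion: the three host risk factors
    sensitive_data: bool = False
    mission_critical: bool = False

@dataclass(frozen=True)
class Finding:
    host: Host
    check_id: str       # scanner's check identifier; sample values below are constructed
    severity: str       # "critical" / "high" / "medium" / "low"

def host_exposure(host):
    """Number of the three host risk factors present; more means more urgent."""
    return sum((host.internet_facing, host.sensitive_data, host.mission_critical))

def prioritize(findings):
    """Severity first, then hosts with more risk factors, then name for a stable order."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity],
                                           -host_exposure(f.host), f.host.name))

def immediate_queue(findings):
    """The findings the text says need immediate effort: critical and high."""
    return [f for f in prioritize(findings) if f.severity in ("critical", "high")]

def unresolved_after_rescan(before, after):
    """Remediation-scan check: a finding still reported after patching was not fixed."""
    still_open = {(f.host.name, f.check_id) for f in after}
    return [f for f in before if (f.host.name, f.check_id) in still_open]

# Constructed sample inventory and scan results (not real scanner output).
WEB = Host("web-01", internet_facing=True)
DB = Host("db-01", sensitive_data=True, mission_critical=True)
WS = Host("ws-17")
BEFORE = [Finding(WS, "CHK-1", "high"), Finding(WEB, "CHK-2", "medium"),
          Finding(DB, "CHK-3", "critical"), Finding(WEB, "CHK-4", "high")]
# Remediation scan after patching: CHK-3 and CHK-4 are gone, CHK-1 is still there.
AFTER = [Finding(WS, "CHK-1", "high"), Finding(WEB, "CHK-2", "medium")]

if __name__ == "__main__":
    for f in immediate_queue(BEFORE):
        print(f.severity, f.host.name, f.check_id)
    print("unresolved:", [f.check_id for f in unresolved_after_rescan(BEFORE, AFTER)])
```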

There are certain risks associated with patch deployment.  Patches should be tested before being applied to verify whether or not they will have an adverse effect on dependent software.  Additionally, it’s important that the process of deploying patches doesn’t disrupt operations; chances are you don’t want forced reboots on servers and workstations during business hours.  This could possibly lead to data loss and will certainly lead to very upset users.  This highlights the fact that communication is also a key component of the patch deployment process.  It’s important to keep system managers and end-users abreast of planned patch deployment.

Also, it isn’t just ‘computers’ in the usual sense that need patching. Any device with a processor and firmware could have security issues that could potentially lead to the compromise of that particular device as well as a potential network breach.  Devices such as printers, scanners and routers all need to be routinely updated as a part of the patch management process.

Keeping up means greater safety

Unpatched software vulnerabilities are a major factor in system breaches. The cost in lost data and time spent recovering it, as well as the hit to reputation, is more often than not huge. A systematic approach to detecting and fixing security holes should stop the large majority of threats. It’s an ongoing, sometimes tedious task; but it is more than necessary, it is vital work.