Business Responsibility in Mitigating Vulnerabilities

According to a 2018 study by Juniper Research, cybercriminals will likely steal an estimated 33 billion records in 2023 alone.  This dwarfs the 12 billion records that were swiped last year.  Companies that wish to stay on the brighter side of this trend need to configure, implement, and maintain a vulnerability management program that does more than just discover vulnerabilities.  Information Security (InfoSec) teams must go further and mitigate the risks identified during the discovery phase in order to protect their network, maintain compliance, and foster client confidence.  Let’s consider how businesses can act responsibly in vulnerability mitigation, not just discovery, by implementing a vulnerability management program.

Vulnerability Mitigation

A vulnerability management (VM) program is an InfoSec team’s continuous responsibility to mitigate risks in the organization’s network, under management oversight and balanced against business operations.  VM is the foundation of a security program: its focus is on finding, categorizing, and assessing network assets for risk. The goal is to construct a comprehensive understanding of what is on the network and to decide how to mitigate risks before they can be exploited.

Once team members understand the risks to the assets on the network, they can prioritize and remediate before exploitation.  After a vulnerability is identified, one method of mitigation is to install a web application firewall. This may be easier and less of a burden on the organization’s resources than fixing a discovered flaw in the web application’s code.  In this scenario, the vulnerability may still exist, but the risk is diminished as long as the web application firewall is in place and kept patched.

There are also scenarios where business leaders are financially invested in legacy tools or applications, and decide to accept the risk of an associated vulnerability, without remediation or mitigation.  For example, stakeholders may feel that installing antivirus software on expensive equipment may impact business operations more than the actual vulnerability itself.  In these scenarios, stakeholders must understand how vulnerabilities can impact data confidentiality, system and data integrity, system availability, or even a combination of the three. Nevertheless, InfoSec teams must constantly revalidate the risk tolerance, and weigh the business need in maintaining or replacing the application.

Discovery Is More Than Just Checking a Box

A VM program is typically broken up into four phases: Discover, Report, Prioritize, and Respond.  After placing company assets into a distributed inventory or asset management system, Vuln Management teams must organize the information systems into data classes such as vulnerability, configuration, patch state, or compliance state.  The discovery phase should allow your InfoSec team to locate every asset and build a database of knowledge other VM processes can use.  At the very least, the InfoSec team should know the state of critical business assets. Since networks are in a constant state of change, asset information needs to be continually refreshed.  Following through with discovery in this way sets companies up to adequately remediate their vulnerabilities and better prioritize the vulnerabilities in their network environment.

Due Diligence Beyond Discovery via Prioritization

If InfoSec teams are unable to remediate a vulnerability within the specified timeframe, a plan such as a Plan of Action and Milestones (POA&M) needs to be developed and followed to re-prioritize the vulnerability until remediation efforts are completed. In other words, risk acceptance should be short term. Tactical reports should be configured and delivered in a way that outlines business-oriented risk metrics, giving InfoSec teams and business stakeholders the visibility they need to mitigate findings on the spot.  This type of reporting should be reviewed before a new feature is installed, during testing, and at regular intervals following the implementation of new hardware or application features.

Depending on your business, remediation of known high-priority asset vulnerabilities should be completed within 30 days of discovery. Lower priority vulnerabilities can reasonably be extended up to 90 days for complete remediation.  However, if a zero-day vulnerability is being actively exploited by an attacker, its remediation should be the top priority to avoid a possible network breach.  Creating this type of short list allows your team to focus on quickly eliminating the risk of exploitation by attackers.
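To make the prioritization rules above concrete, here is an added example (not code from the original article) that triages a constructed inventory of findings using the 30-day and 90-day windows, treats an actively exploited zero-day as the first item, and flags risk-accepted findings whose POA&M revalidation date has passed; the asset names, `VULN-000x` identifiers and dates are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Remediation windows from the article: high priority within 30 days of discovery,
# lower priority within 90 days; an actively exploited zero-day is handled first.
SLA_DAYS = {"high": 30, "low": 90}
REVIEW_DATE = date(2024, 3, 1)  # constructed "today" for the worked example

@dataclass
class Finding:
    asset: str
    vuln_id: str                 # constructed placeholder, not a real CVE id
    priority: str                # "high" or "low"
    discovered: date
    exploited_in_wild: bool = False
    mitigated: bool = False      # e.g. a patched WAF in front of an unfixed web flaw
    poam_review: Optional[date] = None  # risk-accepted finding: date the POA&M must be revalidated

    def due(self) -> date:
        return self.discovered + timedelta(days=SLA_DAYS[self.priority])

def triage(findings: List[Finding], today: date) -> List[Tuple[str, str, str]]:
    """Order findings by urgency and label each with what the team must do."""
    rows = []
    for f in findings:
        if f.exploited_in_wild and not f.mitigated:
            rank, status = 0, "zero-day exploited: remediate now"
        elif f.mitigated:
            rank, status = 3, "mitigated: verify compensating control stays patched"
        elif f.poam_review is not None and f.poam_review < today:
            rank, status = 1, "risk acceptance expired: revalidate POA&M"
        elif today > f.due():
            rank, status = 1, f"overdue by {(today - f.due()).days}d"
        else:
            rank, status = 2, f"due in {(f.due() - today).days}d"
        rows.append((rank, f.due(), f.asset, f.vuln_id, status))
    rows.sort()  # most urgent first, then by earliest due date
    return [(asset, vid, status) for _, _, asset, vid, status in rows]

def sample_findings() -> List[Finding]:
    """Constructed inventory; every asset name, id and date is hypothetical."""
    return [
        Finding("web-01", "VULN-0001", "high", date(2024, 1, 15), mitigated=True),
        Finding("db-02", "VULN-0002", "high", date(2024, 2, 20), exploited_in_wild=True),
        Finding("legacy-03", "VULN-0003", "low", date(2023, 11, 1), poam_review=date(2024, 2, 1)),
        Finding("hr-04", "VULN-0004", "high", date(2024, 1, 20)),
        Finding("file-05", "VULN-0005", "low", date(2024, 2, 10)),
    ]

if __name__ == "__main__":
    for row in triage(sample_findings(), REVIEW_DATE):
        print(row)
```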