When a new vulnerability is reported, it triggers a race against the clock between the various people involved. From a software point of view, the developers of the vulnerable app must work to create the necessary security patches – which allow the faults to be rectified – and issue the corresponding updates.
As for the attackers involved, they could start developing exploits with malicious code that can take advantage of the identified weaknesses. Users and IT security managers should install the updates or, failing that, use compensating security measures that can contain the threat while a definitive solution is developed and implemented.
With this in mind, time becomes a key factor to reduce the window of exposure to potential attacks, as does proper management of vulnerabilities, primarily within organizations that may become a target of cybercriminals looking to derive some benefit. And, as time never stops, neither should the search for an ideal state of security. Continuous vulnerability assessments are therefore a highly recommended practice.
Limitations and challenges for vulnerability assessments
Continually assessing the state of security is easier said than done. The activity can be complex due to various factors. Firstly, IT security managers need to keep up with a constant flow of information, which includes data about software updates, new security patches, and bulletins on new vulnerabilities or security alerts.
They require tools and software for such purposes, and staff who can operate them with the necessary skills, knowledge and experience. They also need to consider other resources, such as time and having a large enough budget. Furthermore, it is necessary to define criteria and scales to prioritize the vulnerabilities identified, because some will clearly be more important than others, due to the risk they may pose to the critical operations of a business.
However, continuous vulnerability assessments are a crucial activity given the current trends in security.
Implementation of constant vulnerability assessments and associated considerations
A quick way to implement continuous vulnerability assessments is through the use of automated scans on a set of targets that have been previously classified as critical, based on their importance for the company. Likewise, manual tests can also be performed.
In parallel, having access to revised system records or logs turns out to be very useful for two reasons:
- If the tests find vulnerabilities, the systems should record the abnormal activity that the tests generated.
- The information can indicate whether a detected attack is linked to the result of a previous vulnerability scan, and therefore verify whether an exploit has been used against a vulnerable target. Security Information and Event Management (SIEM) solutions are useful for this task.
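The correlation step described above, as an added example that is not part of the original article: it joins a constructed list of scan findings with constructed log lines and reports the events that reached a vulnerable host and port after the scan recorded the finding, which is the check a SIEM rule would perform. The log format, hosts, ports and finding names are assumptions made for the example.

```python
import re
from datetime import datetime

# Constructed scan results: (host, port) the last scan reported as vulnerable,
# with the time the finding was recorded. All values are made up for this example.
SCAN_FINDINGS = {
    ("10.0.0.5", 443): {"finding": "outdated TLS library",
                        "scanned_at": datetime(2024, 5, 1, 9, 0)},
    ("10.0.0.7", 22): {"finding": "weak SSH ciphers",
                       "scanned_at": datetime(2024, 5, 1, 9, 5)},
}

# Constructed log lines in an assumed "timestamp action src -> dst:port [extra]" shape.
SAMPLE_LOGS = """\
2024-05-01T08:30:00 conn 203.0.113.9 -> 10.0.0.5:443
2024-05-01T10:12:00 conn 198.51.100.4 -> 10.0.0.5:443
2024-05-01T10:15:00 alert 198.51.100.4 -> 10.0.0.7:22 signature=suspicious-ssh-login
2024-05-01T11:00:00 conn 198.51.100.4 -> 10.0.0.9:80
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) -> (\S+):(\d+)(?: (.*))?$")


def correlate(logs, findings):
    """Return the log events that touch a host:port listed in the scan findings
    and that occurred after the finding was recorded; everything else is ignored."""
    hits = []
    for line in logs.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line does not follow the assumed format
        ts, action, src, dst, port, extra = m.groups()
        finding = findings.get((dst, int(port)))
        if finding is None:
            continue  # target was not reported vulnerable
        if datetime.fromisoformat(ts) <= finding["scanned_at"]:
            continue  # event predates the finding, so it cannot be an exploit of it
        hits.append({"time": ts, "action": action, "src": src,
                     "target": f"{dst}:{port}", "finding": finding["finding"],
                     "extra": extra})
    return hits


if __name__ == "__main__":
    for hit in correlate(SAMPLE_LOGS, SCAN_FINDINGS):
        print(hit)
```

Events that predate the finding or target hosts not on the scan list are dropped, so the output lists only the activity worth reviewing for signs of exploitation.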
It is also important to ensure that the tools used to perform the scans are up to date and are looking for the most relevant security vulnerabilities at the time of execution, as the use of an outdated solution may not provide the most important information about the state of security.
For remediation, tools for managing patches and updates to operating systems and other software can be used. For critical systems, updates should first be checked in the corresponding test environments before being applied directly to production, so that applying an update does not jeopardize operations.
As already mentioned, when you do not have the necessary updates and the situation warrants it, you might need to implement alternative security measures that can contain the threats while a definitive solution is developed. In this activity, risk aversion or risk susceptibility determines the correct decisions to be made.
Similarly, when a solution is more expensive than the asset to be protected, its application may not be feasible.
The aim is to work toward ideal security conditions
The assessment period can certainly vary depending on the needs, characteristics, and resources of each organization, as well as the type and number of critical systems. However, the fact remains that appropriate tests should be carried out continuously, and the shorter the review and remediation period, the shorter the window of exposure to attackers and threats. It goes without saying that addressing more critical vulnerabilities should be prioritized.
This activity is classified by different specialized computer security frameworks. For example, the Critical Security Controls (CSC) for effective cyberdefense position vulnerability management (including assessment and remediation) as one of the first controls to apply.
The aim is to have a set of effective measures to detect, prevent, respond to or mitigate cyberattacks. This can be achieved by considering various aspects of vulnerability assessments: whether to contract out these services or carry them out with the organization's own team, the period established for their execution, the activities that follow the release of security patches, and the exploitation of vulnerabilities in both systems and people, since not all vulnerabilities result from the technology in use once social engineering is taken into account.
In addition, while continuous vulnerability assessments might be a complex and tedious task, it is one of the main practices recommended by various security control frameworks, as it can mitigate a significant set of common attacks and threats.
Finally, this activity is performed bearing in mind that information security is an ongoing process, and so although in reality it is not possible to avoid every risk, the aim is to work every day toward achieving the ideal state of security.