Every piece of software has vulnerabilities, things that are not perfectly secure. Even programs that run every intended feature perfectly could be designed in a way that might be considered insecure. As a modern business, your infrastructure is made up of dozens of individual programs and configurations that could potentially contain data and security vulnerabilities. Software can often contain weaknesses like an easily spoofed login, an insecure way of saving files, lack of encryption when transmitting data, or even an open connection to the internet with no overt security.
When you install this software into your tech estate, most companies are thinking about the benefits brought by the features rather than any potential security problems but leaving these vulnerabilities unaddressed is like leaving your back door open when there's a burglar in the neighborhood. To keep your sensitive data business network safe, you'll need to identify and close all security holes caused by your collection of software vulnerabilities.
1) Run the Vulnerabilities Assessment Software
Finding every vulnerability on every piece of software incorporated into your business network is a long and tedious process of combing through code and functions to discover where hackers might be able to sneak in or where data might be leaking out. The good news is that your IT team doesn't have to do this by hand. There is already an incredibly helpful line of programs known as Vulnerability Assessment Software or VAS for short that can do the extensive and boring parts for you.
All you need to do is run the software and then respond to the list of issues it produces. Of course, for best results, you should run your VAS on a combination of individual computers and the network as a whole to detect all previously unknown vulnerabilities throughout your IT infrastructure.
A Word of Warning: While VAS is perfectly safe for software and systems made after 2010, if you are working with an older infrastructure, it's possible that the VAS's process could corrupt some of your data. To be safe, run the VAS on a non-essential system configured with the same older systems as a test before running the VAS on your entire network.
2) Form Your Vulnerability Triage Team
When the VAS is done, it will produce a ranked list of all the vulnerabilities it found ordered by what it thinks is most to least important. However, since the VAS can only identify problems, you'll need a real team of human professionals to actually assess and solve each vulnerability found. These people should be a combination of IT infrastructure, security, and software experts who can understand not just how the vulnerabilities work but what their real impact could be on the company as well as the IT structure. Updates and fixes are likely to be tricky so you need a team who can work on complicated technical problems and come up with a comprehensive solution.
3) Assess Every Vulnerability by Importance to the Company
The VAS does its best to give you vulnerabilities listed and ranked based on its assessment of severity but it can only understand technical definitions of what makes a vulnerability severe. Only your triage team can identify each vulnerability's potential impact on the company should it be exploited by a hacker or cause a dangerous data leak. Because of this, each and every vulnerability needs to be assessed even if the VAS gave it a ranking of low importance.
One common mistake with vulnerability management is to arbitrarily choose a ranking number and only fix problems that rank above that. However, this has the potential of leaving a 'lesser' vulnerability in place that could cause big problems in the future. For every single vulnerability on the list, your triage team needs to fully consider it based on the actual risk to the company and re-order the list based on their own rankings.
Network vulnerabilities are something that every business and network admin needs to worry about. Once you have identified your vulnerabilities and prioritized them, it will be time to build a plan to close these gaps in your security. And that's exactly what we're going to talk about in part two. Join us next time for the second half of this two-part article where we'll cover how to build and implement your vulnerability management plan. If you'd like more specific advice on how to manage your network's vulnerabilities, contact us today!