Welcome back to the second half of our two-part article on finding and closing your business network vulnerabilities. Last time, we talked about combining the expertise of your IT team with vulnerability detection software that will scan and identify known and suspected security gaps in your network. From there, we advised that you build a vulnerability management team and then prioritize the vulnerabilities you found (at first, there will be many) into what is most vital or risky for the company. Join us again today as we pick up where we left off: building your vulnerability management plan and enacting it.
4) Fix, Acknowledge, and Investigate
Now that you've got your real priorities set, it's time to start finding solutions. Have your triage team go down their new list and start actually addressing the problems. For each vulnerability, your goal is to assign one of three actions to take: Fix, Acknowledge, or Investigate, with investigation used only as a temporary solution until a real one can be found.
Fixes can come in one of two forms. The first, easier solution presents itself when there is a recent patch for the problematic software that fixes a known vulnerability. If this is true, your triage team needs to make an action plan for implementing the patch and potentially re-configuring your stack to remain compatible. The second form of fix may be a unique one in which your team figures out a small change they can make to the program that would close the vulnerability or at least mitigate it until an official patch is released.
Acknowledgment should be used if there is a good reason not to seek a fix right away but you intend to do so later on. This response may be appropriate if an available patch might damage your current IT infrastructure or a new patch will be available in the near future. Every time a vulnerability is noted as 'acknowledged' rather than 'fixed', a note should be made as to the reason why and an appointment made to check back in on the issue soon. The reason for acknowledging and not fixing should be good enough to justify the decision should the vulnerability lead to a security breach before it's fixed.
Investigation is only a temporary state, meaning that your team doesn't yet know what to do about a vulnerability and needs time to seek more information. This can happen if the team needs to build their own solution, suspects a particular item is a false positive, or if patching a vulnerability would lead to further problems that need to be solved before the patch is implemented. Make sure that each vulnerability being investigated has a time limit before it is re-addressed.
5) Rinse and Repeat Monthly
Finally, once the entire process of 'vulnerability detection, assessment, and solution' is complete, schedule another one about a month in the future. Patches for common business software often come out about once a month, so this is a good time scale for repairing the vulnerabilities in your IT estate. Each month, your triage team can work on newly detected vulnerabilities, implement recent patches, and continue to solve more troublesome issues that they put on the shelf during the previous cycle.
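One way to keep the Fix / Acknowledge / Investigate register from steps 4 and 5 honest is to check it at the start of each monthly cycle. The sketch below is an added example, not part of the original article; the `Finding` fields, the `VULN-00x` IDs, the reasons and the dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

ACTIONS = ("fix", "acknowledge", "investigate")

@dataclass
class Finding:
    vuln_id: str                      # placeholder ID, constructed for this example
    action: str                       # one of ACTIONS
    reason: str = ""                  # why it was not fixed right away
    review_by: Optional[date] = None  # check-back date or investigation time limit

def violations(f: Finding) -> list:
    """Return the article's rules that this register entry breaks."""
    out = []
    if f.action not in ACTIONS:
        out.append("unknown action")
    if f.action == "acknowledge" and not f.reason.strip():
        out.append("acknowledged without a recorded reason")
    if f.action in ("acknowledge", "investigate") and f.review_by is None:
        out.append("no check-back date or time limit")
    return out

def cycle_agenda(register: list, today: date) -> dict:
    """Build the monthly agenda: entries breaking a rule, and entries now due."""
    invalid = {f.vuln_id: violations(f) for f in register if violations(f)}
    due = sorted(
        (f for f in register
         if f.action != "fix" and f.review_by is not None and f.review_by <= today),
        key=lambda f: f.review_by,  # oldest overdue item first
    )
    return {"invalid": invalid, "due": [f.vuln_id for f in due]}

# Constructed sample register (IDs, reasons and dates are made up).
REGISTER = [
    Finding("VULN-001", "fix"),
    Finding("VULN-002", "acknowledge", "vendor patch breaks billing integration", date(2024, 3, 1)),
    Finding("VULN-003", "acknowledge"),
    Finding("VULN-004", "investigate", "suspected false positive", date(2024, 2, 15)),
    Finding("VULN-005", "investigate", "needs in-house workaround"),
]

if __name__ == "__main__":
    agenda = cycle_agenda(REGISTER, today=date(2024, 3, 4))
    for vuln_id, problems in agenda["invalid"].items():
        print(vuln_id, "->", "; ".join(problems))
    print("due for re-review:", agenda["due"])
```

Entries listed under `invalid` are the ones that would be hard to justify after a breach, and entries under `due` go back to the triage team in the current cycle.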
Your firewall can keep out intruders, your virus scanner can catch viruses, but vulnerabilities are another kettle of fish altogether. Every vulnerability is a loophole, some opening that could cause a data leak or leave security weak in the face of hackers or malware. The most dangerous part about your IT software and infrastructure vulnerabilities is that most companies don't even realize they're there. Without a plan for vulnerability assessment and management, even the best defensive software could leave a security hole. For more tips on how to manage, secure, and improve your IT infrastructure, contact us today!