“You keep using that word, I do not think it means what you think it means” – Inigo Montoya
Photo Credit 20th Century Fox
The laundry list of cybersecurity terms that mean different things to different people seems interminable. Vulnerability is one of those terms. From psychotherapy to physical security, vulnerability has many nuanced meanings. Even within information technology, vulnerability can mean different things to different IT professionals. The authoritative definition of vulnerability for cybersecurity professionals comes from the National Institute of Standards and Technology (NIST). NIST defines a vulnerability as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” As a cybersecurity professional, I appreciate NIST’s definition because of its inclusivity. It does not focus only on software and systems; it also includes controls, procedures, and implementation. Businesses need to look at cyber risk from varied angles and need to layer their cybersecurity programs. A layered approach gives a business multiple points at which a cyber risk can be discovered and mitigated, so that operations continue. One layer of any successful cybersecurity program is vulnerability scanning.
What is vulnerability scanning?
While NIST’s definition of vulnerability is inclusive, vulnerability scanning is aimed much more narrowly at systems and software. NIST describes a vulnerability scan as “a technique used to identify hosts/host attributes and associated vulnerabilities.” In practice this is done with a scanning tool, run from a scanner host on the network or as an agent on each computer, that compares what it finds (operating system, installed software, versions, open services, configuration) against a database of known, exploitable vulnerabilities. Three factors limit the benefit your business gets from any vulnerability scanning.
First is the timeliness of the vulnerabilities being checked for. If the scanner only knows about old vulnerabilities (over three years old) and has no updated information to work from, the scan is less useful. I do not say completely useless, because there are businesses running machines that have not been updated in years and still carry years-old vulnerabilities. However, a good vulnerability scanning tool should have a regularly updated vulnerability database, and the person running it should confirm the update date before trusting the results. There are daily headlines about vulnerabilities that have been discovered and not yet exploited, or worse, discovered because they were already being exploited.
The second limitation also has to do with timeliness, though from a different perspective. A vulnerability scan is only a snapshot in time. At the moment the scan was performed your business’ computers may have been clean. However, those headlines keep coming and the threat landscape is constantly evolving, and a new vulnerability in software you already run will not appear in a scan that was completed before it was disclosed. For a cybersecurity program to get the maximum effectiveness out of any vulnerability scanning tool, scans must run on a regular schedule, and a result older than that schedule should be treated as expired.
The final limiting factor is the lack of a process to mitigate the vulnerabilities once they are uncovered. A scan that produces a report nobody acts on has reduced no risk. A good cybersecurity program must have a vulnerability mitigation plan, and just as other parts of the program should be layered, the mitigation strategy should be as well. A strategy that treats every vulnerability as a matter of updating software will be severely hampered the first time a known vulnerability has no available patch. Alternatively, discontinuing use of a vulnerable software package with no known fix may not be an option; businesses cannot stop operating simply because a vulnerability exists. Instead, the mitigation strategy should provide multiple avenues for limiting the impact of that vulnerability being exploited, applied in order: update the software where a patch exists; discontinue use of the software where the business can do without it; quarantine the affected machines from the rest of the network if the vulnerable software must stay in use for daily operations; and finally, document and formally accept the risk the vulnerability poses if no other alternative can be found. Each of these decisions should be recorded with a due date that reflects the severity of the vulnerability, so that nothing silently stays in the “accepted” pile forever. By taking a layered approach to vulnerability mitigation, a cybersecurity program can ensure that the business continues to operate while remaining as secure as possible.
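The three limiting factors above (a stale vulnerability database, a stale scan, and no decision process for the findings) can be checked mechanically once scan results are in a structured form. The script below is an added illustration written for this article, not code from any scanner product or from Quantum Vigilance: it takes a constructed scan report, warns when the vulnerability feed or the scan itself is older than a chosen policy allows, and then walks each finding through the layered order described above (patch, discontinue, quarantine, or documented acceptance), assigning a due date by severity. The field names, the age thresholds, and the SLA days are assumptions chosen for the example; a real program would tune them to its own risk appetite and map its scanner’s export format onto the `Finding` fields.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Policy thresholds. These values are assumptions for the example, not a standard.
FEED_MAX_AGE_DAYS = 7    # vulnerability database must be no older than this
SCAN_MAX_AGE_DAYS = 30   # a scan result older than this is treated as expired
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    severity: str          # one of the keys in SLA_DAYS
    software: str
    patch_available: bool
    business_critical: bool = False  # True if daily operations depend on it


@dataclass
class ScanReport:
    scan_date: date        # when the scan ran
    feed_date: date        # when the scanner's vulnerability database was last updated
    findings: list


def staleness_warnings(report, today):
    """Return the timeliness problems (limits one and two) for a report."""
    warnings = []
    feed_age = (today - report.feed_date).days
    scan_age = (today - report.scan_date).days
    if feed_age > FEED_MAX_AGE_DAYS:
        warnings.append(f"vulnerability feed is {feed_age} days old; update before trusting results")
    if scan_age > SCAN_MAX_AGE_DAYS:
        warnings.append(f"scan is {scan_age} days old; rescan, this snapshot has expired")
    return warnings


def decide_action(finding, accepted_risks):
    """Apply the layered mitigation order: patch, discontinue, quarantine, accept.

    accepted_risks is the set of (host, cve) pairs with a documented, signed-off
    acceptance. A finding with no patch, no alternative and no documented
    acceptance is quarantined rather than silently ignored.
    """
    if finding.patch_available:
        return "patch"
    if not finding.business_critical:
        return "discontinue"
    if (finding.host, finding.cve) in accepted_risks:
        return "accept"
    return "quarantine"


def triage(report, accepted_risks, today):
    """Turn raw findings into tracked work items, most severe first."""
    order = list(SLA_DAYS)  # critical, high, medium, low
    items = []
    for f in sorted(report.findings, key=lambda f: order.index(f.severity)):
        items.append({
            "host": f.host,
            "cve": f.cve,
            "severity": f.severity,
            "action": decide_action(f, accepted_risks),
            "due": today + timedelta(days=SLA_DAYS[f.severity]),
        })
    return items


# Constructed sample data for demonstration; hosts and CVE identifiers are placeholders.
SAMPLE_REPORT = ScanReport(
    scan_date=date(2024, 3, 1),
    feed_date=date(2024, 1, 15),
    findings=[
        Finding("ws-07", "CVE-0000-0001", "high", "office-suite 3.1", patch_available=True),
        Finding("erp-01", "CVE-0000-0002", "critical", "legacy-erp 9", patch_available=False, business_critical=True),
        Finding("kiosk-02", "CVE-0000-0003", "medium", "media-player 2", patch_available=False),
        Finding("erp-02", "CVE-0000-0004", "low", "legacy-erp 9", patch_available=False, business_critical=True),
    ],
)
SAMPLE_ACCEPTED = {("erp-02", "CVE-0000-0004")}  # documented acceptance on file

if __name__ == "__main__":
    today = date(2024, 4, 10)
    for w in staleness_warnings(SAMPLE_REPORT, today):
        print("WARNING:", w)
    for item in triage(SAMPLE_REPORT, SAMPLE_ACCEPTED, today):
        print(item)
```

Run against the sample data on 2024-04-10, the script warns that both the feed and the scan are past their allowed age, then lists the ERP server’s critical finding first as "quarantine" (no patch, business-critical, no acceptance on file), the workstation as "patch", the kiosk as "discontinue", and the second ERP host as "accept" because its acceptance is documented. The point of the `quarantine` default is that a missing decision is never treated as a decision.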
Vulnerability scanning and mitigation are useful tools in any cybersecurity program, but they must be used in conjunction with many others to keep business cyber risk under control.
Quantum Vigilance can help your organization create and maintain a cybersecurity program that secures your business now and moving into the future. Our approach focuses on your business cyber risk, mitigation, and recovery from cyber incidents so that your business can continue operating despite cyber threats. We will provide cybersecurity guidance you and members of your business can understand. Click below to get started.