Light Dark
July 26, 2018 By Kevin Beaver 4 min read
Intelligence & Analytics
Endpoint
Incident Response

Critical vulnerabilities (i.e., those that must be addressed by installing specific software updates) are the bane of existence for most IT and security shops. In an ideal world, major vulnerabilities — such as those that have plagued Microsoft’s Server Message Block (SMB) over the years — could be fixed more quickly and effectively.

Unfortunately, that’s not how things typically play out. When hundreds, if not thousands, of computer systems, operating systems and third-party applications blanket the average enterprise, it’s a daunting task — and it’s certainly not going to get any easier.

How to Shut Down Critical Vulnerabilities

In the spirit of prioritizing prevention over response, there are some things you can do to minimize your window of exploitation. Now is the time to address this issue and make some headway. Here are four steps to close the window on critical vulnerabilities.

1. Take Command of Patching

Regardless of your level of network complexity and resources available to address software exploits, you can’t just bury your head in the sand and ignore the problem. Leaving enterprise vulnerabilities untreated has gotten many of the largest and best-known brands into a pickle. To shorten the timeframe between vulnerability discovery and remediation, you will want to make software patches more routine.

Many servers are critical, and software patches certainly need to be tested. However, there is no reason workstations can’t be updated immediately. After all, that’s where the real risk lies.

Why not push out patches as soon as they’re available or shortly after that? Sure, some won’t stick, and not all will receive necessary reboots right away. But don’t rely on users to update their systems. That’s a common practice, and there’s no reason for it.

2. Maintain Good Intel

Actionable insight requires good information. Many larger enterprises have internal teams exclusively committed to gathering vulnerability intelligence and still get hit.

Small and midsized businesses tend to struggle in this area because they’re only doing vulnerability scanning once or twice a year (if that). These scans aren’t done in real time (and this is an area where there’s a massive opportunity for improvement). This is especially important for critical endpoints or certain click-happy users who tend to get themselves into trouble. Commercial vulnerability scanners can significantly expand risk awareness.

Some people aren’t willing to run the necessary vulnerability scans — and argue that the budget is not available. A few thousand dollars for a network vulnerability scanner may be tight, but it’s still a fraction of the cost of the consequences of insecurity.

You don’t have to have an expensive product to get the information you need. For example, for Windows systems before Windows 10 and Server 2016, you can use Microsoft Baseline Security Analyzer (MBSA). MBSA is a free scanner that can show you practically everything that you need to know to discover and respond to major vulnerabilities that are causing a lot of the Windows-related security problems. You can scan local systems and others on the network. It doesn’t have the features of the paid commercial scanners, but it gets the job done (and there’s no reason not to run it if that’s your only option).

3. Know Your Network

Vulnerability awareness also requires good network visibility and information on what network hosts are doing. Organizations with insight at this level are rare, but it can be very beneficial to see who your top talkers are, know what they’re doing and understand whether or not you’re seeing normal behavior.

Most organizations would benefit from outsourcing this function. Leverage a vendor who has the tools and, more importantly, the expertise to know what to look for and how to respond to network events.

4. Be Prepared

Most widespread vulnerabilities and subsequent exploits boil down to a lack of preparation in terms of getting proper security alerts from vendors; ongoing vulnerability testing; technical controls, such as compensation controls, that can minimize the impact of exploits that do occur; measured response efforts, such as a formal incident response plan; and putting the right people in IT and security. Most, if not all, organizations are deficient in at least one of these areas.

Think about it: If you had one computer system, one piece of software to manage — and no barriers to make sure that it stayed 100 percent secure all the time — you could do it. Anyone could do it. It’s your job to determine the factors that are blocking this exact same thing from happening at scale across your network.

There will always be people and business processes that you cannot change or overcome. But there are steps that can be taken — regardless of your situation. There are things that should be done, and they really won’t cost that much to address. If you don’t end up doing the right things yourself — starting today — then someone else is going to come along and do them for you or compel you legally to figure it out.

With vulnerability management, you don’t have to aim for perfection. That’s how people get sidetracked. Instead, follow the Pareto principle and aim for the 20 percent of the security flaws that are creating 80 percent of your problems.

Focus your efforts on improving processes and systems, and there’s no doubt that you’ll improve your security posture and not become a statistic like so many others.

Listen to the podcast series: Take Back Control of Your Cybersecurity now

 | 
Kevin Beaver
Independent Information Security Consultant

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature