How to Minimize Cybersecurity Vulnerabilities
When it comes to cybersecurity, your chief objective should be to manage things proactively and on your terms, as opposed to constantly playing catch-up and responding to vulnerabilities only after they've been exploited.
Unfortunately, too many organizations, including the U.S. federal government, still operate in a reactive mode because they generally lack two things: 1) accurate visibility into their own IT infrastructure and the potential cyber vulnerabilities lurking there; and 2) up-to-date, accurate information to help them prioritize and manage their vulnerabilities from a risk-management perspective.
After a decade of experience consulting with U.S. federal agencies, I've found it all too common for organizations to have little to no insight into the End-of-Support/End-of-Life (EOS/EOL) dates for their software and hardware assets. Many also don't know the Common Vulnerability Scoring System (CVSS) values of their hardware and software assets.
This is understandable. Today, there are 31 million naming conventions that exist for 2 million hardware and software products—including, for example, 16,000 ways that inventory tools refer to SQL Server. This lack of uniformity in how products are named produces a confusing hodgepodge of data that undermines most efforts to obtain a comprehensive view of a network's IT asset inventory and risk profile. The result is that IT managers often can't readily identify the network-attached assets on their approved and unapproved lists—nor which rogue assets belong on either list.
Without this kind of intelligence and visibility into an enterprise's IT infrastructure, it's virtually impossible to deploy proactive practices and policies for addressing cyber risk. Imagine what could be done with a comprehensive view of all the network-attached assets subject to EOL today, and those that will be EOL six months or a year from today. This information goes a long way toward taking a proactive position in prioritizing those vulnerabilities.
One approach for doing that, for example, is to take the list of assets that are EOL or nearly EOL, and look at the assets that are also unapproved—and then see which of those assets carry high CVSS values.
Not only does this kind of visibility and knowledge inform IT security staffs about the assets they should focus on and when, but it also helps inform planners in advance of the budgeting, contracting and logistical needs associated with replacing EOL hardware and software.
Having comprehensive information about vulnerabilities residing across the IT infrastructure enables IT managers to better understand their existing environments and proactively transition to their desired end-state environments. But this can't be done when there are significant blind spots crippling an agency's view of its infrastructure and vulnerabilities.
It is estimated that between 2016 and 2019, more than $3 billion in U.S. federal IT assets will become end-of-life. For each of these assets, this means there will be no patch management, no upgrades, no more vendor service or support. What may be less commonly known is that EOL assets are standing entry points for hackers and malware: the vulnerabilities they carry will never be patched.
Many of the most frequently exploited cybersecurity vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), date back 10 to 15 years or more. And although these vulnerabilities are well known, they continue to be successfully exploited by hackers. That's because EOL software and hardware possessing these CVEs continue to live on federal networks, often without the knowledge of IT staff.
This is unnerving news if you're a chief information officer or a chief information security officer. It's even worse if you don't have accurate data to tell you exactly where your blind spots are and how to prioritize the mitigation of those vulnerabilities.
Identifying EOS/EOL dates today is a manual and very time-consuming process. One of the problems is that EOS/EOL data isn't built into the software itself, so security management professionals must find a way to centralize the data. If they do this, they must also continually update it, as the data changes over time. In addition, most companies don't use software from a single vendor, so they need to gather this data from a variety of vendors, and then continue to research it per vendor and per product.
How can U.S. federal agencies and other enterprises of all sizes go from reactive to proactive? Here are four actions to get you started:
- Compile and review an inventory of your EOS/EOL assets. Knowing your EOS/EOL data for all of your network-connected hardware and software provides more comprehensive cybersecurity risk awareness. And knowing what IT assets are EOL today, and those destined to be EOL in the future, empowers security teams to get ahead of their risks, so they can proactively mitigate them.
- Establish visibility into approved and unapproved IT assets. It is one thing to have an approved/unapproved list of IT assets. It's another thing to enforce the list. Enable security teams to identify the hardware and software on their networks—including rogue assets that are unmanaged—and then break out which assets are approved and unapproved. It's just as important to identify which IT assets on your networks are neither approved nor unapproved and need to be reevaluated.
- Assign a severity score to each known vulnerability. Knowing the risk severity scores of vulnerabilities, as defined by the National Institute of Standards and Technology, contributes to better and more proactive decisions about how to direct your limited risk-mitigation resources.
- Focus on the marriage of EOL and CVSS data. Plotting your enterprise's riskiest assets (as measured by CVSS values) with those at or near EOL offers a quick way for you to prioritize mitigation efforts and proactively neutralize potentially ticking time bombs on your network.
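The triage the four steps describe (EOL or near-EOL, then unapproved, then high CVSS) as a working example; this is added code, not Flexera's or Technopedia's, and the inventory, dates, approval flags and scores are constructed sample values, not real product data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    eol: Optional[date]        # vendor End-of-Life date; None = unknown (blind spot)
    approved: Optional[bool]   # True/False, or None if on neither list
    cvss: float                # highest CVSS base score among the asset's known CVEs


def triage(assets: List[Asset], today: date, horizon_days: int = 365,
           high_cvss: float = 7.0) -> Tuple[List[str], List[str]]:
    """Rank assets that are EOL now or within the horizon for mitigation.

    Order: unapproved before approved, high-CVSS before low, higher score
    first, then the earliest EOL date. Assets whose EOL date or approval
    status is unknown are returned separately for re-evaluation, since an
    unknown value is exactly the blind spot the text warns about.
    """
    cutoff = today + timedelta(days=horizon_days)
    ranked, review = [], []
    for a in assets:
        if a.eol is None or a.approved is None:
            review.append(a.name)
            continue
        if a.eol > cutoff:
            continue                      # not EOL within the planning window
        days_left = (a.eol - today).days  # negative if already past EOL
        key = (not a.approved, a.cvss >= high_cvss, a.cvss, -days_left)
        ranked.append((key, a.name))
    ranked.sort(reverse=True)
    return [name for _, name in ranked], sorted(review)


# Constructed sample inventory and reference date (hypothetical values).
TODAY = date(2017, 6, 1)
INVENTORY = [
    Asset("db-01 legacy SQL Server", date(2016, 4, 12), False, 9.8),
    Asset("web-07 legacy web server", date(2017, 12, 31), True, 7.5),
    Asset("fs-02 file server", date(2020, 1, 14), True, 8.1),
    Asset("app-12 legacy CMS", date(2017, 9, 30), False, 4.3),
    Asset("kiosk-3 kiosk OS", date(2019, 4, 30), None, 5.3),
    Asset("printer-9 firmware", None, False, 6.5),
]

if __name__ == "__main__":
    act_now, needs_review = triage(INVENTORY, TODAY)
    print("Mitigate first:", act_now)
    print("Re-evaluate (unknown EOL or approval):", needs_review)
```

Shortening `horizon_days` to 180 gives the "EOL six months from today" view the text mentions, dropping assets whose EOL falls beyond that window.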
Taking these steps will go a long way to help you manage your vulnerabilities from a risk management perspective.
Clark Campbell works with U.S. federal IT teams to help them gain clearer insight into their IT assets. Clark is vice president of public sector at Flexera, the maker of Technopedia, a comprehensive source of IT asset information. He can be reached at firstname.lastname@example.org.