Cybersecurity must be proactive, as opposed to constantly playing catch-up and responding to vulnerabilities only after they’ve been exploited, writes Vincent Smyth, Senior Vice President EMEA, Flexera
Too many organisations still operate in a reactive mode because they generally lack two things: 1) accurate visibility into their own IT infrastructure and the potential cyber vulnerabilities lurking there; and 2) up-to-date, accurate information to help them prioritise and manage their vulnerabilities from a risk-management perspective.
It’s all too common for organisations to have little to no insight into the End-of-Support/End-of-Life (EOS/EOL) dates for their software and hardware assets. Many also don’t know the Common Vulnerability Scoring System (CVSS) values of their hardware and software assets.
This is understandable. Today, there are 31 million naming conventions that exist for 2 million hardware and software products—including, for example, 16,000 ways that inventory tools refer to SQL Server. This lack of uniformity in how specific products are named results in a confusing hodge-podge of data that undermines most efforts at obtaining a comprehensive view of a network’s IT asset inventory and risk profile. The result is that IT managers often can’t readily identify the network-attached assets on their approved and unapproved lists—nor what the rogue assets are on either list.
Without this kind of intelligence and visibility into an enterprise’s IT infrastructure, it’s virtually impossible to deploy proactive practices and policies for addressing cyber risk. Imagine what could be done with a comprehensive view of all the network-attached assets subject to EOL today, and those that will be EOL six months or a year from today. This information goes a long way towards taking a proactive position in prioritising those vulnerabilities.
An example is to take the list of assets that are EOL or nearly EOL, and look at the assets that are also unapproved—and then see which of those assets carry high CVSS values. Not only does this kind of visibility and knowledge inform IT security staff about the assets they should focus on and when, but it also helps inform planners in advance of the budgeting, contracting and logistical needs associated with replacing EOL hardware and software.
Having comprehensive information about vulnerabilities residing across the IT infrastructure enables IT managers to better understand their existing environments and proactively transition to their desired end-state environments. But this can’t be done when there are significant blind spots crippling an agency’s view of its infrastructure and vulnerabilities.
Many of the most frequently exploited cybersecurity vulnerabilities, known as Common Vulnerabilities and Exposures (CVEs), date back 10 to 15 years or more. And although these vulnerabilities are well known, they continue to be successfully exploited by hackers. That’s because EOL software and hardware possessing these CVEs continue to live on federal networks, often without the knowledge of IT staff.
This is unnerving news for chief information officers or chief information security officers. It’s even worse if there isn’t accurate data to tell exactly where the blind spots are and how to prioritise the mitigation of those vulnerabilities.
Identifying EOS/EOL dates is currently a manual and very time-consuming process. One problem is that EOS/EOL data isn’t built into the software itself, so security management professionals must find a way to centralise it; having done so, they must also update it continually, because the data changes over time. In addition, most companies don’t use software from a single vendor, so they need to gather this data from a variety of vendors and then keep researching it per vendor and per product.
So how can organisations go from reactive to proactive security? Here are four key actions:
- Compile and review an inventory of your EOS/EOL assets. Knowing the EOS/EOL data for all network-connected hardware and software provides more comprehensive cybersecurity risk awareness. And knowing what IT assets are EOL today, and those destined to be EOL in the future, empowers security teams to get ahead of their risks, so they can proactively mitigate them.
- Establish visibility into approved and unapproved IT assets. It’s one thing to have an approved/unapproved list of IT assets. It’s another thing to enforce the list. Enable security teams to identify the hardware and software on their networks—including rogue assets that are unmanaged—and then break out which assets are approved and unapproved. It’s also just as important to identify which IT assets on the networks are neither approved nor unapproved and need to be reevaluated.
- Create a severity score for common vulnerabilities. Knowing the risk severity scores of vulnerabilities, as defined by the National Institute of Standards and Technology, contributes to better and more proactive decisions for how to direct the organisation’s limited risk-mitigation resources.
- Focus on the marriage of EOL and CVSS data. Plotting the enterprise’s riskiest assets (as measured by CVSS values) with those at or near EOL offers a quick way to prioritise mitigation efforts and proactively neutralise potentially ticking time bombs on the network.
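The four actions above, worked through as an added example that is not code from the article or from Flexera: it normalises inconsistent product names from an inventory tool, joins each asset with its EOL date, approved/unapproved status and worst-known CVSS score, and ranks the result so that unapproved assets that are past or near EOL with high CVSS values come first. The inventory, lifecycle dates, CVSS values, alias rules and the `AS_OF` date are all constructed for illustration.

```python
from datetime import date
import re

# Constructed sample inventory; product spellings deliberately vary to mirror
# the naming inconsistency the article describes.
INVENTORY = [
    {"host": "db01", "product": "Microsoft SQL Server 2008 R2", "approved": True},
    {"host": "db02", "product": "MSSQL 2008R2", "approved": False},
    {"host": "web01", "product": "Apache httpd 2.4", "approved": True},
    {"host": "lab07", "product": "Windows 7 Professional", "approved": False},
    {"host": "srv09", "product": "ExampleCorp Widget 3", "approved": True},
]
# Constructed lifecycle and worst-known CVSS data keyed by canonical product name
# (a real deployment would load these from vendor lifecycle pages and a CVE database).
EOL_DATES = {"mssql-2008r2": date(2019, 7, 9), "windows-7": date(2020, 1, 14),
             "widget-3": date(2020, 7, 1), "apache-httpd-2.4": None}
MAX_CVSS = {"mssql-2008r2": 9.8, "windows-7": 9.8, "widget-3": 5.0, "apache-httpd-2.4": 7.5}
AS_OF = date(2020, 3, 1)  # constructed "today" so the ranking is reproducible
# Hypothetical alias rules collapsing the many spellings into one canonical key.
ALIASES = [
    (re.compile(r"(sql\s*server|mssql)\s*2008\s*r2", re.I), "mssql-2008r2"),
    (re.compile(r"windows\s*7\b", re.I), "windows-7"),
    (re.compile(r"apache\s+httpd\s+2\.4", re.I), "apache-httpd-2.4"),
    (re.compile(r"widget\s*3\b", re.I), "widget-3"),
]

def normalise(product: str) -> str:
    """Map an inventory tool's product string to the canonical key, if known."""
    for pattern, key in ALIASES:
        if pattern.search(product):
            return key
    return "unknown:" + product.lower()

def prioritise(inventory, today: date = AS_OF, horizon_days: int = 180):
    """Rank assets: CVSS first, weighted up when EOL is past or within the
    horizon, and weighted up again when the asset is on the unapproved list."""
    ranked = []
    for asset in inventory:
        key = normalise(asset["product"])
        eol, cvss = EOL_DATES.get(key), MAX_CVSS.get(key, 0.0)
        days_to_eol = (eol - today).days if eol else None
        eol_risk = days_to_eol is not None and days_to_eol <= horizon_days
        score = cvss * (2.0 if eol_risk else 1.0) * (1.0 if asset["approved"] else 1.5)
        ranked.append({"host": asset["host"], "product": key, "cvss": cvss,
                       "days_to_eol": days_to_eol, "approved": asset["approved"],
                       "score": round(score, 2)})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)
```

Assets the alias rules cannot map come back with an `unknown:` key and a CVSS of 0.0, which is itself a finding: they are the blind spots the article warns about and need a lifecycle lookup before they can be scored.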
Taking these steps will go a long way to help organisations manage vulnerabilities from a risk management perspective.
Vincent Smyth is Senior Vice President EMEA at Flexera, responsible for driving increased revenue, market share and customer satisfaction in the Enterprise, Government, ISV and Intelligent Device marketplaces.