3 Mistakes Everyone Makes In Vulnerability Management
Avoid these goof-ups for an effective vulnerability management program
If cybersecurity were a family, vulnerability management would be the relative no one talks about until something bad happens.
Vulnerability management, or VM, is typically one of the most overlooked areas in cybersecurity.
That makes sense: it hardly sounds as bad-ass as doing malware analysis or implementing a new AI security solution.
And yet a poor VM program can make or break your company's security posture and make you the next data breach headline.
Let us look at three examples of how companies goof up when it comes to vulnerability management.
MISTAKE 1: Thinking a VA scan equals vulnerability management
A quick anecdote: years ago, I worked for a company that ran scans religiously every month. And yet no improvement in the security posture happened; the findings just kept piling up more and more, as there was no attempt to analyze or risk-assess them. They were just dumped into a PDF and emailed to the IT team.
The lesson of the story: vulnerability management is not running a scan.
I would say that the scanning part is just 10% of the whole process.
Once you have run the scan, you need to analyze, risk-assess, filter and prioritize the findings before sending them to the IT team to fix.
Simply emailing a report every month will not accomplish anything except giving you a false sense of security.
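To make that remaining 90% concrete, here is an added example of the step between "the scanner finished" and "IT gets a ticket". It is my illustration, not code from the post. It assumes a constructed set of raw scanner rows, an asset inventory carrying business criticality and internet exposure, an accepted-risk register, and a constructed stand-in for an actively-exploited feed; the CVE identifiers are placeholders, and the weights, threshold and SLAs are assumptions you would replace with your own policy.

```python
"""Triage scanner output into a prioritized work list (added example, not the post's code).

All input below is constructed sample data: the CVE identifiers are placeholders,
not real CVEs, and the weights and SLA thresholds are assumptions to be replaced
with your own policy.
"""

# --- constructed inputs ------------------------------------------------------
SCAN_FINDINGS = [  # one raw row per host/CVE, the way a scanner exports them
    {"host": "web-01",   "cve": "CVE-0000-0001", "cvss": 9.8, "title": "RCE in web framework"},
    {"host": "web-02",   "cve": "CVE-0000-0001", "cvss": 9.8, "title": "RCE in web framework"},
    {"host": "db-01",    "cve": "CVE-0000-0002", "cvss": 7.5, "title": "DoS in database listener"},
    {"host": "hr-kiosk", "cve": "CVE-0000-0003", "cvss": 5.3, "title": "Info leak in legacy agent"},
    {"host": "build-07", "cve": "CVE-0000-0004", "cvss": 8.8, "title": "Priv-esc in CI runner"},
    {"host": "print-01", "cve": "CVE-0000-0005", "cvss": 4.3, "title": "Weak cipher on admin page"},
]

ASSETS = {  # inventory: business criticality 1..5 and whether the host faces the internet
    "web-01":   {"criticality": 5, "internet_exposed": True},
    "web-02":   {"criticality": 5, "internet_exposed": True},
    "db-01":    {"criticality": 5, "internet_exposed": False},
    "hr-kiosk": {"criticality": 2, "internet_exposed": False},
    "build-07": {"criticality": 4, "internet_exposed": False},
    "print-01": {"criticality": 1, "internet_exposed": False},
}

# Risks formally accepted by the business, keyed by (host, cve), with the reason.
ACCEPTED_RISKS = {
    ("hr-kiosk", "CVE-0000-0003"): "isolated VLAN, device decommissioned next quarter",
}

# Constructed stand-in for an "actively exploited" feed such as a KEV list.
KNOWN_EXPLOITED = {"CVE-0000-0001"}


def risk_score(cvss, criticality, internet_exposed, exploited):
    """Assumed scoring: CVSS scaled by asset criticality, boosted for exposure and exploitation."""
    score = cvss * (criticality / 5)
    if internet_exposed:
        score *= 1.5
    if exploited:
        score *= 2.0
    return round(score, 1)


def sla_days(score):
    """Assumed remediation deadlines by risk score."""
    if score >= 20:
        return 7
    if score >= 7:
        return 30
    return 90


def triage(findings, assets, accepted, exploited, min_score=3.0):
    """Filter accepted risks, score the rest, collapse per-host rows into one work item per CVE,
    and split the result into an actionable list (with SLA) and a low-risk backlog."""
    items = {}
    for f in findings:
        if (f["host"], f["cve"]) in accepted:
            continue  # formally accepted: do not re-raise it every month
        asset = assets[f["host"]]
        score = risk_score(f["cvss"], asset["criticality"],
                           asset["internet_exposed"], f["cve"] in exploited)
        item = items.setdefault(f["cve"], {"cve": f["cve"], "title": f["title"],
                                           "hosts": [], "score": 0.0})
        item["hosts"].append(f["host"])
        item["score"] = max(item["score"], score)  # the worst-placed host sets the priority
    ranked = sorted(items.values(), key=lambda i: i["score"], reverse=True)
    actionable = [dict(i, sla_days=sla_days(i["score"])) for i in ranked if i["score"] >= min_score]
    backlog = [i for i in ranked if i["score"] < min_score]
    return actionable, backlog


if __name__ == "__main__":
    actionable, backlog = triage(SCAN_FINDINGS, ASSETS, ACCEPTED_RISKS, KNOWN_EXPLOITED)
    print(f"{len(SCAN_FINDINGS)} raw findings -> {len(actionable)} tickets, {len(backlog)} in backlog")
    for i in actionable:
        print(f"{i['score']:5.1f}  {i['cve']}  fix within {i['sla_days']:2d} days  hosts={i['hosts']}")
```

Six raw rows become three tickets and one backlog entry: the accepted kiosk finding is not re-raised, the two web hosts with the same exploited CVE collapse into one ticket with a seven-day deadline, and the printer's weak cipher sits in the backlog instead of competing for attention. That is the difference between a scan report and a work list.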
MISTAKE 2: Thinking that patching equals vulnerability management
Another quick anecdote: a leading e-comm company my friend worked for was great at patching. The CTO prided himself on taking patching seriously and rolling out patches as soon as they were available. Unfortunately, they got breached badly, not due to a missing patch but because of an incorrect configuration in their cloud platform. After a thorough review (and some thousands of dollars), they realized that patching is just a small part of fixing vulnerabilities, as they were completely blind in other areas.
Another common mistake: patching is not vulnerability management.
You need to have a strategic approach and assess your digital ecosystem properly.
Applications, databases, cloud configurations, source code: all of them may have vulnerabilities that can grant entry to an attacker,
and most of them have nothing to do with a patch.
Also, not every vulnerability with a patch needs to be patched (shocking, I know!); some may simply be accepted or mitigated via other means.
Patching blindly always leads to more problems!
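As an added example (mine, not the post's), here is a review of a constructed cloud account snapshot for the kind of weaknesses the anecdote describes, where no vendor patch exists and the fix is a configuration change, followed by the disposition the text calls for: reconfigure, or accept with a documented compensating control. The snapshot layout, the check rules, the port list and the accepted-risk entry are all assumptions; nothing is exported from a real provider.

```python
"""Configuration review of a constructed cloud account snapshot (added example, not the post's code).

The snapshot structure, the check rules and the accepted-risk entry are assumptions;
none of it is exported from a real cloud provider.
"""
import ipaddress

# --- constructed snapshot ----------------------------------------------------
SNAPSHOT = {
    "security_groups": [
        {"id": "sg-web", "rules": [{"port": 443, "cidr": "0.0.0.0/0"},
                                   {"port": 22,  "cidr": "0.0.0.0/0"}]},
        {"id": "sg-db",  "rules": [{"port": 5432, "cidr": "10.0.0.0/8"}]},
    ],
    "buckets": [
        {"name": "public-assets",    "public_read": True, "sensitive": False},
        {"name": "customer-exports", "public_read": True, "sensitive": True},
    ],
    "users": [
        {"name": "admin-jane",  "admin": True, "mfa": True},
        {"name": "break-glass", "admin": True, "mfa": False},
    ],
}

ADMIN_PORTS = {22, 3389, 3306, 5432, 1433}  # assumed list: remote admin and database listeners

# Compensating controls the business has signed off on, keyed by finding id.
ACCEPTED_CONFIG_RISKS = {
    "IAM-NOMFA-break-glass": "credentials sealed in the vault; any use pages the on-call; reviewed quarterly",
}


def is_world_open(cidr):
    """True for 0.0.0.0/0 or ::/0, i.e. a rule with no source restriction at all."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_security_groups(groups):
    """Admin or database ports reachable from anywhere."""
    out = []
    for sg in groups:
        for rule in sg["rules"]:
            if rule["port"] in ADMIN_PORTS and is_world_open(rule["cidr"]):
                out.append({"id": f"SG-OPEN-{sg['id']}-{rule['port']}", "severity": "high",
                            "resource": sg["id"],
                            "fix": f"restrict port {rule['port']} to the admin network or a bastion"})
    return out


def check_buckets(buckets):
    """Publicly readable storage that holds sensitive data (a public static-asset bucket is fine)."""
    return [{"id": f"BUCKET-PUBLIC-{b['name']}", "severity": "critical", "resource": b["name"],
             "fix": "remove public read access and serve through an authenticated endpoint"}
            for b in buckets if b["public_read"] and b["sensitive"]]


def check_users(users):
    """Administrative identities without MFA."""
    return [{"id": f"IAM-NOMFA-{u['name']}", "severity": "high", "resource": u["name"],
             "fix": "enforce MFA for the account"}
            for u in users if u["admin"] and not u["mfa"]]


def disposition(finding, accepted):
    """A finding is either reconfigured or accepted with a documented compensating control."""
    if finding["id"] in accepted:
        return "accepted: " + accepted[finding["id"]]
    return "reconfigure: " + finding["fix"]


def review(snapshot, accepted):
    """Run every check and attach a disposition. None of these findings has a vendor patch."""
    findings = (check_security_groups(snapshot["security_groups"])
                + check_buckets(snapshot["buckets"])
                + check_users(snapshot["users"]))
    for f in findings:
        f["disposition"] = disposition(f, accepted)
    return findings


if __name__ == "__main__":
    for f in review(SNAPSHOT, ACCEPTED_CONFIG_RISKS):
        print(f"[{f['severity']:8}] {f['id']}: {f['disposition']}")
```

Note what the review does and does not flag: port 443 open to the world on the web tier and the public static-asset bucket are intended, so they produce nothing, while SSH open to the world, the public export bucket and the admin account without MFA do. The break-glass account stays as it is because a compensating control is on record, which is exactly the "accepted or mitigated via other means" outcome rather than a blind fix.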
MISTAKE 3: The "shiny product" syndrome
Last anecdote: Company A buys a shiny new, state-of-the-art commercial scanner. Their CISO is blown away by the nice dashboards, integrations, customized scans, etc. And yet, even after months of scanning and reporting, their security posture remains the same.
The problem?
Their immature processes and expertise.
The team simply did not know what to do with the reports once they had them.
When IT challenged the reports, they would simply re-scan and insist the scanner was right.
The amount of money spent on the solution could easily have been spent on upskilling the team and making them better at vulnerability management!
So buying a commercial solution is not a silver bullet in vulnerability management.
I know of small tech firms that have implemented open-source tools, yet have experienced great success in reducing vulnerabilities.
Why?
Because the team had the right strategy, mindset and expertise.
Summing it all up: vulnerability management is a massive domain that is not just about running scans and applying patches. While these have their place, they are only part of the process. Understand the nuances of VM to improve your security posture in a realistic and practical way.
I hope you enjoyed reading this. If vulnerability management interests you, do check out my latest course on Udemy, which is on sale right now!