Read Time: 3 Minutes
Proper end-point protection is the natural first step for safe business. But that alone is just not enough. You need security in each and every layer of the IT infrastructure – endpoint, data storage, network, cloud and application – to be really safe.
Certain organizations are always going to be targeted. Cyber Security Advisor Erka Koivunen from F-Secure Corporate Security lists:
As an organization, you face an increased risk of a targeted cyber-attack if you:
- Are well networked within a targeted industry sector
- Have close ties with other likely targets
- Collect large amounts of data
- Collect highly sensitive data
- Handle large amounts of money or other financial assets (your own or others’)
- Are a highly public player.
In addition to malware detection, these companies have the need for efficient prevention methods. Decreasing the amount of exposure to attacks is one efficient way to decrease the possibilities of a cyber-attack.
Security vulnerabilities in operating systems and applications are a major cause of security breaches and exploits. The HP 2015 Cyber Risk Report finds that 86% of web applications had serious issues with authentication, access control, and confidentiality. Out of these, 52% were long-known security issues. It is no wonder then that web applications are a preferred method for attacking businesses and their online assets.
Businesses need to pay special attention to End-of-Life products, such as Microsoft Windows XP and Windows Server 2003. These are open doors to your environment as they do not get new security updates or patches. Are you even aware of where these might be in use?
At the beginning of this year, Windows Server 2003 was still in use in 61% of organizations even though the extended support was running out. Even if that figure most probably has come down since, we can estimate that there are still quite many installations of it running as it is the most targeted Windows Server platform.
Additionally, with over 7000 new security vulnerabilities added to the National Vulnerability Database (NVD) in 2014, and third-party applications contributing 80% of these, keeping up to date with vulnerabilities and patches manually would be a huge task.
Continuous vulnerability discovery is the key to keeping IT environments secure. Proper preparation for vulnerability scanning is a starting point. You need to know your environment and to identify the critical assets.
The actual vulnerability scanning utilizes technology that seeks out security flaws and tests systems for weak points. This allows you to identify and quantify where your network is at risk, and to prevent unnecessary weak points. Whether the risk is in outdated software, in misconfigured systems, or in inadequately secured web applications, they all can open your company environment for attacks.
For vulnerability scans to be effective, they need to be run continuously. New vulnerabilities are found every day, and in 2014, the number of cyber-attacks reached 117,339 per day. Therefore, vulnerability scanning cannot be handled only as part of overall security audits every now and then, but needs to be a continuous process.
Just scanning for vulnerabilities is not enough – in addition, strict vulnerability management processes will be called for to identify, classify, remediate and mitigate vulnerabilities.
Proactive management of vulnerabilities is the key to reducing or eliminating security breaches. This means you will need easy tools to keep track of persisting vulnerabilities, of corrective actions done, and ways to easily report the findings to different interest groups.
Vulnerability scanning and management tools will offer you a way to automate some parts of the process.
Our consultants often see an overwhelming amount of vulnerabilities that are never remediated. To make sure you don’t overwhelm your organization, and that you get the best benefit out of a vulnerability management solution, it might make sense to run it as a service. This way you are not hampered by the lack of resources or know-how within your company. After all, it requires a lot of knowledge and time before IT staff knows how to fully operate and utilize a vulnerability scanner, and manage the vulnerabilities it finds.