Welcome to part two of our series on building a vulnerability management program. Today we go through steps three and four of our build, but if you missed last week, you can catch up here.
Step 3: Patching
You’ve got your list of vulnerabilities from your scanner, and your vulnerability management solution has prioritized them all. The next step is to start fixing your problems by patching the most severe vulnerabilities. Did you know that two of the biggest cyber-security breaches in the past year have been due to unpatched vulnerabilities? Both the Equifax breach and the WannaCry virus exploited vulnerabilities for which patches had been available for weeks or months.
Once again, knowing what is on your network will allow you to monitor for new patches, and any device that you purchase should come with an agreement from the vendor to keep you up to date on all patches for the machine or its software. Know who owns each of the assets on your network. If there is a patch available, know who is responsible for applying it. I’m not suggesting you call them out specifically until it is done, but if no one owns the action item then chances are it won’t get done. If there is a vulnerability that can’t be patched because it would disrupt business, make an exception and schedule a maintenance window. However, also work on finding a workaround and a way to patch the vulnerability without disrupting business as soon as possible. Oh, and if you have a device that is too old to patch, it’s time to replace it.
Step 4: Testing
OK, you now know where all of your valuable assets are and what is connected to them. You also know all of the vulnerabilities associated with those assets and the known exploits for them. You’ve gone in and patched the riskiest vulnerabilities, but did it work?
This is a lot of work by your security team, but if the patch wasn’t applied correctly, it is all for nothing. To make sure your patching works, run a penetration test on your network. A penetration test (or pen-test) lets you test your network by ethically hacking into it. These tests take the same paths and methods that bad actors use to try to break into your network. Whether you decide to invest in a penetration testing solution for your team or you rely on an outside consultant, you should be testing any time that you go through any major upgrades, patches, or the addition of new applications.
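The checks from Steps 3 and 4 can be run against a findings tracker, as in this added example (not code from the original post or from any product it refers to). The record fields, status names, asset names and vulnerability IDs are all assumptions made up for illustration, and the retest set stands in for whatever your penetration test reports as still exploitable.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Finding:
    asset: str
    vuln_id: str                   # constructed placeholder, not a real CVE
    severity: float                # score from the prioritization step
    owner: Optional[str]           # who is responsible for patching
    status: str                    # "open", "patched" or "exception"
    window: Optional[date] = None  # maintenance window for an exception

def review(findings, still_exploitable, today):
    """Return (asset, vuln_id, problem) tuples, most severe finding first."""
    problems = []
    for f in sorted(findings, key=lambda f: f.severity, reverse=True):
        key = (f.asset, f.vuln_id)
        # Step 3: an item nobody owns is unlikely to get patched.
        if f.owner is None:
            problems.append((*key, "no owner"))
        # Step 3: an exception needs a maintenance window that is still ahead.
        if f.status == "exception" and (f.window is None or f.window < today):
            problems.append((*key, "exception has no upcoming maintenance window"))
        # Step 4: the pen test is the check that a patch actually worked.
        if f.status == "patched" and key in still_exploitable:
            problems.append((*key, "marked patched but still exploitable in testing"))
    return problems

# Constructed sample data (hypothetical assets, teams and IDs).
FINDINGS = [
    Finding("file-05", "VULN-E", 6.0, "it-ops", "patched"),
    Finding("web-01", "VULN-A", 9.8, "app-team", "patched"),
    Finding("hmi-03", "VULN-C", 8.0, "ot-team", "exception", date(2024, 1, 15)),
    Finding("db-02", "VULN-B", 9.1, None, "open"),
    Finding("mail-04", "VULN-D", 7.5, "it-ops", "exception", date(2024, 3, 1)),
]
RETEST = {("web-01", "VULN-A")}   # pairs the pen test could still exploit
TODAY = date(2024, 2, 1)

if __name__ == "__main__":
    for asset, vuln, problem in review(FINDINGS, RETEST, TODAY):
        print(f"{asset:8} {vuln:7} {problem}")
```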