Are you one of the IT pros in charge of managing and closing network vulnerabilities at your organization? If so, we strongly recommend you read Verizon’s Data Breach Investigations Report 2016; it’s the best document you can read to understand the realities of network vulnerabilities management in business organizations. The report suggests that the top 10 vulnerabilities accounted for 85 percent of information security breaches. The other 15 percent were made of of than 900 common vulnerabilities and exposures, called CVEs. Here are two important takeaways from the report:
- Though focusing on top 10 vulnerabilities will help you manage 85 percent of network vulnerabilities, you can’t ignore the remaining 15 percent.
- CVEs become low-hanging fruits for cybercriminals to target. Thankfully, out of the 900 CVEs that make for 15 percent risk, most can be easily managed using basic coding practices and regular patching.
The 3 tick marks your network risk-scanning must get
The key to network security is to 1) scan for threats as a regular practice, and 2) make the scanning schedule frequent. Third and perhaps most important, the scan results must be as detailed and comprehensive. You just can’t hope to protect your enterprise network if the starting point of any remedial actions is not thorough. This can be extended to pretty much any aspect of network vulnerabilities management in your business. For instance, in software development life cycle, the “security” way is all about scanning as soon as possible to detect risks as early as possible, and hence prevent situations that might necessitate massive remediation costs.
Organized planning and quick execution
For many organizations, the operational aspects of network vulnerabilities management only become obvious when a risk is identified. It can be a mistake to depend on traditional methods such as:
- Preparing Excel sheets with lists of network vulnerabilities.
- Sending these sheets to the security team.
- Expecting the security and operations teams to work on the risk remediation in parallel.
Remember the last time you had a dozen emails marked “urgent” within a day? Chances are you found it tough to prioritize. It works the same way with network vulnerabilities; they’re all seemingly urgent, and they all need to be fixed.
To manage things better, risk reports need to be easy to read and must indicate clear action points for those reading the reports. Security and operations teams must be able to quickly identify the most important tasks, assign them to skilled technicians, and update statuses for managers to monitor and check.
Managing internal risks via policy and culture
Did you know — your organization networks are as equally vulnerable to internal security breaches as they are external cyberattacks? It’s a reality — your employees will use their workstations and Internet connection for a bit of their personal work. Staff that uses Internet facilities and email services for personal work have to be educated about the potential risks their actions pose to organizational data. This is where a clear policy about Internet and computer usage comes into play. Make it visible, make it easy to read. Secondly, nurture a culture of compliance based on constant monitoring. IT managers will need to perform roles of educators, along with being assertive in policy implementation, to make sure internal network usage laxity doesn’t lead to information security breaches.
Contextualize all vulnerability management efforts
What’s the one most important thing missing from communications between IT, operations, and security teams? It’s context. And context is what helps IT pros manage network vulnerabilities successfully.
For instance, if your business team reports that their emails are not reaching out to vendors, and the procurement process is badly broken, what do you do? Well, one option would be to shout “YOU’RE FIRED” at the top of your voice, and let the customary chaos of production issues ensue. A better way, however, would be to quickly gather all the necessary info that helps you contextualize the problem. Is it an issue with emails going out of the organization’s server? Is it an integration issue? It is a problem with the email server vendor? It is localized? What’s the immediate workaround to make things work?
The questions you need to ask will differ, but there must be questions! Starting on a vulnerability remediation effort without contextualizing it is not going to make you win; it will be time consuming, costly, and off the bull’s eye.
Network Access Control: A contemporary method to manage network vulnerabilities
Network Access Control is a way of restricting the availability of enterprise-commissioned network resources to endpoints. Companies are already using NAC to manage guest and contractor access to their networks. The core tenet of NAC is that by restricting the availability of network to data and resources, compliance can be easily ensured. Also, NAC can be extended to help with asset management for enterprises. If you choose to go with NAC, make sure you educate yourself before finalizing a vendor, choosing a form of NAC, and choosing among appliance-based, software-based, or hybrid solutions.
Managing vulnerabilities in the BYOD era
Chances are your employees bring their personal devices to work, and use them to perform important tasks related to their roles. Though these devices enable a lot of flexibility for contemporary businesses, they also pose unique network vulnerabilities management challenges for IT teams. These devices can be stolen, can be misplaced, and can even be deliberately misused by employees to access critical business data. To avoid risks related to these devices, IT teams need to make sure that only the necessary accesses are granted on such devices, and usage is governed by strict security controls. A conservative approach helps avoid risks; if an employee needs more access, requests must be routed through proper channels.
In this guide, we’ve covered some of the strategic level aspects of network vulnerabilities management that are often ignored by organizations, at their own peril. Start one by one, improve your practices in sync with these suggestions, and your enterprise will be safer.
Photo credit: Shutterstock
