In a crime movie, thieves might start out by “casing the joint” — familiarizing themselves with the location they plan to rob, looking for potential weaknesses they might exploit. Maybe one of the security guards is lazy and falls asleep on his shift. Perhaps there’s a window that doesn’t lock, which could be accessed from a nearby alleyway, away from prying eyes. Or there could be a technical problem with the alarm system that means it won’t sound, even if motion is detected on a particular floor of the building.
When it comes to cybersecurity, things are a bit different. Instead of physical security guards, literal entry points, and alarm systems, everything is based in the virtual world of software. Vulnerabilities still exist, but they’re vulnerabilities in code and programs, rather than loose window frames or snoozing security guards. Protecting against these vulnerabilities is no less important, however — whether it’s for safeguarding your computer system or practicing good website security.
Almost every piece of software has bugs: errors or faults in a program that stop it from working exactly as its creator intended. In some cases, a bug is just a minor glitch that causes slight annoyance to the user, if it is noticed at all. In others, it rises to the level of a significant vulnerability, where the flaw is large and egregious enough that bad actors could exploit it to carry out malicious actions.
Such a vulnerability might, for instance, allow an attacker to grant themselves administrator privileges and take control of the system, then use that access to steal or alter sensitive data, introduce malware, or carry out some other malicious action.
Vulnerabilities increasing all the time
Unfortunately, the number of high-risk vulnerabilities is increasing all the time. According to Bugcrowd, a crowdsourced security platform that is one of the largest online bug bounty and vulnerability disclosure companies, vulnerability submissions on its platform increased by 50% in 2020. That included a 65% increase in Priority One (P1) submissions, the most severe and critical class of security vulnerabilities. This opens up new opportunities for bad actors willing to exploit these vulnerabilities, either for their own monetary gain or simply to cause problems for targets.
Any reputable software company will issue patches for vulnerabilities as they are discovered, not wanting their software to be exploited in a way that damages their users. However, vulnerability management can be complex. The problem with patches is that, while developers may fix the problem, it nonetheless relies on users installing the patch in order to be protected by it. Think of it like being a maintenance person charged with looking after a sprawling estate: yes, you might have the tools to fix every problem, but at a certain point the job becomes overwhelming in terms of just how much there is to do.
Challenges with patches can range from the simple problem of staying on top of vulnerabilities, and prioritizing which patches to install as a result, to the difficulty of installing patches on certain systems that cannot easily be taken offline for any length of time.
According to one 2020 Ponemon Institute study, commissioned by IBM, the average firm fails to patch 28% of its hardware and software vulnerabilities every six months. While that means that 72% of vulnerabilities do get patched, it also adds up to an average backlog of a massive 57,000 unfixed security issues at any given time. Needless to say, that is a major security concern. It can be particularly difficult to maintain visibility into vulnerabilities in third-party dependencies.
Protect against vulnerabilities
To protect against vulnerabilities, organizations must take a methodical approach to vulnerability management. Ensure that you have allocated sufficient resources to the challenge, so that keeping all software up to date is not simply handed to an understaffed IT department on the assumption that it can be done quickly and easily.
This is a time-intensive, serious job that poses significant risks if it is not done properly. To help stay informed about potential vulnerabilities, organizations can use resources like those made available by the Department of Homeland Security’s U.S. Computer Emergency Readiness Team. Groups such as this can not only provide lists of major vulnerabilities, but also help organizations prioritize patches according to risk severity.
One of the smartest decisions you can make is to employ the proper cybersecurity tools for the job, such as virtual patching. Despite its name, virtual patching is not a software patch in the way that the term is usually applied. A virtual patch is actually a collection of rules that adds an extra protective layer of security around a piece of software, stopping potential attacks that look to exploit its vulnerabilities before they reach the vulnerable code.
This could come in the form of a Web Application Firewall (WAF) or Runtime Application Self-Protection (RASP) that blocks attempts to exploit exposures or vulnerabilities — regardless of whether the developers have patched the underlying vulnerability in question.
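To make the "collection of rules" idea concrete, here is a small virtual-patch rule engine of the kind a WAF or RASP would run in front of an application. It is an added example written for this article, not code from any WAF or RASP product, and the application endpoints (/download, /search), the parameter names, the rule identifiers (VP-001, VP-002) and the sample requests are all constructed for illustration. Each rule names the endpoint and parameter through which a known flaw is reachable and the input pattern that must not be allowed through; requests matching a rule are blocked and attributed to that rule, everything else passes untouched, and the application itself is unchanged until the real patch ships.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit, parse_qs


@dataclass
class VirtualPatch:
    """One rule shielding a known-vulnerable endpoint until the real fix is deployed."""
    rule_id: str           # constructed identifier for logging and later retirement
    path: str              # exact request path the rule guards (hypothetical endpoint)
    param: str             # query parameter through which the flaw is reachable
    deny: re.Pattern       # input pattern that must not reach the application
    note: str = ""         # why the rule exists and when it can be removed


@dataclass
class Decision:
    allowed: bool
    rule_id: Optional[str] = None
    reason: str = ""


# Constructed rule set for a hypothetical application. parse_qs() decodes one
# layer of percent-encoding, so VP-001 also matches the literal "%2e%2e" to
# catch a double-encoded traversal that would otherwise slip past the rule.
RULES: List[VirtualPatch] = [
    VirtualPatch("VP-001", "/download", "file", re.compile(r"\.\./|%2e%2e", re.I),
                 "shield path-traversal flaw in download handler until app v2.4 ships"),
    VirtualPatch("VP-002", "/search", "q", re.compile(r"<\s*script\b", re.I),
                 "block script tags reflected by search page until output encoding is fixed"),
]


def evaluate(url: str, rules: List[VirtualPatch] = RULES) -> Decision:
    """Decide whether a request may pass to the application.

    Rules are checked in order; the first match blocks the request and records
    which virtual patch fired, which is what an operator would expect to see in
    the WAF/RASP log when reviewing blocked traffic.
    """
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    for rule in rules:
        if parts.path != rule.path:
            continue
        for value in params.get(rule.param, []):
            if rule.deny.search(value):
                return Decision(False, rule.rule_id,
                                f"{rule.param}={value!r} matched {rule.deny.pattern!r}")
    return Decision(True)


# Constructed sample traffic: ordinary requests mixed with inputs the rules exist to stop.
SAMPLE_REQUESTS = [
    "/download?file=report.pdf",
    "/download?file=../../etc/passwd",
    "/download?file=%252e%252e%2fsecret",     # double-encoded "../"
    "/search?q=quarterly+report",
    "/search?q=%3Cscript%3E",
    "/health",
]


def run_samples(urls: List[str] = SAMPLE_REQUESTS) -> List[Tuple[str, bool, Optional[str]]]:
    """Evaluate each sample request and return (url, allowed, rule_id) for review."""
    return [(u, d.allowed, d.rule_id) for u, d in ((u, evaluate(u)) for u in urls)]


def blocked_count(urls: List[str] = SAMPLE_REQUESTS) -> int:
    """Number of sample requests the virtual patches would stop."""
    return sum(1 for _, allowed, _ in run_samples(urls) if not allowed)


if __name__ == "__main__":
    for url, allowed, rule_id in run_samples():
        status = "ALLOW" if allowed else f"BLOCK ({rule_id})"
        print(f"{status:16} {url}")
```

Two design points matter in practice. First, every rule carries a note saying which underlying flaw it covers and when it can be retired, because a virtual patch is a stopgap and rules that outlive the real fix accumulate as unexplained blocking behaviour. Second, matching is done on decoded parameter values and the rule additionally looks for the encoded form, which illustrates the main weakness of this approach: a rule only protects against the input shapes it anticipates, so it complements, rather than replaces, applying the vendor's patch.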
Unfortunately, vulnerabilities are going to remain a part of software for as far into the future as it is possible to see. But by using tools such as WAFs and RASP, you can achieve scalable vulnerability management in a way that will protect your organization, and all those who rely on it.