Software vulnerabilities represent a greater risk to sensitive data and to user safety than most enterprises appreciate, writes Vincent Smyth, Senior Vice President, EMEA, at the software company Flexera.
These threats have only become more dangerous in recent years, as the sheer number of software applications that enterprises rely upon to conduct business each day has expanded tremendously, and with them the size of the attack surface they present. Commercial off-the-shelf software (COTS) can include vulnerabilities for malware and attackers to exploit. At the same time, the millions of enterprise servers and client PCs running unpatched and often unsupported operating systems only heighten these vulnerabilities. For instance, Windows XP still enjoys a market share surpassing 4pc, even though the OS receives no security updates and has been unsupported for more than four years. Unfortunately, while some widely-used applications now go unnurtured from a security standpoint, the “script kiddies” of yesteryear have grown up, and they’re not alright: they’re now professional criminals initiating ransomware and other sinister attacks with enterprise-grade prowess.
Given this reality, it’s essential that enterprises actively engage in vulnerability management, and execute the correct techniques to secure their software assets. Here are three strategies your enterprise can use to reduce software vulnerability threats:
1) Regularly conduct thorough assessments of all applications in use, and introduce strict IT policies.
To begin the work of reducing and hardening the attack surface your applications present, perform an enterprise-wide audit of all software in use within your organisation. This means checking each server and client PC, across all enterprise locations, and including each SaaS solution, web application, and any other software to arrive at a complete inventory. Don’t be surprised to encounter a few, well, surprises – this audit will likely uncover a far greater quantity of applications than you may initially anticipate, and it’s all too common to find that many employees and departments have provisioned SaaS or COTS applications on their own, without your IT department’s awareness or approval.
With your audit complete, you can then identify any software that is obsolete, or orphaned with no current owners or users (as well as any hardware dedicated to these solutions), and proceed with plans to fully remove or replace them as appropriate. Any application past its end of life (EOL) or end of support (EOS) date (for example, Windows XP) represents a gaping opening in your IT security and should be upgraded, migrated to a secure platform, or simply retired before it inevitably becomes compromised. And, because all applications and OSs are part of the circle of life and reach EOL eventually, this audit shouldn’t be a one-time thing – it should be performed on a regular basis. Ideally, your enterprise should anticipate application upgrade and replacement needs as part of your overall application lifecycle management and IT strategy.
To curtail employee behaviours that introduce application vulnerabilities and risk – i.e. buying software without ever telling your IT department – introduce clear and well-enforced IT policies within your organisation, along with programs to educate employees in adhering to these policies. Each member of your enterprise should know the risks of introducing software that isn’t properly managed, and join in a united front from an IT security standpoint.
2) Determine and rank the value of your software assets, giving priority to applications with the greatest impact on your business and your bottom line.
When your platforms or applications do encounter issues – whether software is compromised by malware, experiences downtime, etc – it’s important to understand the priority of the issue and the severity of its impact on your business operations. To make these determinations before issues occur, enterprise IT departments should work with business departments to recognise and rank the importance of each software asset and prepare roadmaps for remediating issues affecting each specific software solution if and when they arise. For example, ERP, database, and client-facing applications are likely to warrant the highest priority and immediate attention to preserve 24/7 uptime, with measures in place to protect sensitive enterprise or client data as issues strike. In contrast, less mission critical tools such as those used for social media or collaboration ought to hold a lesser priority when it comes to allocating resources. In general, applications that impact your business’s bottom line or reputation with customers deserve the highest priority.
3) Design and implement a successful software vulnerability management process.
It’s important to approach software vulnerability management not as a singular goal, but as an ongoing process. Properly managing software vulnerabilities requires engaging in episodes of assessment, mitigation, and verification as phases within an ongoing lifecycle. In the same way as DevOps and agile practices have enabled enterprises to embrace continual product releases, adopting vulnerability management as a process enables enterprises to realise continuous protection.
In this pursuit, enterprises should make use of all software vulnerability and update information at their disposal, and explore the option of leveraging vulnerability research partners, which can help to reduce the time it takes to learn about and implement patches to software, middleware, and OSs. Enterprises are struggling to maintain software in an environment where more than 16,000 vulnerabilities were reported in 2018, a 12% increase from the previous year. It’s also the case that patches are available but underused: in 2017, 86pc of vulnerabilities had a patch available on the day of disclosure, and yet the great majority of exploitations occur a full 30 days after a patch is released. Considering these facts, enterprises could certainly use a hand in navigating the vast landscape of software elements and vulnerabilities, as well as in identifying their attack surfaces, performing risk mitigation, and making sure those actions have the intended effect.
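The three strategies above can be combined into one repeatable assessment pass. The following is an added example, not code from the article or from Flexera: it flags inventory entries that are past EOL/EOS, orphaned, unapproved, or carrying a patch left unapplied for 30 days, then orders the remediation queue by business priority. The tier scale, field names, hosts, owners and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 30  # assumed threshold, taken from the 30-day figure the article cites

@dataclass
class Asset:
    name: str
    host: str
    tier: int                        # assumed scale: 1 = ERP/database/client-facing, 3 = collaboration
    eol: Optional[date]              # vendor EOL/EOS date, if known
    owner: Optional[str]             # None = orphaned, no current owner or users
    approved: bool                   # False = provisioned without IT approval
    patch_released: Optional[date]   # oldest available patch not yet applied

def findings(asset: Asset, today: date) -> list:
    """Assessment phase: list the reasons an asset needs attention."""
    out = []
    if asset.eol and asset.eol <= today:
        out.append("past EOL/EOS")
    if asset.owner is None:
        out.append("orphaned")
    if not asset.approved:
        out.append("unapproved")
    if asset.patch_released and (today - asset.patch_released).days >= PATCH_WINDOW_DAYS:
        out.append("patch overdue")
    return out

def remediation_queue(inventory: list, today: date) -> list:
    """Rank flagged assets: highest business tier first, then most findings."""
    flagged = [(a, findings(a, today)) for a in inventory]
    flagged = [(a, f) for a, f in flagged if f]
    flagged.sort(key=lambda p: (p[0].tier, -len(p[1]), p[0].name))
    return [(a.name, a.host, a.tier, f) for a, f in flagged]

# Constructed sample inventory (hypothetical hosts and owners).
TODAY = date(2019, 3, 1)
INVENTORY = [
    Asset("ERP suite", "erp-01", 1, None, "finance", True, date(2019, 1, 2)),
    Asset("Windows XP", "kiosk-07", 2, date(2014, 4, 8), None, True, None),
    Asset("Team chat (SaaS)", "saas", 3, None, "marketing", False, None),
    Asset("Customer portal", "web-02", 1, None, "sales", True, date(2019, 2, 20)),
    Asset("Reporting DB", "db-03", 1, date(2018, 12, 31), "bi", True, date(2018, 11, 1)),
]

if __name__ == "__main__":
    for row in remediation_queue(INVENTORY, TODAY):
        print(row)
```

Re-running the same pass after mitigation serves as the verification phase: an asset that has been patched, retired or assigned an owner drops out of the queue.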
Commercial software solutions change with each patch and release, making them challenging to protect as new vulnerabilities emerge. By leveraging strategies that put the correct policies and solutions in place to eliminate unnecessary and outdated software, correctly prioritise mitigation, and address software vulnerabilities as a continuous process, you can optimise your enterprise to succeed in the face of these security threats.