Hello! Welcome back to this next TomCast from GuardSight; we are a tactical cybersecurity-as-a-service organization dedicated to helping businesses protect their data, their assets, and their endpoints.
Today’s discussion is going to center around vulnerability management. Oooo, sounds like a riveting topic, doesn’t it? Well, it all depends on where you are within the cyber world.
If you are in the policy realm of cyber, vulnerability management represents a portion of risk management, which is a very important aspect of business.
If you are a system or application administrator, vulnerability management can typically mean patching cycles, downtime, coordination with other divisions or departments, etc., so it is an important aspect of your regular responsibilities.
If you are on the tactical side of cyber, hunting threats, identifying compromises and breaches, vulnerability identification can show how a particular threat actor gained access to the environment, and the communication involved in identifying that vulnerability can be vital to the organization’s overall vulnerability management strategy.
So, what is vulnerability management? Well, as a very oversimplified answer that seems rather obvious, it is the management of the vulnerabilities impacting any particular organization.
Are the vulnerabilities only in logical resources (computers, networks, etc.)? Overall, no. If you have a comprehensive vulnerability management program, that program will identify physical vulnerabilities as well as logical vulnerabilities.
Most of the time, however, vulnerability management manages organizational risk by not only identifying the vulnerabilities within an organization, but also providing guidance on how to prioritize, categorize, and resolve those vulnerabilities.
Vulnerability management goes hand in hand with risk management, so there will be some cross-pollination in this discussion with regards to vulnerability and risk management.
Ok, so, let’s step back. What are vulnerabilities? Oxford tells us that a vulnerability is “the quality or state of being exposed to the possibility of being attacked or harmed”. Ok, we’ll dig into the cyber portion related to the part of that definition that states “the quality or state of being exposed”. We’ll use the example of using an outdated End-Of-Life Windows operating system on a modern network.
Why is this a vulnerability? The operating system has security problems that can no longer be fixed due to it not being supported anymore; this is a major vulnerability to the overall network. Threat actors can use that particular system as an entry point into the network, making it relatively easy to pivot from system to system once internal access has been gained.
Ok, well that is a rather obvious example that doesn’t impact that many organizations, right? I don’t have that data, but my gut tells me that it adversely impacts more organizations than it should.
Vulnerabilities are a constantly moving target; what may not be a vulnerability today could be one as soon as later today or early tomorrow. Technology is evolving at such a rapid pace that it is vital for organizations to stay on top of their vulnerability management programs.
Every day there is data to support more and more organizations falling victim to network compromises or data breaches due to vulnerabilities that haven’t been addressed.
With the prevalence of technology in just about every organization and every sector in business, threat actors have immeasurable targets to choose from. The more vulnerable an organization is, the easier access will be for a threat actor.
Many organizations still have a false belief of “it won’t happen to us”. Think back as I use an analogy here to the Old West. Remember bank robberies? They became almost a mainstay back then, and the phrase used was not “if” the bank was robbed, but “when”.
Fast forward to modern day, the physical bank has been replaced by logical resources. Bank robbers have been replaced by threat actors that no longer need to gain access by physical means and leave by shooting their way out.
They can come and go leaving hardly any trace. The phrase hasn’t changed, however. It isn’t “if” the organization will get compromised, attacked, or breached. It’s “when”.
So, getting back to vulnerability management, the proper management of the organization’s vulnerabilities helps to better prepare the organization for that “when” scenario. When the threat actor attempts to access, are they going to be able to exploit vulnerabilities to gain entry?
Are they going to find that easily opened logical door? Or are they going to be presented with a level of difficulty that could possibly change their focus to somewhere else?
Making vulnerability management a priority from the get-go is vitally important. Having to play “catch-up” due to not considering this important aspect makes vulnerability management very difficult, as it becomes a case of constantly chasing one’s tail.
Just like other aspects of cybersecurity, vulnerability management needs to be integrated into business processes early and often to ensure risk within the organization is managed effectively.
We here at GuardSight thank you for taking the time to listen to this TomCast. Please share this if you believe it would be of assistance to anyone in your contact list, and please provide us some feedback in the comments so we can continue to improve. Thanks!