The other day the White House sent a warning message to organizations: “Patch your system!” The recent hacks on Microsoft Exchange Server even elicited a response from the President. That shows you the seriousness of vulnerability management not just in government systems but in all types of organizations. The recently uncovered hack is only the latest in a long litany of hacks that, for almost 30 years, take advantage of unpatched product vulnerabilities. “Patch your systems!” has been evangelized from the beginning of the SANS & CIS Top 20 Critical Security Controls. Vulnerability management is such an onerous task that remediation often gets pushed too far out, leaving the network exposed.
Here are some steps you need to take beyond simply patching the latest vulnerability reported on the nightly news to ensure you are not in the headlines next. These are the best practices implemented at some of our nuclear power plants and other critical infrastructure sites, some of the most targeted networks in the world:
- Good security begins with good configuration management hygiene. Know your assets, categorize your assets (e.g., critical versus non-critical), and have a single simple process to identify any vulnerabilities on each one. If you have real-time systems such as operational technology (OT) assets, this is not as simple as running a live vulnerability scan. You may need a process to do offline scanning.
- What physical security assets are connected to the network? Many IT departments aren’t responsible for physical security assets like surveillance cameras. But just because they provide physical security doesn’t mean they are inherently cyber secure. Verakda, an IP camera system, for example, was just breached exposing 150,000 security cameras in Tesla factories, jails, and more. Ignoring physical security asset vulnerabilities can be an easy entry point into your network.
- What about other IoT devices? And mobile devices? These assets will have vulnerabilities and have to be managed.
Having a standard approach to configuration and vulnerability management across all devices, including IT, OT, IoT, mobile, and physical, will allow you to identify, prioritize, and remediate vulnerabilities faster.