In last week’s article, I covered threats in information security management systems. This week, the focus is on the impact and role of vulnerability in information management, how it can be detected and practical steps of preventing it.
It is important to define vulnerability first. The United Kingdom’s National Cyber Security Centre defines it as a “weakness in an IT system that can be exploited by an attacker to deliver a successful attack.” In other words, they are gaps that any group of unscrupulous individuals can use for malicious works.
Vulnerabilities, quite often, happen through flaws, features, or user errors. There is a formula: vulnerability + vulnerability = threats. Without vulnerabilities, there can’t be threats. The question, therefore, is how do vulnerabilities happen? One obvious way is when a computer is connected to an unsecure network. This can lead the computer open to an entire network of vulnerabilities.
An employee, for example, connects with her work laptop to a network outside her work environment. The next day she connects back to the company network without consideration of her previous actions. Then after a while, the company’s website, which generates a high traffic of customers, witnesses a downward spiral. Such vulnerability occurs regularly. This is called injection. Injection alters backend servers allowing an attacker to manipulate data or use it for any selfish reasons.
How can companies prevent vulnerabilities? That’s the big question. There is no one solution. The first thing that a company must do is create a vulnerability register and register the types of vulnerability that their company can be exposed to, and this can help the company match what is high, medium, and low.
The best solution to handling vulnerability is creating a management scheme to reduce the likelihood of successful attacks on their IT environment. There are various proven actions companies can take.
A good practice is a security scan. A company can employ vulnerability scanning tools that can help identify vulnerabilities in network systems. Once, a CISO asks “how often should these scans be performed?” The answer here is simple, what’s the traffic of assets within that network and what’s their importance and the implication it would have on the business? If she can answer that question, that can inform how scans should be carried out and when it should be carried out.
Another form of management of vulnerability is called penetration testing or pen testing as called in industry speak. This involves the use of a security scan plus additional manual tests that security scanning tools would usually not deploy. This type of testing is considered a simulation of an attacker who intends to attack an IT system. This test should be, for good practise, be done in non-productive areas so as not to affect daily productive IT environments.
When conducting a penetration test, the tester simulates the steps that a typical attacker would most likely take to successfully infiltrate an IT network. Through this process, the tester gathers the relevant data to analyse and identify the weaknesses that exist within the defences of an organization, so that they can be addressed to prevent further exploitation in the future.
The company must employ social engineering assessment to judge the personnel in the organisation to see how well they are able to recognise various tricks used by attackers in attempt to gain information. A company would use telephone calls, email and in-person encounters to test employees. This allows company to gauge assessments on whether further training is required for certain individuals.
Vulnerability management helps companies to prevent threats and protect the company’s information assets from malicious attack. A good vulnerability assessment would further make the company know where weaknesses within their network exists and make them realise the best mitigating strategy.
The art of doing nothing: Nigeria & The World