Given the important role of aggressive vulnerability management in an effective information security management program, you would think that IT departments and the IT / MSP vendor community would keep the networks they manage well-patched and updated. Unfortunately, this doesn’t seem to be the case.
Citadel recently analyzed internal network vulnerability scans we’ve done over the last year for new clients and prospects.
The scans show an average of 1.8 critical vulnerabilities per device. This means an organization with 100 computers has, on average, 180 critical vulnerabilities: metaphorically, 180 holes in its dike just waiting for the tide to come in and the waves to hit. In addition to the 1.8 critical vulnerabilities, we find another 10 vulnerabilities per device classified as high. Equally disturbing: we often find a missing update for a program whose patch was released ten or more years ago. This is like playing Russian roulette with five bullets.
One can't overstate the importance of vulnerability management: the management discipline of keeping every device on a network patched and updated.
- The Center for Internet Security lists Continuous Vulnerability Management as Control 3 of its highly regarded 20 CIS Controls.
- Verizon's annual Data Breach Investigations Report (DBIR), now in its 10th year, repeatedly demonstrates the critical importance of keeping systems patched and updated.
- In its ongoing study of 37 strategies for blocking cyberattacks (Strategies to Mitigate Cyber Security Incidents), the Australian Signals Directorate, part of Australia's Department of Defence, has repeatedly found rigorous patching of applications and operating systems to be either the first or second most effective IT strategy for preventing intrusions.
- This is why SecureTheVillage includes Continuous Vulnerability Management in its Code of Basic IT Security Management Practices.
We typically get one of three answers when we ask a new client – or their IT people – why the network vulnerability scans are so bad.
- The client doesn’t understand the importance of regular vulnerability scanning and patch management. Not understanding it, the client is reluctant to pay for it.
- IT staff doesn’t understand the critical security importance of regular vulnerability scanning and patch management. This illustrates how vitally important it is for the C-Suite to have an independent source of information security management knowledge and expertise.
- IT staff think they're scanning, but they're only doing part of the job.
  - Sometimes we'll find IT patching only Windows programs while third-party programs like Adobe Acrobat and Google Chrome are several patch versions behind.
  - Other times we'll find IT using an inferior scanning tool rather than the high-quality scanners used by the information security management community. These lower-quality scanners are often part of a tool suite used for network administration. While they'll find some of the vulnerabilities on a network, other known vulnerabilities will be missed.
Citadel uses the Nessus vulnerability scanner made by Tenable. Licensing costs are low enough that an IT department or IT vendor / MSP can easily buy it. There's no reason an organization with its own scanner can't scan its network weekly. Even companies that have to pay for each network vulnerability scan should consider doing so quarterly.
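To make the per-device numbers above reproducible from a scan you already have, here is an added example (not code from the original post, and not Tenable's) that reads a Nessus-style CSV export, counts critical and high findings per host, computes the per-device averages, and flags findings whose vendor patch was published more than ten years before the scan date. It assumes the export contains 'Risk', 'Host', 'Name' and 'Patch Publication Date' columns with dates written as YYYY/MM/DD; the embedded CSV is constructed sample data, not a real scan.

```python
"""Summarize a Nessus-style CSV export: critical/high counts per device and stale patches."""
import csv
import io
from collections import Counter
from datetime import date, datetime

# Constructed sample in the shape of a Nessus CSV export. Assumptions: the export
# includes the 'Risk', 'Host', 'Name' and 'Patch Publication Date' columns, dates
# are YYYY/MM/DD, and every host, finding name and date below is made up.
SAMPLE_CSV = """\
Risk,Host,Name,Patch Publication Date
Critical,10.0.0.11,PDF reader outdated (example),2008/04/08
Critical,10.0.0.11,Browser outdated (example),2019/04/23
Critical,10.0.0.11,Office suite outdated (example),2018/11/13
High,10.0.0.11,Java runtime outdated (example),2017/01/17
High,10.0.0.11,Weak TLS configuration (example),
None,10.0.0.11,Host information (example),
Critical,10.0.0.12,PDF reader outdated (example),2008/04/08
Critical,10.0.0.12,Browser outdated (example),2019/04/23
High,10.0.0.12,Java runtime outdated (example),2017/01/17
None,10.0.0.12,Host information (example),
Critical,10.0.0.13,Browser outdated (example),2019/04/23
High,10.0.0.13,Weak TLS configuration (example),
High,10.0.0.13,SMB signing not required (example),
High,10.0.0.13,Java runtime outdated (example),2017/01/17
High,10.0.0.13,Media player outdated (example),2015/06/09
High,10.0.0.13,Archive utility outdated (example),2016/02/16
None,10.0.0.13,Host information (example),
High,10.0.0.14,Weak TLS configuration (example),
High,10.0.0.14,SMB signing not required (example),
None,10.0.0.14,Host information (example),
"""


def parse_findings(csv_text):
    """Return the export as a list of dicts, one per finding row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def scanned_hosts(findings):
    """Every host that appears in the export, including hosts with only informational rows."""
    return sorted({f["Host"] for f in findings})


def per_host_counts(findings, risks=("Critical", "High")):
    """Map host -> Counter of findings by risk level, for the risk levels requested."""
    counts = {host: Counter() for host in scanned_hosts(findings)}
    for f in findings:
        if f["Risk"] in risks:
            counts[f["Host"]][f["Risk"]] += 1
    return counts


def average_per_device(findings, risk):
    """Average number of findings of the given risk per scanned device.

    Hosts with zero such findings stay in the denominator, so well-patched
    machines lower the average instead of being silently dropped."""
    counts = per_host_counts(findings)
    if not counts:
        return 0.0
    return sum(c[risk] for c in counts.values()) / len(counts)


def parse_patch_date(value):
    """Parse the export's YYYY/MM/DD patch date; blank means no patch date is known."""
    value = (value or "").strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y/%m/%d").date()


def years_before(d, years):
    """The same calendar date `years` earlier, clamping Feb 29 to Feb 28 when needed."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def stale_patches(findings, as_of, years=10):
    """Findings whose vendor patch was published at least `years` before `as_of`."""
    cutoff = years_before(as_of, years)
    stale = []
    for f in findings:
        patched = parse_patch_date(f.get("Patch Publication Date"))
        if patched is not None and patched <= cutoff:
            stale.append((f["Host"], f["Name"], patched))
    return sorted(stale)


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_CSV)
    print(f"devices scanned: {len(scanned_hosts(findings))}")
    for host, c in per_host_counts(findings).items():
        print(f"  {host}: critical={c['Critical']} high={c['High']}")
    print(f"average critical per device: {average_per_device(findings, 'Critical'):.1f}")
    print(f"average high per device:     {average_per_device(findings, 'High'):.1f}")
    for host, name, patched in stale_patches(findings, date(2019, 6, 1)):
        print(f"STALE  {host}  {name}  patch published {patched}")
```

Point `parse_findings` at a real export and compare the two averages with the 1.8 critical and 10 high per device figures above; anything the stale-patch check prints is the ten-year-old missing update described earlier, and is the first thing to fix.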
Given the cost and disruption of even a minor security incident, the Risk Return on Investment from implementing rigorous vulnerability management is extremely high. Consequently, the prudent executive will want to gain assurance that IT is effectively managing this critical IT security management function.
We invite you to contact us for more information.