Drriiiinnng! You’re in the office and a fire alarm goes off. There’s no heat. No flames. No smoke. But everyone’s standing up and heading outside anyway. As you leave, you wonder: why do companies have fire drills so often, when the chance of fire is low?
It’s because exercises like fire drills aren’t, at core, about fires. They’re designed to discover vulnerabilities – doors that stick, departments that don’t react fast enough, corridors that get too crowded as people leave the building. By noting and addressing these weak points, a normal day in the office gets a little safer, every time a drill is carried out.
And IT vulnerabilities are no different. Your web applications change over time, as old features are deprecated and new APIs are added; each change brings risks as well as opportunities. Which means your network security needs to change and adapt to cope with fresh challenges, too. Fortunately, there's a structured way to keep on top of these risks, and Strypes can help you put it in place.
This article covers Part 2 of our mini-series on network security, looking at vulnerabilities in your IT infrastructure and seeking solutions. In Part 1, you learned the Strypes approach to penetration testing, where friendly hackers deliberately attack your web applications from outside, seeking administrative privileges that can be used to cause you harm. Here, we’ll look at a complementary approach: vulnerability management.
Vulnerability management today: keeping a watchful eye on weaknesses
It’s a safe bet that if your business systems contain value, bad actors are looking for ways to cause trouble. And it’s not limited to your own company, or even your own country. The internet and its cloud infrastructure are infested with hackers and bots hammering away at every open port, trying to access every directory, compromise every user account.
Sometimes the attacks are brutally simple (guessing password after password) and sometimes they're highly skilled and co-ordinated, involving dozens of black-hat experts. But in a surprising number of cases, they're opportunistic: criminals spotting a weak point in your walls and trying their luck.
The penetration testing described in our earlier blog can close many of these gaps. But pentesting can’t do everything. It tends to be project-based and limited in scope, for business reasons like resource allocation and cost control.
Vulnerability management, by contrast, is longer-term and less invasive. It’s an ongoing attitude of watchfulness, taking intelligent decisions about your risk level and where attackers are most likely to take advantage – culminating in a comprehensive vulnerability management plan to be executed over an extended timescale.
You’ll recall Strypes’ pentesting had four main stages, plus an obvious fifth stage of fixing any problems found. Similarly, the vuln management process has five parts.
Part 1: Determining your scope
First comes a discovery phase. What’s to be included in your vulnerability management plan, and what isn’t? It’s where we list every asset on your network that might be at risk from a bad actor attack. And it’s not limited to software and servers.
Obviously, your servers (physical, virtual and cloud-hosted) are on the list, as are the mission-critical web applications running on them. But a scope isn't just what to look at; it's how you look at it. An API that holds up against one class of attack may be wide open to another, so a good scope states which threat types each asset is assessed against. Since your scope may stay in place for a year or more, this stage is important.
Part 2: defining roles and responsibilities
In any area of cybersecurity, the people factor is huge. So this part is all about building that list of who does what. Much vulnerability testing is done by software agents active on your network infrastructure: who installs those agents on your systems, and under what permissions? Who needs to be informed of vulnerabilities discovered, and how should information be cascaded to other stakeholders? Most important of all, who’s responsible for taking action when risks are identified?
This part is where we answer these questions together – making sure that for every problem, there’s someone able to deliver a solution. Whether it’s a cybersecurity consultant from Strypes, a Subject Matter Expert within your organisation, or an IT administrator new to your team.
Part 3: Selecting the tools – scan, scan, and scan again
As mentioned, a key difference between pentesting and vuln testing is invasiveness. Pentesting is about prodding, pushing, and breaking in, getting down and dirty with the web applications hackers may target; vulnerability management is lighter-touch, taking a view on things and critically assessing. In short, it’s all about the scan.
There’s a huge variety of scanning tools for sniffing out your vulnerabilities. In general, they’re divided into types based on what they scan. Here are a few:
- OS scanners look for weaknesses in file permissions, system settings and running services. Sometimes all it takes is one over-permissive file or a forgotten service account to give an attacker a foothold on the whole host.
- Database scanners focus on authentication and access control, since a single database is often shared by many applications and every connection is a potential soft point; they also probe for places where SQL statements can be "injected" from outside, letting an attacker read or modify data, bypass logins, or knock the database over.
- SaaS scanners. The security of Software-as-a-Service applications depends on correct setup and configuration; a default setting or a permission that was never tightened can present a juicy attack vector.
- Custom scanners. If your systems are unique to your business (and most are!) it may be time for a custom-created script that looks for specific vulnerabilities across your infrastructure. Rest assured: if the risk isn’t answered by standard tools, a custom scanner can get the job done.
- And of course, there are web application scanners, for the software created specially for your business that often contains your biggest competitive advantages. Any number of risks can be present here: missing input validation, cross-site request forgery (a forged request that rides on a logged-in user's session), cross-site scripting that runs attacker-supplied script in your users' browsers, injection flaws, and more. That's why web application vulnerability management is our major focus at Strypes.
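To make the first and fourth bullets concrete, here is a small custom OS-configuration scanner, added to this article as an illustration. It is not Strypes tooling and not code from the original post. It walks a directory tree and flags three classic weaknesses: world-writable files and non-sticky directories, setuid/setgid binaries, and private-key files readable by other users. It builds its own constructed sample tree in a temporary directory so it runs offline; the file names, the list of key-file names and the severities are assumptions chosen for the example.

```python
"""Tiny custom OS-configuration scanner (added example, not Strypes tooling)."""
import os
import stat
import tempfile
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# File names treated as private key material (assumption for this example).
KEY_NAMES = ("id_rsa", "id_ecdsa", "id_ed25519")
KEY_SUFFIXES = (".pem", ".key")


@dataclass
class Finding:
    path: str
    check: str
    severity: str  # illustrative severities: "high" or "medium"

    @property
    def name(self) -> str:
        return os.path.basename(self.path)


def check_path(path: str) -> List[Finding]:
    """Apply the permission checks to one file or directory."""
    mode = os.lstat(path).st_mode  # lstat: never follow symlinks
    findings: List[Finding] = []
    if stat.S_ISLNK(mode):
        return findings
    is_dir = stat.S_ISDIR(mode)
    is_reg = stat.S_ISREG(mode)
    # World-writable is bad, except for sticky directories such as /tmp.
    if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
        findings.append(Finding(path, "world-writable", "high"))
    # setuid/setgid executables run with elevated privilege: inventory them.
    if is_reg and mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append(Finding(path, "setuid/setgid binary", "medium"))
    # Private keys readable by group or others leak credentials.
    name = os.path.basename(path)
    looks_like_key = name in KEY_NAMES or name.endswith(KEY_SUFFIXES)
    if is_reg and looks_like_key and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(Finding(path, "private key readable by group/others", "high"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk root (not following symlinks) and collect findings, sorted by path."""
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        findings.extend(check_path(dirpath))
        for fname in filenames:
            findings.extend(check_path(os.path.join(dirpath, fname)))
    return sorted(findings, key=lambda f: f.path)


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {"high": 2, "medium": 1}."""
    return dict(Counter(f.severity for f in findings))


def build_sample_tree() -> str:
    """Create a constructed sample filesystem in a temp dir (sample data, not a real host)."""
    root = tempfile.mkdtemp(prefix="vulnscan-")

    def mkdir(rel: str, mode: int = 0o755) -> None:
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)  # explicit mode so the host umask cannot skew results

    def touch(rel: str, mode: int) -> None:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, mode)

    for d in ("etc", "usr", "usr/bin", "home", "home/svc"):
        mkdir(d)
    mkdir("home/svc/.ssh", 0o700)
    mkdir("tmp", 0o1777)                       # sticky world-writable dir: allowed
    touch("etc/ok.conf", 0o644)                # fine
    touch("etc/app.conf", 0o666)               # world-writable: finding
    touch("usr/bin/helper", 0o4755)            # setuid: finding
    touch("home/svc/.ssh/id_rsa", 0o644)       # key readable by others: finding
    touch("home/svc/.ssh/id_rsa.pub", 0o644)   # public half: fine
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    results = scan_tree(sample_root)
    for finding in results:
        print(f"{finding.severity:6} {finding.check:40} {finding.path}")
    print(summarize(results))
```

Run it against a real mount point instead of the sample tree and the same three checks apply; the point is that a few dozen lines of script, tuned to what your own infrastructure looks like, can cover a risk that a generic product never asks about.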
So in this part, we’ll determine which scanning tools to use, including any combination of them that identifies the risks most effectively.
Part 4: Setting policies and the Service Level Agreement
At Strypes, we’ve built our reputation on understanding each other – a level playing field where our customers know exactly what they’re getting and how we’ll respond to every actionable event. In your vulnerability management system, that’s the job of policies and SLAs.
By the end of this part, you’ll be fully aware of what’s covered in your vulnerability management process, what the tools are and how they’ll be used, and how processes lead to outcomes at every stage of your vulnerability management lifecycle. This enables you to treat vuln testing as a natural part of your IT process – and stay constantly alert to risks and red flags.
Part 5: Taking a meta view on your IT assets
The last part of your vulnerability assessment takes a broader look at your entire IT landscape: understanding the context your assets operate in, and seeing how they work together to deliver value to your business. Because it’s in those connections – sometimes complex – that the riskiest vulnerabilities can often hide.
This provides the missing piece of the puzzle: prioritization. Obviously, we want the biggest risks dealt with first, and that can include human factors such as stale credentials and over-broad permissions as well as faults in the web application codebase. Seeing your data environment as the "whole fruit" is the final step in an effective vulnerability management program, setting you up for ongoing optimization of your network security without unpleasant surprises.
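To show how the SLA policies of Part 4 and the context-driven prioritization of Part 5 fit together, here is an added Python example. It is not Strypes' process and not code from the original article. It takes raw scanner findings, adjusts each base score for business context (internet exposure, a known public exploit, how critical the asset is), maps the result to a tier, derives a remediation deadline from a per-tier SLA and flags what is already overdue. The multipliers, tier thresholds, SLA day counts, the fixed "today" and the sample findings are all constructed assumptions for illustration.

```python
"""Context-based prioritization with SLA deadlines (added example, illustrative values)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Sequence

# Remediation SLA in days per tier: assumed policy values, not a Strypes standard.
SLA_DAYS: Dict[str, int] = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Context multipliers and tier thresholds: assumptions for this example.
EXPOSURE_FACTOR = 1.5                            # reachable from the internet
EXPLOIT_FACTOR = 1.3                             # working public exploit exists
CRITICALITY_FACTOR = {1: 0.6, 2: 1.0, 3: 1.4}    # 1 = lab box, 3 = revenue-critical
TIERS = (("critical", 12.0), ("high", 8.0), ("medium", 4.0), ("low", 0.0))


@dataclass(frozen=True)
class Finding:
    id: str
    asset: str
    cvss: float             # scanner's base score, 0-10
    internet_facing: bool
    exploit_public: bool
    asset_criticality: int  # agreed with the business during scoping, 1..3
    found_on: date


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS: Sequence[Finding] = (
    Finding("F-1", "billing-api", 9.8, True, True, 3, date(2024, 1, 2)),
    Finding("F-2", "intranet-wiki", 9.8, False, False, 1, date(2024, 1, 2)),
    Finding("F-3", "customer-portal", 6.4, True, False, 3, date(2024, 1, 15)),
    Finding("F-4", "build-server", 7.2, False, True, 2, date(2023, 12, 1)),
)
TODAY = date(2024, 1, 20)  # fixed "now" so the example is reproducible


def priority_score(f: Finding) -> float:
    """Scale the scanner's base score by business context, capped at 20."""
    score = f.cvss
    if f.internet_facing:
        score *= EXPOSURE_FACTOR
    if f.exploit_public:
        score *= EXPLOIT_FACTOR
    score *= CRITICALITY_FACTOR[f.asset_criticality]
    return round(min(score, 20.0), 1)


def tier_for(score: float) -> str:
    """Map a priority score to the tier that selects its SLA."""
    for name, floor in TIERS:
        if score >= floor:
            return name
    return "low"


def triage(findings: Sequence[Finding] = SAMPLE_FINDINGS, today: date = TODAY) -> List[Dict]:
    """Return findings ordered by priority, each with its SLA due date and overdue flag."""
    rows: List[Dict] = []
    for f in findings:
        score = priority_score(f)
        tier = tier_for(score)
        due = f.found_on + timedelta(days=SLA_DAYS[tier])
        rows.append({"id": f.id, "asset": f.asset, "score": score, "tier": tier,
                     "due": due.isoformat(), "overdue": today > due})
    rows.sort(key=lambda r: (-r["score"], r["due"]))
    return rows


if __name__ == "__main__":
    for row in triage():
        flag = "OVERDUE" if row["overdue"] else ""
        print(f'{row["id"]} {row["asset"]:16} {row["score"]:5} {row["tier"]:8} due {row["due"]} {flag}')
```

Note what the context does to the order: the customer portal's medium-severity finding outranks the critical-rated but isolated intranet wiki, because exposure and asset value matter more than the raw score. The SLA is then a simple consequence of the tier, which is what makes it possible to write the policy down and report against it.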
CONCLUSION: Vulnerability Management is an ongoing process
So that’s vuln assessment and management: not an event, but a process that happens over time. Our approach to it keeps some of the world’s most important companies safe and ready to respond to threats – on timescales that can span years.
We’d like to show you how vulnerability testing with Strypes can improve security and confidence at your business, too. After all, you spent years building your business processes and tuning them for competitive advantage; why risk losing that value to a bunch of criminally-minded hackers from the web’s darker parts? Planning and assessing today can mitigate major risks tomorrow.
To see how it all works, contact us now.