My favourite myth is “I use a Mac/esoteric Linux/FreeBSD so I’m safe.” There’s also the myth that scanning, even continual scanning, will find vulnerabilities. Unless you have a complete view of all the IT assets in your organisation, including that EC2 instance that one of your third-party devs span up last night, you can’t possibly hope to scan everything. Time to look at IT Asset Management?…:
[…] The importance of vulnerability management is often discounted or overlooked. Let’s look at and debunk the top vulnerability management myths, so that enterprises may opt to change their practices in ways that make fortifying cyber defenses and reducing risks significantly easier.
Myth 1: Periodic scanning is enough
One common and dangerous myth to dispel is that periodic vulnerability scans are good enough. Not true. Even once a day is no longer enough. New apps and endpoints are added to corporate networks each day — and this does not happen in unison at 8 am. Changes are made throughout the day, which means network compromise can happen at any time. And it can take a mere 18 minutes for hackers to go from foothold to a full-on breach.
Companies can’t just scan once per day, even if they fix a number of vulnerabilities every day. The rate at which new vulnerabilities appear is simply too high. Enterprises must scan continuously to be protected. Fortunately, new vulnerability management solutions make scanning at scale significantly faster and easier without impacting network performance, so there is really no good reason why enterprises should put networks at risk unnecessarily.
Myth 2: Vulnerabilities = patching
Many people equate vulnerabilities with patching. In reality, vulnerability management can be much more detailed and complex. For example, a configuration change might solve an issue, or if a company is running an old piece of software, a patch or configuration update might not be available. In this case, teams might need to put in a mitigating control, such as a firewall or routing change, to prevent certain types of traffic from getting to a port or application. In fact, sometimes mitigating controls work better than patches.
The bottom line is this: to think solely in terms of patching is short-sighted. Taking a broader view of vulnerability management will serve organizations better.
Myth 3: Fixing critical vulnerabilities ensures safety
The view that organizations have to fix Level 5 vulnerabilities first is outdated. Conventional logic goes that the most serious vulnerabilities demand immediate attention. The problem is that cybercriminals are aware of this mentality. As a result, they’ve begun attacking lower hanging fruit in middle-layer vulnerabilities. These are not as attention grabbing; they don’t have people playing beat-the-clock to remediate them, which gives hackers longer to figure out a way in, and they can ultimately cause tremendous damage as they go undetected for long periods of time.
When it comes to vulnerability management, companies need to adjust their approach. They either need to adopt new considerations and ranking systems for how they address vulnerabilities or they should opt for a two-pronged strategy, leveraging automated vulnerability management solutions to immediately remediate lower level vulnerabilities while freeing up team members to fix higher level vulnerabilities simultaneously.
Myth 4: Vulnerability management is no big deal
There is a distinct lack of respect for vulnerability management. Whether it is from teams that adopt a certain arrogance about their abilities — a “my guys can fix anything manually” attitude — or those that operate under the assumption that vulnerability management is a low priority background task, the result is the same: vulnerability management has taken a back seat.
The problem is that there are simply too many vulnerabilities popping up too quickly. Even the most talented, best staffed teams are not equipped to deal with all of them. By viewing them as a lower priority or letting vulnerability management fall by the wayside due to a lack of time or resources, companies open the door to cyberattacks, ultimately making their jobs exponentially more difficult in the long run — not to mention potentially costing their companies millions of dollars if/when a breach occurs.
Some companies that hold cyber insurance policies may feel a false sense of safety. I would urge these organizations to take a look at Merck or Mondelēz, which held policies they perceived will protect them financially in the event of an attack. They were wrong. After NotPetya, their claims have been denied through a loophole that declared NotPetya an act of war. Today, these companies are hundreds of millions of dollars out of pocket and are tied up in legal battles with their insurance companies – battles that are expected to take years to resolve.