A risk reduction recipe for vulnerabilities


Kobalt’s study of over 1000 Canadian SMB tech companies showed over a third have highly vulnerable, internet facing services. Identifying this risk is helpful, but having a clear recipe to follow on how to address and reduce this risk and prevent reoccurrence is also important. Here’s a simple five step process to follow.

  1. Identify the asset owners

  2. Deprecate unmanaged and unowned assets

  3. Develop and publish an IT Asset and Vulnerability Management policy

  4. Measure and track progress against your policy

Identify your assets

Every asset that regularly connects to your production networks counts. BYOD devices. Servers. Laptops. Firewalls. Mobile devices. IoT devices. The Raspberry Pi plugged into the wall, the smart thermostat, the IP CCTV, printers, fax machines, the wifi unit. You can buy and use an inventory management tool to track these assets, or a simple spreadsheet. A few ways to build out your list:

Nmap – network scanner – run against your IP blocks.

WiFi routers, Firewalls – list devices that get an IP address or send traffic.

In addition to the top level asset, software stacks on a given system also need to be monitored and updated. The Linux server OS needs to be patched, but so does the Apache server running on top and the Drupal content management system, PHP plugins and more.

Cloud services also count as assets. SaaS services are typically patched and maintained by the provider. Hosted servers, WordPress sites, anything that shows up in your DNS records needs to be identified and tracked.

What doesn’t count? Devices with no IP address devices (dumb water coolers, fridges, toasters). Devices that only connect infrequently to fully segmented guest networks (although a best practice is still to keep a record of those devices but that’s beyond most small organizations).

In order to do this with any level of success, automation eventually becomes key or the mundane aspect of this work will lead to it never getting done.

"If the asset doesn’t have an owner, decommission it, or an owner needs to be found if critical to the business."

Identify the asset owners

Someone needs to be responsible for every asset. Track this in your asset management tool or spreadsheet. Put a name or a role against every asset listed. Know who is the admin for any cloud services as well.

Deprecate unmanaged and unowned assets

If the asset doesn’t have an owner, decommission it, or an owner needs to be found if critical to the business. Don’t just recycle old servers – make sure you identify any data that needs to be retained and destroy stored data before donating the device or recycling it. Printers and fax machines also have hard drives and store data that can be sensitive and need to be properly disposed of.

Develop and publish an IT Asset and Vulnerability Management policy

In short, your policy needs to outline the responsibilities of asset owners (keeping their device secure with appropriate software controls, up-to-date, patched). Asset owners should subscribe to security updates and notifications, and decommission assets when no longer needed. Your vulnerability management policy should have timelines for patching and resolution of any vulnerabilities, ideally with a shorter time frame associated with vulnerabilities with high Common Vulnerability Scoring System (CVSS) scores. Typical examples include minimum monthly updates for all systems, and timeframes of two to seven days for critical or high vulnerabilities, sometimes with faster resolution times for internet connected hosts or systems that store sensitive data. There should be plans for compensating controls if you can’t patch quickly – monitoring, additional levels of security, etc.

Measure and track progress against your policy

Develop a mechanism for tracking progress against your policy. In a small organization, this might be a quarterly review that is conducted somewhat manually. In a larger organization, this might involve using a commercial tool (like Tenable) that does automated scanning and patching and provides regular reports. Start with a baseline (understand your current level of vulnerability) address any long standing issues, and then work towards shorter patch cycles and a consistent process. Identify areas of strength and weakness, and consider changing asset owners or administrative roles when certain areas lag.

It’s not all bad news

The good news is that increasingly, systems and software auto-update. Generally, with the exception of mission critical systems that need to maintain high degrees of availability, these auto-update features should be applied everywhere possible. Cloud services also help – the provider of these services are typically responsible for updates and patches to their systems – although in some cases (WordPress sites being a prime example) that responsibility is passed back to the administrator.

Areas of focus should be systems that contain sensitive data, security tools, BYOD devices and policies, and any internet facing services. Forgotten, unpatched systems are a frequent source of breaches and data loss in organizations small and large. Following the recipe above will help your organization avoid these incidents, and also reduce day-to-day security issues by making certain your systems are up-to-date and not vulnerable to wide-spread attacks.