MCP Insights

Vulnerability Management is Best Achieved via a Risk-Based Approach

Posted on June 28, 2023 by Jason Franks

The National Institute of Standards and Technology (NIST) defines a cybersecurity vulnerability as a weakness in:

  • An information system
  • System security procedures
  • Internal controls
  • Any implementation that a cyberattacker could exploit

Vulnerabilities are quite common, and cyberattackers are adept at finding and exploiting them. So, every organization needs a vulnerability management program. Ideally, that program would take a risk-based approach — more on that in a bit.

Common Vulnerabilities in Public Safety

Last year, MCP published its first analysis-and-insights report based on the Model for Advancing Public Safety® (MAPS®), which is a proprietary assessment methodology based on industry standards and best practices, as well as the collective knowledge and experience of its 200-plus subject-matter experts. The report’s security chapter identified numerous common vulnerabilities that were uncovered during dozens of MAPS assessments conducted since 2018, as follows:

  • Processes and tools that enable the organization to manage its cybersecurity vulnerabilities are lacking.
  • Network and system monitoring tools are lacking.
  • An automated patch-management process is lacking.
  • Port scanning, which enables an organization to determine whether any ports have been left open inadvertently, is lacking.
    • Typically, ports should always be closed until they need to be opened and closed immediately when the need no longer exists.
  • An inventory of devices operating on the network is not conducted regularly, if at all.
  • Password auditing tools or processes are lacking.
  • The organization fails to keep up with security patches that vendors issue.
  • The organization fails to stay abreast of information and emerging or evolving vulnerability trends.
  • Organizations that do stay abreast often fail to act upon what they learn promptly.

Vulnerability Management - Where to Start

So, the reader might wonder, where do I start crafting a vulnerability management program? The answer is penetration testing and vulnerability scans. Penetration tests and vulnerability scans sound very similar, but they are actually quite different. Penetration tests simulate how a cyberattacker might gain access to the network environment and what will happen to systems and devices afterward. Such tests are done manually and should be conducted at least quarterly, or annually. In contrast, vulnerability scans are automated processes that dive more deeply into the identified vulnerabilities to understand better why they exist — such understanding is the key to eliminating each vulnerability. These should be conducted weekly.

Prioritize Vulnerabilities and Threats Based on Impact

But this only scratches the surface. A deeper dive into vulnerability management requires a significant change in thinking. Typically, when people think of vulnerability management, they consider using a tool that scans the environment and reports the findings with a Common Vulnerability Scoring System (CVSS) score. And this is where the effort ends — which is a big mistake. The truth is that there are too many vulnerabilities to address. Similarly, cyberattackers don’t have time to try to exploit them all. So, a system needs to be developed that will prioritize vulnerabilities and threats based on impact, for both the organization and the cyberattacker. This is the foundation of the risk-based approach to vulnerability management.

A Risk-Based Approach

The risk-based approach accounts for factors such as severity, exploitability, and potential impact on the organization and the critical services it delivers. An example of a high-priority vulnerability is one that could lead to a ransomware attack. Such attacks often are catastrophic.
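The prioritization described above, as an added illustration that is not code from the original post or from MCP: a small Python model that combines a scanner's CVSS base score (severity) with exploitability signals and an asset-criticality weight (potential impact on the services the organization delivers), then shows how the resulting order differs from sorting by CVSS alone and attaches a remediation window to each finding. The tier weights, multipliers, remediation windows, asset names and the sample findings are all constructed assumptions for the example, not real scan output.

```python
from dataclasses import dataclass

# Hypothetical business-impact weight per asset tier (constructed assumption).
ASSET_TIERS = {
    "critical-service": 1.0,  # systems the public depends on, e.g. CAD or court records
    "internal": 0.6,          # back-office systems
    "test-lab": 0.2,          # isolated non-production equipment
}

# Hypothetical remediation windows, in days, by risk band (constructed assumption).
REMEDIATION_DAYS = [
    (15.0, 3),   # score >= 15: fix within 3 days
    (8.0, 14),   # score >= 8:  fix within 14 days
    (3.0, 30),   # score >= 3:  fix within 30 days
    (0.0, 90),   # everything else: fix within 90 days
]


@dataclass(frozen=True)
class Finding:
    asset: str
    tier: str
    vuln_id: str           # placeholder identifier, not a real CVE reference
    cvss_base: float       # scanner-reported CVSS base score, 0.0 to 10.0
    exploit_known: bool    # public exploit or active exploitation reported
    internet_facing: bool  # reachable from outside the network


def risk_score(f: Finding) -> float:
    """Combine severity, exploitability and business impact into one number."""
    if f.tier not in ASSET_TIERS:
        raise ValueError(f"unknown asset tier: {f.tier}")
    severity = f.cvss_base / 10.0       # CVSS normalised to 0..1
    exploitability = 1.0                # baseline: no evidence of exploitation
    if f.exploit_known:
        exploitability += 1.0           # attackers are already using it
    if f.internet_facing:
        exploitability += 0.5           # easier to reach, more likely to be tried
    impact = ASSET_TIERS[f.tier]        # what losing this asset means for service delivery
    return round(severity * exploitability * impact * 10.0, 2)


def remediation_deadline_days(score: float) -> int:
    """Map a risk score to a remediation window so findings are acted on promptly."""
    for threshold, days in REMEDIATION_DAYS:
        if score >= threshold:
            return days
    return REMEDIATION_DAYS[-1][1]


def prioritize(findings):
    """Order findings by risk score, highest first."""
    return sorted(findings, key=risk_score, reverse=True)


def cvss_only_order(findings):
    """The order a CVSS-only view would produce, for comparison."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("lab-switch-01", "test-lab", "VULN-0001", 9.8, False, False),
    Finding("cad-web-01", "critical-service", "VULN-0002", 7.5, True, True),
    Finding("file-srv-03", "internal", "VULN-0003", 9.0, True, False),
    Finding("records-portal", "critical-service", "VULN-0004", 5.3, False, True),
]

if __name__ == "__main__":
    print("CVSS only :", [f.asset for f in cvss_only_order(SAMPLE_FINDINGS)])
    print("Risk based:")
    for f in prioritize(SAMPLE_FINDINGS):
        s = risk_score(f)
        print(f"  {f.asset:<15} {f.vuln_id} score={s:5.2f} fix within {remediation_deadline_days(s)} days")
```

With the sample data, a CVSS-only list puts the isolated lab switch (9.8) first, while the risk-based order puts the internet-facing CAD web server (7.5, known exploit, critical service) at the top and the lab switch last. The weights are deliberately simple; the point is that severity, exploitability and impact are combined rather than the scanner's score being used on its own.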

For example, the city of Dallas suffered a ransomware attack last month that affected numerous city servers and caused several noteworthy service interruptions. The police and fire department websites reportedly were knocked offline while the municipal court system’s records-management system stopped operating, forcing the postponement of numerous cases. The 311 system also was affected — while calls still were answered, nonemergency service requests were delayed — and the city’s water department could not process online payments. The attack also affected the police department’s computer-aided dispatch (CAD) system, but a backup system quickly was turned up, so emergency response was unaffected, according to news reports.

No Longer an IT Expenditure - Now a Business Imperative

This example illustrates that the stakes concerning inadequate cybersecurity vulnerability management have reached unprecedented heights. A single data breach can cripple an organization’s operations, create severe financial distress, and/or destroy the organization’s reputation. Alarmingly, the frequency of such breaches in the public sector has escalated consistently year after year. Hence, vulnerability management has transcended a mere information technology (IT) expenditure — it has morphed into an indispensable business imperative.

MCP’s cybersecurity team is eager to help you develop a vulnerability-management strategy that embraces a risk-based approach — please reach out.

Jason Franks is an MCP cybersecurity analyst. Email him at
