The National Institute of Standards and Technology (NIST) defines a cybersecurity vulnerability as a weakness in:
Vulnerabilities are quite common, and cyberattackers are adept at finding and exploiting them. So, every organization needs a vulnerability management program. Ideally, that program would take a risk-based approach — more on that in a bit.
Last year, MCP published its first analysis-and-insights report based on the Model for Advancing Public Safety® (MAPS®), which is a proprietary assessment methodology based on industry standards and best practices, as well as the collective knowledge and experience of its 200-plus subject-matter experts. The report’s security chapter identified numerous common vulnerabilities that were uncovered during dozens of MAPS assessments conducted since 2018, as follows:
So, the reader might wonder, where do I start crafting a vulnerability management program? The answer is vulnerability scans and penetration testing. The two sound very similar, but they are quite different. Vulnerability scans are automated: a scanner inventories the environment, checks systems and devices against a database of known weaknesses and misconfigurations, and reports what it finds. Because they are cheap to run, they should be conducted at least weekly, and again after any significant change. Penetration tests are manual: a tester simulates how a cyberattacker might gain access to the network environment, chains the weaknesses the scanner found (and ones it cannot see, such as business-logic flaws) into actual access, and shows what happens to systems and devices afterward. Because they are labor-intensive, they typically are conducted annually, or quarterly for high-risk environments. Scans tell you where the weaknesses are; penetration tests tell you which of them an attacker actually can use, which is the first step toward the risk-based approach described below.
But this only scratches the surface. A deeper dive into vulnerability management requires a significant change in thinking. Typically, when people think of vulnerability management, they picture a tool that scans the environment and reports its findings ranked by Common Vulnerability Scoring System (CVSS) score. And this is where the effort ends, which is a big mistake. The truth is that there are too many vulnerabilities to address them all, and a CVSS base score says nothing about whether a given one is reachable in your environment or worth an attacker's effort. Cyberattackers, for their part, don't try to exploit them all either; they go after the ones that are easy to reach and that pay off. So, a system is needed that prioritizes vulnerabilities and threats by their impact on the organization and their value to the cyberattacker. This is the foundation of the risk-based approach to vulnerability management.
The risk-based approach accounts for factors such as severity, exploitability, and potential impact on the organization and the critical services it delivers. An example of a high-priority vulnerability is one that could lead to a ransomware attack. Such attacks often are catastrophic.
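The prioritization described above, as an added example that is not part of the original post and is not MCP's MAPS methodology: a small Python script that scores each scanner finding by severity (CVSS base score), exploitability (whether it is known to be exploited in the wild and whether the host is reachable from the internet) and impact (how critical the asset is to the services it supports). The multipliers, host names, scanner identifiers and findings are constructed for illustration; a real program would take the "exploited" flag from a feed such as CISA's Known Exploited Vulnerabilities catalog and the criticality rating from the organization's asset inventory.

```python
"""Risk-based ranking of vulnerability-scan findings.

Added example, not MCP's code: combines severity, exploitability and
business impact into one score instead of sorting by CVSS alone.
All multipliers, hosts and findings below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    host: str
    scan_id: str            # scanner's own identifier (constructed values)
    cvss: float             # CVSS base score, 0.0 to 10.0
    exploited: bool         # known exploited in the wild (e.g. listed on CISA KEV)
    internet_facing: bool   # reachable without first gaining a foothold
    criticality: int        # 1 (lab/test) to 5 (supports a critical service)


# Illustrative multipliers (assumptions, not an industry standard).
W_EXPLOITED = 1.5          # attackers already have a working exploit
W_INTERNET_FACING = 1.25   # no internal foothold needed to reach it


def risk_score(f: Finding) -> float:
    """Severity x impact, scaled up for exploitability and exposure.

    A 9.8 on an isolated lab box ranks below a 7.5 on an internet-facing
    server that supports a critical service, because the latter is what
    an attacker can reach, has an exploit for, and gains the most from.
    """
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {f.cvss}")
    if not 1 <= f.criticality <= 5:
        raise ValueError(f"criticality out of range: {f.criticality}")
    score = f.cvss * f.criticality
    if f.exploited:
        score *= W_EXPLOITED
    if f.internet_facing:
        score *= W_INTERNET_FACING
    return score


def prioritize(findings: Iterable[Finding]) -> List[Finding]:
    """Highest risk first; ties broken by CVSS so the order is stable."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def sample_findings() -> List[Finding]:
    """Constructed scan output; not real hosts or real vulnerabilities."""
    return [
        Finding("lab-box",    "SCAN-0001", 9.8, False, False, 1),
        Finding("web-portal", "SCAN-0002", 7.5, True,  True,  5),
        Finding("records-db", "SCAN-0003", 8.8, True,  False, 3),
        Finding("kiosk",      "SCAN-0004", 5.3, False, True,  2),
    ]


if __name__ == "__main__":
    findings = sample_findings()
    cvss_only = sorted(findings, key=lambda f: f.cvss, reverse=True)
    print("CVSS-only order: ", [f.host for f in cvss_only])
    print("Risk-based order:")
    for f in prioritize(findings):
        print(f"  {risk_score(f):6.2f}  {f.host:12} cvss={f.cvss} "
              f"exploited={f.exploited} exposed={f.internet_facing} "
              f"criticality={f.criticality}")
```

Run as-is, the script shows the point of the section: sorted by CVSS alone, the isolated lab host with a 9.8 comes first; sorted by risk, the internet-facing, actively exploited 7.5 on the host that supports a critical service comes first and the lab host drops to last. The multipliers are deliberately simple so they can be replaced with whatever the organization's own impact analysis justifies.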
For example, the city of Dallas suffered a ransomware attack last month that affected numerous city servers and caused several noteworthy service interruptions. The police and fire department websites reportedly were knocked offline while the municipal court system’s records-management system stopped operating, forcing the postponement of numerous cases. The 311 system also was affected — while calls still were answered, nonemergency service requests were delayed — and the city’s water department could not process online payments. The attack also affected the police department’s computer-aided dispatch (CAD) system, but a backup system quickly was turned up, so emergency response was unaffected, according to news reports.
This example illustrates that the stakes of inadequate cybersecurity vulnerability management have never been higher. A single incident can cripple an organization's operations, cause severe financial distress, and destroy the organization's reputation. Alarmingly, the frequency of such incidents in the public sector has risen year after year. Vulnerability management therefore is no longer a mere information technology (IT) expenditure; it is an indispensable business imperative.
MCP’s cybersecurity team is eager to help you develop a vulnerability-management strategy that embraces a risk-based approach — please reach out.
Jason Franks is an MCP cybersecurity analyst. Email him at JasonFranks@MissionCriticalPartners.com