By Julia Sowells – Senior Information Security Specialist at Hacker Combat,
Software vulnerabilities – issues that every company, every organization has to face consistently; still, there are many companies that leave security vulnerabilities unpatched.
It’s really important that companies keep tracking all the different software that’s used in their environment. They need to keep themselves updated as regards security risks that are there in any software that they use and they need to ensure that these vulnerabilities are patched as and when they are detected.
To be noted is the fact that delay or failure in patching vulnerabilities have led to major security breaches. The WannaCry outbreak, the Equifax breach etc are examples.
There are some very basic things that organizations need to attend to, in regards to detecting and patching vulnerabilities. Let’s take a look at the same:
Inventory your software
Just as it’s important to know about vulnerabilities in your software, it’s equally important to know where the software is running in the organization and also which version is being used. Hence, it’s really important for any company to inventory the software that’s being used. The time spent on this is never misspent, it’s always for the good of the company.
Look for vulnerabilities in non-traditional technology as well
This is important as well. Companies use non-traditional informational technology as well, like for example IoT devices. IoT devices like routers, digital video recorders that are used for conference calls etc could also have vulnerabilities and these vulnerabilities could be exploited by hackers waiting to sneak into enterprise networks. There are criminals who exploit vulnerabilities in IoT devices and then use them as botnets to carry out further attacks, like DDoS attacks, The Satori botnet, which was formed exploiting a vulnerability in Huawei routers is a good example. Hence every company should look for vulnerabilities in non-traditional technology as well and keep patching them from time to time too.
Make it a point to secure legacy apps with known vulnerabilities
There are many legacy apps with known vulnerabilities- apps the companies have to depend on a lot for carrying out their business. For example, there are some versions of Java that have known vulnerabilities, and companies have to depend on Java to a great extent. Similarly, there are known and exploitable vulnerabilities in Adobe Flash too. Companies must have a proactive approach as regards identifying all their business applications and monitoring the health of their software. It’s not advisable to wait until an attack is in the wild before going for a patch, it’s always good to do it on time.
Always mitigate vulnerabilities that impact the company’s basic IT technology
There are many vulnerabilities that would not lead to cyber attacks but would directly impact the information technology of a company. Such vulnerabilities could also help hackers too in data harvesting. Companies should focus on mitigating such vulnerabilities as well.
Always manage dependencies and third-party components
For any company, it’s important to manage and monitor all dependencies plus all the third-party components that are incorporated into the software that are used. Regular audits would help companies detect and fix vulnerabilities that could exist in components provided by third-party vendors.It’s good for any company to have the practice of checking for known security vulnerabilities in its dependencies.
Julia Sowells is a security geek with almost 5+ years of experience, writes on various topics pertaining to network security.