Your business operates online. Whether it’s just for email, a simple website, or a full-featured application that your customers access, it all relies on connections to the wild-west of the internet.
Security vulnerabilities are weaknesses in these systems. The software they are built from is complicated, and it is written by humans, who can and will make mistakes. Once a mistake has been uncovered it soon becomes public knowledge, and attackers can then scan the entire internet, your services included, for signs of a system that has the same weakness. Exploiting it is often the first step in compromising your business.
It’s a bit like a burglar walking down a street – all the doors may look like they’re closed, but as he goes past enough houses, waggling the door handle of each, eventually he’ll find one that’s been left unlocked and makes his way in.
How do you know if your systems are vulnerable?
There are many tools out there which allow you to scan your own systems and check for such weaknesses. Some are commercial software, while others are freely available open source tools. They do require some level of IT expertise to operate, and to interpret their output, but they are very effective in helping an organisation understand where its defences may be lacking. Among the most popular are Nessus and OpenVAS.
How often should I check for these issues?
Continuous or daily scanning is the best answer, but as a minimum a monthly scan will surface new issues in a reasonably timely manner. It is also worth running an extra scan whenever a significant change is made to your systems, or when a widely publicised vulnerability is announced.
We’ve found a number of vulnerabilities, what do we do now?
The first step is to look at the Common Vulnerability Scoring System (CVSS) score given to each vulnerability in the report. Scores run from 0 to 10; the higher the score, the greater the risk, and a score at or near 10 indicates that the system can be completely compromised with little effort, typically over the network and without needing any credentials. (In plain English, an attacker could take control of the system and any information within it.)
Once the vulnerabilities have been prioritised, your IT people need to get to work. They will have to find the relevant software fix (usually known as a patch), test it, and then apply it to your live systems. Vendors usually release fixes at the time a vulnerability is disclosed, or within a few days of it becoming public knowledge.
If a fix isn't forthcoming, and the CVSS score indicates a significant risk, then there may be other approaches that can be taken, such as restricting who can reach the affected service or disabling the vulnerable feature, or as a last resort the service might need to be taken offline while an alternative is put in place. This also highlights the importance of running up to date versions of software, and ensuring that the vendor has a support model in place, although with niche industry software this is sometimes easier said than done. It's worth checking this now, in advance of such an issue emerging.
After each fix is implemented, the scan can be re-run to ensure that the vulnerabilities have been cleared before moving on to the next in the list.
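As an added example (not part of the original article), here is a small Python script that carries out the triage and verification steps described above: it reads a scan export, orders the findings by CVSS base score, labels each one with its CVSS v3 qualitative band, and compares a "before" and "after" export to show which findings the fixes cleared and which remain. The CSV layout, hosts and finding names are constructed for the example; real Nessus and OpenVAS exports carry many more columns, but the same approach applies.

```python
"""Triage a vulnerability-scan export by CVSS and verify fixes against a re-scan."""
import csv
import io

# Constructed sample exports (not real scan output). The three columns assumed
# here mirror the host / finding name / CVSS base score that scanner CSV exports carry.
SCAN_BEFORE = """host,finding,cvss
10.0.0.5,Outdated OpenSSH version,9.8
10.0.0.5,TLS 1.0 enabled,6.5
10.0.0.8,Apache HTTP Server end of life,7.5
10.0.0.8,HTTP TRACE method enabled,5.3
10.0.0.12,SMBv1 enabled,8.1
10.0.0.12,Banner reveals software version,0.0
"""

# Constructed re-scan taken after the OpenSSH, Apache and SMBv1 fixes were applied.
SCAN_AFTER = """host,finding,cvss
10.0.0.5,TLS 1.0 enabled,6.5
10.0.0.8,HTTP TRACE method enabled,5.3
10.0.0.12,Banner reveals software version,0.0
"""


def severity(score):
    """Map a CVSS v3.x base score to its qualitative severity band."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"        # 0.1 - 3.9
    if score < 7.0:
        return "Medium"     # 4.0 - 6.9
    if score < 9.0:
        return "High"       # 7.0 - 8.9
    return "Critical"       # 9.0 - 10.0


def parse_report(text):
    """Read a CSV export into a list of dicts with the CVSS score as a float."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["cvss"] = float(row["cvss"])
        rows.append(row)
    return rows


def prioritise(findings):
    """Highest CVSS first; ties broken by host and finding so the order is stable."""
    return sorted(findings, key=lambda f: (-f["cvss"], f["host"], f["finding"]))


def triage(report_text):
    """Return (host, finding, score, band) tuples in the order they should be worked."""
    rows = prioritise(parse_report(report_text))
    return [(r["host"], r["finding"], r["cvss"], severity(r["cvss"])) for r in rows]


def open_findings_at_or_above(report_text, threshold):
    """Findings still present with a CVSS score at or above the given threshold."""
    return [r for r in parse_report(report_text) if r["cvss"] >= threshold]


def compare_scans(before, after):
    """Return (fixed, remaining, new) as sorted lists of (host, finding) keys.

    A finding counts as fixed only when the re-scan no longer reports it on the
    same host; anything the re-scan reports for the first time is flagged as new.
    """
    key = lambda f: (f["host"], f["finding"])
    before_keys = {key(f) for f in before}
    after_keys = {key(f) for f in after}
    fixed = sorted(before_keys - after_keys)
    remaining = sorted(before_keys & after_keys)
    new = sorted(after_keys - before_keys)
    return fixed, remaining, new


if __name__ == "__main__":
    print("Work list, highest risk first:")
    for host, name, score, band in triage(SCAN_BEFORE):
        print(f"  {score:4.1f} {band:8} {host:10} {name}")
    fixed, remaining, new = compare_scans(parse_report(SCAN_BEFORE), parse_report(SCAN_AFTER))
    print("Cleared by the fixes:", fixed)
    print("Still open:", remaining)
    print("Newly reported:", new)
    print("High or Critical still open:", len(open_findings_at_or_above(SCAN_AFTER, 7.0)))
```

The comparison is keyed on host and finding name rather than on score alone, so a finding that merely dropped in score is still reported as open, and anything the re-scan picks up for the first time (for example a regression introduced by the patch) is listed separately rather than hidden in the totals.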
By regularly reviewing and acting on the vulnerability report, you'll be making your business a much harder target for attacks, and the criminals may well move on to easier targets.