If your organization needs a compelling reason for establishing or enhancing its vulnerability management program, circle this date in bold, red ink on your corporate calendar: May 25, 2018.
On that day, the EU’s General Data Protection Regulation (GDPR) goes into effect, intensifying the need for organizations to painstakingly protect EU residents’ data from accidental mishandling and foul play.
While complying with GDPR involves adopting and modifying a variety of IT systems and business processes, having comprehensive and effective vulnerability management should be key in your efforts.
Why? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven’t been installed.
This happens because many organizations, including large ones with sophisticated IT infrastructures and resources, lack visibility into their IT assets and the vulnerabilities those assets carry. Flying blind, they fail to detect and remediate critical bugs on a timely basis, leaving them as low-hanging fruit for cyber data thieves to feast on.
In this installment of our GDPR preparedness series, we’ll dive into the topic of vulnerability management and its importance for staying compliant with this regulation. GDPR carries hefty penalties and fines, including one of €20 million or 4% of annual revenue, whichever is higher, and applies to companies worldwide that handle EU residents’ personal data.
GDPR: A Fierce Regulation for EU Customer Data Protection
You won’t find detailed prescriptions for specific processes and technologies required for compliance in the text of GDPR. What the 88-page document makes abundantly clear is that both data “controllers” and data “processors” must protect EU customer information through “appropriate technical and organisational measures.”
The regulation also stresses the need for organizations to have in place secure IT networks and systems that can “resist, at a given level of confidence, accidental events or unlawful or malicious actions.”
“This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems,” reads the document.
In the context of GDPR, this means you must do whatever is in your power to prevent accidental or malicious incidents that compromise the “availability, authenticity, integrity and confidentiality of stored or transmitted personal data.”
As a basic, foundational InfoSec practice, effective vulnerability management should be a core component of complying with GDPR and its requirements for the protection of EU residents’ personal data.
Immunize Your IT Environment Against Vulnerability Exploits
Every vulnerability that has been publicly disclosed represents a potential opportunity for hackers looking to break into your network.
When you methodically, strategically and continuously detect, assess and remediate these bugs, whether through patching or mitigation, you eliminate entry points for cyber criminals, systematically and consistently lowering your risk.
With proper vulnerability management, you “immunize” your IT assets against opportunistic attacks which are designed to exploit common, well-known bugs and which are the most likely to hit your network.
In its 2016 Data Breach Investigations Report (DBIR), Verizon said hackers view as “oldies that are still goodies” these long-disclosed CVEs (Common Vulnerabilities and Exposures) which remain unpatched in many organizations. “Hackers use what works, and what works doesn’t seem to change all that often,” reads that study.
To exploit these well-known vulnerabilities, hackers don’t use sophisticated, carefully crafted attacks, but rather aim for volume. “They automate certain weaponized vulnerabilities and spray and pray them across the Internet, sometimes yielding incredible success,” states the Verizon study.
For example, Kaspersky Lab recently reported that exploits to CVE-2010-2568 ― the one used in the Stuxnet campaign years ago ― ranked first in 2016 in terms of the number of users attacked, even though a patch for it has been available since 2010.
“The conclusion is a simple one: even if a malicious user doesn’t have access to expensive zero-days, the chances are high that they’d succeed with exploits to old vulnerabilities because there are many systems and devices out there that have not yet been updated,” Kaspersky stated.
Even if you’re not leaving critical vulnerabilities unpatched for years, you must make sure you’re as quick as possible in your remediation work.
SANS Institute’s second annual survey on continuous monitoring (CM) programs ― titled “Reducing Attack Surface” and published Nov. 2016 ― found that only 10% of respondents were able to remediate critical vulnerabilities in 24 hours or less, which is the ideal scenario. According to SANS, breach risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer.
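To make the SANS thresholds quoted above actionable, here is an added example (not from the original post or from any vendor's product) that ages open scan findings against the 24-hour, one-week and one-month marks and orders the remediation queue. The host names, dates and scan results are constructed; the tier label for the unnamed window between 24 hours and one week is my own.

```python
"""Remediation-SLA tracker built on the SANS aging thresholds:
24 hours is the ideal, breach risk is moderate at one week and
high once a vulnerability sits in a critical system for a month.
All scan data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str          # CVE or vendor bulletin id, e.g. MS17-010
    severity: str         # scanner rating: critical / high / medium / low
    first_seen: datetime  # when the scanner first detected it
    patched: bool         # cleared by a later scan

IDEAL, MODERATE, HIGH = timedelta(hours=24), timedelta(days=7), timedelta(days=30)

def exposure_tier(f: Finding, now: datetime) -> str:
    """Map the open exposure window of a finding to a SANS risk tier."""
    if f.patched:
        return "remediated"
    age = now - f.first_seen
    if age <= IDEAL:
        return "within-sla"
    if age <= MODERATE:
        return "past-ideal"   # label assumed here; SANS names no tier for this window
    if age <= HIGH:
        return "moderate"
    return "high"

def prioritize(findings, now):
    """Open findings, most urgent first: highest severity, then longest exposure."""
    tier_rank = {"high": 0, "moderate": 1, "past-ideal": 2, "within-sla": 3}
    sev_rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    open_items = [f for f in findings if not f.patched]
    return sorted(open_items, key=lambda f: (sev_rank[f.severity],
                                             tier_rank[exposure_tier(f, now)],
                                             f.first_seen))

def report(findings, now):
    """(host, vuln_id, tier) rows for the remediation queue."""
    return [(f.host, f.vuln_id, exposure_tier(f, now)) for f in prioritize(findings, now)]

NOW = datetime(2017, 5, 12)  # constructed "today", the week WannaCry hit
FINDINGS = [  # constructed scan results
    Finding("file-srv-01", "MS17-010", "critical", datetime(2017, 3, 15), False),
    Finding("hr-db-02", "MS17-010", "critical", datetime(2017, 3, 15), True),
    Finding("kiosk-07", "CVE-2010-2568", "high", datetime(2016, 11, 1), False),
    Finding("web-03", "PLACEHOLDER-CVE", "medium", datetime(2017, 5, 11, 12), False),
]

if __name__ == "__main__":
    for host, vuln_id, tier in report(FINDINGS, NOW):
        print(f"{host:12} {vuln_id:16} {tier}")
```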
A good example of why time is of the essence when dealing with critical vulnerabilities was the WannaCry ransomware rampage that created chaos worldwide in May. WannaCry spread using EternalBlue, an exploit for a Windows OS vulnerability (MS17-010) that Microsoft had patched in March and had rated as “Critical” due to the potential for attackers to execute remote code in affected systems. Simply put, if most organizations had patched that vulnerability promptly, or at least within a month after its disclosure, WannaCry would have been a non-event. Instead, it infected hundreds of thousands of computers in about 150 countries, severely disrupted the operation of hospitals, utilities, manufacturing