The Changing Vulnerability Landscape
How much does your organization know about the software vulnerabilities that put data and users at risk? Chances are it is less than you think. Software vulnerability management can significantly reduce enterprise risk, and this paper offers a risk reduction plan, demonstrates why vulnerability management is important today, and offers eye-opening statistics as to the nature and breadth of the issue.
It is not surprising that keeping data secure and keeping users safe continues to challenge organizations of every size and type. There has been an explosion in the number of applications used to conduct business in recent years. This multidimensional expansion includes continued growth in mobile devices and enterprise application spending exposing new attack surfaces that malware can prey upon.
Businesses rely on a large number of commercial offthe-shelf software (COTS) and may develop custom applications for specific functions. Unfortunately, software of all kinds – whether written in-house or by a third party – can introduce new risks. First, the vendor code itself may contain exploitable vulnerabilities. Secondly, commercial software products are increasingly created using opensource tools and libraries. Although this open source code is not necessarily in itself a security risk, there is risk in the inherent simplicity of bundling contributed open-source libraries and code in a variety of products and contexts that could unknowingly put systems at risk.
Additionally, there are millions of server and client PCs running obsolete Operating System (OS) versions. The end of support for MS Windows Server 2003 in April 2015 has left innumerable organizations to rely on servers that are no longer receiving security patches and thus are at tremendousrisk of attack. The same is true for Windows XP. Two years after end of support, the operating system holds 10.9% of market share. This figure is just smaller than the share for Windows® 7 and Windows 10 and larger than other Windows versions and all Mac OS® X and Linux® systems.
As the attack surfaces evolve, so too do the malware writers. They have morphed over the past decade from “script kiddies” of years past trying for a little internet notoriety into global criminal enterprises whose sole purpose is to uncover information of value and sell it to the highest bidder, or hold a business owner hostage by encrypting their disks and demanding a king’s ransom for the key.
What can an enterprise do today to be prepared for tomorrow?
Action Strategy: What every enterprise can do now to reduce threats
- Play to strengths and know your weaknesses You cannot fix what you cannot see. The road to threat reduction begins with an assessment of the applications in use and the attack surface they present. Every business should begin by taking an enterprise-wide inventory that encompasses every server and every client PC (Windows, Mac or Linux) regardless of their physical location to create a comprehensive inventory of all software, including SaaS and web applications in use. Businesses are often surprised to discover they had greatly underestimated the number of applications believed to be in use, often thanks to line of business users who provision their own applications (either SaaS or on-premises COTS) without IT’s knowledge or blessing.