Vulnerability management program best practices
Security vulnerabilities can be disastrous if not addressed. These vulnerability management practices may help improve the security of your network and equipment.
Security vulnerabilities might be a more significant cybersecurity threat than most organizations realize. Though email phishing and social engineering get a lot of attention today (and rightfully so), bad actors also seek out ways to exploit vulnerabilities, or security weaknesses, in networks, software, operating systems, and equipment. Unfortunately for us, there are quite a lot of them.
The Cybersecurity & Infrastructure Security Agency (CISA) vulnerability catalog currently lists over 800 known exploited vulnerabilities. Each of these entries represents an identified vulnerability that bad actors have exploited or are exploiting to infiltrate networks, install malware, and steal confidential data.
Remaining vigilant against both known and unknown vulnerabilities requires careful and constant attention.
We sat down with David Birkemeier, Cybersecurity Director of Huntington’s Threat and Vulnerability Management team, and discussed best practices that can help organizations safeguard against exploitation tactics to improve the security of their networks and equipment.
Patch frequently and often to avoid security exploitation
"The number one piece of advice for individuals and organizations is to stay as current as possible on applications, software, devices, and operating systems. Patch or update frequently, and often. It’s easy to say but can be hard to execute if it’s not a priority."
David Birkemeier, Cybersecurity Director, Threat and Vulnerability Management, Huntington Bank
Organizations that don’t prioritize vulnerability management could face costly consequences. The infamous Equifax data breach is evidence of this.
The Equifax breach in 2017 is one of the most notorious breaches resulting from a known vulnerability. Even after the Apache Struts vulnerability was identified and a patch deployed, 147 million U.S. citizens’ data remained at risk†. The result was a massive blow to the credit reporting agency’s reputation and finances.
While this incident with Equifax is one of the most notorious breaches, it’s just one of many examples of vulnerability exploitation. Frequently applying patches and searching for security holes within your network and equipment can help your organization avoid the same fate.
Implement security scanning tools to detect vulnerabilities
An IT administrator or cybersecurity team, along with asset support groups, typically handles vulnerability management in a corporate environment. Manually identifying vulnerabilities and implementing patches can be burdensome, especially in a larger organization, so Birkemeier recommends scanning tools to assist with the work.
“Security tools continuously scan networks, endpoints, databases, and equipment for vulnerabilities and verify whether patches have been released to address them,” says Birkemeier. “They can also identify irrelevant software to ensure updates are installed to address possible avenues for exploitation.”
Even organizations without a dedicated vulnerability management team can lean on scanning tools to help lower their risk of network compromise.
Consider an automated patching approach
Deploying patches can be tricky if you don’t know they’re available. Automatically downloading and installing patches can take some of the pressure off keeping your systems current, so Birkemeier recommends implementing this approach when possible.
“New patches are always becoming available. For example, browsers such as Chrome or Firefox release patches about twice a month,” he says. “You can set those up to automatically download, so end users’ browsers stay current.”
While you should always be aware of the current threat landscape, automatic patching offers greater peace of mind when critical vulnerabilities surface. Patches for these threats are often deployed quickly, meaning your exposure may be reduced.
Some organizations might disable automatic updates to avoid downtime or software issues, but this can make you a cyberattack target. If automated patching isn’t an option for your operations, install patches manually as soon as they are available. Organizations should establish Service Level Agreements (SLAs) and remediate vulnerabilities within expected SLAs.
Keep employees in the loop about updates and known issues
Employee cybersecurity training often highlights the danger of clicking on desktop pop-ups or accepting software downloads. Those notifications also pop up when deploying critical patches or updates. IT administrators or support groups within an organization should endeavor to notify employees when they will implement patches to help ensure every device remains up-to-date and to avoid employee confusion.
“Informing your teams about which patches are coming and when will lead to greater awareness,” says Birkemeier. “Since patches often follow a regular schedule, your end users will get used to that cadence of installing updates and restarting their computer.”
That familiarity with the organization’s patch installation schedule also serves another purpose. An update notification out of sync with the company’s typical pattern could prompt an employee to pause and report it, possibly helping to avoid a security incident that could lead to a breach.
“Education and communication won’t stop threats, but a vigilant workforce can help prevent bad actors from infiltrating your systems,” says Birkemeier. “Employee awareness is part of a layered security approach to put your company in a better position when an attack occurs.”
Stay in the know about critical network and equipment vulnerabilities
Your organization can’t protect itself against threats it doesn’t know exist. New vulnerabilities and cybersecurity threats are constantly popping up, so paying attention to those trends can help you avoid potential risks.
“Subscribe to cybersecurity newsletters so you can be aware of current, critical vulnerabilities and quickly verify whether or not you’re vulnerable to those threats,” recommends Birkemeier. “If you are exposed to one of these critical vulnerabilities, your organization needs to respond as quickly as possible.”
Below are a few resources to stay up to speed on known threats and vulnerabilities:
Remaining vigilant against vulnerabilities can help protect your organization. Following these best practices can help avoid vulnerability exploitation to keep your network, equipment, and software safer.
For more information about better protecting your organization against cybersecurity threats, contact your relationship manager.
†Federal Trade Commission. 2019. Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach. Accessed September 6, 2022.