Is the real threat to our security APTs or apathy? We all know that the software on our systems contains vulnerabilities and needs constant patching. And malware generally attacks well-known vulnerabilities that we have the ability to fix. So why isn’t it done?
“If you can implement a good vulnerability management programme, to identify where you are vulnerable, and then have a good patching regime to get rid of those vulnerabilities, malware becomes less of an issue. And this is something we’ve known about for years,” explains Gavin Millard, EMEA technical director at Tenable Network Security.
Conflicting goals between security, IT operations and the business have led to patchy patching. People also like to reach for ‘silver bullet’ solutions, such as fancy new firewalls or anti-malware products. But these don’t address the core problem: knowing what you have in your IT estate (what systems, what software) and what vulnerabilities those systems contain.
Too many firms are scanning their networks for vulnerabilities infrequently. But while it’s easy to blame people for not patching, this is becoming an increasingly complex task.
“The complexity of IT environments has changed dramatically,” says Millard. This is especially true now that firms commonly have at least some of their environment hosted in the cloud. Work practices have changed too, and so has the variety of devices we connect. So the old approach of scheduled scanning now needs to be backed up by some form of continuous monitoring.
Ultimately, a lot comes down to understanding the risk a vulnerability presents to your business, that is, its potential impact, and prioritising accordingly.
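To make the prioritisation point concrete, here is a small added example (not code from the article, Tenable or Gavin Millard) that ranks a constructed vulnerability inventory by business risk rather than by raw severity alone. The weighting factors, patch windows, host names and vulnerability identifiers are all assumptions chosen for illustration; a real programme would take its severity data from its scanner and its asset criticality from its CMDB.

```python
# Added example: risk-based prioritisation of scanner findings.
# All weights, thresholds and the SAMPLE inventory below are constructed
# assumptions for illustration, not a published scoring method.
from dataclasses import dataclass


@dataclass
class Finding:
    host: str
    vuln_id: str            # placeholder identifier, not a real CVE number
    cvss: float             # scanner severity, 0.0 .. 10.0
    asset_criticality: int  # 1 (lab box) .. 5 (business-critical system)
    internet_exposed: bool  # reachable from outside the network
    exploit_known: bool     # public exploit or active malware observed
    days_open: int          # how long the finding has been known


def risk_score(f: Finding) -> float:
    """Severity scaled by what the asset is worth and how reachable it is.
    Assumed weights: exposure x1.5, known exploit x2.0."""
    score = f.cvss * f.asset_criticality
    if f.internet_exposed:
        score *= 1.5
    if f.exploit_known:
        score *= 2.0
    return round(score, 1)


def patch_window_days(score: float) -> int:
    """Assumed remediation SLA tiers derived from the risk score."""
    if score >= 60:
        return 7
    if score >= 30:
        return 30
    return 90


def prioritise(findings: list[Finding]) -> list[Finding]:
    """Highest business risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def severity_only(findings: list[Finding]) -> list[Finding]:
    """The naive ordering, for comparison: CVSS alone, ignoring context."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def overdue(findings: list[Finding]) -> list[Finding]:
    """Findings that have outlived the patch window their risk tier allows."""
    return [f for f in findings if f.days_open > patch_window_days(risk_score(f))]


# Constructed sample inventory (hosts and vuln ids are placeholders).
SAMPLE = [
    Finding("web01", "VULN-A", 7.5, 4, True, True, 10),
    Finding("db01", "VULN-B", 9.8, 5, False, False, 20),
    Finding("lab03", "VULN-B", 9.8, 1, False, True, 100),
    Finding("hr-laptop", "VULN-C", 5.3, 3, False, False, 5),
]

if __name__ == "__main__":
    print("By severity only:", [f.host for f in severity_only(SAMPLE)])
    print("By business risk:", [(f.host, risk_score(f)) for f in prioritise(SAMPLE)])
    print("Overdue:", [f.host for f in overdue(SAMPLE)])
```

Sorting by CVSS alone puts the two 9.8 findings first, including the one on a throwaway lab box, while the internet-facing web server with a known exploit drops to third. Weighting by asset value and exposure reverses that, and attaching a patch window to each tier turns the list into something the operations team can be measured against: the overdue report is the "patchy patching" the article describes, made visible.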