If your organization needs a compelling reason for establishing or enhancing its vulnerability management program, circle this date in bold, red ink on your corporate calendar: May 25, 2018.
On that day, the EU's General Data Protection Regulation (GDPR) goes into effect, intensifying the need for organizations to painstakingly protect EU residents' data from accidental mishandling and foul play.
While complying with GDPR involves adopting and modifying a variety of IT systems and business processes, having comprehensive and effective vulnerability management should be key in your efforts.
Why? Too many preventable data breaches occur because hackers exploit well-known vulnerabilities for which patches are available but haven't been installed.
This happens because many organizations, including large ones with sophisticated IT infrastructures and resources, lack visibility into their IT assets and their vulnerabilities. Flying blind, they fail to detect and remediate on a timely basis critical bugs, leaving them like low-hanging fruit for cyber data thieves to feast on.
In this installment of our GDPR preparedness series, we'll dive into the topic of vulnerability management and its importance for staying compliant with this regulation. GDPR carries hefty penalties and fines, including one of €20 million or 4% of annual revenue, whichever is higher, and applies to companies worldwide that handle EU residents' personal data.
You won't find detailed prescriptions for specific processes and technologies required for compliance in the text of GDPR. What the 88-page document makes abundantly clear is that both data "controllers" and data "processors" must protect EU customer information through "appropriate technical and organisational measures."
The regulation also stresses the need for organizations to have in place secure IT networks and systems that can "resist, at a given level of confidence, accidental events or unlawful or malicious actions."
"This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems," reads the document.
In the context of GDPR, this means you must do whatever is in your power to prevent accidental or malicious incidents that compromise the "availability, authenticity, integrity and confidentiality of stored or transmitted personal data."
As a basic, foundational InfoSec practice, effective vulnerability management should be a core component of complying with GDPR and its requirements for the protection of EU residents' personal data.
Every vulnerability that has been publicly disclosed represents a potential opportunity for hackers looking to break into your network.
When you methodically, strategically and continuously detect, assess and remediate these bugs, whether through patching or mitigation, you eliminate entry points for cyber criminals, systematically and consistently lowering your risk.
With proper vulnerability management, you "immunize" your IT assets against opportunistic attacks, which are designed to exploit common, well-known bugs and which are the most likely to hit your network.
In its 2016 Data Breach Investigations Report (DBIR), Verizon said hackers view as "oldies that are still goodies" these long-disclosed CVEs (Common Vulnerabilities and Exposures) which remain unpatched in many organizations. "Hackers use what works, and what works doesn't seem to change all that often," reads that study.
To exploit these well-known vulnerabilities, hackers don't use sophisticated, carefully crafted attacks, but rather aim for volume. "They automate certain weaponized vulnerabilities and spray and pray them across the Internet, sometimes yielding incredible success," states the Verizon study.
For example, Kaspersky Lab recently reported that exploits to CVE-2010-2568 — the one used in the Stuxnet campaign years ago — ranked first in 2016 in terms of the number of users attacked, even though a patch for it has been available since 2010.
"The conclusion is a simple one: even if a malicious user doesn't have access to expensive zero-days, the chances are high that they'd succeed with exploits to old vulnerabilities because there are many systems and devices out there that have not yet been updated," Kaspersky stated.
Even if you're not leaving critical vulnerabilities unpatched for years, you must make sure you're as quick as possible in your remediation work.
SANS Institute's second annual survey on continuous monitoring (CM) programs — titled "Reducing Attack Surface" and published Nov. 2016 — found that only 10% of respondents were able to remediate critical vulnerabilities in 24 hours or less, which is the ideal scenario. According to SANS, breach risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer.
A good example of why time is of the essence when dealing with critical vulnerabilities was the WannaCry ransomware rampage that created chaos worldwide in May. WannaCry spread using EternalBlue, an exploit for a Windows OS vulnerability (MS17-010) that Microsoft had patched in March and had rated as "Critical" due to the potential for attackers to execute remote code in affected systems.
Simply put, if most organizations had patched that vulnerability promptly, or at least within a month after its disclosure, WannaCry would have been a non-event. Instead, it infected hundreds of thousands of computers in about 150 countries, severely disrupted the operation of hospitals, utilities, manufacturing plants, telecommunications companies, transportation providers, government agencies and financial institutions, and caused an estimated $4 billion in losses.
Despite the global mayhem caused by WannaCry, which major media outlets covered exhaustively, a researcher found more than 50,000 machines still vulnerable to EternalBlue as recently as mid-July.
Thatâs just one example that illustrates why effective vulnerability management is such an important InfoSec practice.
"Continuous Vulnerability Assessment and Remediation" stands as the fourth most important practice in the Center for Internet Security's (CIS) 20 Critical Security Controls.
CIS estimates that an organization that implements its first five controls — which collectively are considered foundational for cyber security "hygiene" — is able to protect itself against 85 percent of attacks.
"Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their computer systems compromised," CIS states.
Thus, an InfoSec team with flawed or non-existent vulnerability management is at a high risk for data breaches, and, consequently, for GDPR non-compliance.
Effective vulnerability management requires continuously identifying threats, monitoring changes in your network, discovering and mapping all your devices and software — including new, unauthorized and forgotten ones — and reviewing configuration details for each asset.
You need global visibility into your systems' vulnerabilities to stay ahead of attackers, especially today, as digitalization blurs the traditional boundaries of IT perimeters and exposes more and more IT assets on the Internet.
Qualysâ cloud-based Vulnerability Management (VM) continuously identifies exposures so you can defend your organization against attacks anytime, anywhere.
VM maps all assets on the network, detailing their OS, ports, services and certificates, and scans them for vulnerabilities with Six Sigma 99.99966 percent accuracy. It assigns remediation tickets, manages exceptions, lists patches for each host and integrates with existing IT ticketing systems.
In addition, VM generates comprehensive reports customized for different recipients — like IT pros, business executives or auditors — and incorporates context and insight, including progress against goals. Via VM's APIs, the reporting data can be integrated with other security and compliance systems.
When VM is paired with the Qualys Continuous Monitoring (CM) app, you'll be alerted about potential threats — such as new hosts/OSes, expiring certificates, unexpected open ports and unauthorized software — so problems can be tackled before turning into breaches.
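The alert conditions just listed (new hosts, OS changes, unexpected open ports, unauthorized software, expiring certificates) all reduce to comparing two inventory snapshots. The following is an added example written for this article, not Qualys code and not the CM app's logic: it takes two constructed snapshots in an assumed `HostState` shape, an assumed software allow-list and a 30-day certificate warning window (both assumptions), and returns one alert per detected change. It also reports a host that disappeared between scans, which the article does not list but which the same diff gives for free.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class HostState:
    """What one scan (or agent check-in) reported for a host.
    Field names are assumptions for this example, not a product schema."""
    os: str
    ports: Set[int]
    software: Set[str]
    cert_expiry: Optional[date] = None


Snapshot = Dict[str, HostState]          # hostname -> last observed state
Alert = Tuple[str, str, str]             # (alert type, host, detail)


def detect_changes(previous: Snapshot, current: Snapshot, today: date,
                   approved_software: Set[str], cert_warn_days: int = 30) -> List[Alert]:
    """Compare two inventory snapshots and return alerts for the conditions
    the article lists: new hosts or OS changes, unexpected open ports,
    unauthorized software and certificates close to expiry."""
    alerts: List[Alert] = []
    for host, now in current.items():
        before = previous.get(host)
        if before is None:
            alerts.append(("new_host", host, now.os))
            known_software: Set[str] = set()
        else:
            if before.os != now.os:
                alerts.append(("os_changed", host, f"{before.os} -> {now.os}"))
            for port in sorted(now.ports - before.ports):
                alerts.append(("new_open_port", host, str(port)))
            known_software = before.software
        # Flag software first seen in this snapshot that is not on the allow-list.
        for package in sorted((now.software - known_software) - approved_software):
            alerts.append(("unauthorized_software", host, package))
        if now.cert_expiry is not None and now.cert_expiry - today <= timedelta(days=cert_warn_days):
            alerts.append(("cert_expiring", host, now.cert_expiry.isoformat()))
    # A host that stopped answering may have been decommissioned, or may be
    # a forgotten asset that is no longer being scanned; either way, report it.
    for host in sorted(previous.keys() - current.keys()):
        alerts.append(("host_missing", host, "not seen in current snapshot"))
    return alerts


# Constructed sample snapshots: hostnames, ports, packages and dates are invented.
TODAY = date(2017, 12, 20)
APPROVED_SOFTWARE = {"nginx", "sqlserver"}
PREVIOUS: Snapshot = {
    "web01": HostState("Ubuntu 16.04", {22, 443}, {"nginx"}, date(2018, 1, 15)),
    "db02": HostState("Windows Server 2012", {1433}, {"sqlserver"}),
}
CURRENT: Snapshot = {
    "web01": HostState("Ubuntu 16.04", {22, 443, 3389}, {"nginx", "teamviewer"}, date(2018, 1, 15)),
    "db02": HostState("Windows Server 2012", {1433}, {"sqlserver"}),
    "dev03": HostState("Windows 7", {445}, {"smb"}),
}

if __name__ == "__main__":
    for kind, host, detail in detect_changes(PREVIOUS, CURRENT, TODAY, APPROVED_SOFTWARE):
        print(f"{kind:22} {host:8} {detail}")
```

On the sample data this yields a new RDP-range port and an unapproved remote-access package on `web01`, a certificate on `web01` expiring within the window, and a previously unseen Windows 7 host `dev03`; `db02` is unchanged and produces nothing. Routing these through a ticketing or alerting system is the "tackle before it turns into a breach" step the paragraph describes.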
"Continuous monitoring is quickly coming to the forefront as a key activity for the ongoing security of networks, systems and, by extension, enterprises," reads the 2015 SANS Institute continuous monitoring report "What Are Their Vulnerabilities?"
With Qualys CM, you can keep an eye on your global network from the cloud, like hackers are doing right now, and alert the appropriate people to critical security issues, like unexpected network changes.
In addition to Qualys scanners, VM also works with the groundbreaking Qualys Cloud Agents, extending its network coverage to assets that can't be scanned. These lightweight, all-purpose, self-updating agents reside on the assets they monitor — no scan windows, credentials or firewall changes needed — so vulnerabilities are found faster with minimal network impact.
VM also supports your organization's digital transformation efforts through its capacity to monitor hybrid IT environments that include not only on-premises hardware and software but also cloud workloads, mobile devices, IoT systems, DevOps continuous app development and deployment pipelines and other disruptive technologies.
New software vulnerabilities are disclosed daily — to the tune of thousands per year — so organizations must know at all times which vulnerabilities are present in their IT assets (on-premises, in clouds, and on endpoints); understand the level of risk each one carries; and plan remediation of affected IT assets accordingly.
"Vulnerability management has been a Sisyphean endeavor for decades. Attacks come in millions, exploits are automated and every enterprise is subject to the wrath of the quick-to-catch-on hacker. What's worse, new vulnerabilities come out every day," reads Verizon's 2016 DBIR.
If an InfoSec team patches, remediates, and mitigates the right vulnerabilities at the right time, its organization will avoid falling prey to most cyber attacks, and slash its risk of suffering a data breach, whose consequences could include GDPR penalties.
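"The right vulnerabilities at the right time" needs a concrete ordering rule. The example below is added for this article (it is not Qualys code and not a description of how Qualys VM prioritizes) and turns the SANS exposure bands cited earlier on the page (24 hours ideal, one week moderate risk, one month or longer high risk) into a remediation queue. The `Finding` shape, the severity labels and the sample hosts and dates are assumptions; MS17-010 and CVE-2010-2568 are the identifiers the article itself discusses, while the `CVE-EXAMPLE-*` entries are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Exposure bands from the SANS figures cited earlier on the page: fixing a
# critical vulnerability within 24 hours is the ideal, breach risk is
# moderate once it has been open for a week, and high at a month or longer.
IDEAL = timedelta(hours=24)
MODERATE = timedelta(days=7)
HIGH = timedelta(days=30)

# Scanner severity labels, worst first (assumed labels, not a product schema).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
BAND_RANK = {"high": 0, "moderate": 1, "low": 2, "ideal": 3}


@dataclass
class Finding:
    """One scanner finding; field names are assumptions for this example."""
    host: str
    vuln_id: str
    severity: str
    critical_asset: bool              # host stores or processes personal data
    patch_available: datetime         # when the vendor fix was published
    remediated: Optional[datetime] = None


def exposure(f: Finding, now: datetime) -> timedelta:
    """Time the host was (or still is) exposed after a fix existed."""
    return (f.remediated or now) - f.patch_available


def risk_level(f: Finding, now: datetime) -> str:
    """Map time-in-exposure onto the SANS bands."""
    age = exposure(f, now)
    if age >= HIGH:
        return "high"
    if age >= MODERATE:
        return "moderate"
    if age > IDEAL:
        return "low"
    return "ideal"


def remediation_queue(findings: List[Finding], now: datetime) -> List[Tuple[str, str, str]]:
    """Open findings ordered worst-first: longest-overdue band, then
    critical assets before others, then scanner severity, then oldest."""
    open_items = [f for f in findings if f.remediated is None]
    open_items.sort(key=lambda f: (BAND_RANK[risk_level(f, now)],
                                   not f.critical_asset,
                                   SEVERITY_RANK.get(f.severity, len(SEVERITY_RANK)),
                                   -exposure(f, now).total_seconds()))
    return [(f.host, f.vuln_id, risk_level(f, now)) for f in open_items]


def band_counts(findings: List[Finding], now: datetime) -> Dict[str, int]:
    """Findings per band. Closed findings count by how long they were open,
    so the share fixed inside the 24-hour target can be tracked over time."""
    counts = {band: 0 for band in BAND_RANK}
    for f in findings:
        counts[risk_level(f, now)] += 1
    return counts


# Constructed sample data: hosts and exact dates are invented for illustration.
NOW = datetime(2017, 5, 12)
RECENT = NOW - timedelta(days=5)
SAMPLE = [
    Finding("web01", "MS17-010", "critical", True, datetime(2017, 3, 14)),
    Finding("db02", "CVE-2010-2568", "critical", True, datetime(2010, 8, 2)),
    Finding("hr03", "CVE-EXAMPLE-0001", "high", False, NOW - timedelta(days=10)),
    Finding("lab04", "CVE-EXAMPLE-0002", "medium", False, NOW - timedelta(days=2)),
    Finding("mail05", "CVE-EXAMPLE-0003", "critical", True, RECENT,
            remediated=RECENT + timedelta(hours=12)),
]

if __name__ == "__main__":
    for host, vuln_id, band in remediation_queue(SAMPLE, NOW):
        print(f"{band:9} {host:7} {vuln_id}")
    print(band_counts(SAMPLE, NOW))
```

The ordering puts the two month-old critical findings on data-holding hosts at the top, the ten-day-old finding next and the two-day-old one last; the finding closed twelve hours after its patch shipped lands in the "ideal" band and is what the SANS 24-hour target measures. The band thresholds are the only tunable here; an organization would replace them with its own remediation SLA.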
With Qualys VM, you'll be able to consistently address critical vulnerabilities in your most important IT assets on a timely basis, putting your organization in a solid position to withstand the daily attacks from hackers seeking to exploit unpatched gaps and compromise your customer data.
With an effective vulnerability management program in place, you'll be a lot more confident about complying with GDPR when dawn breaks on the morning of May 25, 2018.
To learn more about how Qualys solutions can help you become GDPR compliant, visit qualys.com/gdpr, where you can download our free guide and watch our webcast.
(Jimmy Graham is a Director of Product Management at Qualys.)