The second step in securing your priority assets is discovering whether there are security or compliance gaps within the application, software, or operating system that a cybercriminal could leverage as an entryway into the network. Unaddressed vulnerabilities, for example, are a common cause of such security gaps. Vulnerabilities come in many forms, but they are typically one of the following:
- Out of date software versions
- Unpatched operating systems
- Siloed applications
- Human error
According to VulnDB, 76.8 percent of all vulnerabilities disclosed in 2017 had fixes available at the time of disclosure. Vulnerabilities of this type can be remediated in as few as 24 hours. For vulnerabilities without a fix immediately available, on the other hand, the average time from disclosure to full repair is 37.5 days.
Given these timelines, it is important that security teams have the tools and security policies in place to minimize the impact these vulnerabilities can have while these patches and updates are made.
Think back to the WannaCry ransomware attack that compromised critical data at organizations around the world. This ransomware spread through a known vulnerability for which a patch was already available. Had these organizations had a better understanding of their high-risk assets and where those assets were vulnerable, they might have had the patch in place, or compensating security controls to manage the risk while the patch was being rolled out.
In addition to locating security gaps in high-priority assets, security teams must also identify compliance gaps. As cyber-attacks become more sophisticated and frequent, various regulatory bodies have issued guidelines and standards that organizations must comply with to minimize the likelihood and impact of a data breach. When developing a security strategy and considering which tools to implement, compliance must be top of mind. This is especially true as organizations increasingly adopt multi-cloud environments, each of which has its own separate controls and policies for data security. Security teams therefore need to understand where additional controls must be added to augment the ones each environment already includes, so that compliance is maintained across all of them.