Identify vulnerable systems and apply a patch accordingly. Sounds easy enough, but for many businesses this is harder and slower than it should be. Insufficient institutional awareness of their own systems is common among businesses and this blind spot isn’t just weakening organizations’ ability to address major security vulnerabilities – it’s making them less secure all the time.
The System and Application Inventory Problem
Applying patches and otherwise updating your system isn’t an occasional necessity prompted by big bugs like Heartbleed and Shellshock – it’s a common process. At least, it should be. Less dramatic bugs and related patches emerge constantly, and keeping your systems up-to-date is one of the first lines of defense for your network. But in order to update your systems effectively, you have to understand the devices, software, and data that constitute the system. Otherwise, your updates likely won’t be comprehensive.
Unfortunately, what you see when you watch businesses apply a particularly urgent patch is that many organizations simply don’t have a good inventory of their systems. To accomplish a relatively straightforward fix, these businesses have to put in a great deal of time to find out which systems they’re using and which systems need the patch. The process can be costly, in terms of time and productivity, and until it’s finished, the systems in question may remain vulnerable. When you can’t immediately identify the relevant details about your network, it adds an entire extra phase to your response process, a sometimes lengthy and expensive stage that didn’t have to happen at all. Or if you don’t make a comprehensive survey of your systems even when you apply the patch, you may never truly address the vulnerability, leaving your network open to attack.
Good Network Hygiene - Detailed Inventory Document
For all the reasons above, network hygiene more generally is keeping a comprehensive, detailed inventory of your systems. This inventory should be kept up-to-date as a living document that may be accessed quickly and easily during a security event. You can do this manually or using software designed to keep track of your systems in a continuous, automated way. Most organizations have a small subset of systems that process their most sensitive data, such as financial information or protected health information. As businesses conduct their inventories, they should ensure that they are keenly aware of these systems in particular. Ultimately, the most important thing is for organizations to make the inventory process regular, disciplined, and methodical. The issue boils down to a simple truth about problem-solving: in order to develop the most effective possible solution to a challenge, you have to understand the full scope of the problem as well as you can. If you have a detailed and accurate inventory, you’ll be better prepared to respond to the kinds of vulnerabilities we’ve seen with Heartbleed and Shellshock – and any new challenges that lie on the horizon.