In 2014, we’ve seen two major security vulnerabilities – Heartbleed and Shellshock – that have sent many organizations scrambling to respond. Both of these bugs were extremely widespread, affecting technologies that make up the foundation of the web. The fixes for both vulnerabilities were similar, too: organizations had to identify vulnerable systems and then apply a patch accordingly. But for many businesses, the solution was harder and slower than it should have been. This year’s back-to-back sequence of bugs and fixes highlighted a troubling trend among businesses: insufficient institutional awareness of their own systems. And this blind spot isn’t just weakening organizations’ ability to address major security vulnerabilities – it’s making them less secure all the time.
The System and Application Inventory Problem
Applying patches and otherwise updating your system isn’t an occasional necessity prompted by big bugs like Heartbleed and Shellshock – it’s a common process. At least, it should be. Less dramatic bugs and related patches emerge constantly, and keeping your systems up-to-date is one of the first lines of defense for your network. But in order to update your systems effectively, you have to understand the devices, software, and data that constitute the system. Otherwise, your updates likely won’t be comprehensive. Unfortunately, watching businesses apply a particularly urgent patch reveals that many organizations simply don’t have a good inventory of their systems. To accomplish a relatively straightforward fix, these businesses have to put in a great deal of time to find out which systems they’re using and which systems need the patch. The process can be costly, in terms of time and productivity, and until it’s finished, the systems in question may remain vulnerable. When you can’t immediately identify the relevant details about your network, it adds an entire extra phase to your response process, a sometimes lengthy and expensive stage that didn’t have to happen at all. And if you apply the patch without making a comprehensive survey of your systems, you may never truly address the vulnerability, leaving your network open to attack.
Good Network Hygiene – Detailed Inventory Document
For all the reasons above, one of the core tenets of InfoSec and network hygiene more generally is keeping a comprehensive, detailed inventory of your systems. This inventory should be kept up-to-date as a living document that may be accessed quickly and easily during a security event. You can do this manually or using software designed to keep track of your systems in a continuous, automated way. Most organizations have a small subset of systems that process their most sensitive data, such as financial information or protected health information. As businesses conduct their inventories, they should ensure that they are keenly aware of these systems in particular. Ultimately, the most important thing is for organizations to make the inventory process regular, disciplined, and methodical. The issue boils down to a simple truth about problem-solving: in order to develop the most effective possible solution to a challenge, you have to understand the full scope of the problem as well as you can. If you have a detailed and accurate inventory, you’ll be better prepared to respond to the kinds of vulnerabilities we’ve seen with Heartbleed and Shellshock – and any new challenges that lie on the horizon.