17 March 2022 - BlueFort Security

Understanding what your organisation’s vulnerabilities are is a topic that every CISO needs to know, and what every Board member would rather not; as it covers off so many things such as assessing your host, network and application vulnerabilities and strategies to remediate them. Every year, thousands of new vulnerabilities are discovered meaning that organisations are trying to patch operating systems (OS) and applications and reconfigure security settings throughout the entirety of their network environment.

In this article we are going to understand in more detail what vulnerability management is, what is vulnerability, how to manage the process, how to make it a Board priority and finally, how to find solutions to vulnerability management.

What is Vulnerability Management?

Firstly we must understand what vulnerability management is. Wikipedia best describes the process as, “the cyclical practice of identifying, classifying, prioritising, remediating and mitigating” software vulnerabilities. Vulnerability management is integral to computer security and network security, and must not be confused with vulnerability assessment.”

The most important aspect about vulnerability management is that it is an ongoing process, one used to continuously identify vulnerabilities that can be remediated through patching and configuration of security settings.

This kind of analysis can help organisations stay ahead of the common issues found in cybersecurity and make the necessary changes to ensure that they are protected for present and future requirements.

What is Vulnerability?

Vulnerability is the potential weaknesses that can be exploited by criminals. These can be things such as:

Malware susceptibility – These include computer viruses, computer worms, Ransomware, Keyloggers, Trojan horses, spyware.
Insecure system configurations – This is where a configuration is just plain wrong, either from the start or after changes were made that compromise the security of the application or system. This faulty configuration can then end up getting used everywhere in the company.
Proxy attacks – This is where an attacker will install a proxy through which the user’s network traffic will be passed. The attacker can gather confidential information from the traffic, while retransmitting it back and forth between the victim and a remote website.
Botnet attacks – Botnets are networks of hijacked computer devices used to carry out various scams and cyberattacks. The term ‘botnet’ is formed from the word’s ‘robot’ and ‘network’. Assembly of a botnet is usually the infiltration stage of a multi-layer scheme.

Vulnerability Management Process

The vulnerability management process is a way to define a process so that organisations can identify and address vulnerabilities quickly and continually.

There are 4 stages to the vulnerability management process which include:

First – Determine how critical assets are.
Second – Carry out discovery to create an inventory of assets.
Third – Identify vulnerabilities.
Fourth – Remediate and report.

Once you have identified the 4 stages, the next element to focus on is the processes which make up vulnerability management – 6 in total – each with their own subprocesses and tasks.

Discover – there is no way to secure what you’re unaware of. Firstly, you must take an inventory of all assets across the environment, identifying details including operating system, services, applications and configurations to identify vulnerabilities. This can include both a network scan and an authenticated agent-based system scan. Discovery should be performed regularly on an automated schedule.
Prioritise – You must categorise the discovered assets into groups, and assign a risk-based prioritisation based on criticality to the organisation.
Assess – You must establish the risk baseline for your point of reference, as vulnerabilities are remediated and risk is eliminated. Assessments provide an ongoing baseline over time.
Remediate – Based on risk priorities, vulnerabilities should be fixed (whether via something like patching or reconfiguration). Controls should be in place so that any remediation is completed successfully and progress can be documented.
Verify – Validation of remediation is accomplished through additional scans and/or IT reporting.
Report – Finally, IT executives and the C-Suite all have a need to understand the current state of risk around vulnerabilities. This will help onboard senior staff to the importance of the risks posed to the organisation, as well as clearly document where potential attacks can occur.

Making Vulnerability Management a Board Priority

In order to engage senior management and the Board with the progress that is being made in vulnerability management, you need to find a way to communicate not only what is being done, but the opportunities as well as threats that the organisation faces by doing so. Of course, as previously noted, the process contributes toward raising the Board’s awareness of the need for effective vulnerability management.

There is a clear benefit in having assessed the criticality of various assets and applications, but this must be communicated to everyone.
Determine the risk status to the organisation related to key assets. Think of what can be the ultimate risk to the organisation and why it matters time and money are great examples.
Report metrics to the Board and do this frequently and simply:
- Provide a clear, understandable assessment of the current status.
- Highlight what needs to change.
- Describe how this will be accomplished and what’s needed.
It can be beneficial to alert the Board to what can happen if vulnerability isn’t managed effectively. Again, you must present this as something which relates to the organisation in a way that they can understand; this has cost us x amount of operating hours, or it means that a new I.T system to manage new threats will cost you money.

How to Stay on Top of Vulnerabilities

One of the biggest challenges that CISOs face is communicating just how hard it is to stay up to date with developments in modern cybersecurity and privacy, along with ever evolving vulnerabilities.

Cybercriminals are becoming smarter and using technologies which can have some major organisations struggling to keep up pace with. The average organisation will be exposed to thousands of vulnerabilities every year. Knowing which ones can cause widespread damage to your organisation is essential – and getting prepared for it is even more important.

There are two sources that security practitioners and developers commonly consult:

The Common Vulnerability Enumeration (CVE) program, run by Mitre.
The National Institute of Standards and Technology’s National Vulnerability Database (NVD).

However, there are many unreported vulnerabilities not included in these databases. So it is even more important that future strategies adopt a risk mitigation strategy for unreported vulnerabilities. For example;

Asset management
- Knowing the software titles / versions currently on the network

Vulnerability Management Solutions

There are two principle methods for vulnerability management solutions. These are manual vs modern vulnerability management.

A modern vulnerability management solution is a consistent, systematic approach to ongoing, discovered risk within the enterprise environment. It’s a data-driven approach that helps companies align their security goals with the actions they can take. A manual vulnerability management solution is based on something called, ‘Penetration testing’, which is a manual process relying on the knowledge and experience of a penetration tester to identify vulnerabilities within an organisation’s systems.

Modern vulnerability solutions simplify and automate the process of vulnerability management. Some of these deal with specific elements in the process (such as scanning only), others provide a comprehensive toolkit. Others go beyond vulnerability management to provide additional cybersecurity functionality.

Keep Your Vulnerability Management Up To Date

Understanding what your organisation’s vulnerabilities are is a topic that every CISO needs to know. Vulnerability management is the “cyclical practice of identifying, classifying, prioritising, remediating and mitigating” software vulnerabilities. By understanding how to prioritise the issues and bringing your organisation’s board for greater buy-in, vulnerability management is a process that can protect the present and future success of an organisation.

If you’re looking to protect your organisation or evaluate your cybersecurity requirements or challenges: Tel 01252 917000, email enquiries@bluefort.com or get in touch with us via our contact form

Skills gap analysis is a way to get a better understanding and picture of your teams, and just what they are capable of doing.

When it comes to your cybersecurity skills gap assessment, this is no different, and in today’s ever-changing and fast-paced world, having advanced skills in dealing with issues is more important than ever.

In this article, you will learn about what cybersecurity skills gap affects the marketplace, how to conduct a cybersecurity skills analysis, how to address the skills gap, and finally how to automate certain areas of your requirements, in order to maximise your team’s capabilities across the organisation.

The Cybersecurity Skills Gap

There is a growing concern that we are not equipped to deal with a global individual skills gap in the cybersecurity sector, and the statistics aren’t alleviating the concerns. By 2025 we can see up to 3.5 million openings in the marketplace, meaning that there will be a lot of potential for cyber criminals to inflict greater damage to organisations and systems in the years to come.

The pandemic saw a mass upswing in cyber criminal activity with online transactions sky rocketing, thanks to many forced to stay at home or work from home scenarios. This opened the door to many of the cybersecurity risks that industry experts have been seeing for years including: ransomware, malware, cyber attacks and so on.

With more of us having to change the way we work and our behaviours switching to more internet-based living with the arrival of the Internet of Things, it means that the demand for cybersecurity professionals is set to increase; when there is already a massive shortage of talent. In the UK alone, a Government study found the UK’s cybersecurity recruitment pool has a shortfall of 10,000 people a year.

So what is this all pointing to? In short, cybersecurity is one of the most sought after tech skills in the UK and there aren’t enough people to fill the roles. It also points to the following:

The UK’s cyber skills shortage has surged by more than a third in the past 12 months.
Recent breaches in cybersecurity shows the value of cybersecurity

How to Conduct a Cybersecurity Skills Gap Analysis

There is a need for organisations to better understand what they have, in regards to their cybersecurity skills, and what they need more of. One of the best ways to do this is by carrying out a skills gap analysis.

A skills gap analysis is understanding what the gap between the set of talent required for a job, and the set of skills that a person actually possesses. A skills gap analysis is understanding what your organisation needs from a skill-based level in order to strategically execute plans for the future.

Skill gap analysis system

The method best prescribed for conducting a skills gap analysis is the following:

Confirm/clearly define business objectives
- Where is the organisation going?
- What roles need to be filled to get there?
  What is the timeframe for the organisation to achieve the goals and are they able to based on the current skills available?
Determine what’s needed for success
- The process starts by identifying what skills are actually required. What do you really need in order to execute your business strategy for the present and future? What is going to bring ultimate success?
- What skills are anticipated to be needed?
- Are there future roles/jobs – that don’t currently exist?
What are the current capabilities?
- Can be assessed using SWOT analysis
  - Strengths / Weaknesses / Opportunities / Threats
Identify the skills gaps that need to filled to achieve success
Create appropriate strategies to fill those identified gaps

How to Address Your Cybersecurity Skills Gap

Once you have carried out the skills gap analysis, you need to ask what your organisation can do to fill the identified gaps. Luckily, there are some quick fixes and long-term solutions as well.

Insource or outsource cybersecurity?
- Sometimes your business needs to move faster, and training is a solution that takes longer to implement. That’s where outsourcing/contracting comes into play.
- You can bring in outsourced cybersecurity expertise to fulfil your cybersecurity requirements, and have a short-term solution in place while you look to implement a recruitment or training program in this area for your organisation.
Invest in training
- This could be done internally by someone who has a much deeper understanding of the subject, and can create a learning environment for your team members who need upskilling to thrive. If you had the budget to succeed, you may be able to hire a team to come in from the outside and train your teams. Many cybersecurity organisations will have regular training sessions with third-party trainers, and seasoned experts who teach this type of content for a living.
Hire people with the right/required traits
- Cybersecurity is a discipline that requires ongoing learning, and not just something that you can pass on to a member of your team who doesn’t have the necessary skills or knowledge to perform. It is a skill – skills are learnt over time with training.
- It is therefore important that those engaged in these roles are self-starters who are keen to keep their knowledge and skills up to date.
- Skills and behavioural assessments can give insight into who in the organisation can transfer their skills and knowledge into these areas best.
Make cybersecurity the responsibility of every staff member
- Of course you are only as strong as your weakest link, so it is important to train all staff in how to remain safe and secure when using business IT resources.
- With the rise of ransomware attacks in the last five years, giving your teams the basic knowledge and understanding of what security measures are needed and what the threats are is essential.
Identify cybersecurity threats and weaknesses
- Understanding of an organisation’s threats and weaknesses informs what needs to be done to fill identified gaps. Performing a vulnerability assessment will help to identify where these threats are and what more needs to be done.

Security Automation

Without question, one of the biggest concerns is that thanks to the advanced and rapid pace of cyber attacks increasing, can security automation fill the cybersecurity skills gap?

Following interviews with 500 UK IT decision-makers, Trend Micro found that more than two-fifths (41%) believe that AI will replace their role by 2030. While many others believe that automation is actually causing the issues because of the speed of scriptwriting used to break into analysis systems in the first place.

The answer isn’t so simple. There is a lot to be said about pros and cons of skills gap analysis that many in the industry believe that automation can help deal with a wide range of tasks.

Monitoring
- Software is best at automatically processing huge volumes of IT data, such as log files and script searches.
- Using automation as part of a business’s intrusion monitoring processes can make the task less burdensome, less prone to human error and more timely.
Analysis
- Software is able to analyse huge amounts of data for security issues.
- Robotic Decision Automation (RDA) helps speed up IT security analysis, using machine learning and probability.
Improving staff morale
- Machines and technology can do much of the heavy lifting on cybersecurity, freeing IT staff to focus on the elements of their jobs that require human intelligence and ingenuity.
- This eliminates various boring, repetitive, unappreciated tasks that would otherwise be required to deliver solid cybersecurity.

Assessing Your Company’s Skill Gap

When it comes to running a successful business and the successful teams that lie inside of them, knowing what skills you have and don’t have is an essential component to success. One Government study found the UK’s cybersecurity recruitment pool has a shortfall of 10,000 people a year, and it is expected that there will be a shortage of 3.5 million people in cybersecurity roles by 2025.

Having the right people in place, with the right skills to carry out the roles, is essential to protect organisations and keep cybercriminals at bay. You do this by first analysing your skills gap requirements, and then implementing the right strategy for your organisation.

If you’re looking to protect your organisation or evaluate your cybersecurity requirements or challenges: Tel 01252 917000, email enquiries@bluefort.com or get in touch with us via our contact form.