Keeping track of what makes an IT environment vulnerable is an ongoing and often difficult task – especially with complex IT estates such as the NHS. Plus, when vulnerabilities are identified within existing security set-ups, how do you know which ones to prioritise and address before others? And how do you keep track of remediation efforts to demonstrate to the board that improvements are being made?
Vulnerabilities are ongoing: a robust management process is required
All modern software contains vulnerabilities; either software defects that require patches to remedy, or configuration issues that require administrative activity to resolve. New vulnerabilities are disclosed all the time and exploitation of these known software vulnerabilities remains the greatest cause of security incidents (take WannaCry, for example).
For this reason, organisations should have a vulnerability management process in place which enables them to know what vulnerabilities are present within their IT estate, so they can address them effectively and close any potential ‘open doors’ for attacks.
The board should ideally be as aware of the major vulnerabilities that exist within their IT estate as they are of their financial status.
Run regular assessments
A regular assessment regime is essential to ensure that organisations are aware of the risks that are present. For NHS organisations, we recommend that a vulnerability assessment of their entire estate be performed on a monthly basis, at the very least. Many software vendors release updates on a monthly cycle (such as Microsoft’s monthly ‘Patch Tuesday’), so a monthly basis seems a logical place to start. Regular assessments will ensure rapid detection of vulnerabilities, allowing mitigating controls to be determined and deployed in a timely fashion.
Prioritise vulnerability fixes
Once vulnerabilities have been identified, they need to be prioritised and then addressed. Prioritisation should take a number of factors into consideration:
- Which are accessible to the largest number of potential attackers?
- Which have the largest impact if exploited?
- Which are affordable to fix?
- And which, if fixed, won’t cause disruption?
The number of potential attackers depends on the accessibility of the vulnerability (for example, is it accessible from the Internet or only from within a secured network?) and also the complexity of the exploitation. If there are publicly available exploits, then the number of possible attackers is much higher than if a weakness is known about but attackers would have to develop their own exploit code.
The impact of exploitation also takes into consideration the possible business and technical impacts. For example, will service be disrupted? Will data be compromised? Will the attacker have the ability to run their own software on the target system? And so on…
Of course, the safest possible practice is to fix all vulnerabilities as soon as the relevant patch is released for affected systems. However, there are also real-world limitations that explain why this is not always possible:
- cost — upgrading servers and workstations to a new platform is costly
- disruption — upgrades disrupt business and resources must be taken away from other IT projects
- compatibility — specialist applications may not operate reliably on newer operating systems
- operations — major software upgrades are inherently risky, and user tools may work differently
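The two lists above (attacker reach and impact on one side, cost and disruption on the other) can be turned into a simple, repeatable ranking so that the monthly assessment produces an ordered remediation queue rather than a flat list of findings. The following is an added illustration, not code from ITHealth or its Assurance Dashboard Service; the scoring weights, the `Finding` fields and the sample findings are all constructed assumptions, chosen only to show how the factors combine and how month-on-month progress can be counted for reporting to the board.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    """One vulnerability on one host, as an assessment tool might report it.

    impact, fix_cost and disruption are on a constructed 1 (low) to 3 (high) scale.
    """
    host: str
    title: str
    internet_facing: bool   # reachable from the Internet, or only from inside the network?
    public_exploit: bool    # is exploit code publicly available?
    impact: int             # 3 = code execution / data compromise, 2 = service disruption, 1 = minor
    fix_cost: int           # 1 = apply a patch, 3 = platform upgrade
    disruption: int         # 1 = no downtime, 3 = major change to user tools


def attacker_reach(f: Finding) -> int:
    """How many potential attackers can reach this weakness (assumed weighting).

    Internet-facing hosts are scored 3 against 1 for internal-only hosts, and a
    public exploit doubles the figure because attackers need not write their own code.
    """
    reach = 3 if f.internet_facing else 1
    if f.public_exploit:
        reach *= 2
    return reach


def priority_score(f: Finding) -> float:
    """Risk (reach x impact) divided by remediation effort (cost + disruption).

    A high score means a serious, widely reachable weakness that is cheap and
    painless to fix: the obvious place to start.
    """
    for value in (f.impact, f.fix_cost, f.disruption):
        if not 1 <= value <= 3:
            raise ValueError(f"{f.host}/{f.title}: ratings must be between 1 and 3")
    risk = attacker_reach(f) * f.impact          # 1 .. 18
    effort = f.fix_cost + f.disruption           # 2 .. 6
    return round(risk / effort, 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Order findings so the highest-priority remediation comes first."""
    return sorted(findings, key=priority_score, reverse=True)


def remediation_progress(previous: List[Finding], current: List[Finding]) -> Dict[str, int]:
    """Compare two monthly assessments and count what was fixed, what is new and what remains.

    A finding is identified by (host, title); this is a simplification of how a real
    scanner would de-duplicate results.
    """
    def keys(findings: List[Finding]) -> set:
        return {(f.host, f.title) for f in findings}

    prev, cur = keys(previous), keys(current)
    return {
        "fixed": len(prev - cur),
        "new": len(cur - prev),
        "still_open": len(prev & cur),
    }


# Constructed sample findings (hostnames and titles are invented for this example).
WEB = Finding("web-01", "Unpatched remote code execution in public web server", True, True, 3, 1, 1)
PORTAL = Finding("portal-01", "Weak TLS configuration on patient portal", True, False, 1, 1, 1)
WORKSTATION = Finding("ws-clinic-07", "Clinical workstation on unsupported operating system", False, True, 3, 3, 3)
PRINTER = Finding("printer-3f", "Default administrative credentials on internal printer", False, False, 2, 1, 2)

SAMPLE_FINDINGS = [PRINTER, WORKSTATION, PORTAL, WEB]

# Two consecutive monthly assessments: WEB was fixed, PORTAL appeared, the rest remain.
LAST_MONTH = [WEB, WORKSTATION, PRINTER]
THIS_MONTH = [PORTAL, WORKSTATION, PRINTER]


if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS):
        print(f"{priority_score(f):5.2f}  {f.host:14}  {f.title}")
    print(remediation_progress(LAST_MONTH, THIS_MONTH))
```

The scoring here deliberately rewards cheap, low-disruption fixes on exposed systems; a finding like the unsupported clinical workstation scores low not because it is unimportant but because the upgrade is costly and disruptive, which is exactly the case the article describes as needing mitigating controls rather than an immediate fix. The `remediation_progress` figures are the sort of month-on-month numbers a board summary would carry.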
Plenty of tools and resources exist to assist in the prioritisation of upgrades and vulnerability management, one such being ITHealth’s Assurance Dashboard Service.
The dashboard service simplifies vulnerability management, enabling a more systematic process for vulnerability remediation work. It has been specifically tailored for NHS organisations, so it only summarises information pertinent to NHS IT security defences and adheres to NHS Digital best practice. It ranks and prioritises vulnerabilities and remediation actions so you know exactly where to focus your security efforts, and alerts you to any approaching non-compliance issues before they become a problem. Even better, through regular and consistent scanning the dashboard always shows a live view of your estate, so you can be confident in your true assurance and vulnerability levels at all times. Since ITHealth is solely dedicated to serving the NHS, you also benefit from technical consultants who have a genuine understanding of NHS infrastructures and of the limitations and issues which may prove challenging to effective NHS vulnerability management.
Whatever technology you use, vulnerability management should most certainly form the foundation of any robust security strategy. It is much better to start small and make progress than feel overwhelmed by the task and do nothing.
Take advantage of ITHealth’s free 30-day discovery trial to understand the true vulnerability and assurance levels of your network.
Or read more about ITHealth’s Assurance Dashboard Service.