Managing Cybersecurity Risks and Vulnerabilities from Discovery to Disclosure
Download New Hikvision White Paper for Insights to Understand Vulnerabilities
As a slate of hackathons and cybersecurity conventions including Black Hat and DEF CON kicked off in early August, hackers and cybersecurity specialists descended upon Las Vegas to workshop and discuss the latest developments in threats and methods to safeguard data. Conventions like DEF CON and Black Hat allow cybersecurity specialists and engineers from a wide range of backgrounds to learn from industry leaders and experts to hone their skills in managing and assessing risks at every stage of the vulnerability management process. As we discussed in our most recent white paper, understanding the various stages of the vulnerability lifecycle is critical for software vendors and security researchers who want to deliver safe and secure software for end users.
How are vulnerabilities discovered?
Vulnerabilities are discovered through many different avenues—both internally by developers who write software and externally by third parties who intentionally look for vulnerabilities in software. Internally, software companies and technology vendors will conduct security testing during software development before putting software into production and making it available to the public. Externally, good-faith security researchers and malicious threat actors constantly look for vulnerabilities in popular software. Some vendors even have bug bounty programs where they award researchers for discovering and disclosing vulnerabilities to them.
How are vulnerabilities disclosed?
The main goal of disclosing vulnerabilities is to reduce the risk of end users’ systems becoming compromised by a threat actor who exploits an unpatched vulnerability. Typically, companies and security researchers follow a coordinated vulnerability disclosure process where both entities wait until the vulnerability has a working patch assigned to it that mitigates further interference from threat actors. Once a patch is ready, the vendor will release the patch alongside a statement that a vulnerability was discovered and that a patch has been released. After a vulnerability has been formally patched, the vulnerability will be logged into the Common Vulnerabilities and Exposures Database (CVE).
How are vulnerabilities managed?
Many vendors are turning to contract workers to assist with the growing number of vulnerabilities discovered and patches released every month due to the constant pressure to manage vulnerabilities in a timely manner. This also expands vendor resources to better safeguard their own systems.
For organizations to adequately protect themselves, they must implement a comprehensive risk-based vulnerability management process. While large organizations are able to hire staff expressly for discovering and patching vulnerabilities, a small organization with limited resources can benefit from an established process that thoroughly assesses risks and prioritizes patching and mitigation based on the level of risk.
Cybersecurity is an ever-evolving challenge and experts must keep up to date with best practices. Events like Black Hat and DEF CON, and insights from our vulnerability white paper, play an important role in helping cybersecurity professionals keep current on how to best protect data and systems.
Download your copy of the report here, “Understanding Vulnerabilities: Insights Into the World of Software Vulnerabilities and Vulnerability Management.”