The Importance of a Well-Run Vulnerability Disclosure Program, Part 1
Developing a systematic program to manage vulnerability disclosure and patching is an important component of any IT and cybersecurity professional’s skillset within the physical security industry. In this blog, we discuss the components of a vulnerability management program.
Vulnerabilities are the bugs, flaws or weaknesses in applications, operating systems and software components that can be exploited by threat actors. The threat landscape keeps growing in both complexity and attack surface. In 2020, more than 20,000 vulnerabilities were publicly disclosed, which averages to more than 55 vulnerabilities disclosed every single day. Every PC, smartphone and server runs an operating system that is exposed to this stream of flaws, and the growth of Internet of Things (IoT) connected smart devices such as IP video security cameras, smart thermostats and smart appliances adds still more systems that need to be kept patched.
All these computing systems are running software that needs to be updated regularly as new vulnerabilities are discovered and patches are made available by their software vendors. Some of these patches are installed automatically while others require the software end user to install the patches manually. Even when you are up to date with patches, it is likely that you are running vulnerable software but just haven’t found all of the vulnerabilities yet. This is why managing vulnerabilities is essential, and should be part of an ongoing program within your organization.
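The mix of auto-updating and manually patched devices described above is easiest to manage when the fleet inventory is compared against the vendor's latest fixed version in a repeatable way. The script below is an added example, not code from the original post or from any vendor: it uses a constructed inventory of placeholder device models and a constructed table of "latest fixed firmware" versions (assumed values, not real advisories) and flags which devices still need a manual update. Note the numeric version comparison, which avoids the common mistake of comparing version strings lexically, where "5.7.10" would sort before "5.7.3".

```python
"""Fleet patch-status check (constructed example; device models and versions are placeholders)."""
from dataclasses import dataclass
import re


def parse_version(v: str) -> tuple:
    """Turn a version string such as '5.7.3' or '5.7.10 build 220302' into a tuple of ints.

    Comparing tuples of integers gives the correct ordering; comparing the raw
    strings would wrongly rank '5.7.10' below '5.7.3'.
    """
    return tuple(int(p) for p in re.findall(r"\d+", v))


@dataclass
class Device:
    name: str
    model: str
    firmware: str
    auto_update: bool  # True if the device installs vendor patches on its own


# Constructed inventory: hypothetical names and model identifiers, not real products.
INVENTORY = [
    Device("lobby-cam-01", "CAM-MODEL-A", "5.7.3", auto_update=False),
    Device("dock-cam-02", "CAM-MODEL-A", "5.7.10", auto_update=False),
    Device("nvr-main", "NVR-MODEL-B", "4.1.0", auto_update=True),
    Device("hvac-thermo", "THERMO-C", "2.0.1", auto_update=False),
]

# Constructed "latest firmware that fixes all known issues" table (assumed values).
LATEST_FIXED = {
    "CAM-MODEL-A": "5.7.10",
    "NVR-MODEL-B": "4.2.0",
}


def patch_status(inventory, latest_fixed):
    """Classify each device as current, outdated (auto or manual) or unknown.

    'unknown' means the vendor table has no entry for that model, which is
    itself a finding: the device cannot be verified as patched.
    """
    report = {}
    for d in inventory:
        fixed = latest_fixed.get(d.model)
        if fixed is None:
            report[d.name] = "unknown"
        elif parse_version(d.firmware) >= parse_version(fixed):
            report[d.name] = "current"
        elif d.auto_update:
            report[d.name] = "outdated-auto"   # should self-update; check it actually did
        else:
            report[d.name] = "outdated-manual"  # needs a scheduled manual patch
    return report


def manual_action_needed(report):
    """Return the device names an operator must patch by hand."""
    return sorted(name for name, status in report.items() if status == "outdated-manual")


if __name__ == "__main__":
    status = patch_status(INVENTORY, LATEST_FIXED)
    for name, state in status.items():
        print(f"{name:14s} {state}")
    print("manual patch queue:", manual_action_needed(status))
```

The "unknown" bucket is worth keeping separate from "current": a device whose model is missing from the vendor table has not been shown to be patched, so it should be investigated rather than silently treated as fine.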
Basics of Vulnerability Management
The basic structure of a vulnerability management program includes these three elements:
- Discover the vulnerability
- Report it to the vendor
- Coordinate public disclosure of the vulnerability with a patch
The process begins with the discovery of a vulnerability. Malicious threat actors and ethical security researchers are constantly looking for vulnerabilities in popular software. Hackers seek to exploit these vulnerabilities for personal and financial gain; ethical researchers seek to have them fixed. Typically, when a security researcher discovers a vulnerability in a product, they alert the software vendor that owns and maintains that product. The researcher then works with the vendor to confirm the vulnerability, develop a patch that mitigates it, and test that the patch actually fixes the flaw. Once that is complete, the process moves into its public disclosure component.
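The three steps above (discover, report, coordinate disclosure with a patch) are an ordered lifecycle, and the key rule is that public disclosure waits until a patch exists and has been verified. The following is an added example, not code from the original post or from the HikWire blog: a small tracker that records each stage of a disclosure case with the date it happened, refuses out-of-order transitions, and flags cases where the vendor has not produced a patch within an assumed follow-up window (the 30-day value is an illustrative assumption, not a figure from the post).

```python
"""Coordinated-disclosure case tracker (constructed example; all case data is hypothetical)."""
from datetime import date, timedelta
from enum import Enum


class Stage(Enum):
    DISCOVERED = "discovered"        # researcher finds the flaw
    REPORTED = "reported"            # vendor has been notified
    PATCH_READY = "patch_ready"      # vendor has produced a fix
    PATCH_VERIFIED = "patch_verified"  # researcher confirmed the fix works
    DISCLOSED = "disclosed"          # public advisory published alongside the patch


# Each stage may only move to the next one; disclosure cannot skip patch verification.
ALLOWED_NEXT = {
    Stage.DISCOVERED: {Stage.REPORTED},
    Stage.REPORTED: {Stage.PATCH_READY},
    Stage.PATCH_READY: {Stage.PATCH_VERIFIED},
    Stage.PATCH_VERIFIED: {Stage.DISCLOSED},
    Stage.DISCLOSED: set(),
}

FOLLOW_UP_DAYS = 30  # assumed reminder window for an unanswered report


class DisclosureCase:
    def __init__(self, case_id: str, discovered_on: date):
        self.case_id = case_id
        self.stage = Stage.DISCOVERED
        self.history = [(Stage.DISCOVERED, discovered_on)]

    def advance(self, new_stage: Stage, on: date) -> None:
        """Move to the next stage, rejecting skipped stages and non-chronological dates."""
        if new_stage not in ALLOWED_NEXT[self.stage]:
            raise ValueError(
                f"{self.case_id}: cannot go from {self.stage.value} to {new_stage.value}"
            )
        if on < self.history[-1][1]:
            raise ValueError(f"{self.case_id}: stage dates must be chronological")
        self.stage = new_stage
        self.history.append((new_stage, on))

    def can_disclose(self) -> bool:
        """Disclosure is allowed only once the patch has been verified."""
        return self.stage == Stage.PATCH_VERIFIED

    def date_of(self, stage: Stage):
        for s, d in self.history:
            if s == stage:
                return d
        return None


def needs_follow_up(cases, today: date, window_days: int = FOLLOW_UP_DAYS):
    """Return ids of reported cases with no patch after the follow-up window."""
    overdue = []
    for c in cases:
        if c.stage == Stage.REPORTED:
            reported = c.date_of(Stage.REPORTED)
            if today - reported > timedelta(days=window_days):
                overdue.append(c.case_id)
    return overdue


def build_sample_cases():
    """Constructed cases: one fully patched, one still waiting on the vendor."""
    a = DisclosureCase("CASE-A", date(2021, 1, 4))
    a.advance(Stage.REPORTED, date(2021, 1, 5))
    a.advance(Stage.PATCH_READY, date(2021, 2, 1))
    a.advance(Stage.PATCH_VERIFIED, date(2021, 2, 8))
    b = DisclosureCase("CASE-B", date(2021, 1, 10))
    b.advance(Stage.REPORTED, date(2021, 1, 11))
    return [a, b]


if __name__ == "__main__":
    cases = build_sample_cases()
    for c in cases:
        print(c.case_id, c.stage.value, "ready to disclose:", c.can_disclose())
    print("follow up with vendor:", needs_follow_up(cases, date(2021, 3, 1)))
```

The point of encoding the stages explicitly is that the tracker, not a person's memory, enforces the coordination rule: a call to `advance(Stage.DISCLOSED, ...)` on a case that has not reached `PATCH_VERIFIED` raises an error instead of silently publishing ahead of the fix.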
Check back next week when we’ll discuss the public disclosure process in more detail on the HikWire blog.
You can also download a copy of our Vulnerabilities white paper here.