You may be hearing more and more these days about new security vulnerabilities being discovered, and may be wondering what that actually means. Simply put, a vulnerability is a weakness that gives cyber criminals an opportunity to infiltrate your systems and compromise or steal your data.
Current data suggests that these vulnerabilities will keep appearing more often: 2017 was a record-breaking year for reported exploitable vulnerabilities, with almost 20,000 security flaws reported over the year. The figures for 2018 are still being tallied; however, a report from RiskBased Security has already noted that more than 10,000 vulnerabilities have been reported, including 3,000 potential flaws that enterprises have failed to patch.
To better understand vulnerabilities, our friends at Trend Micro have grouped them into the following types:
Traditional vulnerability – a programming error or other software issue that hackers can use to sidestep password protection or other security measures and gain unauthorized access to legitimate systems. These are the most widespread type of security vulnerability.
Zero-days – are brand new software issues that have only just been identified and have not yet been patched by vendors. As Trend Micro explained, “that’s because the vendor essentially has zero days to fix the issue or has chosen not to fix it.”
Undisclosed vulnerability – flaws that have been identified and reported, but not yet disclosed to the public, giving vendors time to patch the issue.
So, what can you do to help address these vulnerabilities?
To help keep your enterprise safe from these vulnerabilities, Trend Micro suggests that you follow current security research so that you can apply its findings to your own business. Another step is to stay up to date with updates and patches. However, given the number of vendors and patches, the volume can be too much for your IT team to patch everything immediately. Trend Micro suggests the following patching prioritization scheme to help ease the load on your IT team:
- The severity of the patched issue. Microsoft and other vendors will rate vulnerabilities according to how critical they are to overall risk. More critical patches should be applied as soon as possible, whereas less critical updates can represent a lower priority.
- Vulnerabilities impacting your enterprise’s key software. Similarly, updates for software systems that are used on a daily basis within the enterprise and provide essential functionality should be prioritized over other updates. A patch for software that is only used intermittently, or that only impacts a small number of users in a single department, can be put on the back burner.
- Those currently being exploited. It is important to prioritize patches for vulnerabilities that hackers are actively using to mount attacks.
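As an added example (not part of the original article or of Trend Micro's guidance), here is a small Python routine that ranks a patch backlog by the three criteria above: vendor severity, whether the software is key to the business, and whether the flaw is being exploited. The weights, the tier thresholds and the VULN-x labels are assumptions constructed for illustration, not real identifiers.

```python
from dataclasses import dataclass

# Assumed weights for the three criteria; tune them to your own environment.
SEVERITY_SCORE = {"critical": 4, "important": 3, "moderate": 2, "low": 1}  # Microsoft-style ratings
KEY_SOFTWARE_BONUS = 3      # used daily and provides essential functionality
WIDE_IMPACT_BONUS = 1       # affects many users rather than one small department
EXPLOITED_BONUS = 5         # attackers are actively using it: jumps the queue
WIDE_IMPACT_USERS = 100     # assumed threshold for "many users"

@dataclass(frozen=True)
class PatchCandidate:
    vuln_id: str            # constructed placeholder label, not a real CVE number
    product: str
    severity: str           # vendor rating: critical / important / moderate / low
    key_software: bool      # daily-use, essential system?
    affected_users: int
    exploited_in_wild: bool

def priority_score(p: PatchCandidate) -> int:
    """Higher score means patch sooner. Unknown severity strings score 0."""
    score = SEVERITY_SCORE.get(p.severity.lower(), 0)
    if p.key_software:
        score += KEY_SOFTWARE_BONUS
    if p.affected_users >= WIDE_IMPACT_USERS:
        score += WIDE_IMPACT_BONUS
    if p.exploited_in_wild:
        score += EXPLOITED_BONUS
    return score

def tier(p: PatchCandidate) -> str:
    """Bucket a candidate: patch immediately, next scheduled window, or back burner."""
    s = priority_score(p)
    return "immediate" if s >= 8 else "scheduled" if s >= 4 else "deferred"

def patch_queue(candidates):
    """Return candidate ids ordered from most to least urgent (stable on ties)."""
    return [p.vuln_id for p in sorted(candidates, key=priority_score, reverse=True)]

# Constructed sample backlog for illustration.
SAMPLE = [
    PatchCandidate("VULN-A", "mail server", "important", True, 900, True),
    PatchCandidate("VULN-B", "office suite", "critical", True, 900, False),
    PatchCandidate("VULN-C", "dept. reporting tool", "critical", False, 12, False),
    PatchCandidate("VULN-D", "screensaver utility", "low", False, 5, False),
]

if __name__ == "__main__":
    for p in sorted(SAMPLE, key=priority_score, reverse=True):
        print(f"{p.vuln_id:7} score={priority_score(p):2} tier={tier(p)}")
```

Note that the actively exploited "important" flaw outranks the unexploited "critical" one, and the critical flaw in a rarely used departmental tool lands in the scheduled tier rather than the immediate one.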