Vulnerability Management: Patching? Why do I need to patch?

Lynnetta Eyachabbe

Vulnerability Analyst Adam Maxey is sharing information on why you need Vulnerability Management and how OU IT Security can help.

Data security is a big topic in today’s news cycle. Stories of data and personal information breaches are reported almost daily. Most people think these are caused by an elite group of hackers breaking into very secure infrastructures. However, most of the time this isn’t the case. Sometimes the front door is left wide open.

Take, for example, the Equifax breach last year, which compromised the personal data of 143 million people. This breach could have been prevented by simply applying a patch for the web server software the company used, a patch which had been released months before. The Panama Papers leak (11.5 million documents that detail financial and attorney–client information for more than 200,000 offshore entities) was due to unpatched Drupal and WordPress sites, which are both used by millions of people to create websites, blogs, and apps. From higher education, Michigan State had student data stolen when a website they created was left vulnerable to SQL injection, which is a well-documented type of vulnerability. All of these were preventable. Hackers look for easy targets to compromise, and today, off-the-shelf tools can make anyone a hacker with little effort. These are all situations where Vulnerability Management could have helped.

Vulnerability Management is the continuous process of identifying, classifying, remediating, and mitigating vulnerabilities. Vulnerabilities can be many things: out-of-date software and operating systems, default passwords, open ports, or misconfigured applications, just to name a few. It can be very hard to keep up with all these susceptible areas, even for IT professionals. OU IT Security uses tools like Nessus Pro and IP360 to scan for vulnerabilities. We then take the data produced and populate it into tools like Kenna and VulnWhisperer, which help to aggregate the data. Putting all the data in one location allows us to focus on high priority concerns and recognize trends. We also subscribe to several security content feeds which alert us when a new vulnerability is discovered. Through careful analysis and knowing our environment, these tools help us to notify users about issues relevant to them as quickly as possible. Using the tools we have can help focus effort while maximizing effectiveness.
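To make the aggregation step concrete, here is a small added example (not code from OU IT Security or from any of the tools named above) that merges findings from two scanners, ranks them, groups the high-priority ones by owner for notification, and counts how widespread each finding is. The record fields, finding IDs, owners, and the 7.0 threshold are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample findings. Field names and IDs are assumptions for this
# example and are not the export format of any particular scanner.
SCANNER_A = [
    {"host": "10.0.0.5", "id": "EXAMPLE-001", "score": 9.8, "owner": "web-team"},
    {"host": "10.0.0.5", "id": "EXAMPLE-002", "score": 5.3, "owner": "web-team"},
    {"host": "10.0.0.9", "id": "EXAMPLE-003", "score": 7.5, "owner": "lab-admin"},
]
SCANNER_B = [
    {"host": "10.0.0.5", "id": "EXAMPLE-001", "score": 9.1, "owner": "web-team"},
    {"host": "10.0.0.9", "id": "EXAMPLE-004", "score": 9.0, "owner": "lab-admin"},
    {"host": "10.0.0.12", "id": "EXAMPLE-002", "score": 5.3, "owner": "lab-admin"},
]

def aggregate(feeds):
    """Merge (name, findings) feeds into one record per (host, finding),
    keeping the highest score reported and noting which scanners saw it."""
    merged = {}
    for name, feed in feeds:
        for f in feed:
            rec = merged.setdefault((f["host"], f["id"]), {**f, "sources": set()})
            rec["score"] = max(rec["score"], f["score"])
            rec["sources"].add(name)
    # Highest score first; host and id break ties so the order is stable.
    return sorted(merged.values(), key=lambda r: (-r["score"], r["host"], r["id"]))

def notifications(findings, threshold=7.0):
    """Group findings at or above the (assumed) threshold by system owner."""
    by_owner = defaultdict(list)
    for f in findings:
        if f["score"] >= threshold:
            by_owner[f["owner"]].append((f["host"], f["id"], f["score"]))
    return dict(by_owner)

def trend(findings):
    """Count the hosts affected by each finding to surface widespread issues."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["id"]].add(f["host"])
    return {fid: len(h) for fid, h in hosts.items()}

if __name__ == "__main__":
    combined = aggregate([("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B)])
    for owner, items in notifications(combined).items():
        print(owner, items)
    print(trend(combined))
```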

Vulnerability Management is important for any organization. The University environment makes it especially important, because of the number of different devices, operating systems, and types of communication between systems internally and externally. If you support a college, we want to help. If you’re a system administrator, we want to help. If you’re a professor running your own server, we definitely want to help keep your system secure!

How do you get that help? Requesting a vulnerability scan is easy. There is a form located on the IT Service Catalog, and we have a link to it on the IT Security website. We’re happy to scan one machine, or if you have the authority, to scan a range of IP addresses. We’ll supply a report detailing the vulnerabilities found, and if you need assistance, we can help guide you on how to remediate them. If patching your system isn’t an option, due to age or functionality, we can help develop compensating controls to limit the risk. For you self-starters, check out our Best Practices and Cyber Hygiene pages for tips you can follow on your own.

The more secure the systems using the University’s network are, the safer the University’s information will be. Let’s make sure we keep our house safe, and not leave the front door (or any door) open to hackers.