Is Vulnerability Management Enough to Prevent Ransomware?

03.01.24
Ransomware has proven to be the number one issue for organizations of all sizes and verticals in the past few years. Nearly all of the organizations that have been breached and ransomed had a vulnerability management solution or process in place. That raises the question: is vulnerability management alone enough?
The Vulnerability Management Play
I think vulnerability management is a common and known solution. It is geared to find and prioritize vulnerabilities in operating systems, applications, services, devices, etc. Nearly every electronic and systematic platform has vulnerabilities, from a basic Windows OS to even the most sophisticated nuclear power plant system. Why? Well, these systems are running some program, which was designed, built, and tested by a human. Humans make mistakes and can’t fully understand where there might be a vulnerability that can be exploited by an attacker.
Where Vulnerability Management Comes Up Short
There are many areas where vulnerability management solutions have let organizations down.
- Everything can’t be “critical”! – When organizations are given a voluminous list of vulnerabilities that need to be remediated, it can be daunting to the point that nothing is fixed.
- You can’t fix everything! – The amount of effort, time, and dedication to fix every possible vulnerability is just too much. There is no way, in a normal business environment, that every vulnerability can be patched. It is just not possible.
- Vulnerability management is just one piece! – Many organizations have been sold or convinced that vulnerability management is the most important security effort that can be performed to prevent breaches. That is just not true!
What Other Security Needs to be Considered?
We have learned a lot over the past few years of attacks and breaches regarding what attackers leverage to enter and move through an organization. It is this real-world experience and analysis that shows us exactly what we need to consider to truly secure an enterprise. In addition to vulnerability management, the following areas should be considered at the same level:
- Misconfigurations – of everything! Operating systems, databases, network devices, communication platforms, remote connectivity platforms, etc.
- Patching – Yes, patching is still a “thing” and still not given the effort it needs. Attackers look for unpatched systems and use well-known tactics against them.
- Identity – Gartner states that identity is one of the top 3 areas that attackers exploit to breach a network. From authentication attacks to complete credential impersonation, identities must be secured.
- Network segmentation – Microsoft said years ago to “assume breach”. If this is the case, then separating networks from one another will help limit lateral movement between different networks.
- External facing devices and networks – Attack surface management from the outside world into your network is real and common. Ensuring that your domains and devices that can be seen from the outside world are secured is essential in your overall quest to secure the network.
Summary
There is much more to truly securing an organization against attacks and breaches than vulnerability management. Ideally, every possible security configuration and control needs to be evaluated and secured. Of course, that is not possible, so looking at the most essential and critical settings and devices is what needs to be done. With this analysis, a prioritization across the entire network needs to be built, so the IT and security teams know what to fix first and can reduce the attack surface efficiently.