Vulnerability management is an often-overlooked part of CPAs’ and accounting firms’ security position. The core of vulnerability management is vulnerability scanning and remediation through patch management.
There are many reasons vulnerability scanning is important including:
- Compliance with regulatory requirements such as those established by FINRA, PCI, HIPAA, SOX, and SEC.
- Determining vulnerability in your network now and as it changes.
Vulnerability scanning allows firms to identify threats and weaknesses across their network — including on web applications and routers, servers, endpoints, switches, and printers. Detecting and correcting vulnerabilities is an important part of a company’s security and is essential to protect data assets from internal and external threats.
It is important to remember that managing vulnerabilities in your firm is an ongoing and never-ending process. Just as today’s security teams benefit from big data, crowdsourcing, and mobile, inexpensive computing, so, too, do bad actors.
Additionally, bad actors have an advantage since they only need to locate one unrepaired vulnerability, while security management teams must find and patch them all.
Continuous Vulnerability Scans
A clean vulnerability scan today doesn’t guarantee the same for tomorrow. An accounting firm can find themselves in a cycle of identifying vulnerabilities and a race to patch them before they are exploited. To avoid this cycle of cat and mouse, accountants should employ continuous vulnerability scans to stay abreast of a constantly changing security terrain.
The scans not only benefit the firm by helping them determine and fix the discovered flaws, it can also help them identify the efficacy of the entire vulnerability management program. Security managers and organization executives can use this information to secure the proper budget for continuous scans.
Not every company has the capacity to carry on continuous vulnerability scans of its network, but there are cost-effective outsourcing options for this needed security.
Defining a Vulnerability Scan
A vulnerability scan shouldn’t be confused with a penetration test. Although the two are sometimes used interchangeably, they are different tests within a company’s vulnerability management system.
A vulnerability scan is conducted using a software package that scans IP addresses for any known vulnerabilities.
It includes four steps:
- Scanning networks by pinging accessible systems or sending TCP/UDP packets.
- Identifying open ports or services on the system.
- Logging in to gather system information.
- Relating system information with vulnerabilities.
An important point to remember about vulnerability scans is like anti-virus software they depend on a database of known vulnerabilities for which to test. Some vulnerabilities that are unknown — referred to as zero-day vulnerabilities — are beyond the scope of a vulnerability scan.
Not All Vulnerability Scans are Equal
Different vulnerability scans operate on different levels and with varying degrees of thoroughness. A simple vulnerability scan may include only a check of the Windows registry and software version to ensure the latest security patches and updates have been installed.
A more thorough vulnerability scan also involve the intentional execution of malicious code to determine if the system is vulnerable.
Prioritize After a Vulnerability Scan
The result of a vulnerability scan is a list of what is discovered, the severity of the vulnerability, and remediation steps. It is critical that an organization evaluate the risks, so they can be dealt with appropriately in keeping with a comprehensive vulnerability management strategy.
A vulnerability ranking provides a list of risks and their scores, using a system such as the Common Vulnerability Scoring System (CVSS). These rankings can be helpful to determine which risks should take priority focus, but a true assessment of the vulnerabilities should consider:
- Is the vulnerability true or is there another explanation?
- Could the vulnerability be exploited from the internet?
- Is it difficult to exploit the vulnerability?
- Is there an exploit code for the vulnerability?
- If the vulnerability is exploited, what is the business impact?
- Are there other systems in place that reduce the chance or impact of exploitation?
- How long has the vulnerability existed on the network?
Another component of CPA firm security is patch management. Patch management is critical to managing vulnerabilities because patches are often released to address security issues. They are also important because bad actors attempt to exploit software vulnerabilities as soon as the software is released. If those actors are successful, patches and a patch management process are necessary to protect your network.
To underscore the importance of vulnerability scanning and patch management consider the fact that malicious actors are using vulnerability scans themselves to find weaknesses and identify the easiest path to infiltrate your system.
A vulnerability scan and patch management system help identify security issues and resolve them before they are exploited by attackers.
Action is Important
While vulnerability scans and patch management are important to a company’s vulnerability management program, they are only valuable if the firm is willing to act based on the results.
For vulnerability scans to be worthwhile, the findings must be studied and remediated. Simply identifying vulnerabilities through a scan does little to improve security. CPAs need trusted partners to ensure their firms are protected should a claim arise from a cyber breach.
The experts at McGowan Program Administrators are here to make sure your firm has the proper risk management resources secured in the event of an unfortunate breach. Give us a call to learn what McGowan can offer as your firm’s trusted insurance provider.