First, start with your information asset register: the current version of each asset, who is responsible for it, and where and on what it resides. This should be your guide for assessing and implementing controls to address technical vulnerabilities. Those controls should include monitoring, risk assessment, patching (the average is currently 192 days between a patch’s release and its installation!), asset tracking and the knock-on responsibilities that follow from each. Effective asset management brings additional benefits: organisations can reduce the number of software applications they run, which involves defining which types of application meet the guidelines that support the IT objectives and working to remove those that don’t. Eliminating an application, and moving its data to a more reliable, resilient and manageable repository, improves security because that is one less application to harden, patch, monitor and audit. Be aware that these exercises should not be undertaken lightly: security (availability, integrity and confidentiality) has to be considered first, and data migration projects are not normally small or clean affairs.
Just as an aside, this website, which runs on WordPress, does not see a vast amount of traffic, yet it receives dozens of hack attempts daily. These are generally of two types: script injection and brute-force attempts to log in as an administrator. I like to keep this information available to all, but where the attacks come from non-English-speaking countries (meaning I can’t help them anyway) I block the IP range (which could be over a million IP addresses in one go, down to just a few hundred), the individual IP or, in some cases, the whole country, depending on the firewall settings. Against brute force, my password is computer-generated, dozens of characters long and very unlikely to be guessed; I also change it regularly. Most attacks seem to stem from Eastern Europe, but no continent is left out when it comes to cyber warfare. I’ve even been attacked from Nepal!
Back to patches. Establish a KPI here: how long does it take you to patch, and what is an effective timeline from notification to installation? What should the process cover? Servers, firewalls and AV are the easy cases, but your other systems need patching too: control software, employee devices and mobiles. Patches should be evaluated before installation and, depending on the risk assessment, rolled out as appropriate. If a vulnerability is identified but no patch yet exists, think about turning off the service, adapting access control, increasing monitoring and raising awareness. Maintain an audit log of patch activity and monitor it to check that the process is effective. A procedure should be established to address all of the above. Note: waiting to apply a patch to affect other (external) users is often a way to ensure there are
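To show how the asset register (first paragraph) and the patch KPI and audit log (paragraph above) fit together, here is an added Python example. It is my illustration, not code from the original post: the asset register, the audit-log rows, the dates, the SLA thresholds and the field names are all constructed. Each audit-log row is matched to its owning asset from the register, measured against a risk-tiered SLA counted from the vendor’s release date, and classified as patched within the SLA, patched late, still pending, overdue, known-but-unpatchable (so compensating controls are due), or belonging to an asset the register does not know about, which is the register gap the first paragraph warns against.

```python
"""Patch-latency KPI driven by the asset register.

Added example for illustration; it is not code from the original post.
The asset register, the patch audit log, the dates and the SLA
thresholds below are all constructed, and the field names are my own.
"""
from dataclasses import dataclass
from datetime import date

# Constructed risk-tiered SLA: days allowed from vendor release to install.
SLA_DAYS = {"high": 14, "medium": 30, "low": 90}

# Constructed "today" so the example is deterministic.
TODAY = date(2024, 4, 15)


@dataclass(frozen=True)
class Asset:
    asset_id: str
    name: str
    version: str   # current version
    owner: str     # who is responsible
    host: str      # where / what it resides on
    risk: str      # "high" | "medium" | "low"


# Constructed information asset register.
REGISTER = [
    Asset("A001", "web-cms", "6.4.2", "webteam", "web01", "high"),
    Asset("A002", "edge-firewall", "9.1", "netops", "fw-edge", "high"),
    Asset("A003", "plc-control", "2.3", "ot-team", "plc-line3", "medium"),
    Asset("A004", "mobile-mdm", "11.0", "helpdesk", "mdm-fleet", "low"),
]

# Constructed patch audit log, one row per advisory per asset.
#   advisory: when we were notified of the vulnerability
#   release:  when the vendor shipped a fix (None = no patch exists yet)
#   patched:  when we installed it (None = not yet installed)
AUDIT_LOG = [
    {"asset_id": "A001", "advisory": date(2024, 3, 1), "release": date(2024, 3, 1), "patched": date(2024, 3, 10)},
    {"asset_id": "A002", "advisory": date(2024, 2, 1), "release": date(2024, 2, 1), "patched": None},
    {"asset_id": "A003", "advisory": date(2024, 1, 15), "release": date(2024, 1, 15), "patched": date(2024, 4, 1)},
    {"asset_id": "A004", "advisory": date(2024, 4, 1), "release": None, "patched": None},
    {"asset_id": "A099", "advisory": date(2024, 4, 2), "release": date(2024, 4, 2), "patched": None},
]


def evaluate(register, log, today=TODAY):
    """Classify every audit-log row against the register and the SLA."""
    assets = {a.asset_id: a for a in register}
    findings = []
    for row in log:
        asset = assets.get(row["asset_id"])
        if asset is None:
            # A patch record for something not in the register: the register
            # is incomplete, so nobody owns the follow-up.
            findings.append({"asset_id": row["asset_id"], "owner": None,
                             "risk": None, "status": "unregistered", "days": None})
            continue
        sla = SLA_DAYS[asset.risk]
        if row["release"] is None:
            # Vulnerability known, no vendor fix: count days of exposure so far;
            # compensating controls (disable, restrict, monitor) are due.
            status = "no_patch_mitigate"
            days = (today - row["advisory"]).days
        else:
            end = row["patched"] or today
            days = (end - row["release"]).days
            if row["patched"] is not None:
                status = "patched_in_sla" if days <= sla else "patched_late"
            else:
                status = "overdue" if days > sla else "pending"
        findings.append({"asset_id": asset.asset_id, "owner": asset.owner,
                         "risk": asset.risk, "status": status, "days": days})
    return findings


def mean_patch_latency(findings):
    """KPI: mean days from vendor release to install over completed patches."""
    done = [f["days"] for f in findings if f["status"].startswith("patched")]
    return sum(done) / len(done) if done else None


if __name__ == "__main__":
    results = evaluate(REGISTER, AUDIT_LOG)
    for f in results:
        print(f"{f['asset_id']:5} {str(f['owner']):9} {str(f['risk']):7} "
              f"{f['status']:18} {f['days']}")
    print("mean release->install latency (days):", mean_patch_latency(results))
```

Run stand-alone it prints one line per audit-log row plus the mean latency. The point of the design is that the SLA and the owner come from the register, not from the patch log: an entry the register cannot resolve is reported rather than silently skipped, and a known vulnerability with no patch is tracked as days of exposure so the compensating controls from the paragraph above have a number attached to them.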
A policy for the installation of software should be established: who can install what, what is permitted and, most importantly, what is not. I know this is often an unpopular area of InfoSec, so much effort should go into the awareness programme explaining that a secure business (and this is one of its tenets) is more likely to succeed than a seat-of-the-pants maverick one. Everyone wants to be the maverick; no-one wants that in their colleagues though!