More focus needed on vulnerability management
All cyber attacks have something in common – the exploitation of vulnerabilities. The increase in attacks has forced individuals, businesses and South Africa as a whole to intensify their focus on cyber security.
Speaking at the 2020 ITWeb Security Summit, hosted virtually, Kudakwashe Charandura, director – Cybersecurity, SNG Grant Thornton, said the advent of 4IR has resulted in greater reliance on IT, but also new risks and opportunities.
Referencing the recent Experian data breach incident involving the potential exposure of some personal information of up to 24 million South Africans and 793 749 businesses, Charandura said these incidents reflect the need to beef up cyber security.
“Some of the attacks are even targeting countries now. Some people argue that the next war is going to be using computers, it’s going to be a cyber war. It has already started… hackers attacking systems, Russians getting involved in US elections. All these things basically highlight the need to focus on cyber security, on all cyber security processes including vulnerability management.”
Charandura walked the audience through the steps or processes that typify a cyber attack, starting with information gathering or reconnaissance.
“Where a hacker tries to gather as much information about your organisation or business as possible, and then from there scan your network, ruminate your devices and from there identify your vulnerabilities… and then attack your environment. It’s much like a thief walking across the road, scanning houses, looking across the yard to see what house he can go into to steal something. So the same process. Attackers even go to the extent of even digging through your dustbins to try to pick up information about individuals or companies. So we need to really address these vulnerabilities and find a way of effectively managing and minimising the vulnerabilities in the network.”
Charandura reminded delegates that vulnerability management, defined as the cyclical practice of identifying, classifying, prioritising, remediating, and mitigating vulnerabilities in computer systems, applications and network infrastructures, involves various types of vulnerabilities – including technical and non-technical.
Examples include insecurely configured systems, outdated systems, insecure network systems, inadequate processes, default passwords not changed, and employees disclosing passwords.
According to Charandura, vulnerability management extends to people, processes and technologies. It forces business owners to ask: how vulnerable are employees? Are they aware of security risks? Are there adequate policies, procedures and standards in place?
Businesses looking to get on top of their vulnerability management are advised to consider various types of vulnerability assessments, such as wireless network scans, Web application vulnerability scans, database scans and social engineering assessments.
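The cycle described above (identify, classify, prioritise, remediate and mitigate) is easier to see as a small triage routine. The following is an added example, not code from the talk or from SNG Grant Thornton: it takes constructed findings of the kinds listed earlier (default passwords, outdated systems, insecure networks, employees disclosing passwords, missing procedures), splits them into technical and non-technical, and orders them into a remediation queue. The scoring weights and the "default password always ranks high" rule are assumptions chosen for illustration, not a standard.

```python
"""Toy vulnerability-management triage: identify -> classify -> prioritise -> track.

Added example. The severity weighting below is an assumption, not a standard.
"""
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    TECHNICAL = "technical"          # misconfiguration, outdated software, weak network
    NON_TECHNICAL = "non-technical"  # people and process weaknesses


@dataclass
class Finding:
    asset: str
    title: str
    category: str         # "config", "patch", "network", "people" or "process"
    severity: float       # 0-10, e.g. a CVSS base score or an assessor's estimate
    exposed: bool         # reachable from outside or by untrusted users
    status: str = "open"  # open -> mitigated -> remediated


def classify(f: Finding) -> Kind:
    """People and process weaknesses are the non-technical vulnerabilities."""
    return Kind.NON_TECHNICAL if f.category in {"people", "process"} else Kind.TECHNICAL


def priority(f: Finding) -> float:
    """Assumed weighting: exposure doubles urgency; unchanged default passwords floor at 15."""
    score = f.severity * (2.0 if f.exposed else 1.0)
    if f.category == "config" and "default password" in f.title.lower():
        score = max(score, 15.0)
    return score


def prioritise(findings):
    """Open findings only, highest priority first."""
    return sorted((f for f in findings if f.status == "open"), key=priority, reverse=True)


def remediation_queue(findings):
    """(asset, title, kind, priority) tuples in the order they should be worked."""
    return [(f.asset, f.title, classify(f).value, round(priority(f), 1))
            for f in prioritise(findings)]


def mark(findings, asset, title, status):
    """Record remediation or mitigation; returns False if the finding is unknown."""
    for f in findings:
        if f.asset == asset and f.title == title:
            f.status = status
            return True
    return False


def open_by_kind(findings):
    """How much of the remaining work is technical versus people/process."""
    counts = {Kind.TECHNICAL.value: 0, Kind.NON_TECHNICAL.value: 0}
    for f in findings:
        if f.status == "open":
            counts[classify(f).value] += 1
    return counts


def sample_findings():
    # Constructed findings mirroring the vulnerability types named in the talk.
    return [
        Finding("web-01", "Default password on admin console", "config", 7.5, True),
        Finding("db-02", "Unpatched database server", "patch", 9.8, False),
        Finding("wifi-hq", "WPA2 PSK shared with contractors", "network", 6.0, True),
        Finding("staff", "Password disclosed to helpdesk impersonator", "people", 5.0, True),
        Finding("it-ops", "No patch management procedure", "process", 4.0, False),
    ]


if __name__ == "__main__":
    fs = sample_findings()
    for row in remediation_queue(fs):
        print(row)
    mark(fs, "web-01", "Default password on admin console", "remediated")
    print("next cycle:", remediation_queue(fs)[0][0], open_by_kind(fs))
```

Each assessment round (wireless, web application, database or social engineering) feeds new `Finding` records in, and the queue is rebuilt after every `mark` call, which is what makes the practice cyclical rather than a one-off scan. The split reported by `open_by_kind` is the quick check against the mistake the speaker warns of below: a queue that is entirely technical usually means the people and process assessments were never run, not that those weaknesses are absent.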
But people often make the mistake of focusing on technology alone, as if cyber security were only an IT problem, said Charandura.
"Cyber security has to be embedded across all the layers of the business - it has to be a culture, something we live by," he concluded.