Why Vulnerability Management is Better as a Service

Many things in IT are set and forget: you install a new application, implement a new network or roll out a new visibility system. Sure, these things need to be maintained over time, but the main effort is at implementation time, after which point you (hopefully) enjoy the benefits of the initial work.

By contrast, cyber security is an ongoing discipline: you can’t be ‘done’ with cyber security, because attackers and their techniques are continually evolving and probing for vulnerabilities. A quick look at the growth of identified vulnerabilities in the MITRE Corporation’s CVE (Common Vulnerabilities and Exposures) system shows continual nonlinear growth, with a clear acceleration around 2017.

As an aside, for those interested in the growth of identified vulnerabilities over the last decade or so, Rapid7 have an excellent blog post on this very topic at https://blog.rapid7.com/2018/04/30/cve-100k-by-the-numbers/ (from which I have borrowed the graph shown below).

Keeping pace with this ever-increasing deluge of vulnerabilities requires constant vigilance. We often hear of organisations that implement Microsoft SCCM to keep their Windows desktops and servers up to date with the latest patch releases. There is no question that this is an excellent start, but deploying SCCM does not mean that you are ‘done’ with patch management.

What is missing is everything outside the base Microsoft ecosystem: third-party applications, non-Microsoft machines, network infrastructure and IoT devices such as cameras and access control systems all present potential points of vulnerability in your IT environment.

Identifying vulnerabilities and available software patches across the diverse range of systems in your environment is challenging enough, and on top of that you need to monitor those devices continually, because new vulnerabilities emerge daily.

This is where vulnerability management kicks in. A good vulnerability management (VM) solution will not only identify existing vulnerabilities across your complete IT environment, it will also identify the recommended patches to install to keep your systems safe (in fact a good VM solution such as Qualys can do a whole lot more than this, but that is perhaps the subject for another blog).

Vulnerability management should be considered an absolute must in any cyber security strategy: just like firewalls or anti-virus, it is a key component in securing your organisation. But we shouldn’t treat vulnerability management as a ‘thing’ to deploy; it is an ongoing discipline. At Counterhack, we often see organisations implement a vulnerability management system with the best of intentions, only for it to sit idle gathering dust, with no one tasked with the critical job of actually running scans and keeping track of patch levels across the organisation.
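As an added example (not code from the original post, and not from any VM product), here is a minimal version in Python of the two things the last few paragraphs describe: matching an asset inventory that spans Windows, network and IoT devices against a vulnerability feed to produce findings with a recommended patch level, and flagging assets whose last scan is older than a threshold, which is the ‘gathering dust’ problem. The inventory, product names and advisory identifiers are constructed placeholders, and the ‘vulnerable below version X’ rule is a deliberate simplification of how real advisories express affected versions.

```python
"""Toy vulnerability matching and scan-hygiene check (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass(frozen=True)
class Asset:
    """One device in the environment, as an inventory or discovery scan would record it."""
    name: str
    kind: str            # e.g. "windows", "network", "iot"
    product: str         # the software component being tracked on this asset
    version: str
    last_scanned: date   # when a vulnerability scan last looked at it


@dataclass(frozen=True)
class Advisory:
    """Simplified feed entry: versions strictly below `affected_below` are vulnerable."""
    advisory_id: str     # placeholder; a real feed carries CVE identifiers
    product: str
    affected_below: str
    fixed_in: str        # recommended patch level
    severity: str


def parse_version(version: str) -> tuple:
    """Reduce a vendor version string to a tuple of ints for ordering.

    '2.14.1-p2' -> (2, 14, 1, 2). Adequate for the constructed data here;
    real feeds need product-specific rules (see the note after the block).
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(asset: Asset, adv: Advisory) -> bool:
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.affected_below))


def find_vulnerabilities(assets, advisories):
    """Return (asset_name, advisory_id, severity, recommended_action) for every match."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if is_affected(asset, adv):
                action = f"upgrade {adv.product} to {adv.fixed_in}"
                findings.append((asset.name, adv.advisory_id, adv.severity, action))
    return findings


def stale_scans(assets, today: date, max_age_days: int = 7):
    """Names of assets not scanned within max_age_days: the 'gathering dust' check."""
    cutoff = today - timedelta(days=max_age_days)
    return [a.name for a in assets if a.last_scanned < cutoff]


# Constructed sample data. Product names and advisory IDs are placeholders,
# not real products or real vulnerabilities. The Windows box is fully patched
# at the OS level; its third-party viewer is the problem, as is the switch
# firmware and the camera that nobody has scanned for weeks.
TODAY = date(2021, 6, 1)
ASSETS = [
    Asset("ws-01", "windows", "third-party-pdf-viewer", "9.1.0", date(2021, 5, 30)),
    Asset("core-sw-01", "network", "switch-os", "4.0.7", date(2021, 5, 29)),
    Asset("edge-sw-02", "network", "switch-os", "4.1.2", date(2021, 5, 29)),
    Asset("cam-lobby", "iot", "camera-fw", "2.1", date(2021, 4, 20)),
]
ADVISORIES = [
    Advisory("ADV-0001", "third-party-pdf-viewer", "9.2.0", "9.2.0", "high"),
    Advisory("ADV-0002", "switch-os", "4.1.0", "4.1.0", "critical"),
    Advisory("ADV-0003", "camera-fw", "2.1.5", "2.1.5", "medium"),
]


def build_report(assets=ASSETS, advisories=ADVISORIES, today=TODAY) -> dict:
    """Combine both checks into one report a scan operator would act on."""
    return {
        "findings": find_vulnerabilities(assets, advisories),
        "stale_scans": stale_scans(assets, today),
    }


if __name__ == "__main__":
    report = build_report()
    for name, adv_id, sev, action in report["findings"]:
        print(f"{name}: {adv_id} ({sev}) -> {action}")
    for name in report["stale_scans"]:
        print(f"{name}: last scan older than 7 days, findings may be out of date")
```

Two caveats a practitioner would raise: real feeds identify products with structured names (CPE) and affected-version ranges that need product-specific version parsing, and a real scanner fingerprints the asset rather than trusting an inventory field. The stale-scan check is the part most often forgotten, and it is what turns a one-off scan into a discipline.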

By its very nature as an ongoing discipline, vulnerability management lends itself to being offered as a service: a discipline best outsourced to a specialist third party that understands the threat landscape, can identify weaknesses and can help you maintain patch levels. A service that helps you stay secure. This is the very reason that Counterhack offer a turnkey Vulnerability Management Service.

Speak to Counterhack today about your cyber security needs

Central West Man Inherits Fortune from Nigerian Prince

(A Light Hearted Look at Phishing)

West Wyalong man Wazza Whiting is in a celebratory mood tonight after announcing the inheritance of $10 million from a recently deceased member of the Nigerian Royal Family. It was cold VBs all round at the Crooked Mile RSL as Wazza shouted the bar, stating, “I’m rich now, so when we’re done with the V-Bangers, we might even have some of those fancy inner city craft beers”.

When asked how it came about that an unemployed self-proclaimed entrepreneur from country NSW was the beneficiary of a West African fortune, Wazza was remarkably upfront. “It was easy”, he said, “I simply responded to an email asking for my bank account details and it just developed from there – the Nigerians have been very helpful in guiding me through the whole process”.

“What can I say, I’m a ‘clicker’, I just love to click on links in emails or websites, pretty much anywhere really. You never know what you will find, but there is definitely opportunity”, said Wazza. Of course there have been setbacks along the way, and not every click turned out for the best. Wazza has been married 7 times to Eastern European women he has never actually met, and he has had to pay his fair share of ransomware demands to keep his computer working, but he believes it has all been worthwhile now that he has finally landed the ‘big one’.

But despite the celebrations, it seems that Wazza is actually yet to receive any money. According to Wazza, the Nigerian legal system is very complex. It seems there are many checks and balances and hurdles to be negotiated, but the local team on the ground in Lagos has been very helpful. So far Wazza has sent around $10,000 to the Nigerian lawyers to facilitate the inheritance, and he is assured that it will only be a few more thousand before the full inheritance is released. According to Wazza, this is a small price to pay for such a large reward!

We will await further developments and keep you posted on progress to see how Wazza gets on with the delicate task of extracting money from the Nigerian Royals. In the meantime, we are happy to avail ourselves of the hospitality of the Crooked Mile RSL and enjoy another cold VB.

On a serious note though, clicking on phishing links presents a serious risk to business. And whilst (we hope, at least) most people will not fall for the old-fashioned Nigerian inheritance scam, there are certainly many more sophisticated phishing attacks that are much more difficult to detect. User awareness training is a complete field in itself and certainly worth considering to keep your environment and users safe. At the very least, consider these two simple strategies for helping to not get caught:

  • If it sounds too good to be true, then it probably is – just don’t click.
  • Take a second to pause, perhaps ask a colleague and think before you click.

Counterhack offer a range of comprehensive cyber security services to ensure your business is secure. From user awareness training and penetration testing right through to vulnerability management, security event management and consulting, Counterhack have a range of services to meet your business requirements irrespective of size.

Speak to Counterhack today to see how we can meet your cyber security needs.


Cyber security company stuns industry with advertisement that doesn’t feature a hacker in a hoodie.

Industry pundits are astounded by an advertisement placed by a top flight cyber security company that doesn’t feature a hacker in a hoodie in a dark room. Even more surprising is the total break from traditional techniques: no padlocks, no screens of code, no anonymous face masks, not even a space age blue graphic with a latticework of connected dots.

Earl Counterthwack, the marketing manager of Sydney-based We Be Number One Best Cyber Security Company, speaking from his Covid-safe remote office in a Kuta backstreet, said he drew inspiration for the advertisement after downing 17 Bintangs in a particularly florid session last Friday afternoon. The Eureka moment came for Earl after waking up more than a little dusty in a beachside hammock surrounded by empty drinking coconuts: he knew that a change of direction for the cyber security campaign was called for.

In fact, the advertisement is a complete departure from tradition: it plays on confidence rather than fear. When asked if this approach ran the risk of confusing potential customers by not trying to scare the ‘beejezuz’ out of them, and instead using an image that was, well, somewhat comforting, Earl responded that it was either a guy in a hammock or a good looking swimsuit model. The final decision came down to the hammock after Earl’s last run-in with HR relating to bikini image downloads, which saw his work Internet privileges restricted.

It remains to be seen how effective this new advertisement will be, but the industry is certainly abuzz with chatter about this revolutionary approach. Earl has promised to keep us across developments as the campaign progresses.

On a serious note though, Counterhack offer a range of comprehensive cyber security services to ensure your business is secure. From penetration testing right through to vulnerability management, security event management and consulting, Counterhack have a range of services to meet your business requirements irrespective of size.

Speak to Counterhack today to see how we can meet your cyber security needs.
