Mitigate software vulnerabilities

February 8, 2022 By Christopher Caywood
Photo: solarseven/iStock / Getty Images Plus/Getty Images

Apologizing for a mistake or being the first to say “I love you” requires showing vulnerability. Psychologists believe showing vulnerability is necessary for creating authentic relationships.

The same cannot be said for your software.

Software vulnerabilities are weaknesses in a program that an attacker can use to gain access to sensitive data or perform unauthorized actions. In early December 2021, a flaw in Log4j, a widely used open-source Java library that applications rely on to log messages, was disclosed (tracked as CVE-2021-44228 and nicknamed Log4Shell) and was quickly recognized as one of the most serious security vulnerabilities ever found on the internet. Any internet-facing application built on a vulnerable version of the library was at risk, which is why the exposure was so widespread.

Vulnerabilities can appear the moment code is written. Developers, often pressured to push software and innovation to market, may overlook security or give it short shrift. Even when a developer follows best security practices, creative attackers constantly hunt for new, previously unknown vulnerabilities. Developers also frequently build on prebuilt open-source or third-party components, and a flaw in any one of those components becomes a flaw in every product that includes it. That is the source of the Log4j vulnerability: because the library is a Java component bundled into an enormous number of applications, one flaw had to be found and patched in all of them, which is what makes it so serious.
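The supply-chain point above has a practical first step: you cannot patch a copy of Log4j you do not know you have. The Python script below is an added example, not code from the original article. It walks a directory tree, opens every .jar it finds, reads the Maven pom.properties file that log4j-core ships with, and reports each copy as vulnerable, mitigated (the JndiLookup class removed, which was the published workaround for systems that could not be patched) or ok. The fixed-version threshold of 2.17.1 (the current fix when this article ran), the directory layout and the sample jars are constructed for the demonstration and are assumptions, not data from the page.

```python
"""Inventory .jar files for a vulnerable copy of log4j-core.

Added example, not code from the original article. Assumptions: the
fixed-version threshold (2.17.1) and the directory layout are ours, and
the sample jars are constructed in a temporary directory.
"""
import os
import re
import tempfile
import zipfile

# Maven metadata that every log4j-core jar carries.
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# Class whose removal was the published workaround when no patch could be applied.
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
# Assumption: lowest log4j-core 2.x release treated as fixed by this check.
FIXED_VERSION = "2.17.1"


def parse_version(text):
    """Turn '2.14.1' or '2.0-beta9' into a comparable tuple.

    Pre-release suffixes (e.g. '-beta9') sort below the bare release.
    """
    core, _, pre = text.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    return (nums, 0, pre) if pre else (nums, 1)


def inspect_jar(path):
    """Return a finding dict for one jar, or None if it is not log4j-core."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES not in names:
            return None
        props = jar.read(POM_PROPERTIES).decode("utf-8", "replace")
        match = re.search(r"^version=(.+)$", props, re.MULTILINE)
        version = match.group(1).strip() if match else "unknown"
        if version == "unknown":
            status = "review"  # cannot tell; a human must look at it
        elif parse_version(version) >= parse_version(FIXED_VERSION):
            status = "ok"
        elif JNDI_LOOKUP in names:
            status = "vulnerable"  # old version, JNDI lookup class still present
        else:
            status = "mitigated"  # old version, but the workaround was applied
        return {"jar": path, "version": version, "status": status}


def scan_tree(root):
    """Walk a directory and inspect every .jar; findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jar"):
                result = inspect_jar(os.path.join(dirpath, name))
                if result:
                    findings.append(result)
    return sorted(findings, key=lambda f: f["jar"])


def make_sample_jar(path, version, keep_jndi_lookup=True):
    """Constructed sample: a minimal jar carrying log4j-core's pom.properties."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(
            POM_PROPERTIES,
            f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n",
        )
        if keep_jndi_lookup:
            jar.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")  # placeholder, not real bytecode


def build_demo_tree():
    """Create a temp directory with constructed jars and return its path."""
    root = tempfile.mkdtemp(prefix="log4j-demo-")
    lib = os.path.join(root, "app", "lib")
    os.makedirs(lib)
    make_sample_jar(os.path.join(lib, "log4j-core-2.14.1.jar"), "2.14.1")
    make_sample_jar(os.path.join(lib, "log4j-core-2.17.1.jar"), "2.17.1")
    make_sample_jar(os.path.join(root, "app", "log4j-core-2.14.1-stripped.jar"),
                    "2.14.1", keep_jndi_lookup=False)
    # An unrelated jar that the scan must ignore.
    with zipfile.ZipFile(os.path.join(root, "app", "other.jar"), "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for finding in scan_tree(demo):
        print(f"{finding['status']:10} {finding['version']:8} {finding['jar']}")
```

Run it against a real server by calling scan_tree on the application's install directory instead of the demo tree. The check is deliberately conservative: a jar whose version cannot be read is reported for review rather than silently passed, and a patched version is reported ok even though it still contains JndiLookup, because the fixed releases disable that lookup.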

Protecting digital information isn't much different from protecting information stored on good, old-fashioned paper. Your sensitive financial, business and customer information should be locked in a secure location with limited access and protected with appropriate security systems. Locks and security codes should be changed periodically, and reviewing all of this should be part of your annual review of your security action plan. Here's how you do the same digitally:

  • If you don’t know what you are doing, hire somebody who does. Most of you probably use alarm companies and locksmiths. Third-party technology experts stand ready to do the same. You should exercise the same caution in identifying and retaining these experts that you exercise when hiring an alarm company or an employee you will entrust with sensitive information.
  • Follow applicable standards. If you accept credit cards, you are familiar with the Payment Card Industry Data Security Standard, or PCI DSS. Many of the steps mentioned below are addressed by PCI DSS. In fact, the PCI DSS Self-Assessment Questionnaires provide a useful checklist for making sure your network is secure.
  • Maintain a firewall. Traffic on your Wi-Fi needs to be limited and protected. If you want to provide customers free Wi-Fi, set up a separate guest network for them that cannot reach your business systems. All devices, including phones, that access your system should have firewall protection installed and active.
  • Don't keep default settings or credentials. Wouldn't it be embarrassing if your network was breached because a hacker was clever enough to type "Administrator" or "Admin" in both the user ID and password boxes of your system? Cyber insurance carriers will tell you it happens too often.
  • Require limited, secure access. Every employee should have a unique password for every application to which they have access, shared with nobody else, including you; where the application supports it, also require multi-factor authentication. Employees should not have access to an application unless it's absolutely required for their job functions. Sometimes access can be limited within an application. If the application permits this, employee access should be limited to only the information required to perform the job function.
  • Make sure the software can require password changes, and change a password immediately if it may have been exposed. Current NIST guidance (SP 800-63B) favors changing passwords on evidence of compromise rather than on a fixed schedule, so pair any periodic rotation rule with the unique-password requirement above.
  • Make sure all software enforces appropriate password standards, such as a minimum length, no reuse of previous passwords and lockout after repeated failed attempts.
  • Real-time antivirus protection: This needs to be installed and running on any device that is connected to your network, including cellphones.
  • External vulnerability scanners: External vulnerability scans probe your network from the outside, the way an attacker would, looking for exposed services and holes in your firewall. If you accept credit cards, PCI DSS already requires quarterly external scans by an Approved Scanning Vendor, and your card processor may arrange them. Still, it's a good idea to run your own scans between those quarterly checks, on your own or with your technology expert.
  • Internal vulnerability scanners: Internal vulnerability scanners run inside your firewall and check the software on your own machines for missing patches and known weaknesses. Commonly used browsers and applications are frequent sources of vulnerabilities. The internal vulnerability scanner we use identifies these vulnerabilities, installs available patches and provides certain kinds of patchless protections if a patch is not yet available.

With a fresh new year upon us, resolve to address your network and software security to protect both you and your customers.


Christopher Caywood is a co-owner of Caywood Propane Gas Inc. 
