A recent spate of data breaches has highlighted the fact that, even in 2011, many organizations still have not managed to grasp the concepts of vulnerability management. It is certainly the case that no organization, no matter what sort of controls are in place, can eliminate risk completely. However, the apparent ease with which some of these attacks have been carried out makes one wonder what sort of vulnerability management practices, if any, these organizations had in place. At the most basic, vulnerability management should be a cyclical process that involves the identification, analysis, reporting, and remediation of weaknesses in system configurations and software. Before vulnerability identification can begin, though, it is necessary for an organization to have an understanding of what assets (i.e., systems and data) exist and where they live. This, of course, is itself an ongoing process, as few IT environments are very static. Vulnerability identification is, believe it or not, often one of the easier steps in the vulnerability management process. There are numerous options available to assist organizations in identifying weaknesses in their environments, including automated scanners, patch and configuration management utilities, and assessment service providers. Regardless of the sources of this information, it should provide insight into vulnerabilities in system and software configuration, patch levels, and application code. Analysis of the identified vulnerabilities should include prioritization based on risk to the organization’s assets. Information such as CVSS score can be helpful in this regard. Also, categorization based on vulnerability type, infrastructure area, and business unit may also be beneficial, particularly in larger or decentralized organizations. Internal reporting of vulnerabilities sounds simple but, in larger IT groups, can actually be surprisingly complex. A process needs to exist to ensure that vulnerability information is distributed to the proper individuals in a timely and organized fashion. Ticketing systems can be a useful tool in this regard, particularly if your vulnerability assessment, analysis, or correlation tool can integrate directly with the system. Finally, identified vulnerabilities should be remediated. In the ideal scenario, this simply means applying a patch or changing a configuration setting. However, it is not uncommon for this to be a sticking point. Whether due to patch incompatibility or a business need for particular features or configurations to exist, it is all too common for identified vulnerabilities to go unmitigated for long periods of time. This is somewhat understandable and sometimes risks do need to be accepted but, often, the business impact of a vulnerability is not fully understood by the risk owners. Ultimately, risk owners need to realize the implications on the entire environment if they choose to allow vulnerabilities to persist (see Scott Sutherland and Antti Rantasaari’s “When Databases Attack” presentation for some great examples). Ultimately, vulnerability management does have some complexities but it is an absolutely critical component of a comprehensive and effective information security program. Security can never be a sure thing and threats will always exist. However, in this day and age, there is really no excuse for organizations to lack a formal approach to identifying and treating vulnerabilities, particularly in their Internet-facing infrastructure.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.