Components of an effective vulnerability management process
Vulnerabilities continue to grab headlines. Whether it is a zero-day that affects “tens of millions” of servers around the globe or an old unpatched flaw that leads to a data compromise, we will keep reading about them. The modern security landscape demands a process to manage and keep on top of the ever-evolving threats and vulnerabilities. This process is known as a vulnerability management program, and it is designed to identify, classify and proactively prevent the exploitation of vulnerabilities within an organization.
We often hear the terms “vulnerability assessment”, “vulnerability scanning” and “vulnerability program” used interchangeably, but these terms are not synonymous. So let’s look at what a vulnerability management program involves.
A successful and robust vulnerability management program incorporates several security components, the most critical of which are risk, patch, asset, change and configuration management. Scanning a system identifies vulnerabilities and weaknesses that must then be addressed through those components.
Risk and patch management
An organization must have a risk management process in place to correlate vulnerabilities discovered during scanning with the threats and exploits that pose the most danger to the enterprise. Moreover, an organization must have a patch management process in place to fix discovered vulnerabilities that require security patches. This is the process of obtaining, testing and applying patches to all affected systems in an efficient and timely manner. As a result of proper risk and patch management, organizations are in a position to:
- Prioritize risks and vulnerabilities
- Apply required security patches
- Prevent vulnerabilities from being exploited before a patch has been released
- Manage exceptions
- Remediate, avoid, transfer and/or accept the risk.
Asset management/discovery
Asset management is designed to discover, classify and document assets. Without a proper inventory, it would be nearly impossible to know what to scan and assess within an organization. Networks are in a constant state of change: new assets must be discovered and the inventory must be continuously updated.
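The discovery step above, as an added example (not code from the original article): a discovery scan's host list is reconciled against the asset inventory to surface hosts nobody has classified, inventory records the scanner no longer sees, and addresses whose hostname has changed. The inventory records, the scan output and the risk-tier labels are all constructed sample data.

```python
"""Reconcile a discovery scan against the asset inventory.

Added example, not from the original article. The inventory and the scan
results below are constructed; a real program would pull them from a CMDB
and a scanner export.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    owner: str
    risk_tier: str  # "high", "medium" or "low" (hypothetical classification)


# Constructed inventory: what the organisation believes it owns.
INVENTORY = [
    Asset("10.0.1.10", "web-01", "platform", "high"),
    Asset("10.0.1.11", "web-02", "platform", "high"),
    Asset("10.0.2.20", "db-01", "data", "high"),
    Asset("10.0.3.30", "print-01", "facilities", "low"),
]

# Constructed discovery-scan output: (ip, hostname or None, open ports).
DISCOVERED = [
    ("10.0.1.10", "web-01", [22, 443]),
    ("10.0.1.11", "web-02b", [22, 443]),     # hostname differs from inventory
    ("10.0.2.20", "db-01", [5432]),
    ("10.0.2.21", None, [3389]),             # not in inventory: unknown asset
    ("10.0.9.99", "test-box", [22, 8080]),   # not in inventory: unknown asset
]


def reconcile(inventory, discovered):
    """Return (unknown_hosts, missing_assets, changed_hostnames).

    unknown_hosts:     discovered IPs with no inventory record; they must be
                       classified before a scan result can be prioritised.
    missing_assets:    inventory records the scan did not see (decommissioned,
                       powered off, or unreachable from the scanner).
    changed_hostnames: IPs where the scanner-reported hostname disagrees with
                       the inventory, a common sign of address re-use.
    """
    by_ip = {ip_address(a.ip): a for a in inventory}
    seen = set()
    unknown, changed = [], []
    for ip, hostname, ports in discovered:
        addr = ip_address(ip)
        seen.add(addr)
        asset = by_ip.get(addr)
        if asset is None:
            unknown.append((ip, hostname, ports))
        elif hostname is not None and hostname != asset.hostname:
            changed.append((ip, asset.hostname, hostname))
    missing = [a for addr, a in by_ip.items() if addr not in seen]
    return unknown, missing, changed


if __name__ == "__main__":
    unknown, missing, changed = reconcile(INVENTORY, DISCOVERED)
    for ip, host, ports in unknown:
        print(f"UNKNOWN  {ip:<12} {host or '-':<10} ports={ports}")
    for a in missing:
        print(f"MISSING  {a.ip:<12} {a.hostname:<10} owner={a.owner}")
    for ip, old, new in changed:
        print(f"RENAMED  {ip:<12} {old} -> {new}")
```

Each of the three buckets needs a different follow-up: unknown hosts get an owner and a risk tier before the next scan cycle, missing assets are either retired from the inventory or investigated as a scanner coverage gap, and renamed hosts are re-checked so that findings are not attributed to the wrong system.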
Configuration and change management
An organization must have a secure configuration process in place to ensure misconfigured systems do not become a bridge for malicious attackers into the enterprise. Attackers have automated their reconnaissance and constantly search for externally exposed, misconfigured servers.
The role of the change management process, on the other hand, is to catch misconfigured servers, applications and services before they are deployed into a production environment.
Vulnerability management policy and processes
The first step of the vulnerability management process is to develop a policy and the necessary processes. Your policy should dictate the scope and frequency of scans. Processes are an essential piece of the program; you might consider a zero-day vulnerability process in which a designated team is brought together every time a zero-day vulnerability is announced to analyze it. That process would consist of components such as notification, assessment, analysis and action. You should also adopt a process to scan each new server for misconfigurations and vulnerabilities before you allow it into production.
Tip 1: Ensure your security team is subscribed to known vulnerability alerts, so that they can be notified immediately upon a vulnerability release.
Tip 2: If your organization utilizes the public cloud, ensure your policy covers it.
Vulnerability scanning
Hackers scan our external assets on a daily basis free of charge; we just don’t get to see the reports. Vulnerability scanning is one piece of the vulnerability management process, but an extremely important one. It is an automated process that assesses your systems, network or applications for vulnerabilities and weaknesses. It is essential to conduct both internal and external vulnerability scanning. If your organization hosts a web application, perform web application vulnerability scanning to discover web application vulnerabilities such as SQL injection and cross-site scripting.
A good vulnerability management process requires you to perform both authenticated (credentialed) and unauthenticated (non-credentialed) vulnerability scans. Authenticated scans are more thorough and find vulnerabilities, such as missing patches and configuration issues, that unauthenticated scans cannot discover. An unauthenticated scan typically discovers open ports, operating system versions, listening services, etc.
As an organization, you can compare the results from both scans (authenticated vs. unauthenticated) to determine the risk surface, since the unauthenticated scan presents an attacker’s view of your network. You might consider authenticated scans on high-risk assets and unauthenticated scans on low-risk assets. Your vulnerability management program should dictate that balance, but typically organizations run unauthenticated external scans and authenticated internal scans. Scanning is an ongoing activity and must be run at least quarterly and after major changes to your network. You might also adopt an approach where you scan your high-risk assets once a month and medium- and low-risk assets once per quarter.
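The comparison of authenticated and unauthenticated results and the tier-based scan cadence described above, as an added example (not code from the original article): the set difference between the two scan modes separates what an external attacker can see from what only a credentialed scan reports, and each asset's last scan date is checked against the cadence the article suggests (high-risk monthly, medium and low quarterly). The findings, hostnames, tiers and dates are constructed sample data, and the finding identifiers are invented labels rather than any scanner's real plugin names.

```python
"""Compare authenticated and unauthenticated scan results, and work out
which assets are due for a rescan based on their risk tier.

Added example, not part of the original article. Findings, asset tiers and
dates are constructed; the cadence follows the article (high-risk monthly,
medium and low quarterly).
"""
from __future__ import annotations

from datetime import date, timedelta

# Constructed findings as (host, finding_id) pairs from each scan mode.
UNAUTHENTICATED = {
    ("web-01", "ssh-weak-mac"),
    ("web-01", "tls-1.0-enabled"),
    ("db-01", "postgres-exposed"),
}
AUTHENTICATED = {
    ("web-01", "ssh-weak-mac"),
    ("web-01", "tls-1.0-enabled"),
    ("web-01", "missing-kernel-patch"),
    ("web-01", "world-writable-cron"),
    ("db-01", "postgres-exposed"),
    ("db-01", "missing-db-patch"),
}

# Constructed risk tiers and last-scan dates per asset.
ASSETS = {
    "web-01": {"tier": "high", "last_scan": date(2024, 3, 1)},
    "db-01": {"tier": "high", "last_scan": date(2024, 4, 20)},
    "print-01": {"tier": "low", "last_scan": date(2024, 1, 10)},
}

# Rescan interval per tier: high monthly, everything else quarterly.
INTERVAL = {
    "high": timedelta(days=30),
    "medium": timedelta(days=90),
    "low": timedelta(days=90),
}


def compare_scans(unauth, auth):
    """Split findings into the attacker-visible surface and the rest.

    attacker_visible: reported by both modes, so reachable without credentials.
    internal_only:    reported only by the credentialed scan (missing patches,
                      host configuration); invisible from outside but still real.
    unauth_only:      reported only without credentials; usually a scanner
                      discrepancy or a different vantage point, worth a look.
    """
    return {
        "attacker_visible": unauth & auth,
        "internal_only": auth - unauth,
        "unauth_only": unauth - auth,
    }


def assets_due_for_scan(assets, today):
    """Return hostnames whose last scan is older than their tier's interval."""
    due = [host for host, info in assets.items()
           if today - info["last_scan"] > INTERVAL[info["tier"]]]
    return sorted(due)


if __name__ == "__main__":
    result = compare_scans(UNAUTHENTICATED, AUTHENTICATED)
    for bucket, findings in result.items():
        print(f"{bucket}: {len(findings)}")
        for host, fid in sorted(findings):
            print(f"  {host:<10} {fid}")
    print("due for rescan:", assets_due_for_scan(ASSETS, date(2024, 5, 1)))
```

The `attacker_visible` bucket is the one to report as external risk surface; `internal_only` findings are where patch management does most of its work, and a non-empty `unauth_only` bucket usually means the two scans were not run against the same targets or at the same time.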
Penetration testing
We all encounter situations where a vulnerability scan is sold as a penetration test. On a few occasions, I have been handed a 100+ page “penetration test” listing only vulnerabilities identified during the vulnerability scan. A penetration test is designed to exploit weaknesses and vulnerabilities within an organization and requires both automated and manual testing.
Penetration testing is another important piece of the vulnerability management program and needs to be performed at least annually. Be sure to integrate physical testing and social engineering into your penetration testing. Furthermore, if you host a web application, you should conduct web application penetration testing.
Vulnerability assessments
You might ask, “What is the difference between a vulnerability scan and a vulnerability assessment?” The short answer is scope. A vulnerability assessment includes vulnerability scanning as well as vulnerabilities not specific to technology, such as weaknesses in policies, processes and standards.
Consider an organization with a weak password policy that does not enforce complexity requirements; because of the resulting weak passwords, this organization becomes a victim of cybercrime. Consider also the same organization with a cryptography standard that still allows the use of SSLv2. Neither weakness shows up in a scan, but both belong in an assessment. The vulnerability assessment is an ongoing process and should be conducted at least annually.
Tracking, metrics and reporting
Tracking, metrics and reporting are key to demonstrating the value and effectiveness of the vulnerability management program to executive management. It is important that tracking, metrics and reporting of vulnerabilities are risk-based, rather than simply comparing the number of vulnerabilities over a certain period of time.
An effective vulnerability management program is much more than scanning and patching your systems. Multiple regulatory compliance standards, such as PCI DSS and HIPAA, require that such a program be created and implemented. Vulnerability management is a living process that is part of your overall information security program lifecycle and requires continuous monitoring, improvement and assessment.
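Risk-based metrics as described above, as an added example (not code from the original article) that also covers the prioritization step from the risk and patch management section: each finding is scored from its severity, the business criticality of the asset and whether a public exploit is known, open findings are ranked by that score, and the reporting figures are risk-weighted exposure, count of findings past their remediation deadline and mean time to remediate per severity rather than a bare count. The severity and tier weights, the SLA deadlines and the findings themselves are hypothetical values constructed for the example.

```python
"""Risk-based vulnerability metrics instead of raw counts.

Added example, not from the original article. Severity and tier weights and
the remediation SLAs are hypothetical; the findings are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass
class Finding:
    fid: str
    host: str
    severity: str        # critical / high / medium / low
    asset_tier: str      # high / medium / low business criticality
    exploit_known: bool  # public exploit or active exploitation reported
    opened: date
    closed: date | None = None


SEVERITY_WEIGHT = {"critical": 10, "high": 6, "medium": 3, "low": 1}  # hypothetical
TIER_WEIGHT = {"high": 3, "medium": 2, "low": 1}                      # hypothetical
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}      # hypothetical

# Constructed findings as of the reporting date used below (2024-05-01).
FINDINGS = [
    Finding("F1", "db-01", "critical", "high", True, date(2024, 3, 1)),
    Finding("F2", "print-01", "low", "low", False, date(2024, 1, 1)),
    Finding("F3", "web-01", "high", "high", False, date(2024, 4, 15)),
    Finding("F4", "web-01", "medium", "high", True, date(2024, 2, 1), date(2024, 2, 21)),
    Finding("F5", "web-02", "critical", "high", False, date(2024, 4, 1), date(2024, 4, 11)),
    Finding("F6", "test-box", "high", "medium", True, date(2024, 4, 20)),
]


def risk_score(f):
    """Severity times asset criticality, doubled when an exploit is known."""
    score = SEVERITY_WEIGHT[f.severity] * TIER_WEIGHT[f.asset_tier]
    return score * 2 if f.exploit_known else score


def prioritise(findings):
    """Open findings, highest risk first; ties broken by age, oldest first."""
    open_ = [f for f in findings if f.closed is None]
    return sorted(open_, key=lambda f: (-risk_score(f), f.opened))


def metrics(findings, today):
    """Risk-weighted reporting figures for a given reporting date."""
    open_ = [f for f in findings if f.closed is None]
    closed = [f for f in findings if f.closed is not None]
    overdue = [f for f in open_ if (today - f.opened).days > SLA_DAYS[f.severity]]
    mttr = {}
    for sev in SEVERITY_WEIGHT:
        days = [(f.closed - f.opened).days for f in closed if f.severity == sev]
        mttr[sev] = mean(days) if days else None  # None: nothing closed at this severity
    return {
        "open_count": len(open_),                           # the raw number
        "open_risk": sum(risk_score(f) for f in open_),     # what actually changes with good remediation
        "overdue_count": len(overdue),
        "mttr_days": mttr,
    }


if __name__ == "__main__":
    today = date(2024, 5, 1)
    for f in prioritise(FINDINGS):
        print(f"{f.fid} {f.host:<9} {f.severity:<8} score={risk_score(f):>3} opened={f.opened}")
    for key, value in metrics(FINDINGS, today).items():
        print(f"{key}: {value}")
```

Two months with the same `open_count` can look identical on a count-based report while `open_risk` and `overdue_count` move in opposite directions; those two figures, with MTTR per severity, are the ones worth trending for management.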