Vulnerabilities / Threats
11/6/2008
10:45 AM
50%
50%

Vulnerability Management That Works

IT must align its program with business values in order to succeed.

Alerts started firing from a system server sitting in the DMZ at a remote site of an oil producer. Analysts concluded that a vulnerability scanner had identified a significant security hole. Several e-mails, a few phone calls, and within a few minutes the organization had the information it needed.

The facts: The system in question was responsible for forwarding reports, which would be double-checked using other methods. It wasn't tied into any critical operations, it was relatively isolated, it didn't contain overly sensitive information, and exposure wouldn't affect nearby systems. And it was very remote. Patching would mean putting an IT person on a plane. The company decided that flying an IT administrator out to immediately patch wasn't worth the trouble or expense. The alert was noted and scheduled to be handled the next time someone did routine maintenance on the server.

The lesson here: For effective vulnerability management, apply risk management principles and logic relative to the business value.

InformationWeek Reports

Today's vulnerability landscape is mined with custom application exposures, infrastructure deficiencies like improperly secured wireless networks, and desktop- and end-user-centric attack methods. As recent breaches have illustrated, a criminal element has moved us from a world of chatty and poorly developed worms to one of stealthy, professionally developed, targeted malware.

IT must work with business units to determine a company-wide security posture that is within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes.

A WORKING PROCESS
Effective vulnerability management programs require the right balance of technology, business intelligence, and process.

Necessary technology includes vulnerability scanners, such as McAfee's FoundScan, Qualys' QualysScan, or Tenable Network Security's Nessus; application scanners, such as Hewlett-Packard's WebInspect and IBM's AppScan; and configuration and patch management tools. However, without several critical vulnerability management processes, these tools won't be as effective.

One vital process is reducing the exposure a company presents to adversaries--sometimes called "attack surface reduction." The term "attack surface" can refer to a program's susceptibility to various avenues of attack or to systems as a whole. Companies often use a combination of network design exercises, access management, and configuration management to reduce attack surfaces. For example, a system's attack surface can be reduced by exposing only required services to the network, disabling or removing unnecessary software, or limiting the number of users authorized to log on to a system.

An effective vulnerability management program also can help manage a company's overall security posture and risk tolerance. By aggregating vulnerability and incident data, IT can improve security. Trending and data correlation help show how internal activities and external events affect a company's risk profile. This analysis helps gauge the success of projects, such as patching and system maintenance, while identifying areas where more investment is needed.

Another benefit to vulnerability management programs is they that can help achieve compliance objectives. Technical standards, operational frameworks, regulations such as Sarbanes-Oxley, and industry-specific frameworks such as HIPAA and PCI have spurred companies to implement controls and report on their success. An effective vulnerability management program can help demonstrate compliance with established controls, as well as alert management to compliance problems. Tools and data correlation within a mature vulnerability management program can extract stats about default password length, expiration, and complexity requirements, and pull them into compliance reports.

DIG DEEPER
IT'S NOT A DREAM
Learn how your peers are targeting security investments based on risk management principles.
Nevertheless, we've watched organizations sink a lot of money into security tools and elaborate scanning deployments, only to see teams stuck reviewing similar results, report after report, month after month, year after year. The monthly patch cycle is a necessary but relatively well-understood evil that likely won't end anytime soon. However, most companies regularly find problems in homegrown apps, missing patches that are quite a bit older than 30 days, and devices that aren't compliant with approved standards. Many of the failures leading to these findings are systemic in nature, and the ability to address root causes is often what separates an effective vulnerability management program from an ineffective one.

So how do we break the cycle of ineffectiveness? A few steps are critical.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Why else would HR ask me if I have a handicap?"
Current Issue
The Changing Face of Identity Management
Mobility and cloud services are altering the concept of user identity. Here are some ways to keep up.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio

The cybersecurity profession struggles to retain women (figures range from 10 to 20 percent). It's particularly worrisome for an industry with a rapidly growing number of vacant positions.

So why does the shortage of women continue to be worse in security than in other IT sectors? How can men in infosec be better allies for women; and how can women be better allies for one another? What is the industry doing to fix the problem -- what's working, and what isn't?

Is this really a problem at all? Are the low numbers simply an indication that women do not want to be in cybersecurity, and is it possible that more women will never want to be in cybersecurity? How many women would we need to see in the industry to declare success?

Join Dark Reading senior editor Sara Peters and guests Angela Knox of Cloudmark, Barrett Sellers of Arbor Networks, Regina Wallace-Jones of Facebook, Steve Christey Coley of MITRE, and Chris Roosenraad of M3AAWG on Wednesday, July 13 at 1 p.m. Eastern Time to discuss all this and more.