Vulnerabilities / Threats
11/6/2008
10:45 AM
Connect Directly
RSS
E-Mail
50%
50%

Vulnerability Management That Works

IT must align its program with business values in order to succeed.

Alerts started firing from a system server sitting in the DMZ at a remote site of an oil producer. Analysts concluded that a vulnerability scanner had identified a significant security hole. Several e-mails, a few phone calls, and within a few minutes the organization had the information it needed.

The facts: The system in question was responsible for forwarding reports, which would be double-checked using other methods. It wasn't tied into any critical operations, it was relatively isolated, it didn't contain overly sensitive information, and exposure wouldn't affect nearby systems. And it was very remote. Patching would mean putting an IT person on a plane. The company decided that flying an IT administrator out to immediately patch wasn't worth the trouble or expense. The alert was noted and scheduled to be handled the next time someone did routine maintenance on the server.

The lesson here: For effective vulnerability management, apply risk management principles and logic relative to the business value.

InformationWeek Reports

Today's vulnerability landscape is mined with custom application exposures, infrastructure deficiencies like improperly secured wireless networks, and desktop- and end-user-centric attack methods. As recent breaches have illustrated, a criminal element has moved us from a world of chatty and poorly developed worms to one of stealthy, professionally developed, targeted malware.

IT must work with business units to determine a company-wide security posture that is within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes.

A WORKING PROCESS
Effective vulnerability management programs require the right balance of technology, business intelligence, and process.

Necessary technology includes vulnerability scanners, such as McAfee's FoundScan, Qualys' QualysScan, or Tenable Network Security's Nessus; application scanners, such as Hewlett-Packard's WebInspect and IBM's AppScan; and configuration and patch management tools. However, without several critical vulnerability management processes, these tools won't be as effective.

One vital process is reducing the exposure a company presents to adversaries--sometimes called "attack surface reduction." The term "attack surface" can refer to a program's susceptibility to various avenues of attack or to systems as a whole. Companies often use a combination of network design exercises, access management, and configuration management to reduce attack surfaces. For example, a system's attack surface can be reduced by exposing only required services to the network, disabling or removing unnecessary software, or limiting the number of users authorized to log on to a system.

An effective vulnerability management program also can help manage a company's overall security posture and risk tolerance. By aggregating vulnerability and incident data, IT can improve security. Trending and data correlation help show how internal activities and external events affect a company's risk profile. This analysis helps gauge the success of projects, such as patching and system maintenance, while identifying areas where more investment is needed.

Another benefit to vulnerability management programs is they that can help achieve compliance objectives. Technical standards, operational frameworks, regulations such as Sarbanes-Oxley, and industry-specific frameworks such as HIPAA and PCI have spurred companies to implement controls and report on their success. An effective vulnerability management program can help demonstrate compliance with established controls, as well as alert management to compliance problems. Tools and data correlation within a mature vulnerability management program can extract stats about default password length, expiration, and complexity requirements, and pull them into compliance reports.

DIG DEEPER
IT'S NOT A DREAM
Learn how your peers are targeting security investments based on risk management principles.
Nevertheless, we've watched organizations sink a lot of money into security tools and elaborate scanning deployments, only to see teams stuck reviewing similar results, report after report, month after month, year after year. The monthly patch cycle is a necessary but relatively well-understood evil that likely won't end anytime soon. However, most companies regularly find problems in homegrown apps, missing patches that are quite a bit older than 30 days, and devices that aren't compliant with approved standards. Many of the failures leading to these findings are systemic in nature, and the ability to address root causes is often what separates an effective vulnerability management program from an ineffective one.

So how do we break the cycle of ineffectiveness? A few steps are critical.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0607
Published: 2014-07-24
Unrestricted file upload vulnerability in Attachmate Verastream Process Designer (VPD) before R6 SP1 Hotfix 1 allows remote attackers to execute arbitrary code by uploading and launching an executable file.

CVE-2014-1419
Published: 2014-07-24
Race condition in the power policy functions in policy-funcs in acpi-support before 0.142 allows local users to gain privileges via unspecified vectors.

CVE-2014-2360
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules allow remote attackers to execute arbitrary code via packets that report a high battery voltage.

CVE-2014-2361
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules, when BreeZ is used, do not require authentication for reading the site security key, which allows physically proximate attackers to spoof communication by obtaining this key after use of direct hardware access or manual-setup mode.

CVE-2014-2362
Published: 2014-07-24
OleumTech WIO DH2 Wireless Gateway and Sensor Wireless I/O Modules rely exclusively on a time value for entropy in key generation, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by predicting the time of project creation.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.