Vulnerabilities / Threats
11/6/2008
10:45 AM
50%
50%

Vulnerability Management That Works

IT must align its program with business values in order to succeed.

Alerts started firing from a system server sitting in the DMZ at a remote site of an oil producer. Analysts concluded that a vulnerability scanner had identified a significant security hole. Several e-mails, a few phone calls, and within a few minutes the organization had the information it needed.

The facts: The system in question was responsible for forwarding reports, which would be double-checked using other methods. It wasn't tied into any critical operations, it was relatively isolated, it didn't contain overly sensitive information, and exposure wouldn't affect nearby systems. And it was very remote. Patching would mean putting an IT person on a plane. The company decided that flying an IT administrator out to immediately patch wasn't worth the trouble or expense. The alert was noted and scheduled to be handled the next time someone did routine maintenance on the server.

The lesson here: For effective vulnerability management, apply risk management principles and logic relative to the business value.

InformationWeek Reports

Today's vulnerability landscape is mined with custom application exposures, infrastructure deficiencies like improperly secured wireless networks, and desktop- and end-user-centric attack methods. As recent breaches have illustrated, a criminal element has moved us from a world of chatty and poorly developed worms to one of stealthy, professionally developed, targeted malware.

IT must work with business units to determine a company-wide security posture that is within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes.

A WORKING PROCESS
Effective vulnerability management programs require the right balance of technology, business intelligence, and process.

Necessary technology includes vulnerability scanners, such as McAfee's FoundScan, Qualys' QualysScan, or Tenable Network Security's Nessus; application scanners, such as Hewlett-Packard's WebInspect and IBM's AppScan; and configuration and patch management tools. However, without several critical vulnerability management processes, these tools won't be as effective.

One vital process is reducing the exposure a company presents to adversaries--sometimes called "attack surface reduction." The term "attack surface" can refer to a program's susceptibility to various avenues of attack or to systems as a whole. Companies often use a combination of network design exercises, access management, and configuration management to reduce attack surfaces. For example, a system's attack surface can be reduced by exposing only required services to the network, disabling or removing unnecessary software, or limiting the number of users authorized to log on to a system.

An effective vulnerability management program also can help manage a company's overall security posture and risk tolerance. By aggregating vulnerability and incident data, IT can improve security. Trending and data correlation help show how internal activities and external events affect a company's risk profile. This analysis helps gauge the success of projects, such as patching and system maintenance, while identifying areas where more investment is needed.

Another benefit to vulnerability management programs is they that can help achieve compliance objectives. Technical standards, operational frameworks, regulations such as Sarbanes-Oxley, and industry-specific frameworks such as HIPAA and PCI have spurred companies to implement controls and report on their success. An effective vulnerability management program can help demonstrate compliance with established controls, as well as alert management to compliance problems. Tools and data correlation within a mature vulnerability management program can extract stats about default password length, expiration, and complexity requirements, and pull them into compliance reports.

DIG DEEPER
IT'S NOT A DREAM
Learn how your peers are targeting security investments based on risk management principles.
Nevertheless, we've watched organizations sink a lot of money into security tools and elaborate scanning deployments, only to see teams stuck reviewing similar results, report after report, month after month, year after year. The monthly patch cycle is a necessary but relatively well-understood evil that likely won't end anytime soon. However, most companies regularly find problems in homegrown apps, missing patches that are quite a bit older than 30 days, and devices that aren't compliant with approved standards. Many of the failures leading to these findings are systemic in nature, and the ability to address root causes is often what separates an effective vulnerability management program from an ineffective one.

So how do we break the cycle of ineffectiveness? A few steps are critical.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?