Vulnerabilities / Threats
11/6/2008
10:45 AM
50%
50%

Vulnerability Management That Works

IT must align its program with business values in order to succeed.

Alerts started firing from a system server sitting in the DMZ at a remote site of an oil producer. Analysts concluded that a vulnerability scanner had identified a significant security hole. Several e-mails, a few phone calls, and within a few minutes the organization had the information it needed.

The facts: The system in question was responsible for forwarding reports, which would be double-checked using other methods. It wasn't tied into any critical operations, it was relatively isolated, it didn't contain overly sensitive information, and exposure wouldn't affect nearby systems. And it was very remote. Patching would mean putting an IT person on a plane. The company decided that flying an IT administrator out to immediately patch wasn't worth the trouble or expense. The alert was noted and scheduled to be handled the next time someone did routine maintenance on the server.

The lesson here: For effective vulnerability management, apply risk management principles and logic relative to the business value.

InformationWeek Reports

Today's vulnerability landscape is mined with custom application exposures, infrastructure deficiencies like improperly secured wireless networks, and desktop- and end-user-centric attack methods. As recent breaches have illustrated, a criminal element has moved us from a world of chatty and poorly developed worms to one of stealthy, professionally developed, targeted malware.

IT must work with business units to determine a company-wide security posture that is within acceptable risk tolerance levels, create operational processes that address the computing environment as a whole, and select the right technology platforms to bolster those processes.

A WORKING PROCESS
Effective vulnerability management programs require the right balance of technology, business intelligence, and process.

Necessary technology includes vulnerability scanners, such as McAfee's FoundScan, Qualys' QualysScan, or Tenable Network Security's Nessus; application scanners, such as Hewlett-Packard's WebInspect and IBM's AppScan; and configuration and patch management tools. However, without several critical vulnerability management processes, these tools won't be as effective.

One vital process is reducing the exposure a company presents to adversaries--sometimes called "attack surface reduction." The term "attack surface" can refer to a program's susceptibility to various avenues of attack or to systems as a whole. Companies often use a combination of network design exercises, access management, and configuration management to reduce attack surfaces. For example, a system's attack surface can be reduced by exposing only required services to the network, disabling or removing unnecessary software, or limiting the number of users authorized to log on to a system.

An effective vulnerability management program also can help manage a company's overall security posture and risk tolerance. By aggregating vulnerability and incident data, IT can improve security. Trending and data correlation help show how internal activities and external events affect a company's risk profile. This analysis helps gauge the success of projects, such as patching and system maintenance, while identifying areas where more investment is needed.

Another benefit to vulnerability management programs is they that can help achieve compliance objectives. Technical standards, operational frameworks, regulations such as Sarbanes-Oxley, and industry-specific frameworks such as HIPAA and PCI have spurred companies to implement controls and report on their success. An effective vulnerability management program can help demonstrate compliance with established controls, as well as alert management to compliance problems. Tools and data correlation within a mature vulnerability management program can extract stats about default password length, expiration, and complexity requirements, and pull them into compliance reports.

DIG DEEPER
IT'S NOT A DREAM
Learn how your peers are targeting security investments based on risk management principles.
Nevertheless, we've watched organizations sink a lot of money into security tools and elaborate scanning deployments, only to see teams stuck reviewing similar results, report after report, month after month, year after year. The monthly patch cycle is a necessary but relatively well-understood evil that likely won't end anytime soon. However, most companies regularly find problems in homegrown apps, missing patches that are quite a bit older than 30 days, and devices that aren't compliant with approved standards. Many of the failures leading to these findings are systemic in nature, and the ability to address root causes is often what separates an effective vulnerability management program from an ineffective one.

So how do we break the cycle of ineffectiveness? A few steps are critical.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This is a secure windows pc.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.