When Vulnerability Management Meets Compliance

New Dark Reading report offers advice on building a vulnerability management process that even your auditors will love

Richard Dreger, Contributor

January 13, 2010

4 Min Read

[Excerpted from "Compliance 101: Creating A Strong Vulnerability Management Strategy," a new report published today in Dark Reading's Vulnerability Management Tech Center.]

Finding and fixing security vulnerabilities in an enterprise is tough enough without someone looking over your shoulder. But when regulatory compliance requirements are involved -- and the auditors who come with them -- the process of vulnerability management brings on a new set of challenges.

So how can IT create a comprehensive vulnerability management plan? To crack this nut, we recommend a three-pronged approach that combines strong policies, well-disciplined operational procedures, and effective software validation tools.

The traditional approach to vulnerability scanning is to drop a system on the network, grab a network range, tweak a few configuration settings, and then start scanning away. Once the software is done, a report is generated to provide the next step: a to-do list. Simple enough.

The problem tends to surface when the report is actually scrutinized and turns into a mountain of action items, many of them false positives. And if incremental delta scans are not performed, it is hard to tell what has changed in the environment since the last run, so time is wasted reanalyzing items that have already been reviewed.

With a good vulnerability management process and proper selection of tools, you can minimize the false positives and reduce duplicate efforts.

The main weapon in IT's unending struggle to stay ahead of the bad guys isn't the hottest new security system. It's a process in which we identify vulnerabilities, rank them in a meaningful way based on business and compliance realities, and then decide whether to accept the risk, mitigate problems with appropriate fixes, or offload the risk to a third party. Not sexy, but vital.
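The delta-scan and ranking logic described above, as an added example that is not from the report or its author. It assumes a hypothetical flat export format, one finding per line as `host,port,check_id,title,severity` on a 1-5 severity scale, plus a hypothetical asset inventory giving each host a criticality and whether it sits in a regulated scope; the scan data, asset records and thresholds are constructed for illustration.

```python
"""Scan delta plus business-aware ranking (added example, not the report's code).

Assumed (hypothetical) inputs: scanner exports reduced to one finding per line,
'host,port,check_id,title,severity' (severity 1-5), and an asset inventory with
criticality (1-5), a regulated-scope flag and, optionally, a third party that
operates the host. All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str
    title: str
    severity: int

    def key(self):
        # Identity of a finding across scans: same host, port and check.
        return (self.host, self.port, self.check_id)


def parse_findings(text):
    """Parse the constructed export format, skipping blank and comment lines."""
    findings = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, check_id, title, severity = [f.strip() for f in line.split(",")]
        findings.append(Finding(host, int(port), check_id, title, int(severity)))
    return findings


def delta(previous, current):
    """Split the current scan into new, persisting and resolved findings so only
    new items need fresh analysis."""
    prev = {f.key(): f for f in previous}
    cur = {f.key(): f for f in current}
    new = [cur[k] for k in cur if k not in prev]
    persisting = [cur[k] for k in cur if k in prev]
    resolved = [prev[k] for k in prev if k not in cur]
    return new, persisting, resolved


def priority(finding, assets):
    """Severity weighted by asset criticality, doubled for hosts in regulated scope."""
    asset = assets.get(finding.host, {"criticality": 1, "regulated": False})
    score = finding.severity * asset["criticality"]
    if asset["regulated"]:
        score *= 2
    return score


def disposition(finding, score, assets):
    """Accept, mitigate or offload. Thresholds are illustrative, not from the report."""
    provider = assets.get(finding.host, {}).get("managed_by")
    if provider:
        return f"offload to {provider}"
    if score >= 20:
        return "mitigate now"
    if score >= 8:
        return "mitigate in next cycle"
    return "accept (document the risk)"


def rank(findings, assets):
    """Return (score, finding, disposition) tuples, highest priority first."""
    ranked = [(priority(f, assets), f, disposition(f, priority(f, assets), assets))
              for f in findings]
    return sorted(ranked, key=lambda r: (-r[0], r[1].host, r[1].port))


# Constructed sample scans: a previous run and the current run.
PREVIOUS_SCAN = """
# host,port,check_id,title,severity
10.0.0.5,443,CHK-SSLV2,SSLv2 enabled,4
10.0.0.5,22,CHK-SSH-OLD,OpenSSH outdated,3
10.0.0.9,80,CHK-DIRLIST,Directory listing enabled,2
"""
CURRENT_SCAN = """
10.0.0.5,443,CHK-SSLV2,SSLv2 enabled,4
10.0.0.9,80,CHK-DIRLIST,Directory listing enabled,2
10.0.0.9,3306,CHK-MYSQL-ANON,MySQL anonymous login,5
10.0.0.20,445,CHK-SMBV1,SMBv1 enabled,3
"""
# Constructed asset inventory (hypothetical hosts).
ASSETS = {
    "10.0.0.5": {"criticality": 4, "regulated": True},
    "10.0.0.9": {"criticality": 5, "regulated": True},
    "10.0.0.20": {"criticality": 2, "regulated": False, "managed_by": "hosting-provider"},
}

if __name__ == "__main__":
    new, persisting, resolved = delta(parse_findings(PREVIOUS_SCAN), parse_findings(CURRENT_SCAN))
    print(f"{len(new)} new, {len(persisting)} persisting, {len(resolved)} resolved")
    for score, f, action in rank(new, ASSETS):
        print(f"{score:>3}  {f.host}:{f.port}  {f.title}  ->  {action}")
```

Only the "new" list goes back to analysts; persisting items keep their earlier disposition, and resolved items close the loop with the auditors.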

As a first step, let's define the environment in which we'll be working. Security controls can be grouped loosely into three broad areas: management, operational, and technical.

Management controls include topics such as policies and the security posture. Operational controls involve how things are done in production, and technical controls address the more tangible software and/or hardware protections that implement the requirements specified by our policies. In practice, all three of these areas are required for a complete vulnerability management strategy.

To achieve compliance, IT must have a comprehensive, risk-based approach to managing security. This approach, regardless of the actual vulnerability management structure selected, must include strong supporting policies, some form of regular scanning for validation, and ongoing control enhancements to fix identified weaknesses.

We recommend a standardized approach for network scanning that includes:

Preparation: Before conducting any type of potentially invasive scan, proper preparations must be made. For consultants working at a client site, a rules of engagement (ROE) document must be drawn up that outlines the types of testing to be conducted and the proposed targets. Internal teams benefit from the same discipline: agree in writing on scope, timing, and who to call if a scan disrupts a production service.

Initial tool configuration: This is where parameters for the test are established. Although specifics will vary according to each product, common options include the depth of testing to be conducted, TCP/UDP ports to scan, username/passwords for authenticated scans, and other performance settings. These settings help determine exactly what the tool is going to be doing in the testing.

Discovery: Once testing parameters are decided and traffic is ready to begin traversing the network, targets must be identified and selected. Scanning tools allow IT to input specific network ranges, host names, or IP addresses when there is prior knowledge about the desired targets. When the inventory is incomplete, the scanner can also sweep a range to discover live hosts on its own.

Port discovery: Now that we have our target list, we seek to profile the hosts and see what ports they might be listening on. This process will give us some insight into the services and daemons that are running and set the stage for even deeper testing.

More invasive testing: So our initial checks have been performed, and we now have targets and available ports. The next step is to probe more deeply to understand what's running on the various open ports, try to discover possible version information, and gather even more data to profile our targets.
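The standardized workflow above carried through end to end, as an added example that is not from the report or its author. It is run against loopback so it works offline: a constructed local listener stands in for the target, the ROE ranges and the banner it sends are hypothetical, and targets are given as IP addresses rather than host names.

```python
"""Standardized scan workflow against loopback (added example, not the report's code).

Steps mirror the text: preparation (a rules-of-engagement scope check), tool
configuration (ports and timeout), discovery and port discovery (a TCP connect
scan), and a deeper probe (banner grab). The listener, ROE ranges and banner
are constructed for this example.
"""
import ipaddress
import socket
import threading

# Hypothetical rules of engagement: only these ranges may be touched.
ROE_ALLOWED = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/24")]
# Initial tool configuration (hypothetical values).
CONFIG = {"timeout": 0.5}


def in_scope(target, allowed=ROE_ALLOWED):
    """Preparation: refuse any target the rules of engagement do not cover."""
    addr = ipaddress.ip_address(target)
    return any(addr in net for net in allowed)


def start_fake_service(banner=b"SSH-2.0-ExampleDaemon_1.0\r\n"):
    """Constructed target: a loopback TCP listener that sends a banner and closes.
    Returns the port it was assigned."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(banner)
                except OSError:
                    pass  # client may already have hung up (e.g. during port discovery)

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Find a port nothing is listening on, for the closed-port case."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def port_discovery(host, ports, timeout=CONFIG["timeout"]):
    """Discovery/port discovery: TCP connect scan; returns the ports that accepted."""
    if not in_scope(host):
        raise ValueError(f"{host} is outside the rules of engagement")
    open_ports = []
    for p in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, p)) == 0:
                open_ports.append(p)
    return open_ports


def grab_banner(host, port, timeout=CONFIG["timeout"]):
    """More invasive testing: connect and read whatever the service volunteers."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode(errors="replace").strip()
        except socket.timeout:
            return ""


def profile(host, ports):
    """Run the workflow end to end and return {open_port: banner}."""
    return {p: grab_banner(host, p) for p in port_discovery(host, ports)}


if __name__ == "__main__":
    target = "127.0.0.1"
    svc = start_fake_service()
    for port, banner in profile(target, [unused_port(), svc]).items():
        print(f"{target}:{port} open  banner={banner!r}")
```

The scope check runs before a single packet leaves the scanner; a real engagement would also log every target, port list and time window so the auditors can match activity to the ROE.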

To complete the vulnerability management process, enterprises must also perform even deeper tests, including full-scale penetration testing. To learn more about these tests, and how to document and report the results, download the full report for free.


About the Author(s)

Richard Dreger


Rick is co-founder and president of WaveGard. With nearly 20 years of experience in the cybersecurity and related enterprise technology fields, Rick enjoys solving complex business IT problems. He has an EE/BME degree from Duke University and a Masters of Computer Engineering from Villanova University.

