Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:22 PM
Connect Directly

When Vulnerability Management Meets Compliance

New Dark Reading report offers advice on building a vulnerability management process that even your auditors will love

[Excerpted from "Compliance 101: Creating A Strong Vulnerability Management Strategy," a new report published today in Dark Reading's Vulnerability Management Tech Center.]

Finding and fixing security vulnerabilities in an enterprise is tough enough without someone looking over your shoulder. But when regulatory compliance requirements are involved -- and the auditors who come with them -- the process of vulnerability management brings on a new set of challenges.

So how can IT create a comprehensive vulnerability management plan? To crack this nut, we recommend a three-pronged approach that combines strong policies, well-disciplined operational procedures, and effective software validation tools.

The traditional approach to vulnerability scanning is to drop a system on the network, grab a network range, tweak a few configuration settings, and then start scanning away. Once the software is done, a report is generated to provide the next step: a to-do list. Simple enough.

The problem, however, always seems to come when the report is actually scrutinized, and voluminous action items are being generated. There are just too many false positives. And if incremental delta scans are not being performed, it can be difficult to determine what has changed in the environment, so time is wasted reanalyzing items that have already been reviewed.

With a good vulnerability management process and proper selection of tools, you can minimize the false positives and reduce duplicate efforts.

The main weapon in IT's unending struggle to stay ahead of the bad guys isn't the hottest new security system. It's a process in which we identify vulnerabilities, rank them in a meaningful way based on business and compliance realities, and then decide whether to accept the risk, mitigate problems with appropriate fixes, or offload the risk to a third party. Not sexy, but vital.

As a first step, let's define the environment in which we'll be working. Security controls can be grouped loosely into three broad areas: management, operational, and technical.

Management controls include topics such as policies and the security posture. Operational controls involve how things are done in production, and technical controls address the more tangible software and/or hardware protections that implement the requirements specified by our policies. In practice, all three of these areas are required for a complete vulnerability management strategy.

To achieve compliance, IT must have a comprehensive, risk-based approach to managing security. This approach, regardless of the actual vulnerability management structure selected, must include strong supporting policies, some form of regular scanning for validation, and ongoing control enhancements to fix identified weaknesses.

We recommend a standardized approach for network scanning that includes:

Preparation: Before conducting any type of potentially invasive scan, proper preparations must be made. For consultants working at a client site, a rules of engagement (ROE) document must be drawn up that outlines the types of testing to be conducted and the proposed targets.

Initial tool configuration: This is where parameters for the test are established. Although specifics will vary according to each product, common options include the depth of testing to be conducted, TCP/UDP ports to scan, username/passwords for authenticated scans, and other performance settings. These settings help determine exactly what the tool is going to be doing in the testing.

Discovery: Once testing parameters are decided and traffic is ready to begin traversing the network, targets must be identified and selected. Scanning tools allow for IT to input specific network ranges, host names, or IP addresses when there is prior knowledge about the desired targets. Devices can also be discovered.

Port discovery: Now that we have our target list, we seek to profile the hosts and see what ports they might be listening on. This process will give us some insight into the services and daemons that are running and set the stage for even deeper testing.

More invasive testing: So our initial checks have been performed, and we now have targets and available ports. The next step is to probe more deeply to understand what's running on the various open ports, try to discover possible version information, and gather even more data to profile our targets.

To complete the vulnerability management process, enterprises must also perform even deeper tests, including full-scale penetration testing. To learn more about these tests, and how to document and report the results, download the full report for free.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Rick is co-founder and president of WaveGard. With nearly 20 years of experience in the cybersecurity and related enterprise technology fields, Rick enjoys solving complex business IT problems. He has an EE/BME degree from Duke University and a Masters of Computer Engineering ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.