From Running Scans to Building a Vulnerability Management Program
I perform the Vulnerability Assessments and Payment Card Industry Approved Scanning Vendor (PCI ASV) Scans at our information security firm. I have been running scans for over 100 different companies for the last year, and I see the same recurring vulnerabilities again and again. What I have also seen is that people do not understand what it means to manage vulnerabilities.
In the ever changing world of new vulnerabilities and associated threats, it is essential that an inventory is kept of the external systems, associated ports, services, and applications. If any one of these is unknown, or insecure, then the associated Risk Level changes. If you have not implemented a Vulnerability Management Program you could run into a couple of problems. First, you do not know what vulnerabilities you have, or you are not remediating the vulnerabilities that you are aware of. Second, if you are remediating vulnerabilities, then the allocation of resources is ineffective. The prioritization of remediation efforts is not being done and non-critical systems will have the same priority as mission-critical systems.
Proactive vs. Reactive Scanning
There are two types of scanning: Proactive and Reactive. Scanning because you are told to in order to comply with certain regulations such as the Payment Card Industry Data Security Standard (PCI DSS), amounts to Reactive Scanning. With regulations such as the PCI DSS requiring scanning on a regular basis, the effect of Reactive Scanning will have a diminishing return.
Contrast that approach with Proactive Scanning–which encompasses the following:
- Understanding what your network looks like internally and externally
- Running a scan on your internal and external systems on a regular basis
- Applying fixes to the vulnerabilities
- Running scans on new systems that are added to the network
This is Vulnerability Management. There is a common misconception about Vulnerability Management: simply running scans against your network and calling it a day is not Vulnerability Management.
The Problem – So many vulnerabilities, so little resources
If your company makes a billion dollars or less, there is a possibility that you have a security department of one. I had a client tell me they cannot afford to do a penetration test because he does not have the time to remediate everything that would be found. How can one person manage the vulnerabilities on the external presence as well as maintain the integrity of the internal network? Peter Drucker, a management visionary and author said, “You can’t manage what you can’t measure.” I would have to disagree. In my experience, when it comes to vulnerabilities and Vulnerability Management, even when you measure the vulnerabilities, it can still be hard to manage them.
The Solution – There IS Light at the End of the Tunnel
A solution to this chaos of managing vulnerabilities is a Managed Vulnerability Service. This service will assist you in securing your organization’s external as well as your internal presence.
There are three main components of a Managed Vulnerability Service:
Establishing a baseline of systems (categorized), ports/services, and vulnerabilities.
Continuously updating this baseline of known systems and ports/services; and ensuring a “clean” baseline (no vulnerabilities) is maintained.
Producing timely reports that reflect changes in the external posture, focusing on the “anomalies.”
In addition, IPs can be grouped by assets or business processes–a far superior approach than what is currently available.
When it comes to Vulnerability Management, the ultimate goal is to help generate a more mature security program. A Managed Vulnerability Service is a good way to get accurate information on the security of your systems. This information can also allow you to operationalize the remediation efforts on vulnerabilities that are found.