As a security professional with over 20 years’ experience working with multiple frameworks and verticals across the security industry, one of the issues I’m most commonly asked about is Vulnerability Management. Organizations of all sizes struggle with how to properly identify and manage vulnerabilities within their environments. But as daunting a challenge as Vulnerability Management can be, there are some key elements that can quickly and easily be implemented to help you build an effective program to manage vulnerabilities efficiently.
This two-part post will provide you with concepts and ideas that will help you to identify some of those critical items that you should be considering as you build or mature your organization’s specific Vulnerability Management Program.
Definition of a Vulnerability
The ISO 27001 standard for ISO Information Security Management Systems defines a vulnerability as “a weakness of an asset or control that could potentially be exploited by one or more threats.” Additionally, ISO further defines a threat as any “potential cause of an unwanted incident, which may result in harm to a system or organization.”
Now that we know what defines a vulnerability, let’s look at some of the steps/best practices that will help you identify your threat landscape and help you to effectively manage risk.
Systems Inventory and Classification
In order to build an effective vulnerability management program, you must first determine what it is that you are protecting. This applies to not only computing systems and storage networks, but also data types and third-party systems as well. Below is a list of best practices for you to consider:
- Inventory all assets connected to your network; you can’t manage what you don’t know about.
- Identify critical systems as well as at-risk systems; these will require increased scan frequencies.
- Review and classify all vulnerabilities and associated threats.
- Establish a patch management process and Computer Emergency Response Team (CERT).
- Establish Remediation Timelines (example: Normal = 90 days, Medium = 30 Days, High Risk/Zero Day = Immediate).
- Rate risks according to your organization’s stated risk categorization and assign a remediation timeline to each risk.
The next step is to find those vulnerable systems, partners and ingress points on your network through a vulnerability testing/scanning process.
Vulnerability scanning is designed to be detective in nature. In order for this to be effective and provide the maximum benefit for your efforts, you must establish a clear scanning process and schedule. Scanning should be conducted on a regular basis, as new threats are being identified continually. Best practices for vulnerability scanning include:
- Established scanning frequencies should be based on the criticality and risk associated with each asset or group of assets.
- Ongoing scans should minimally encompass critical and high-risk assets.
- All systems should be scanned routinely; establish a strategy to ensure a systematic scanning frequency for less critical assets.
- When conducting scans, do so in a random order to ensure potential threats cannot use your schedules against you to plan attacks.
The next phase in the vulnerability management lifecycle is to review the findings and determine where the organization should focus its efforts for remediation. Several factors come into play here, and it’s important to understand that, although a vulnerability may be issued with a severe or high-risk identifier, it may not be a high risk to you. Always evaluate vulnerabilities based on your environment and controls. A low vulnerability could potentially be a high risk for you and vice versa based, on your environment and implemented security controls.
Vulnerability Risk Analysis and Review
Scanning results are not of value unless they are being fully reviewed and evaluated for inherent risk. Therefore, scan results should be reviewed on a regular basis and assigned a remediation priority based on your organization’s accepted risk tolerance. Core best practices include:
- Review and understand the results of the scan data. Cross-reference the results to ensure multiple vulnerabilities cannot be combined, resulting in an increased threat/risk to the security of your organization.
- Review and validate findings with system and technical owners to ensure any false positives are eliminated from your Vulnerability Management lifecycle.
- Assign a remediation timeline to each vulnerable asset with due dates and milestones, and assign the workflow to the appropriate system owner for remediation.
Part 2 of this post will focus on the final steps and approaches to proper Vulnerability Management within your organization:
- Remediation strategies
- Executive reporting and tracking of vulnerability statistics
- Some additional program considerations to help you mature your program
As your trusted partner in security, Pivot Point is here to help you develop your security program and minimize risk. If you are interested in learning more about how we can help you to build an effective vulnerability management program, please contact our team today to discuss our process and options.