Vulnerability management is viewed by some as an esoteric security management activity. Others see it as a simple process that needs to be done with Microsoft Corp.’s monthly patch update. Yet another group considers it a marketing buzzword made up by vendors.
This article will look at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas.
remediation activities as well as the actual act of patching, hardening or reconfiguration.
benefits than a high-tech patch management system will. There are many glaring weaknesses in IT policies and infrastructures. Let’s not forget that policy weaknesses are vulnerabilities, too. For example, if you do not enforce a policy for a minimum password length, you have a clear policy weakness that scanners are not likely to discover and that patching will not resolve.
Thus, weak passwords, lack of data-confidentiality awareness and lack of a standard, hardened, workstation configuration can do more to ruin your security posture and increase your risk than any single hole in a piece of software.
According to Gartner Inc. analysts, “The vulnerability management process includes policy definition, environment baselining, prioritization, shielding, mitigation as well as maintenance and monitoring.”
Indeed, the vulnerability management process starts from a policy definition document that covers an organization’s assets (such as systems and applications) and their users. Such a document and the accompanying security procedures should define the scope of the vulnerability management effort as well as postulate a “known good” state of those IT resources.
The first mistake is scanning for vulnerabilities, but then not acting on the results. Vulnerability scanners have become a staple at many organizations. Scanning technology has matured in recent years, and the tools’ accuracy, speed and safety have improved dramatically.
However, modern commercial and open-source scanners still suffer from the same disease that troubled early intrusion-detection systems (IDS): They are too noisy, since they produce too many alerts, for various reasons. In addition, they don’t tell you what you should do about those vulnerability notices, just as most IDSs don’t tell you whether you should care about a particular alert.
Thus, vulnerability management is not scanning; it includes it, but what happens after the scan is even more important. This includes asset inventory, prioritizing and researching the
It’s true that patching is the way to repair many widespread vulnerabilities. Even some industry experts proclaim that vulnerability management is simple: Just patch all those pesky problems, and you’re done.
However, many vulnerabilities can’t be fixed by simply updating to the latest product version. They require tweaking and reconfiguring various system parameters. Indeed, vulnerability management was born out of a need to intelligently prioritize and fix discovered vulnerabilities, whether by patching or other means.
So if you are busy every second Tuesday but not doing anything to eliminate a broad range of enterprise vulnerabilities during the other 29 days in a month, you are not managing your vulnerabilities.
If you think that vulnerability management is only a technical problem, then you’re in for a surprise. To be effective, it also involves attention to policy and process improvements. In fact, focusing on process and the “softer” side of the vulnerability conundrum will often bring more
The fourth mistake is committed by those who try to follow a proper vulnerability management process, but when they get to the critical challenge of prioritizing the vulnerabilities, they ignore the threat angle of the prioritization. Namely, they try to assess the importance of the vulnerabilities (and, thus, the urgency of their response) based only on the vulnerabilities themselves without looking at the threat profiles and business roles of the affected systems.
For example, a Web server with an unpatched vulnerability deployed in the DMZ, where it is subject to constant probing and attacks, needs to be patched much sooner than a test system deep in the bowels of the en-
References:
Archives