Introduction

It is quite obvious that every organization wants to serve its clients without any interruptions. If not handled properly, the presence of even a small vulnerability in a system or in the network may lead to interruption of the services offered to clients. This may result in losing the trust of clients or in loss of revenue.

Vulnerability assessment is a simple process of identifying and reporting vulnerabilities.

It provides a way to detect and resolve security problems before someone or something can exploit them. By conducting periodic vulnerability assessments, management can validate the security measures they have deployed.

So, what is a vulnerability?

In general terms, vulnerabilities are the result of programming errors and/or misconfigurations which, if exploited by people with malicious intent, may lead to the compromise of the system or of the whole network.

The majority of software-related vulnerabilities result from vendors not employing best security practices during the design phase of the application, from coders who have not been taught how to code securely, or from inadequate testing of the application before releasing it to the public.

Lack of training, lack of a thorough understanding of the application, and default installations are the sources of misconfigurations. Examples of misconfigurations include, but are not limited to, leaving unnecessary services open, assigning incorrect file permissions, and using poor controls for passwords and other settings that a system administrator can set. All of the above would leave the application or system vulnerable.

What is a Vulnerability Management (VM) Program?

To prevent damage or downtime it is necessary to incorporate an effective enterprise-wide VM program. It may be that, because of business requirements or lack of time and technology, it is not possible to address all the identified vulnerabilities.

However, employing a combination of standard operating procedures for configuring systems and applications and a strong VM program that keeps systems up to date with the latest patches will effectively close 80-90 percent of the risk. Please note that there is no 100 percent security.

Nowadays, many organizations are implementing enterprise-wide VM programs, and only a few of them are reaping the benefits. The reason is that VA (Vulnerability Assessment) is not a one-time activity, and it cannot be put in the 'deploy and forget' category. It is an ongoing activity; it must follow the complete cycle of plan, do, check and act.

The expected result of an effectively managed VM program is to reduce the time and money spent dealing with vulnerabilities and to minimize exploitation of those vulnerabilities. Proactively managing vulnerabilities in systems and applications will reduce or eliminate the potential for exploitation and involves considerably less time and effort than responding after exploitation has occurred.

What happens if you don’t do it?

According to CERT, 7236 vulnerabilities were reported in 2007 and 4110 were reported for Q1 and Q2 of 2008. This list does not include non-disclosed and non-public vulnerabilities. According to ISS, in 2007 over 130,000 vulnerabilities had been identified, which includes all kinds of vulnerabilities.

However, not every one of these vulnerabilities will be present on every network, and not every vulnerability is as serious as the others. But there is no way to know the impact of these vulnerabilities on a given network without looking directly at how they affect that network.

Due to the availability of automated tools and exploitation frameworks, most hackers, script kiddies or even a person with minimal knowledge of IT could exploit the known vulnerabilities and misconfigurations, resulting in huge losses to organizations.

The other reason why organizations need to develop a strong VM program is to meet their regulatory obligations.

The VM Program

Building an effective VM program requires analysis and planning. Let's see how an effective enterprise-wide VM program could be implemented.

The first step towards implementing a successful VM program is to define a policy; this is necessary to show that management is aware of the program and is committed to supporting it. The policy should cover details such as the scope of the program, the roles and responsibilities of the stakeholders, the frequency or periodicity of the scans, auditing of the program, etc.

A VM program is the culmination of interaction between people, process, products (technology) and partners (the 4 'P's). Let's look more closely at the 4 'P's.

  • People: VM Team
  • Process: VM Process
  • Products: Products or technology that is needed
  • Partners: Tie ups with the partners and solution providers.

The VM Team

After getting management's support, the Security Department or CISO, with the help of senior executives, needs to formulate a vulnerability management team comprising representatives from security operations, IT operations and other stakeholders such as Engineering and QA. These representatives should have knowledge of the networks, operating systems and applications being used in the organization. The VM team is the central point for vulnerability remediation efforts. Ideally, someone from the security department should lead the team. The security department should own the process, and the responsibility for scanning, notifying and implementing should be delegated to VM team members. The following are some of the responsibilities the VM team would have:

  • Conducting VA’s
  • Prioritizing the findings
  • Identifying the remediation
  • Testing the remediation or coordinating the testing
  • Implementing or deploying the remediation.
  • Follow-ups

The VM Process

Let's look at the process part of the VM program. After formulating the VM team, it is good to define a process for conducting vulnerability scans on a periodic basis. Ideally, the security department should define and own the process.

The VM process would ideally begin with taking an inventory of the systems, followed by baselining the systems and grouping the systems.

  • Inventory of the Systems: The VM team needs to capture and maintain an inventory of the organization's IT resources. The database should contain up-to-date details of the systems and software being used in the organization. The minimum details that need to be captured are IP address, MAC address, host name, OS details, OS patch level, installed software and services, and, if possible, physical location and the owner/custodian of the system.
  • Baseline the Systems: All systems should be configured according to the defined baseline standards. The standard should cover the list of authorized software, with the latest updates/patches, that can be installed, along with their configurations. At the end of the VM process the resulting findings and remedies should be incorporated into the baseline standards.
  • Grouping the Systems: Once the inventory is ready, it is necessary to group the systems logically based on their criticality. All systems should be classified into critical and non-critical systems. Further, critical and non-critical systems can be classified by geographical location or time zone (if the organization has multiple locations) for scheduling the scans. This helps in managing the systems effectively in terms of scheduling the scans and controlling the load/bandwidth in WAN environments.
  • Vulnerability Scans: Scanning should be carried out as per the periodicity defined in the policy; apart from that, it is recommended to conduct a scan whenever a vendor releases a patch or any change is made to the infrastructure. Scan profiles or templates should be created based on the baseline standards defined as explained in the earlier section. This will help reduce the scan time by eliminating unwanted checks/plug-ins.
  • Prioritizing the Findings: Based on the scan results, the VM team should prioritize the findings as High, Medium or Low for a particular scan and repeat the same exercise for the rest of the scans.
  • Identifying the Remedies: Based on the type of vulnerability identified in the scans, the VM team should identify the appropriate solution, either the latest update/patch or a configuration change, for the vulnerable systems.
  • Testing the Remedies: All identified remedies or solutions need to be tested before deployment. Testing should be conducted in a controlled environment; a dedicated testing lab with identical systems should be used for this. The VM team can take help from the concerned departments for testing the remediation.
  • Implementing or Deploying the Remedies: Once testing is completed, the VM team can start deploying the remedies to the vulnerable systems. Baseline standards or base builds should be updated with the identified remedies. The VM team can take the help of operations for deploying the remedy.
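As an added example that is not part of the original article: a small Python script tying together the inventory, baseline and prioritization steps above. The host records, the baseline values, the severity scores and the rule that a finding on a critical system is raised one level are all constructed assumptions for illustration.

```python
"""Added example: compare an inventory against a baseline standard and rank
the deviations High/Medium/Low by base severity and system criticality.
All data below is constructed for illustration, not from a real environment."""
from dataclasses import dataclass

@dataclass
class Host:
    name: str
    ip: str
    os: str
    patch_level: int   # cumulative patch level recorded in the inventory
    software: dict     # installed package name -> version
    critical: bool     # result of the grouping step

# Hypothetical baseline: minimum OS patch level, authorized software versions
# and services that the standard says must not be present.
BASELINE = {
    "os_min_patch": 12,
    "software": {"openssh": "8.9", "apache": "2.4.58"},
    "forbidden": {"telnetd"},
}
INVENTORY = [
    Host("web01", "10.0.1.10", "linux", 12, {"openssh": "8.9", "apache": "2.4.57"}, True),
    Host("db01", "10.0.1.20", "linux", 9, {"openssh": "8.9"}, True),
    Host("test01", "10.0.2.30", "linux", 12, {"openssh": "8.9", "telnetd": "0.17"}, False),
    Host("test02", "10.0.2.31", "linux", 12, {"openssh": "8.8"}, False),
]

def baseline_deviations(inventory, baseline):
    """Compare every host to the baseline; return (host, issue, base severity 1-3)."""
    findings = []
    for h in inventory:
        if h.patch_level < baseline["os_min_patch"]:
            findings.append((h, f"OS patch level {h.patch_level} below {baseline['os_min_patch']}", 3))
        for name, ver in h.software.items():
            if name in baseline["forbidden"]:
                findings.append((h, f"unauthorized service {name} installed", 2))
            elif name in baseline["software"] and ver != baseline["software"][name]:
                findings.append((h, f"{name} {ver} differs from baseline {baseline['software'][name]}", 1))
    return findings

def prioritize(findings):
    """Label High/Medium/Low; a finding on a critical system is raised one step."""
    labels = {1: "Low", 2: "Medium", 3: "High"}
    order = ["High", "Medium", "Low"]
    ranked = [(labels[min(3, sev + int(host.critical))], host.name, issue)
              for host, issue, sev in findings]
    return sorted(ranked, key=lambda r: order.index(r[0]))
```

Running `prioritize(baseline_deviations(INVENTORY, BASELINE))` puts the unpatched critical database server first and the version drift on a non-critical test box last, which is the ordering the remediation queue should follow.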

Products or Technology

  • VA Tools: There are numerous tools available for enterprise-wide vulnerability assessments, and some vendors also provide services in this arena. Therefore, the organization needs to evaluate and decide on the tool that best suits its needs. Examples: Nessus, McAfee Foundstone and QualysGuard, etc.
  • Testing: Virtualization software such as VMware or MS Virtual Server could be considered for evaluating the remedies.
  • Patching or deployment tools: GFI LANguard, Windows SMS, etc.

Partners

  • The last link in the VM program is Partners. The VM team needs to be in touch with product vendors with respect to the latest updates or patches to their products.
  • The VM team also needs to subscribe to various public mailing lists in order to get details about security threats and related remedies.
  • The entire VM program can be outsourced to a partner, who shall be responsible for carrying out the program as defined in the organization's policy.

Critical Success Factors

Management Support: The initial requisite for this, as for any other enterprise-wide initiative, is management support in terms of backing the team and providing resources and a sufficient budget.

Co-ordination: The VM team needs to be supported by the other departments, which help it test the remedies and deploy them on the systems/applications each department owns.

Related Processes: The VM process needs to be supported by other processes such as incident, change and patch management.

Governance

The CIO or CISO needs to monitor and check the effectiveness of the VM program. For this, independent security audits/reviews should be performed periodically and the audit reports submitted to the CIO or CISO.