147
Summary
Solutions Fast Track
Introduction
Back in the good old days, the typical approach to vulnerability management was to have the security group identify threats and then “toss” them to infor- mation technology (IT) administrators for remediation. As the number of security threats mounted over the years, this casual approach was no longer viable. In previous chapters, we discussed vulnerability discovery through the use of vulnerability assessment (VA) scanners, patch management, and config- uration management tools. However, vulnerability management requires more than just the use of one of these previously mentioned tools.
Vulnerability managementis best defined as the overall process of managing the risk presented to an enterprise due to vulnerabilities, whether they are software or hardware related. Vulnerability management ties directly into vul- nerability discovery and vulnerability assessment in many ways, and depends greatly on the patch management process as well.
Vulnerability management also includes the grouping of security practices and processes which assist in managing security liabilities, allowing you to integrate vulnerability management into existing information security and IT workflows.
This chapter outlines the building blocks of a vulnerability management program and discusses what’s necessary to maintain an effective program.
N
OTEDon’t assume that large enterprises solve the vulnerability management problem simply by throwing people at it. Regardless of an organization’s size, you can’t address vulnerability management by adding more people to the team. For example, one large international corporation created a team of more than fifty people dedicated to vulnerability management and patch deployment. Despite having labs dedicated to testing patches and fixes, the company still couldn’t keep up with the tide of work, pri- marily because of poor and undocumented processes.
The Vulnerability Management Plan
As with any plan, unless it’s documented, receives appropriate sponsorship, and is effectively communicated, it’s probably not very attainable.The same holds true for a vulnerability management plan.You must document the plan’s goals, objectives, and success criteria.To help the plan along, you also must receive executive buy-in and sponsorship if you hope for the plan to be effec- tive. Without senior management support, the ability to enforce vulnerability management policies, processes, and practices is forever hampered.
N
OTEHistorically, vulnerability assessment has been viewed as a technology or IT problem, and not an organizational or risk management problem.
In an effort to garner senior management buy-in, your vulnerability man- agement plan must be measurable and mapped to organizational risk as well as IT risk. By doing this, you can change senior management’s predisposition regarding vulnerability management and get them to understand that this is a business issue and not solely an IT matter.
Planning a vulnerability management program is no different from plan- ning for any other project or program. As mentioned earlier, the plan should clearly articulate its intent and relevance to the business. If you have not established a vulnerability management program, the following five steps can help you in this endeavor:
1. Gain an understanding of your organization’s tolerance and appetite for risk.
2. Define acceptable levels of risk and timeframes in which elevated levels of risk are to be remediated.
3. Establish asset and vulnerability classifications. Understanding which assets are important to the business and coming up with a vulnera- bility classification system will increase the effectiveness and effi- ciency of your vulnerability management program.
4. Assign roles and responsibilities. Identify and document asset owners, custodians, and the entity responsible for an asset’s remediation. 5. Finally, develop a method for measuring the program’s success. If you
can’t measure it, you can’t attest that the organization is operating within or at an acceptable level of risk.
A well-thought-out and vetted vulnerability management plan will receive input from various business units and all levels of management from within the company.This is especially true when developing a vulnerability manage- ment plan for the first time, as information about security is shared across multiple layers of the organization in an attempt to map information security to business risk.
The Six Stages
of Vulnerability Management
Establishing a vulnerability management plan is pretty straightforward, but the devil is in the details of your environment. As mentioned earlier, vulnerability management comprises the identification, assessment, remediation, and moni- toring of software and hardware vulnerabilities. In total, a vulnerability man- agement plan consists of six stages, as shown in Figure 7.1.
Figure 7.1 Stages of a Vulnerability Management Plan
Monitor Identification
Assessment
Remediate Report
Stage One: Identify
The critical first step in vulnerability management is to identify, check, and track all the information assets attached to your network. Establishing an asset inven- tory is the first port of call for understanding the “vulnerability terrain.”
Maintaining an accurate asset database often is unattainable for many companies; however, without an accurate asset inventory, a vulnerability management plan will be severely hampered and possibly doomed to failure.The accuracy of your inventory impacts your ability to know which security alerts are applicable to your environment.
N
OTEInevitably, you’ll forget about some of the technologies in place at your organization, only to stumble across them years later, littering the dark corners of your data centers and closets. Typically, such technologies include machines in development labs, nomadic home/work machines, machines hidden behind a network address translator device, vendor- maintained devices, fax machines, printers, and many other rogue and network-aware devices.
Other, more obscure examples include production machinery (factory robots), supervisory control and data acquisition devices, and medical equipment. These devices are just as susceptible to vulnerabilities as mainstream technologies are (sometimes they’re even more susceptible). Don’t discount them!
The types of technologies that you have implemented within your organi- zation map directly back to the types of vulnerabilities present in your envi- ronment. Leveraging an accurate asset inventory will help you to ensure that only applicable vulnerability information is processed or considered within your environment.
If you don’t already possess an up-to-date asset database, you should leverage the following best practices before creating one:
■ Establish a single point of authority for the inventory.
■ Establish a process to update the asset management system via inputs and outputs from the change management process.
■ Use an asset numbering scheme and consistent abbreviations and notations when entering data.
■ Validate the inventory at least annually to ensure its accuracy.
■ Ensure that the classification of each asset is recorded (refer to Chapter 1 for asset classification guidance).
■ Ensure that the inventory database is extensible, because you might add additional information to the asset record down the road (for example, the last day and time that the asset was assessed for vulnerabilities).
Stage Two: Assess
Having established the list of assets to be assessed, you can now turn your attention to assessing your corporate assets for vulnerabilities. As part of the assessment, you must classify as well as identify the level of criticality each dis- covered vulnerability represents. Categorizing a vulnerability as having a high, medium, or low level of severity will help you to prioritize your remediation efforts later.
Vulnerability identification is the cornerstone of the vulnerability manage- ment process, and we covered it in more detail in Chapter 2. As noted in that chapter, you should make scanning and remediation a priority.You should first assess your highly sensitive, mission-critical systems and line-of-business sys- tems, followed by the rest of the assets within your organization. How you prioritize the remaining assets is subjective, and each company does it differ- ently.You may choose to scan the testing and development environments first, for they represent the organization’s next generation of corporate assets, or you could elect to scan all employee desktops. Once again, this is up to you, but you should make sure that whatever process you choose reflects which assets are most important to your organization.
■ Before performing your vulnerability assessment, keep these best practices in mind:
■ Begin your assessment with the output from your asset inventory system.
■ Ensure that you have the authorization to conduct an assessment, and follow appropriate company protocol during the assessment.
■ Test new scanners and new vulnerability checks in a lab to identify any false positives, false negatives, and potential service disruptions prior to the assessment.
■ Document the assessment methodology.This ensures that the assess- ment process is consistent and repeatable across the organization.
Stage Three: Remediate
Remediation is a key part of every vulnerability management program. We will cover remediation in more detail in Chapter 9, but it’s important to high- light some of the key aspects of it here because it’s so integral to your vulner- ability management plan.
In the remediation stage, you develop your strategy for remediating the vulnerabilities you’ve discovered within your environment.This course of action reflects of a combination of technologies, processes, policies, and training. Because vulnerabilities impact the entire organization, this step will typically include multiple business groups. Depending on the breadth of exposure and presented risk, all business units within an organization may hold a level of remediation responsibility and accountability.
To ensure that your remediation efforts are repeatable and sustainable, you should formalize your remediation process. As part of formalizing these efforts, you should also ensure that the organization’s most critical assets receive priority. By doing this, you can establish a systematic method by which vulnerabilities are remediated within the organization.
Before remediating any vulnerabilities, you should keep these best prac- tices in mind:
■ Consider utilizing a tool or suite of tools that can notify asset owners and custodians of vulnerabilities present on their systems. Otherwise, your teams will have to spend time sending out notification e-mails to users.
■ Specific remediation goals may vary based on the criticality of the system. Focus on the highest-risk vulnerabilities present on your most critical assets. For example, some organizations may rely heavily on Web presence as a source of revenue (for instance, an online auction site, an online retail site, etc.). For such organizations, their Internet infrastructure (Web server, applications, back-end systems, and net- work devices) may have the highest priority.
■ Track and measure remediation efforts.You can break out this process by individual, team, or division, depending on whom within your organization is responsible for remediation.Tracking remediation efforts in this manner allows you to analyze efforts, measure them for effectiveness, and track them against agreed-upon goals.
■ Work with business units in advance to determine acceptable levels of risks. Get the business units to agree on remediation time frames and have them acknowledge the risks of not remediating vulnerabili- ties in a timely manner. Having business units sign off on risk helps champion the seriousness of vulnerability management.
Stage Four: Report
As with anything, especially anything within the realm of security, you must be able to attest to the level of effort you’ve put forth. Vulnerability manage- ment reporting provides you with this level of attestation for your vulnera- bility management program. It also helps you to communicate the importance of vulnerability management throughout the organization. Without such reports, it would be hard to assess the organization’s security posture and asso- ciated level of risk. Reporting also provides that gap analysis between what is fixed and what needs to be fixed, and you can use it as the tangible asset given to management to measure the success and failure rates of your vulner- ability management program.
You can perform the reporting step before the remediation step, but per- forming it after the remediation step allows you to report on the quick wins. You can use this to demonstrate to management that actions are being taken to mitigate organizational liabilities.
There is a challenge, however, of in balancing vulnerability management reporting against remediation efforts. Without the proper information at the beginning of your program (quantifiably fiscal information and vulnerability statistics), it is difficult to bring vulnerability management full circle. Many organizations, especially those with little or no documentation, will also have problems connecting the right people with the correct vulnerability manage- ment reports. When people and assets are aligned, reporting helps you to hold business units and departments accountable for patching and fixing vulnerable hosts; provided you don’t have a centralized remediation team.
When you are ready to create your reports, keep these best practices in mind:
■ Determine which reports are relevant to your organization’s respec- tive lines of business.
■ Determine which reports indicate the risk present within the envi- ronment.
■ Focus your reports on the highest risk vulnerabilities associated with the most critical assets first.
Stage Five: Improve
Whether you’ve just established your vulnerability management program or have had one for some time, your program probably can stand a little
improvement. As part of improving and enhancing your vulnerability manage- ment program, you should review the wealth of data collected from each pre- ceding stage and look for opportunities to modify your organization’s security policies, practices, or procedures to improve your program’s effectiveness and, more important, reduce organizational risk.
Common areas to improve include:
■ Asset management process. As mentioned previously, most orga- nizations struggle to maintain an up-to-date asset inventory database. However, maintaining such a database is critical to any vulnerability management program and organizations should strive to accomplish this. In populating your database, you need to decide which assets
belong in it and which ones don’t. Does an asset you own, but out- source from a monitoring and management perspective, belong in the database? Some companies incorporate these assets into their asset management systems. If you follow this practice, and the asset does become a corporate-managed asset, you need to ensure that its infor- mation is input into your corporate database.
■ Configuration management process. From time to time, organi- zations change the tools they use to manage their environments. When such a change occurs in your organization, you need to ensure that your previous tool set is removed from all supported systems and that the system documentation referencing the tools is updated. Doing this has a twofold effect: you reduce your attack surface on your assets because you’re removing a tool you no longer need that may possess existing or future vulnerabilities, and you potentially ensure the integrity of your asset management system if you are leveraging your management tool to populate your asset database.
■ Assessment process. Tools used to discover vulnerabilities have changed over the years (accelerated by recent acquisitions and
mergers within the security space), and may become less effective and require replacement over time. Because of this, you should pay atten- tion to the process and technology you use to discover vulnerabilities within your environment. As mentioned in Chapter 2, you can leverage configuration, remediation, and security technologies to aid in assessing systems and applications for vulnerabilities. Over time, you may need to rethink and adjust how you leverage these tools for assessment purposes, though.
Stage Six: Monitor
This step involves ascertaining applicable vulnerabilities against your organiza- tion’s assets.To be effective, monitoring efforts should be proactive. As a reg- ular course of business, security staff should track vulnerabilities through security advisories and vulnerability information sources.
Monitoring consists of more than simply checking security newswires for the latest vulnerabilities and exploits, though. It also entails evaluating security
information to determine its applicability within your organization based upon your technology usage and any underlying compensating controls. Evaluating adequate protection and compensating controls, as they relate to the applicability of a vulnerability, is a very time-consuming and potentially arduous task, but it’s a vital part of any vulnerability management program.
In Chapter 1, we identified resources of vulnerability information. All vendors of commercial vulnerability management tools embed this informa- tion within their products and frequently update their products via functions included within the technology, but reliance on this or any one source for this information is not a sound practice. Often we focus solely on security data pertaining only to the technology our organization consumes, but it’s also important to have a general level of understanding for the vulnerabilities pre- sent in other platforms or applications because one day, we may be asked to weigh in on the security liabilities of a technology not currently present within our environment.
N
OTENot every post to a vulnerability disclosure list should cause you to panic and set off the corporate alarms. Eight vulnerabilities, on average, are discovered daily (as of August 2006). Trying to assess each newly
announced vulnerability is a waste of time and resources, because only a fraction of new vulnerabilities will actually apply to most organizations.
Monitoring vulnerability data can be challenging due to the sea of infor- mation available and the disparate methods by which it is shared. Most orga- nizations find it difficult to manage the breadth of new security information and use it effectively.
However, it can be done. In essence, monitoring is composed of two key steps: collating the new vulnerability information, and communicating the fil- tered information to the appropriate recipients. In-house or external sources can be responsible for gathering the VA data; internal members generally gather the information from locations such as vendor notices, vulnerability disclosure groups, security groups, and National CERTS (Computer
according to the systems they affected; you should be able to leverage your current inventory data to draw this correlation. Once you know what systems are subject to each vulnerability, you can communicate this information to the asset owner or custodian.This enables faster and more effective resolution.
Here are some best practices to assist in vulnerability monitoring:
■ Centralize the acquisition of vulnerability data/information.
■ Disseminate vulnerability data to impacted parties.
■ Utilize tools to assist in prioritizing and alerting the organization of vulnerability data.
■ Have a process in place to ensure that urgent alerts are sent in a timely manner.
■ In situations where patches have not yet been released but vulnerabil- ities are publicly known, consider the use of other defenses, such as