March 12, 2017

Some thoughts on vulnerability management

In this blog post I will briefly discuss vulnerability management: what it is from a high-level perspective and what it generally requires from an organization. The processes probably vary a lot between organizations, depending on the size of the organization and the industry it operates in, but certain key elements are most probably present.

Vulnerability management is about knowing what vulnerabilities (and exploits) affect your organization and how to effectively fix or mitigate them, and in certain cases taking note of the vulnerabilities and accepting them as residual risk.

This requires knowledge of what is in the organization: how many devices there are, what operating systems they are running and what software makes them tick. Effectively this means there needs to be an inventory of assets to begin with. In addition, the assets should be prioritized to some level based on the role of the asset and the role of the software used. A good start would in my opinion be identifying the so-called key software on both desktop and server level, not forgetting devices like printers and network devices.

By key software I mean the operating systems and software tools that the organization's employees use daily to do their work, and the server software that is used to produce services, for example a web application. Any software component could be important in specific situations, but trying to embrace everything can be cumbersome and in certain cases affect the work in a negative way.

After the organization has identified, at an adequate level, which essential components should be under vulnerability management, it needs to decide how to approach identifying vulnerabilities in these components.

In my opinion there are two possible approaches: one is credentialed vulnerability scanning of the assets and the other is monitoring different sources for information. Taking the best of both worlds is probably what I would personally do, as they complement each other.

Vulnerability scanning can identify vulnerabilities at a certain point in time, and its usefulness is somewhat dependent on how often the assets are scanned. For example, if there is a monthly vulnerability scan, it is in theory possible that a vulnerability stays unknown to the organization for a month, until the next scan is executed. This doesn't make scanning obsolete, as it can identify that an already known vulnerability hasn't been fixed, or identify configuration issues that make the scanned system vulnerable to attack.

Monitoring different sources for vulnerability information, like vendor advisories, mailing lists and different vulnerability/exploit sites (or using an external service provider), gives the organization a more timely view into vulnerabilities affecting the assets. The problem here, however, is resourcing. Who should monitor the sources, and is there adequate time to do the monitoring and evaluate the risk of the vulnerabilities to the organization?

It might not be very efficient to escalate a low-level local vulnerability with all alarm bells ringing, whereas misidentifying, or not having time to identify, a remote denial-of-service vulnerability in an externally-facing asset can have consequences for the organization if the vulnerability is attacked constantly and nobody knows why the provided services do not work.

In addition to knowing the vulnerabilities, there has to be a defined process for how vulnerabilities are fixed or mitigated in the organization, for example whether a vulnerability requires immediate reaction or can be dealt with during the normal patch cycle. Without the proper resources to fix the discovered vulnerabilities in a prioritized manner, the organization may stay vulnerable and exploitable for unnecessarily long periods of time. This can, of course, be mitigated to some extent with IPS technologies, but they are no silver bullet.
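The steps described so far (an asset inventory with prioritized assets, monitored advisories, and a decision between immediate reaction and the normal patch cycle) can be tied together in a small triage routine. This is an added example, not code from the original post; the asset names, product names, advisory ids and the three-way decision rule are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    software: dict   # product name -> installed version as a tuple
    external: bool   # reachable from outside the organization
    key: bool        # runs key software or has a key role

@dataclass
class Advisory:
    ident: str       # placeholder id, not a real advisory
    product: str
    fixed_in: tuple  # first version containing the fix
    remote: bool     # exploitable over the network

ORDER = {"immediate": 0, "patch-cycle": 1, "review": 2}

def triage(assets, advisories):
    """Match advisories to the inventory and pick a response per finding."""
    findings = []
    for adv in advisories:
        for asset in assets:
            installed = asset.software.get(adv.product)
            if installed is None or installed >= adv.fixed_in:
                continue  # product absent or already at a fixed version
            if adv.remote and asset.external:
                action = "immediate"    # out-of-cycle fix or mitigation
            elif adv.remote or asset.key:
                action = "patch-cycle"  # normal patch cycle
            else:
                action = "review"       # candidate for accepted residual risk
            findings.append((asset.name, adv.ident, action))
    return sorted(findings, key=lambda f: ORDER[f[2]])

# Constructed sample inventory and advisory feed (assumed policy and data).
INVENTORY = [
    Asset("web01", {"examplehttpd": (2, 4, 1), "examplelib": (1, 0, 2)}, True, True),
    Asset("ws-114", {"exampleoffice": (16, 0), "examplelib": (1, 0, 2)}, False, True),
    Asset("prn-3", {"exampleprintfw": (3, 1)}, False, False),
]
FEED = [
    Advisory("ADV-EXAMPLE-1", "examplehttpd", (2, 4, 3), True),
    Advisory("ADV-EXAMPLE-2", "examplelib", (1, 0, 5), False),
    Advisory("ADV-EXAMPLE-3", "exampleprintfw", (3, 2), False),
    Advisory("ADV-EXAMPLE-4", "exampleoffice", (15, 9), True),
]

if __name__ == "__main__":
    for name, ident, action in triage(INVENTORY, FEED):
        print(f"{action:12} {name:8} {ident}")
```

An asset missing from the inventory never appears in the output, which is why the inventory has to come first.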

Working vulnerability management requires that an organization can identify its key assets and key software, that it has adequate resources, expertise and means to monitor and fix its assets, and that there is an established process for how vulnerabilities in the organization are generally dealt with.

It is also important to realize that even if there is mature vulnerability management in place, attackers can still compromise an organization if they manage to gain a foothold on an asset. That is where detection and response capabilities come into play.
