Create and implement a vulnerability management program
If you, as an information security professional, are tasked with maintaining the cyber defenses of an information system (IS), this is a responsibility that you cannot carry out in a haphazard manner. Given the complexity of modern computer networks, a standardized approach to IT security is necessary to ensure that all facets of the IS are protected to the utmost. As with network connectivity troubleshooting, it is simply better to follow a plan of defined steps rather than attempt to achieve your goal in an unorganized way.
As you are aware, threats to the security posture of an IS come in many forms. Unpatched software, default software settings, unnecessary software installations, weak user account policies, porous physical access control, and the absence of effective emergency response plans can all be exploited by human attackers, malicious software (malware), or unfavorable (possibly disastrous) circumstances. All of these vulnerabilities (weaknesses which could be exploited by adversaries to compromise the security posture of an IS) are what you try to eliminate in the field of information security (also known as information assurance, or IA).
To help prevent occurrences of unauthorized IS access or data breach, a systematic methodology for identifying and remediating security weaknesses is required. Vulnerability management, when implemented in such a precise and thorough manner, becomes a vulnerability management program (VMP).
Benefits of a vulnerability management program
The main aim of any VMP is to ensure that current vulnerabilities within an IS are identified, evaluated, and resolved in a timely and cost-effective manner. This goal is achieved by successfully carrying out the following steps:
- Accurately identify vulnerabilities in the overall network infrastructure;
- Monitor and verify the remediation of the vulnerabilities;
- Examine the root causes of the vulnerabilities; and
- Modify standards, policies, and processes to fix those root causes to reduce the occurrence of future vulnerabilities.
A properly functioning VMP also brings about the following desirable results:
- Prevents the loss and/or unauthorized modification of sensitive data;
- Maintains client and partner confidence in the enterprise and upholds its reputation by preventing embarrassing incidents;
- Demonstrates compliance with legal regulations and industry best practices, and consequently enables the IS to better pass audits and certification & accreditation efforts.
As an effective VMP matures, it becomes increasingly efficient and streamlined while the quantity and severity of discovered issues decrease. In other words, the CIA operational standards are strengthened and the overall resiliency of the IT infrastructure is increased. “CIA” in the information security field stands for:
- Confidentiality – the prevention of unauthorized data access.
- Integrity – the maintenance of data in a trusted state.
- Availability – the ease of IS access and operation for authorized parties.
Initiating a vulnerability management program
Senior management. First you must gain the approval and support of upper management. It would be foolish to attempt to roll out a VMP only to have key management personnel, such as the company chief information officer (CIO), cancel the whole program. Senior management, who ultimately bear the responsibility for the operational quality and security for the IS, must set the goals and expectations of the VMP and be the force that drives it forward, particularly when the VMP encounters organizational resistance.
Roles and responsibilities. When you have received the green light from upper management to proceed, you next need to define the roles and responsibilities of all the individuals who will be contributing to the success of the VMP. This task will pay dividends after you have discovered vulnerabilities and you need to assign remediation responsibilities. You will also need to determine who the system owners and administrators are of the network hosts that you will be scanning and analyzing. This is necessary for scheduling and logistics purposes, and to ensure that you have the required level of access (both physical and logical) and privileges to perform vulnerability scans and manual inspections.
Network inventory. Next you have to ascertain what exactly it is that you intend to protect. You need to create an accurate and informative network inventory to know which network hosts perform which functions, and which hosts are more critical to the functionality of the IS (based on the value of the data they store or process). Ideally, this inventory will specify the type of host, role, operating system, host name, physical location, and owner/administrator name. You can see a sample inventory below.
| Hostname | Operating system | IP address | Role | Responsible party |
|---|---|---|---|---|
| Server1 | Windows Server 2003 | 18.104.22.168 | Domain controller, DNS | Frodo Baggins |
| Server2 | Windows Server 2008 | 22.214.171.124 | Exchange email | Samwise Gamgee |
| Server3 | Windows Server 2008 R2 | 126.96.36.199 | SQL 2005 database | Peregrin Took |
| Server4 | Red Hat Linux 5 | 188.8.131.52 | Apache web | Meriadoc Brandybuck |
| Server5 | Solaris 10 | 184.108.40.206 | File server, DHCP | Gandalf Grayhame |
| Router1 | Cisco IOS v12.4 | 220.127.116.11 | Perimeter router | Theoden Ednew |
| Switch1 | Cisco IOS v12.2 | 18.104.22.168 | Infrastructure switch | Dain Ironfoot |
| Firewall1 | Cisco ASA v8.0 | 22.214.171.124 | Firewall, IDS | Tom Bombadil |
| Workstation1 | Windows 7 | 126.96.36.199 | Workstation | Elros Tar-Minyatur |
Vulnerability assessment. Now that you have full approval to implement your VMP and you know exactly which sites, networks, and hosts need to be secured, you are ready to begin your search for vulnerabilities. It is common for information security professionals to simply equate vulnerabilities with missing patches. Remember the definition of an IS vulnerability is: “a weakness which could be exploited by adversaries to compromise the security posture of an IS.” These weaknesses manifest themselves as much more than unpatched software. Vulnerabilities can also take the form of:
- Open ports.
- Incorrectly configured software (relating to access permissions, password policy, user rights, encryption, etc.).
- Unnecessary services (daemons) or unnecessarily installed software (remember: the more lines of software code running on a host, the more likely it is that there will be bugs in that software; the more bugs there are, the higher the probability that those bugs will introduce security vulnerabilities).
- Weak physical access control to buildings or areas housing key IT infrastructure.
- Lack of an enterprise security policy and other essential IS documentation, such as disaster recovery plans, continuity of operations plans, data backup policies, acceptable use policies, configuration management plans, hardware and software inventories, etc.
- Incomplete or erroneous information security documentation. The policies contained in these documents should also be approved by key management personnel.
- Untrained or poorly trained IA personnel.
Obviously, when you take into account these various forms of vulnerabilities along with the range of threats that could exploit them (human attackers, malware, environmental dangers, user error), it should be a no-brainer not to confine your VMP to technical checks: administrative controls (training and awareness, incident response plans, disaster preparedness and recovery plans, etc.) and physical controls (locked doors, cameras, guards, etc.) belong on your list as well.
Security configuration guidelines. Before you can start zeroing in on IS vulnerabilities, you need an authoritative source to help you determine exactly what they are and how to recognize them. Fortunately, there are several industry standard security guides that are efficient, thorough, and free. You can use one or more of the following:
- Center for Internet Security (CIS) Benchmarks (also have a look at the CIS assessment tools).
- Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).
- Microsoft Security Compliance Manager (SCM). The previously stand-alone Microsoft product-specific security guides are now included within the SCM tool.
- National Security Agency (NSA) Security Configuration Guides.
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. NIST publishes a wealth of other informative and useful documents for IT/IA personnel. Some other documents of interest are:
  - NIST FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (73 KB PDF).
  - NIST FIPS 200, Minimum Security Requirements for Federal Information and Information Systems (201 KB PDF).
  - NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (783 KB PDF).
  - NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View (1,193 KB PDF).
  - NIST SP 800-40, Creating a Patch and Vulnerability Management Program (844 KB PDF).
  - NIST SP 800-61, Computer Security Incident Handling Guide (1.6 MB PDF).
  - NIST SP 800-115, Technical Guide to Information Security Testing and Assessment (459 KB PDF).
Executing a vulnerability management program
You have been given permission to proceed with your VMP and you know what you need to identify and eliminate. Now what? This is the part where you get your hands dirty with vulnerability scanning, manual host checking, and documentation review.
Vulnerability assessment scanning. You will need to acquire at least one reputable scanning application to discover what kinds of vulnerabilities exist on your network hosts. Some of the more popular commercial tools include Nessus, Retina, GFI LanGuard, AppDetectivePro, and WebInspect. Some common freeware scanning tools include Nmap, Microsoft Baseline Security Analyzer, OpenVAS, and Secunia PSI. Whether you decide to use freeware, commercial applications, or both, remember to use multiple tools to obtain the most accurate scan results and to help weed out false positives.
You should always attempt to launch authenticated scans instead of unauthenticated scans. What this means is that you need to acquire the administrative/root credentials of the hosts being scanned before you launch your scan. Many scanning applications are capable of presenting these credentials to the hosts they connect to, and once authenticated as root or an administrator, these applications will have the ability to “get under the hood” of network hosts and check settings, patch levels, and access permissions that are normally off limits to unauthenticated and standard user accounts. You can verify this fact for yourself by using Nessus and performing two scans (one authenticated, one unauthenticated) on the same hosts. Compare the results of both scans and the value of authentication will be obvious.
When you have obtained this privileged access to the hosts in your IS, you then should initiate two kinds of scans: external and internal. External scans originate from subnets outside your scope of administration, such as the public Internet, and by targeting the network perimeter (ingress and egress points) of your IS, they serve the purpose of determining whether it can be penetrated from the outside. Internal scans, in contrast, originate from within the IS (on the trusted side of firewalls) and they help determine what an attacker could do if he penetrated the network perimeter. Internal scans can also help pinpoint the attack vectors that could be used by insider threats.
Third party validation. To prevent any ‘conflict of interest’ claims, you might want to consider employing the services of a third party to scan and evaluate your IS. In fact, you may be required to do so if your organization must abide by certain legal regulations. With third party validation, a neutral organization independently performs its own assessment of your IS. The results of these efforts are considered more reliable than vulnerability data produced by members of the enterprise being vetted. Why? Because it is in the interest of the enterprise’s information security personnel to portray their IS in as secure a light as possible since it is their responsibility to lock it down. The more secure the IS, the better the IA personnel look. The services of a neutral third party can eliminate this possibility of a conflict of interest.
Manual inspection. Reputable vulnerability scanners are usually very capable and do what they are advertised to do, but in order to fully validate your hosts based on the aforementioned security guides, you will need to actually log in and examine operating system and application settings manually. Technologies like IIS, Apache, SQL, Oracle, and others need close manual inspections to assure compliance with industry standard security guides.
Documentation review. To ensure that your organization’s IA-related documentation is relevant, complete, and thorough, you need to buckle down and do some reading. You might ask how inadequate documentation could be interpreted as a vulnerability. Since efficient documentation is the backbone of an organization’s security practices, it pays to have clear, well-worded documents that are available to all IT/IA personnel. For example, the administrative staff members may think they know what to do in the event of an emergency, but when a disaster strikes and each individual is uncertain regarding his duties, this state of confusion can be traced back to the lack of a centralized document that spells out roles and responsibilities. Furthermore, what if a disaster recovery plan exists but does not mandate that IA personnel are to exercise their duties periodically to ensure they are familiar with their roles? This would be a case of deficient documentation.
These examples apply to all other forms of network and security documentation as well. Thorough documentation essentially takes the guesswork out of performing an organization’s IA procedures, and it prevents roles and responsibilities from being interpreted subjectively, which otherwise leaves the people involved working from different assumptions.
Post-assessment analysis and reporting
After you have concluded your scanning, manual checks, and documentation review, you now need to make the data you collected meaningful. The findings that result from your analysis will determine the nature and quantity of the work that will follow.
Ranking. The first step in this phase of the VMP is to analyze your findings and rank the vulnerabilities based on risk level. Risk determination is not a black-and-white process; it is subjective and involves taking into account factors such as host/application criticality, data sensitivity, operating environment, and exposure level. Then you need to combine the severity level of the vulnerability with the likelihood of its being exploited. Lastly, you need to consider any mitigating factors that could reduce or eliminate the possibility of certain threats materializing.
Prioritization and cataloging. When you have sorted your vulnerabilities on some scale (such as High, Medium, and Low severity), you can prioritize your remediation responsibilities. Obviously, the most serious holes should be plugged first. Hosts that are available on the public Internet, such as firewalls, routers, and servers, should be given precedence, as should servers performing critical functions or hosting high value data.
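The ranking and prioritization steps above, carried through in code. This is an added example, not part of the original article: the scoring scales, the halving rule for mitigating factors, the High/Medium/Low thresholds and the findings are constructed assumptions, and the hosts are taken from the sample inventory table.

```python
"""Risk ranking and remediation prioritization for VMP findings (added example)."""
from dataclasses import dataclass, field

# Scales are constructed for illustration; a real VMP would calibrate them.
SEVERITY = {"critical": 4, "high": 3, "medium": 2, "low": 1}
LIKELIHOOD = {"high": 3, "medium": 2, "low": 1}
EXPOSURE = {"internet": 3, "dmz": 2, "internal": 1}

@dataclass
class Host:
    name: str
    role: str
    criticality: int   # 1 = workstation .. 3 = critical server or high-value data
    exposure: str      # "internet", "dmz" or "internal"

@dataclass
class Finding:
    host: Host
    title: str
    severity: str
    likelihood: str
    mitigations: list = field(default_factory=list)  # compensating controls in place

def risk_score(f: Finding) -> float:
    """Severity x likelihood, scaled by host criticality and exposure, reduced by mitigations."""
    base = SEVERITY[f.severity] * LIKELIHOOD[f.likelihood]
    context = f.host.criticality * EXPOSURE[f.host.exposure]
    # Each mitigating factor (IPS signature, host firewall, ...) halves the residual risk.
    return base * context / (2 ** len(f.mitigations))

def rank_label(score: float) -> str:
    """Map a score (max 108) onto the article's High / Medium / Low scale; thresholds assumed."""
    return "High" if score >= 36 else "Medium" if score >= 12 else "Low"

def prioritize(findings: list) -> list:
    """Remediation queue: highest risk first; ties go to Internet-facing, then critical hosts."""
    return sorted(findings, reverse=True,
                  key=lambda f: (risk_score(f), EXPOSURE[f.host.exposure], f.host.criticality))

def build_sample_queue() -> list:
    """Constructed findings on hosts from the inventory table, returned in remediation order."""
    firewall = Host("Firewall1", "Firewall, IDS", 3, "internet")
    dc = Host("Server1", "Domain controller, DNS", 3, "internal")
    web = Host("Server4", "Apache web", 2, "dmz")
    ws = Host("Workstation1", "Workstation", 1, "internal")
    return prioritize([
        Finding(ws, "Missing OS patch", "high", "medium"),
        Finding(web, "Unnecessary service listening", "medium", "medium", ["IPS signature"]),
        Finding(dc, "Weak domain password policy", "medium", "high"),
        Finding(firewall, "Unpatched management interface", "high", "high"),
    ])
```

Note that the workstation's missing patch, severe in isolation, ends up last in the queue once exposure and criticality are factored in, while the same severity on the perimeter firewall ranks High.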
Your VMP assessment results should be cataloged and stored to facilitate the monitoring of remediation tasks, and to provide meaningful reports to you, management, and other key personnel. These catalogs and reports will serve as historical records to allow you to compare the results of VMP activities over a period of time, such as year to year or quarter to quarter. Obviously, any repeating issues need to be seriously addressed by identifying and removing their root causes.
Fortunately, some vulnerability management applications exist for this purpose. Such security information and event management (SIEM) software includes Qualysguard, Ncircle Suite360, eEye Retina CS Management, Tenable Security Center, Rapid7 Nexpose Enterprise, and SourceFire Defense Center. Risk assessment/SIEM tools such as these can improve your VMP and support regulatory compliance by providing metrics-based reporting, event management, historical analyses of vulnerability data, and data filtering.
Verification. When you are informed by your colleagues that certain vulnerabilities have been resolved, repeat the assessment steps on the hosts in question to ensure that they are no longer at risk of being exploited by the weaknesses that were supposedly eliminated. Remember: trust, but verify.
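One way to implement the cataloging, repeat-issue tracking and verification steps described above: an added example, not from the original article, that reconciles last period's finding catalog (with the remediation status colleagues reported) against the raw rescan results and flags the "reported fixed, still present" cases. The hostnames come from the sample inventory; the check ids, titles and statuses are constructed placeholders.

```python
"""Catalog reconciliation and remediation verification for a VMP (added example)."""

# A finding is keyed by (hostname, check id). Check ids are constructed
# placeholders, not real scanner plugin or CVE identifiers.
PREVIOUS_CATALOG = {
    ("Server1", "CHK-0001"): {"title": "Weak password policy", "status": "fixed"},
    ("Server2", "CHK-0002"): {"title": "Missing mail server patch", "status": "fixed"},
    ("Server4", "CHK-0003"): {"title": "Unneeded service enabled", "status": "open"},
    ("Firewall1", "CHK-0004"): {"title": "Default SNMP community", "status": "accepted"},
}

# Constructed rescan results: the (host, check) pairs the scanner found this quarter.
RESCAN_RESULTS = {
    ("Server1", "CHK-0001"),    # reported fixed, still present
    ("Server4", "CHK-0003"),    # known open, unchanged
    ("Firewall1", "CHK-0004"),  # risk accepted, expected to persist
    ("Server5", "CHK-0005"),    # not seen last quarter
}

def reconcile(previous: dict, rescan: set) -> dict:
    """Classify each finding as resolved, still_open, accepted, reappeared or new.

    'reappeared' = a finding colleagues reported fixed that the rescan found again:
    a verification failure and a candidate for root-cause analysis.
    """
    report = {"resolved": [], "still_open": [], "accepted": [], "reappeared": [], "new": []}
    for key, record in previous.items():
        if key not in rescan:
            report["resolved"].append(key)
        elif record["status"] == "fixed":
            report["reappeared"].append(key)
        elif record["status"] == "accepted":
            report["accepted"].append(key)
        else:
            report["still_open"].append(key)
    for key in rescan - set(previous):
        report["new"].append(key)
    return {category: sorted(keys) for category, keys in report.items()}

def verification_failures(previous: dict, rescan: set) -> list:
    """Hosts whose reported remediation the rescan could not confirm (trust, but verify)."""
    return sorted({host for host, _ in reconcile(previous, rescan)["reappeared"]})

def recurring_findings(history: list, min_periods: int = 2) -> list:
    """(host, check) pairs present in at least min_periods assessments: repeat issues
    whose root cause belongs in policy or process, not just in another patch cycle."""
    seen = {}
    for rescan in history:
        for key in rescan:
            seen[key] = seen.get(key, 0) + 1
    return sorted(key for key, n in seen.items() if n >= min_periods)
```

Feeding each period's scan set into recurring_findings gives the quarter-to-quarter comparison the catalog is meant to support; an accepted risk will show up there too, which is a useful reminder to re-evaluate it.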
Risk acceptance. In cases in which you opt not to address a vulnerability, a risk acceptance is said to have occurred. At first thought, it may seem strange for an organization to decide not to plug a security hole. However, this scenario takes place more often than you would assume. When there is certainty or a strong suspicion that a remediation measure would break functionality and result in downtime, the responsible personnel may decide that the risk presented by the vulnerability is preferable to the likelihood of technical difficulties arising from fixing it. In other similar situations, an organization could judge the cost of implementing a fix to be greater than any costs stemming from a successful exploitation of the vulnerability, in which case it would not be worth spending effort and funds on that security hole. Clearly the ranking of your findings (discussed earlier) will play a major role in deciding whether certain risks will be dealt with or simply accepted.
Repeat. Effective vulnerability management is not a stop-and-go process; it is a continuous assessment effort. As described in this article, the ideal VMP should be proactive and seek out weaknesses and configuration errors before they are exploited by real threats.