As we wind down 2019, it is a great time to think about your vulnerability management plans for the coming year. The five W’s can help guide our efforts as we resolve to improve our digital security for the coming new year.
What Is Vulnerability Management?
Vulnerability assessments are useful for detecting security issues within your environment. By identifying potential security weaknesses, these assessments help us to reduce the risk of a digital criminal infiltrating its systems. These assessments also help us learn more about their assets in a meaningful way that allows them to improve our overall security posture. Not all vulnerability assessments are the same, however. SearchSecurity notes that we might use network-based vulnerability assessments that scan the entire network for security weaknesses. However, we can also use more focused assessments to evaluate servers, workstations, applications and databases for potential security issues. It’s also important to note that vulnerability assessments may come with a penetration test in which ethical hackers receive our permission to probe our defenses. Vulnerability management involves creating a security program that formalizes the cyclical application of this type of testing. To establish such a program, we need to evaluate the criticality of each asset, determine the owners of each asset, decide on the frequency of scanning and set a timeline for remediation. It’s then our responsibility to discover and inventory assets on the network, discover vulnerabilities on the assets and report/remediate discovered vulnerabilities.
Why?
You already know that vulnerability assessments are a good idea, but many organizations must perform recurring vulnerability assessments and penetration tests due to regulatory or standards-based requirements. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires that organizations execute semi-annual penetration and segmentation tests if they are to maintain compliance. Meanwhile, the Health Insurance Portability and Accountability Act (HIPAA) compliance regulations require yearly risk analysis and verification of security controls. Similarly, the General Data Protection Regulation (GDPR) requires regular security testing and assessment. Non-compliance with any of these frameworks can give regulators cause to penalize organizations with hefty fines. This is especially the case if regulators find that organizations failed to implement proper security measures, including regular vulnerability assessments and penetration tests, prior to suffering a data breach. That being said, it is up to you to determine the specific requirements for your organization based on the standards or regulations to which you are working to comply.
When?
Per what I said above about the stages of a vulnerability management program, you have the power to set a specific time or frequency for your audits after determining your standards or compliance-based requirements and discovering all of the assets that you want to evaluate. Annual testing should be considered an absolute minimum, though the goal should be as often as is possible for your organization. We can decide to scan for vulnerabilities quarterly, monthly or even continually if we so choose.
Where?
A good vulnerability management program will include tests performed both internally and externally to our networks. Differences in network architecture and security controls can have vastly different effects on discovered vulnerabilities. It is important to understand your attack surface area for both internal and external attackers. Those are the types of things that vulnerability assessments and penetration testers can help find. For an even more proactive stance, we might want to consider publicly partnering with security researchers under our own bug bounty programs. Doing this will help us refine our security efforts even further when it comes to in-scope assets.
Who?
Similar to the concept of internally and externally located scans, a good vulnerability management program will use both organizational and outside resources. While you may already employ security staff, some regulations require penetration testing and vulnerability assessments performed by specific third-party groups that adhere to a particular standard. It is also advantageous to have multiple points of view when it comes to your assessment results, as it helps to uncover bias or oversight. As such, a mature vulnerability management program should include cyclical vulnerability scanning and penetration testing performed both internally and externally. Outside assessments performed by a neutral third party can validate that unbiased testing is performed and that the results are correctly interpreted. We should also remember that vulnerability management programs are constantly evolving. So we need to make sure that we’re constantly configuring our programs to account for our evolving security needs. Digital security writer Anastasios Arampatzis is well aware of this fact:
Vulnerability and risk management is an ongoing process, and it should continuously adapt to the evolving cybersecurity threat landscape. Therefore, the process should be reviewed on a regular basis, and staff should be kept up to date with the latest threats and trends. Continuous development for the people, process and technology will ensure the success of the enterprise vulnerability and risk management program.
One of the ways that organizations can keep their vulnerability management programs flexible is by investing in a scalable solution that provides visibility across the enterprise. Learn how Tripwire’s solutions can help in this regard.
Mastering Security Configuration Management
Master Security Configuration Management with Tripwire's guide on best practices. This resource explores SCM's role in modern cybersecurity, reducing the attack surface, and achieving compliance with regulations. Gain practical insights for using SCM effectively in various environments.
