The Verizon 2024 Data Breach Investigations Report noted a 180% increase in exploited vulnerabilities over the previous year’s figures. The importance of keeping an up-to-date vulnerability management policy for remediating and controlling security vulnerabilities cannot be understated.
1. Overview: Summary of Vulnerability Management Policy
Taking the time to give a short summary of the policy and who and what it involves will help to better flesh out the policy the organization is trying to implement. Describing what types of devices, software, and networks are subject to vulnerability scanning will decrease the likelihood of future vulnerabilities and keep an organization's information security infrastructure up to date.
Aside from keeping an organization’s information security infrastructure up to date, implementing a strong vulnerability management policy is essential to help reduce the potential financial, reputational, and regulatory risks that could befall an organization with a weaker policy.
2. Scope of the Policy: Clearly Defined Vulnerability Management Program
There is no such thing as a one-size-fits-all when it comes to security. Different areas of the IT infrastructure will require different considerations and, therefore, should be broken into policy scopes. Some scopes you might consider include network infrastructure, company-owned devices, servers, OSes, virtual machines, cloud-hosted servers, DB servers, applications, and networking gear. A clearly defined vulnerability management program will help to reduce confusion about what is expected and required to secure assets within the organization.
3. Roles and Responsibilities
Having clearly defined roles for personnel under which the vulnerability management policy is enacted helps employees understand who they should look to if an issue that's encountered falls under the vulnerability management policy. Some commonly defined roles are:
- Chief Information Security Officer (CISO)
- System/Application Administrators
- Information Assurance personnel
- General IT staff
Each of these roles represents different aspects of responsibility for the security of an organization.
4. Vulnerability Remediation/ Risk Mitigation
The term “automation is your friend” comes into play during vulnerability scanning. As an automated task, vulnerability scanning will help to identify potential software vulnerabilities by testing for unpatched software and insecure configurations.
How Often Should You Scan?
The frequency with which assets are scanned will depend on a few factors:
- compliance standards
- security program goals
There are several compliance standards that require a higher frequency of vulnerability scanning than others. These include ISO (Internal Organization of Standards), which requires quarterly external and internal vulnerability scans; PCI DSS (Payment Card Industry Data Security Standard), which requires internal and external vulnerability scanning by an ASV (Approved Security Vendor); and NIST (National Institute of Standards and Technology), which requires either quarterly or monthly vulnerability scans depending on the specific NIST framework.
Security program goals also play a significant role in determining the frequency of vulnerability scans. If the program is nascent, the company is small, or if resources are stretched thin, the organization may conclude that bi-annual scanning will suffice. However, companies with a more mature cybersecurity program, enterprises, and organizations with broader access to resources might find it beneficial to scan at least once a month to meet more stringent security program outcomes and please C-suite stakeholders.
Regular and consistent scanning helps justify patch management programs and other cybersecurity initiatives and investments that have already been put into place and keeps teams consistently accountable for maintaining and lowering metrics.
Categorizing Vulnerabilities
Once vulnerability scanning is completed, categorizing vulnerabilities that have been discovered based on severity should be the next priority. NIST scores published vulnerabilities using the Common Vulnerability Scoring System (CVSS). Under this system, a score of 7-8.9 represents a high risk, while 9 or greater indicates a critical risk.
TechTarget notes three fundamental steps to successfully categorizing security vulnerabilities:
- Determine severity | What is the largest potential impact that could be caused by exploiting this vulnerability?
- Identify sensitivity of potentially affected data | Is the data at risk highly sensitive or public domain?
- Evaluate existing controls | Which systems are already in place, which need to be bolstered, and which do not yet exist?
Once correct classifications have been assigned, different layers of protection will be added that are suited to the classification level.
Prioritizing Remediation
Vulnerabilities that are detected that could potentially put big data or mission-critical systems at risk should be prioritized first and receive the shortest time frame for implementing recommended mitigation. Introducing a stern time frame for remediation based on the severity of the vulnerabilities is a step in the right direction. Threat intelligence data can also be leveraged to further prioritize remediation efforts based on the perceived likelihood that a given condition will be exploited.
Conclusion
It’s important to maintain perspective on how this is a layered approach. There are many moving parts in a vulnerability management policy, so incorporating other aspects of security by expanding education and searching for other initiatives like bug bounty programs, penetration testing, and red teaming will help an organization take its vulnerability management to the next level.
