I had a completely different article typed up; however, after catching up on my morning news and seeing a huge amount of controversy regarding Coordinated Vulnerability Disclosure (CVD) from Microsoft, I decided to reach out to the NetWorks Group Community and help our customers (past, current, and prospective) understand what that means to them.
Vulnerability management is a crucial part of an organization's security posture. But that is a given; I want to talk about the why. The article from Microsoft talks about Coordinated Vulnerability Disclosure (CVD) which, in short, is a way for security researchers to disclose security information in coordination with the vendors to prevent exploit code from being utilized in the wild ahead of security patches. For those who have not spent a lot of time in this arena, there is a constant battle between how quickly security researchers can find vulnerabilities and how quickly companies can get them fixed. It is the essential “chicken and egg” problem. We need researchers to find vulnerabilities and release them to the public, so that scan vendors can create scanning signatures, so that we can defend our networks with more agility. However, the industry still struggles with what a good vulnerability management program looks like.
The basic areas for vulnerability management can easily be visualized by breaking it down into four distinct areas: Baseline, Assess, Resolve, and Lifecycle (See figure below).
During the “Baseline” phase, organizations need to prioritize establishing where their technological debt is in the enterprise. Believe it or not, most organizations do not know where all of their assets are on the network, what their purpose is, or the risk they pose to the integrity of the network. Secondary to that is policy development, especially as it pertains to obtaining new systems and decommissioning retired systems. I’ve been to organizations that will “decommission” systems only to leave the network cable attached. I would compromise a decommissioned system as part of a penetration test, and the organization would swear that it was no longer on the network, only to find out that it was never unplugged.
Phase two is the “Assess” phase. We need this phase in the enterprise. This is the organization's “eyes” into its own threat footprint. We want to assess our network's threats on a monthly basis, at a minimum. The great thing about a vulnerability management program is that it can be incredibly affordable when compared to services like penetration tests. At the same time, with the proper evaluation of the information, it can be a great indicator of the results of a penetration test when utilized effectively.
Equally important, at phase three, is the “Resolve” phase. Believe it or not, this is where your organization will struggle the hardest. There is no other way to say it: your organization must develop a plan to remediate or mitigate anything identified in the Assess phase. Otherwise, what is the point? One concept that is often overlooked, and causes the biggest stumbling block, is the misconception that everything must be patched. Poorly equipped Infosec people are to blame for this. Organizations must make a risk decision regarding remediation. By prioritizing assets from phase one based on criteria such as business impact, and using threat assessment information from phase two, you are better equipped to make informed decisions about when and how to remediate or mitigate your assets.
Finally, we include a phase called “Lifecycle”. This is about building a culture of good security practices inside of the organization. We want organizations to identify how the system got into the vulnerable state to begin with. Was the patching process flawed? Did the system get added to the inventory outside of the normal purchasing process? Is there a delinquent equipment refresh process that prevents systems from being upgraded in a timely manner? We need to evaluate how we got into this situation so that we can realistically change those habits and make for a more productive security mindset in the organization.
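To make the Baseline, Assess and Resolve phases above concrete, here is an added illustration (not code from the original post or from NetWorks Group) that joins a constructed asset inventory with constructed scan findings, scores each finding by business impact and threat data, and flags hosts the scan sees but the baseline does not account for. The `impact * cvss` formula, the 1.5x exploit multiplier and the remediate/mitigate thresholds are assumed placeholders; a real program would substitute its own risk criteria.

```python
# Constructed sample inventory (Baseline phase): host -> business impact (1-5) and status.
INVENTORY = {
    "10.0.1.10": {"impact": 5, "decommissioned": False},  # ERP database
    "10.0.1.25": {"impact": 2, "decommissioned": False},  # test web server
    "10.0.1.40": {"impact": 3, "decommissioned": True},   # "retired" file server
}

# Constructed sample scan output (Assess phase): (host, CVSS base score, public exploit known).
FINDINGS = [
    ("10.0.1.10", 7.5, False),
    ("10.0.1.25", 9.8, True),
    ("10.0.1.40", 6.5, True),
    ("10.0.1.99", 5.0, False),  # responds to the scanner but is not in the inventory at all
]


def risk_score(impact, cvss, exploit_available):
    """Combine business impact (phase one) with threat data (phase two). Hypothetical formula."""
    score = impact * cvss
    if exploit_available:
        score *= 1.5
    return score


def triage(inventory, findings, remediate_at=30.0, mitigate_at=15.0):
    """Return (host, score, decision) tuples for the Resolve phase.

    Inventory drift (hosts missing from the baseline or marked decommissioned yet still
    answering the scanner) is listed first, because it means the baseline itself is wrong.
    Everything else is ordered by descending risk score and assigned a risk decision.
    """
    results = []
    for host, cvss, exploit in findings:
        asset = inventory.get(host)
        if asset is None:
            results.append((host, None, "investigate: not in inventory"))
            continue
        if asset["decommissioned"]:
            results.append((host, None, "investigate: decommissioned but still responding"))
            continue
        score = risk_score(asset["impact"], cvss, exploit)
        if score >= remediate_at:
            decision = "remediate"
        elif score >= mitigate_at:
            decision = "mitigate"
        else:
            decision = "accept"  # documented risk acceptance, not "ignore"
        results.append((host, score, decision))
    # None scores sort first (False < True); scored items sort by descending score.
    return sorted(results, key=lambda r: (r[1] is not None, -(r[1] or 0.0)))
```

Note that the low-impact test server with the higher CVSS score ranks below the ERP database: the business impact from the baseline, not the raw scanner severity, drives the ordering.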
In the end, organizations should employ a robust and cyclical vulnerability management program. That program should provide the organization with information that helps it assess the threat and risk of all information technology assets within the enterprise. The vulnerability management program as a whole is key to ensuring that information is constantly provided to the teams that need to make strategic and dynamic changes to the posture of the network.