In today's information age, saying that your business is "secure" because an IT support team looks after it is no longer sufficient; it badly understates the problem. Attacks on information systems and on a business's proprietary information occur around the clock, so without a vulnerability management program as a core part of your IT and security team's work you are putting your company's data at risk. According to the SANS Critical Security Controls (now maintained by CIS as the CIS Controls), a Vulnerability Management Service (VMS) is no longer optional but a critical requirement. To quote SANS directly: "The [security] Controls take the best-in-class threat data and transform it into actionable guidance to improve individual and collective security in cyberspace. Too often in cybersecurity, it seems the 'bad guys' are better organized and collaborate more closely than the 'good guys.' The Controls provide a means to turn that around." That sounds like a doomsday prophecy, but we're here to walk you through Vulnerability Management (VM).

Cyber Security

In business security, better known globally as cyber security, VM is the foundation of your security program. It is not the answer to everything on your network, but you cannot manage risk you cannot see, so a thorough understanding of what your network looks like and what is stored on it has to come first. Only then can you understand the risks and move on to mitigating them. VM consists of four processes: Discovery, Assessment/Reporting, Prioritization, and Response. They run as a continuous cycle that feeds your IT network security program, and the whole point of the cycle is reducing risk.

Discovery. This is not the quick virus check you run on a home computer; it is a deep dive into every asset on your network to record current vulnerabilities, network configuration, patch state, compliance status, and inventory. Network scanners map the organization's network and identify open ports, the software listening on them, and misconfigured services. Because networks are in constant flux, the discovery process gives you a baseline that has to be refreshed continuously rather than a one-time picture. The types and depth of scans vary from one VM service to another, but every one of them starts your network down the road to mitigation.
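Because discovery only gives a baseline, the useful output of a second scan is the difference from the first: new hosts, newly opened ports, services that changed version, and services that disappeared. The example below is added here to illustrate that, and is not code from the original article or from NST. It parses two constructed snapshots written in the layout of nmap's grepable (-oG) output, where each port entry is assumed to carry the fields port/state/protocol/owner/service/rpc-info/version, and reports what changed between them. The hosts, services and versions are invented sample data.

```python
"""Diff two scan snapshots to find what changed since the discovery baseline.

Added example with constructed data; the snapshot lines imitate the layout of
nmap's grepable (-oG) output but do not come from a real scan.
"""
import re

# Constructed baseline snapshot. Port entries are assumed to be laid out as
# <port>/<state>/<protocol>/<owner>/<service>/<rpc info>/<version>/
BASELINE_SCAN = """\
# Nmap scan initiated (constructed example, not a real scan)
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx 1.18.0/
Host: 10.0.0.7 (db01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 5432/open/tcp//postgresql//PostgreSQL 12.9/
# Nmap done
"""

# Constructed follow-up snapshot: nginx was upgraded, a Jenkins instance appeared on
# web01, ssh on db01 was closed, and a previously unknown host with RDP showed up.
CURRENT_SCAN = """\
Host: 10.0.0.5 (web01)\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 443/open/tcp//https//nginx 1.20.1/, 8080/open/tcp//http-proxy//Jenkins 2.303/
Host: 10.0.0.7 (db01)\tPorts: 5432/open/tcp//postgresql//PostgreSQL 12.9/\tIgnored State: closed (999)
Host: 10.0.0.9 ()\tPorts: 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services/
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+([^\t]*)")


def parse_grepable(text):
    """Return {ip: {(port, proto): (service, version)}} containing open ports only."""
    inventory = {}
    for line in text.splitlines():
        match = HOST_RE.match(line)
        if not match:
            continue  # comment lines and status-only lines carry no port data
        ip, _hostname, ports = match.groups()
        open_ports = {}
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue  # malformed entry; skip rather than guess
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                open_ports[(int(port), proto)] = (service, version)
        inventory[ip] = open_ports
    return inventory


def diff_inventories(baseline, current):
    """Compare two parsed snapshots and return the changes a VM team must triage."""
    changes = {"new_hosts": [], "gone_hosts": [], "new_services": [],
               "closed_services": [], "version_changes": []}
    for ip in sorted(set(baseline) | set(current)):
        if ip not in baseline:
            changes["new_hosts"].append(ip)
            for (port, proto), (svc, ver) in sorted(current[ip].items()):
                changes["new_services"].append((ip, port, proto, svc, ver))
            continue
        if ip not in current:
            changes["gone_hosts"].append(ip)
            continue
        old, new = baseline[ip], current[ip]
        for port, proto in sorted(set(old) | set(new)):
            key = (port, proto)
            if key not in old:
                changes["new_services"].append((ip, port, proto, *new[key]))
            elif key not in new:
                changes["closed_services"].append((ip, port, proto, *old[key]))
            elif old[key][1] != new[key][1]:
                changes["version_changes"].append((ip, port, proto, old[key][1], new[key][1]))
    return changes


if __name__ == "__main__":
    delta = diff_inventories(parse_grepable(BASELINE_SCAN), parse_grepable(CURRENT_SCAN))
    for category, items in delta.items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

Each entry in `new_services` and `version_changes` is something discovery alone would not have told you last month: the unknown host exposing RDP and the Jenkins instance on the web server are exactly the items that need to be fed into assessment and prioritization on the next turn of the cycle.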

Assessment

With the right experts, this stage turns the raw data from discovery scanning into a well-defined prioritization report that can be read at every level of management. The report supports a strategic plan to correct immediate vulnerabilities and problems, establishes baseline metrics, and lays out a way ahead for mitigating future risks.

Prioritization

Ideally the vulnerability rankings are self-evident from your assessment, but this stage introduces the human element: analysis and decisions about how important each risk is to your business and how much time and money you will spend mitigating it. Does the cost of the fix outweigh the risk? Is the fix sustainable, or is this an acceptable risk? A scanner's severity score is only an input here; the same finding on an internet-facing server holding customer data and on an isolated lab machine deserves very different answers. The choices made at this stage determine how effective your vulnerability management program will be. Bill Gates could be running your business IT security program, but if your management does not give serious consideration to the results, the whole thing is only a paper exercise.

Response

This is the action part of the decisions made during prioritization: each risk is corrected, mitigated, or accepted. Correcting is the straightforward case. When you discover, for example, a missing patch on a Windows system, the vulnerability is simply fixed by applying the patch. Mitigation tackles the vulnerability from another angle: instead of fixing a software flaw directly, management may reduce the risk by placing an effective firewall in front of the affected system. The vulnerability still exists, but the firewall reduces the likelihood that it can be reached and exploited, and that compensating control should be recorded alongside the finding so that later scans do not treat it as an unaddressed hole. Finally, there is acceptance. As an example, the IT security team may recommend antivirus software for your lab computers, but management decides not to install it because it would interfere with test cases. In that case they have accepted a known risk, and an accepted risk should carry an owner and a review date so it is revisited rather than forgotten.

Continuous

Vulnerability management for your business or cyber security is a continuous process. It is not a one-time fix, and your picture of the network is only as good as the last time the cycle was run. In practice that means scanning at least monthly, and weekly where you can. Unless your network is almost entirely static, change is constant and must be monitored and managed for new vulnerabilities.

Scope

It helps to understand what vulnerability management is and what it is not. Many people confuse it with penetration testing. In a penetration test, a team that has been given knowledge of your network and the systems in use attempts to break in using known exploits; in effect, they hack your network to show you the holes in it. That kind of testing reaches beyond the IT side of the house, since it can involve physical security and social engineering of your employees, and at the very least thorough interviews to gauge how well staff understand and protect your data. The two services overlap in what they find, but a penetration test demonstrates that a vulnerability can actually be exploited, while a VM service is a much less intrusive scan that can highlight the same vulnerabilities across the whole network without disrupting your day-to-day activities.

Verify

Your IT team or system administrators should verify that vulnerabilities have been remediated or mitigated as intended. Confirming that remediations were implemented correctly avoids the security incident or unplanned downtime that a half-applied fix can cause. Your IT or VMS team will know how best to rescan and recheck each response, and the same rescan will catch any new vulnerabilities that have appeared in the meantime.
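The prioritization, response and verification stages above are easiest to see together on a small set of findings. The example below is added for that purpose and is not code from the original article or from NST. It scores constructed findings by blending scanner severity with business context (the weights are an assumption of this example, not a standard), records a correct/mitigate/accept decision for each, and then checks those decisions against a constructed rescan: a "correct" decision is verified only when the finding is gone, a "mitigate" decision must have its compensating control recorded, an "accept" decision expires on its review date, and any finding with no decision at all is sent back to prioritization. All asset names, check ids and scores are invented.

```python
"""Prioritize findings, record the response decision, verify against a rescan.

Added example with constructed data. Scoring weights are illustrative only.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    asset: str
    check: str               # scanner check id (constructed)
    cvss: float              # technical base score, 0-10
    internet_facing: bool    # exposure, from the network inventory
    exploit_available: bool  # public exploit known
    criticality: int         # business value of the asset, 1 (lab box) .. 5 (crown jewels)


@dataclass(frozen=True)
class Decision:
    action: str    # "correct", "mitigate" or "accept"
    owner: str
    due: date      # fix deadline, or review date for an accepted risk
    control: str = ""  # compensating control, required for "mitigate"


def priority_score(f):
    """Severity alone is not priority: weight by asset value, exposure and exploitability."""
    score = f.cvss * f.criticality
    if f.internet_facing:
        score *= 1.5   # assumed weight
    if f.exploit_available:
        score *= 1.5   # assumed weight
    return round(score, 1)


def rank(findings):
    return sorted(findings, key=priority_score, reverse=True)


def verify(decisions, rescan, today):
    """Check every recorded decision against a fresh scan.

    Returns (report, untriaged): report maps (asset, check) to a status string,
    untriaged lists rescan findings that have no decision yet.
    """
    present = {(f.asset, f.check) for f in rescan}
    report = {}
    for key, d in decisions.items():
        still_there = key in present
        if d.action == "correct":
            status = "verified" if not still_there else ("overdue" if today > d.due else "pending")
        elif d.action == "mitigate":
            status = "verified" if not still_there else ("mitigated" if d.control else "missing-control")
        elif d.action == "accept":
            status = "accepted" if today <= d.due else "acceptance-expired"
        else:
            status = "unknown-action"
        report[key] = status
    untriaged = sorted(present - set(decisions))
    return report, untriaged


# Constructed findings from an assessment report.
FINDINGS = [
    Finding("web01", "ssl-weak-cipher", 5.3, True, False, 4),
    Finding("web01", "jenkins-rce", 9.8, True, True, 4),
    Finding("db01", "postgres-outdated", 7.2, False, True, 5),
    Finding("lab01", "no-antivirus", 4.0, False, False, 1),
]

# Constructed decisions made during prioritization and response.
DECISIONS = {
    ("web01", "jenkins-rce"): Decision("correct", "platform-team", date(2024, 2, 20)),
    ("web01", "ssl-weak-cipher"): Decision("correct", "platform-team", date(2024, 2, 25)),
    ("db01", "postgres-outdated"): Decision("mitigate", "dba-team", date(2024, 6, 30),
                                            control="network ACL limits 5432/tcp to the app subnet"),
    ("lab01", "no-antivirus"): Decision("accept", "lab-manager", date(2024, 12, 31),
                                        control="risk accepted: AV interferes with test cases"),
}

# Constructed rescan: Jenkins fixed, weak cipher still present, plus one new finding.
RESCAN = [
    Finding("web01", "ssl-weak-cipher", 5.3, True, False, 4),
    Finding("db01", "postgres-outdated", 7.2, False, True, 5),
    Finding("lab01", "no-antivirus", 4.0, False, False, 1),
    Finding("web01", "nginx-outdated", 7.5, True, False, 4),
]

if __name__ == "__main__":
    for f in rank(FINDINGS):
        print(f"{priority_score(f):6.1f}  {f.asset:6} {f.check}")
    report, untriaged = verify(DECISIONS, RESCAN, date(2024, 3, 1))
    for key, status in report.items():
        print(f"{status:20} {key}")
    print("back to prioritization:", untriaged)
```

Run as written, the ranking puts the exploitable, internet-facing Jenkins flaw far above the lab machine's missing antivirus, the verification marks the overdue cipher fix as `overdue` rather than silently leaving it open, and the new nginx finding is returned as untriaged so it cannot fall between two turns of the cycle.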

At the end of the day, it takes a fully certified team and the support of management to build a real and effective vulnerability management service that protects your business networks. The professionals at NST can help you get started today.
