Step #1 – Admit That You Have a Problem
Many IT professionals live in a world of denial. Assumptions are made about the security of systems and risks are often ignored. These stances are not taken out of ignorance or irresponsibility, but are instead often-pragmatic decisions based on the number of resources available and the number of hours in a day. IT managers are frequently forced to hope that the diligence that went into the deployment and configuration of network equipment and servers 3 years ago will continue to protect that equipment today. Unfortunately, that is often far from reality.
The first and most important step for all IT professionals is to recognize and admit that vulnerabilities are real and that they are a problem to be tackled consistently and systematically. Attack vectors change, software evolves, and firmware gets revised. Very little if any part of information technology is static. Recognizing this fact is key. Once you admit that problems exist, solutions become a possibility.
Step #2 – Define and Understand Your Boundaries
Once you recognize that there is a vulnerability problem to be tackled, the next step is to start to define the battle and the related battlefield. Certain questions must be answered initially. What tools do I currently have at my disposal (vulnerability scanners, logs, discovery tools, monitoring tools, asset management information, etc.)? How many locations and subnets do I need to evaluate? What impact will this work have on my network? What are my potential maintenance windows?
The answers to these questions will help to define your next steps including what needs to be purchased, who needs to be called, and how quickly you can dig in and start working the problem. Rome was not built in a day, so remember that patience is key. The development of a strong plan is the foundation for success.
Step #3 – Know Thyself
Knowing thyself means a lot of things to a lot of people but in terms of vulnerability management it means understanding how many devices you have on your network, where those devices are located and what potential function they have. This process usually begins with a discovery scan across all subnets. In a perfect world (and I know all IT shops are generally utopic J), this type of scan validates all of the existing asset management inventories and there are no surprises. In reality, a good discovery scan can identify lost or forgotten components, expose unauthorized devices, backfill or create asset inventory lists, and provide a strong starting point for vulnerability remediation.
Step #4 – Address the Obvious Problems First
Most IT professionals do not need to perform extensive testing or run numerous scans to identify their “problem children” on the network. Every organization has certain servers and network devices that are adverse to patching or downtime or both. Build a plan, schedule the necessary downtime and patch these devices. There is no need to wait for a vulnerability assessment to know that these machines will need to be addressed. Plus, the cleaner the initial vulnerability assessment, the faster remediation can begin.
Also, remember Step #3. Review your discovery scan and target any anomalies. All unknown or unexpected devices should be investigated and all unnecessary and unused machines should be decommissioned.
Step #5 – Assess Your Situation
At the heart of every good vulnerability management strategy is a thorough vulnerability assessment utilizing an established and exhaustive scanning tool. Several important decisions go into a strong initial vulnerability assessment. Select a reputable scanning tool with a mature vulnerability signature database. This will limit false positives and ensure valuable initial scan results. Using the results of your initial discovery scan, target all assets on your network. Do not make assumptions as to which devices should or should not be scanned. Scan them all. Target a maintenance window that will allow for as much potential down time as possible. This will allow for a more thorough and intrusive scan of all nodes without impacting business functionality. Finally, be patient. A thorough scan takes time and monitoring. Be aware of your maintenance window and be prepared to pause your scan to ensure production is not affected.
Step #6 – Remediation is Fundamental
This particular step is quite possibly the most important and the most easily forgotten step in good vulnerability management. A strong vulnerability assessment is only as good as the time and effort put into the remediation of the assessment’s findings. Far too often organizations diligently scan their networks only to set aside the resulting report and never fix any problems. Scanning becomes a compliance checkbox effort while the remediation work falls to the bottom the tasks list.
Review your vulnerability scan results. Build a remediation plan starting with your most vulnerable and critical systems first. Then work the plan. Realize and accept the fact that all findings cannot be remediated quickly and some findings may find their way onto the next scheduled scan. That’s ok. Be methodical and eventually those results reports will be smaller and smaller and your network will be more and more secure.
Step #7 – Reassess Your Situation Every Few Month
Simply completing a vulnerability scan and successfully remediating all of the related findings is not the same thing as reaching the end of the vulnerability management rainbow. You are not done. The clock starts all over again. Like its close cousin patch management, vulnerability management is a continuous process and, as such, requires a consistent methodology. Develop a set of quarterly procedures including discovery scans, vulnerability assessments and remediation tasks. Such a strategy will shorten vulnerability windows and give you a bit more peace of mind from quarterly interval to interval.
Step #8 – Develop Better Habits
As has been stated throughout this list, a lack of patches and up-to-date firmware is often a root cause of vulnerabilities on systems. IT professionals the world-over have the best of intentions when it comes to the development and implementation of a patch management strategy. Unfortunately, project schedules and real world challenges interfere with those strategies, leading to interruptions if not the complete abandonment of system patching. No good comes from this.
IT professionals should make patch management and, as an extension, vulnerability management methodical and habitual. Time should be built into work schedules and project plans to ensure these critical tasks are complete. Resources should be dedicated to remediation. Both planning and execution are necessary to ensure all systems are as hardened and as defensible as possible in the event of a cyber-threat.
Step #9 – Increase Your Frequency
Vulnerability management and the plans and processes associated with it should evolve over time. As remediation strategies become more effective, each follow-up vulnerability scan report should be smaller and more manageable. Once those reports become more manageable, the time between scans can shrink. The more frequently an IT shop scans for and remediates vulnerabilities, the less time that shop and its associated organization spends vulnerable to potential threats. Less vulnerability is always a good thing.
A good strategy for scanning intervals is to attempt to shrink from quarterly to monthly, and then from monthly to weekly. Most professionals would agree that an attack window of seven days is much more palatable than an attack window of 90 days.
Step #10 – Make It Automatic
The inevitable challenge that comes with more frequent vulnerability assessments is having the time and resources to perform the scans. Fortunately, most of the leading scanning tools and vulnerability management solutions have automation mechanisms to help solve this problem. A good tool/solution should allow an administrator to schedule scans as needed and to route the results of those scans to an email box or file share automatically. A good tool/solution should also generate alerts based on critical findings or system conflicts associated with the scanning process. This level of automation should free up administrators and allow for more frequent and burden free scans, which in turn provides valuable insight and smaller vulnerability windows.
Step #11 – Learn to Follow the Trends
Aside from the immediate goal of identifying and eliminating network and device vulnerabilities, a strong vulnerability management methodology also provides invaluable insight into the function and effectiveness of an organization’s IT security practice. By tracking the vulnerabilities and threats identified in the scanning process in relation to the remediation process designed to eliminate those threats, an IT security practice can demonstrate its effectiveness and the organization’s overall security posture over time.
Many of the more robust vulnerability management solutions on the market today can track remediation successes over time and provide reports and graphs demonstrating the effectiveness of the vulnerability management methodology. This is a valuable tool for most IT security practices because it validates all of the efforts exerted to keep an organization safe and it also provides a financial justification for resources acquired and monies spent.
Step #12 – Make Continuous Progress
This final step makes the assumption that scanning and remediation are moving along smoothly and vulnerability windows have been shrunk to as small as possible. Many vulnerability management solutions and threat intelligence platforms now support Layer 7 continuous monitoring of networks for potential vulnerabilities and threats. This is accomplished through passive packet inspection and traffic pattern recognition. Such a solution is the logical next step in vulnerability management; knowing the problem as it occurs.
That being said, perhaps assumptions should not be made. Maybe an IT shop’s vulnerability management methodology does not need to be perfect. Continuous monitoring has value regardless of the state of your vulnerability management strategy. Knowing you have a problem is truly half the battle. But remember that knowing you have a problem is not the same thing as solving it. That takes a plan and that takes proper execution.
Good Luck! Go fight the good fight against bugs and vulnerabilities!