February 1, 2008
Vulnerability Management Lifecycle (Part 1 of 2)
by Shon Harris, CISSP, MCSE
Information security is a new business process that needs to be understood and implemented from the top of an organization on down. Vulnerability management is one important component of information security. Proper vulnerability management is an integration of people, processes, and technology that establishes and maintains a protection baseline for a company. The process of vulnerability management includes vulnerability discovery, threat analysis, mitigation steps, and an infrastructure that allows for proper and continual monitoring and improvement.

Vulnerability management should be a systematic approach that identifies and prioritizes enterprise-wide threats to ensure that a company can focus and spend the available funds on the issues that can cause the largest potential damage to a company.
Vulnerability management should encompass these things, so let’s look at the steps that are necessary to ensure that your organization is properly covering these items.
Vulnerability Management Lifecycle
The following 12 steps address the necessary components of any vulnerability management operational lifecycle. Although every environment is slightly different and the actual approach and business process may vary from one company to the next, each of these pieces should be addressed in one fashion or another. There are several new automated tools available on the market to accomplish many of these tasks, but it is important to realize that vulnerability management is not a product or a project. It is a methodology that should be implemented and maintained as a business process on an ongoing basis. Even if you have a product that carries out some or many of these items, you and your team should understand the necessary steps to make sure you are properly using the purchased tool instead of assuming that it is doing everything you need.
Step 1 - Define Roles and Responsibilities
All of the best practices, checklists, and procedures do not add up to a pile of beans if individuals are not tasked with the necessary responsibilities. As you go through the 12 steps outlined here, you should be assigning the tasks you identify as necessary in your environment to specific departments and individuals. Roles, responsibility, and enforcement go a lot farther than any new expensive gadget promising you everlasting security bliss.

Step 2 - Inventory
The next thing that needs to take place is an inventory of your company’s assets. It is important to know what needs to be protected and then drill down into how to protect it. This may sound like a simplistic task that is easily achievable, but on the contrary, this can be a large undertaking for many organizations. Important data is usually held at different locations throughout a company’s network, and the network itself continues to grow without being properly documented.
In terms of vulnerability management, it is extremely important to know what platforms and software are deployed in your environment. This is the only way to know whether a newly identified vulnerability applies to your network and whether you should be concerned about it.
Complete a full inventory on the operating systems, applications, hardware, and firmware in your network. This should include versions and any patches or upgrades that have been applied. If a new vulnerability is identified tomorrow in Apache HTTP Server Version 1.3, you will know if you need to jump into action or not. The following outlines the necessary steps of asset management:
- Identify all assets, configurations, versions, software, and patches
- Update and maintain this information on all assets through their lifecycles - from procurement to disposal
- Identify an individual who is responsible for asset management
Step 3 - Asset Roles
Identify the roles of different assets to your organization. This will help you understand the business impact if one or more of these assets are negatively affected. For example, if a file server goes down, that may not cause as much of a business impact as if your e-commerce system went down. This will help you in the decision to allocate the necessary funds to protect the company’s critical assets when you get to that stage. The asset roles should be mapped to classification standards and implemented as part of your asset management procedures. Classifications that you could use can be mapped to maximum tolerable downtime (MTD) calculations:
- Non-essential = MTD 30 days
- Normal = MTD 7 days
- Important = MTD 72 hours
- Urgent = MTD 24 hours
- Critical = MTD minutes to hours
These MTD values are usually derived by carrying out a risk analysis. For example, let’s say in our risk analysis we determined that if our mainframe was down for two hours it would cost the company $450,000. This asset would be classified as Critical. If our file server is down for three days and it will only cost us $250, then we can put this asset in the Important bucket.
If there is a massive compromise that affects several systems at one time you can view the different assets’ classifications to know which systems need to be brought back up online before the others. (This also helps in identifying how much of the security budget can be used to protect these different assets.)
Step 4 - Develop Metrics
Many companies already use some type of metrics for tracking and reporting the number and type of incidents per month, cost of recovery from incidents in man-hours, and the time it takes to resolve experienced incidents. True vulnerability management is much broader than these issues. Your company should have metrics for the following:
- Security awareness (people)
- Policy compliance (process)
- Technical security posture (technology)
- Security incidents (risk)
It is critical to formalize these metrics so that your company can quantify business impact of threats and calculate return on investment values to justify a specific security budget.
To date there are no industry standard security metrics, so individual companies have had to come up with their own metrics or deploy a product and use the metrics integrated in the specific tools. There are currently several movements in place to develop standard metrics. SecMet is one entity working on this (http://www.secmet.org). For directions on how to set up metrics in your environment, you can review the NIST sp800-55 publication at http://csrc.nist.gov/publications/nistpubs/800-55/sp800-55.pdf.
Step 5 - Assess and Baseline
Carry out initial vulnerability assessments to recognize your current level of vulnerability and threat level. The types and depth of assessments you choose to carry out depends on the scope of vulnerabilities you are going to address. Vulnerabilities lie in operating systems, applications, network traffic flow, personnel, and processes.

A NIST publication that outlines the best practices for security self-assessments can be found at http://csrc.nist.gov/asset.
Step 6 - Create Desired Baseline
In step 5, you determine where you are and in step 6 you determine where you want to be. Baselines are derived from measurements and metrics. Once you establish the metrics your company will use, you need to determine the range of deviations your company can accept. The goal of step 6 is to establish an acceptable risk level that your company is willing to live with. Different types of organizations will establish different acceptable risk levels depending upon their threats. For example, a financial institution will have more motivated attackers than a retail store, and therefore must establish and maintain a different acceptable risk level. This acceptable risk level is a balance between user functionality, security requirements, and available funding. Once this baseline is established, it is the job of the risk and vulnerability management team to ensure that this baseline is always maintained.
Step 7 - Develop a CSIRT
Many companies try to prevent bad things from taking place, but do not properly plan for what to do when bad things take place. An important component of any corporation’s vulnerability management is a Computer Security Incident Response Team (CSIRT). The team should be made up of technical staff, management, legal, and human resources. There needs to be a proper communication channel established to alert the right individuals about a compromise when it takes place. It is important that these team members and individuals are properly trained in their expected tasks.
The team needs to have access to network and infrastructure information, outside consultants, and legal authorities.
A NIST publication that outlines the best practices for setting up a CSIRT can be found at http://www.csrc.nist.gov/publications/nistpubs/800-3/800-3.pdf.
Step 8 - Control Vulnerability Information Flow
The number of new vulnerability alerts is overwhelming for most network and security staffs today. This is because many types of vulnerabilities in many types of products are reported each and every week. It is important that your team is alerted about vulnerabilities that affect your environment and not overwhelmed with an excessive number of alerts that do not affect you. Members of the CSIRT team should receive these alerts, and specific individuals should be identified to investigate each applicable threat. There are several vulnerability alert subscription services available today, which can provide you with only the alerts you need to be concerned about, including (but not limited to) the following:
- META Security Group
- TruSecure IntelliShield Early Warning System (EWS)
- SecureNet Solutions
- Computer Associates’ eTrust Managed Vulnerability Service
Step 9 - Develop Threat Classifications
Create a classification scheme that ranks attacks by their level of threat, probable degree of success, and level of potential damage. The classification scheme should also include the targeted assets and the business impact of them being compromised. This provides a simple and powerful way to convey warnings about new vulnerabilities. It combines technical and business issues to properly communicate the necessary areas of focus for your staff.
- Classify vulnerabilities based on their level of threat and degree of success
- Classify assets according to their level of vulnerability, role in company, and value
- Decisions on remediation activities are based on a combination of technical and business data
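The following added example (not code from the article) ties Steps 2, 3, 8 and 9 together: an inventory records product versions per asset, an alert names a vulnerable version range, and only assets actually running an affected version are passed on, ordered by their MTD-derived class. The inventory, the Apache version numbers and the "fixed in" release are constructed for illustration.

```python
# Added example, not the article's code; all inventory and alert data is constructed.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    software: dict      # product name -> installed version string (Step 2 inventory)
    mtd_hours: float    # maximum tolerable downtime from the risk analysis (Step 3)

@dataclass
class Alert:
    product: str
    first_affected: str  # inclusive lower bound of vulnerable versions, e.g. "1.3"
    fixed_in: str        # exclusive upper bound, e.g. "1.3.41" (assumed fixed release)

def version_tuple(v):
    """'1.3.39' -> (1, 3, 39) so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in v.split("."))

def classify_by_mtd(mtd_hours):
    """Map a measured MTD to the article's classes; 'minutes to hours' taken as < 24 h."""
    if mtd_hours < 24:
        return "Critical"
    for name, bound in (("Urgent", 24), ("Important", 72), ("Normal", 7 * 24)):
        if mtd_hours <= bound:
            return name
    return "Non-essential"

def is_affected(asset, alert):
    """True only if the asset runs the product at a version inside the alert's range."""
    installed = asset.software.get(alert.product)
    if installed is None:
        return False
    v = version_tuple(installed)
    return version_tuple(alert.first_affected) <= v < version_tuple(alert.fixed_in)

def triage(inventory, alert):
    """Affected assets as (name, class, mtd_hours), most urgent first; an empty
    list means the alert can be filtered out before it reaches the CSIRT (Step 8)."""
    hits = sorted((a for a in inventory if is_affected(a, alert)), key=lambda a: a.mtd_hours)
    return [(a.name, classify_by_mtd(a.mtd_hours), a.mtd_hours) for a in hits]

# Constructed inventory: the article's mainframe (2 h MTD) and file server (72 h MTD),
# plus a web shop on Apache 2.2 that the 1.3 alert must not flag.
INVENTORY = [
    Asset("mainframe", {"Apache HTTP Server": "1.3.39"}, 2),
    Asset("file-server", {"Apache HTTP Server": "1.3.37", "Samba": "3.0.28"}, 72),
    Asset("web-shop", {"Apache HTTP Server": "2.2.8"}, 4),
]
APACHE_13_ALERT = Alert("Apache HTTP Server", "1.3", "1.3.41")
```

Running `triage(INVENTORY, APACHE_13_ALERT)` flags the mainframe first and the file server second, while the web shop on 2.2.8 is left out; an alert for a product nobody runs yields an empty list and need not be forwarded.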

Review of various attacks, malware, and insider threats organizations are facing today