February 3, 2008

Vulnerability Management Lifecycle (Part 2 of 2)

by Shon Harris, CISSP, MCSE

Step 10 - Standardize Procedures

Develop standardized procedures and checklists to follow when a new vulnerability is identified. This formalized approach reduces wasted time and operational costs. These procedures should outline the necessary steps that should be taken when a vulnerability is identified and the roles responsible for completing these steps. The following flow chart addresses many of the steps that should take place.

[Flow chart: vulnerability management standardized procedures]

The actual steps you develop for your environment may be slightly different from the previous flow chart, but your procedures should cover the common components of vulnerability management action steps: vulnerability identification, threat analysis, and remediation procedures.

Vulnerability Identification

  • Goal:
    • Identify weaknesses before they can be exploited
  • Process:
    • Continually scan for new vulnerabilities
    • Continually scan for rogue technology devices
    • Keep up to date on vulnerability alerts
    • Carry out compliance testing
    • Carry out operational availability analysis
  • Technologies:
    • Scanners
    • Vulnerability assessment tools
    • Penetration testing tools
    • New vulnerability alert subscription

Threat Analysis

  • Goal:
    • Identify threat agents that can exploit identified vulnerabilities
    • Measure the efficiency of current controls and countermeasures
    • Minimize downtime due to threat activity and other negative ramifications
  • Process:
    • Classify new vulnerabilities based on probability of success of exploitation and potential damage
    • Classify vulnerable asset by role in company and business impact of disruption
    • Align threats with business impact and develop proper remediation steps
    • Use results of incidents to improve preventive measures
  • Technologies:
    • Vulnerability management automated tools
    • Intrusion detection and prevention systems
    • Event correlation
    • Content filtering
    • Antivirus

Remediation

  • Goal:
    • Reduce business downtime and business impact
    • Contain and mitigate damages
    • Respond effectively and efficiently to incident
  • Process:
    • Roll out temporary fix
    • Test and implement permanent fix
    • Carry out proper configuration management
    • Report activities to affected business units and personnel
    • Document change to environment
  • Technologies:
    • Patch management
    • Configuration and software deployment tools
    • Vulnerability management automated tools
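The Threat Analysis process above asks you to classify each new vulnerability by its probability of successful exploitation and potential damage, classify the vulnerable asset by its role in the company, and align the two into remediation steps. The following is an added example (not code from the article or from any product it names) that turns those steps into a ranked remediation queue; the asset roles, findings, weights and severity cut-offs are constructed sample data and assumptions.

```python
"""Rank newly identified vulnerabilities for remediation.

Added example, not code from the original article. It implements the
Threat Analysis process steps: classify each vulnerability by the
probability that exploitation succeeds and by the damage it can do,
classify the affected asset by its role in the company, and combine the
two into a remediation queue. Roles, findings, weights and severity
thresholds are constructed sample data and assumptions.
"""
from dataclasses import dataclass

# Business impact of disrupting an asset, by role (assumed 1-5 scale).
ROLE_IMPACT = {
    "customer-facing web": 5,
    "payment processing": 5,
    "internal file server": 3,
    "developer workstation": 2,
    "test lab": 1,
}


@dataclass(frozen=True)
class Asset:
    name: str
    role: str
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    vuln_id: str                # placeholder tracking id, not a real advisory number
    asset: str                  # name of the affected asset
    exploit_likelihood: int     # 1 = theoretical .. 5 = exploit circulating in the wild
    damage: int                 # 1 = minor disclosure .. 5 = full compromise
    compensating_control: bool  # an existing countermeasure already blocks the attack path


def threat_score(finding: Finding, asset: Asset) -> float:
    """Likelihood x damage x business impact, adjusted for exposure and controls."""
    likelihood = finding.exploit_likelihood
    if asset.internet_exposed:
        likelihood = min(5, likelihood + 1)  # reachable by any threat agent
    score = likelihood * finding.damage * ROLE_IMPACT[asset.role]
    if finding.compensating_control:
        score *= 0.5  # lowers urgency; the vulnerability still needs a permanent fix
    return score


def severity(score: float) -> str:
    """Map a score onto the class used to schedule remediation (assumed cut-offs)."""
    if score >= 75:
        return "critical"
    if score >= 30:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


def triage(findings, assets):
    """Return findings ordered from most to least urgent."""
    by_name = {a.name: a for a in assets}
    queue = []
    for f in findings:
        asset = by_name[f.asset]
        score = threat_score(f, asset)
        queue.append({
            "vuln_id": f.vuln_id,
            "asset": f.asset,
            "role": asset.role,
            "score": score,
            "severity": severity(score),
        })
    queue.sort(key=lambda row: row["score"], reverse=True)
    return queue


# Constructed sample inventory and scanner output.
SAMPLE_ASSETS = [
    Asset("web01", "customer-facing web", internet_exposed=True),
    Asset("pay01", "payment processing", internet_exposed=False),
    Asset("fs01", "internal file server", internet_exposed=False),
    Asset("dev07", "developer workstation", internet_exposed=False),
    Asset("lab02", "test lab", internet_exposed=False),
]

SAMPLE_FINDINGS = [
    Finding("VULN-0001", "web01", exploit_likelihood=4, damage=5, compensating_control=False),
    Finding("VULN-0002", "pay01", exploit_likelihood=3, damage=5, compensating_control=True),
    Finding("VULN-0003", "fs01", exploit_likelihood=2, damage=3, compensating_control=False),
    Finding("VULN-0004", "dev07", exploit_likelihood=5, damage=2, compensating_control=False),
    Finding("VULN-0005", "lab02", exploit_likelihood=5, damage=3, compensating_control=False),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS, SAMPLE_ASSETS):
        print(f'{row["severity"]:8} {row["score"]:6.1f} {row["vuln_id"]} on {row["asset"]} ({row["role"]})')
```

The point of the asset-role factor is visible in the sample output: a trivially exploitable finding on the test lab ranks below a harder one on the internet-facing web server, and a compensating control halves urgency without removing the item from the queue, so it still reaches the "test and implement permanent fix" step.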


Some of Today’s Top Vulnerability Management Products

Foundstone Enterprise (recently purchased by McAfee)

http://www.foundstone.com

Symantec NetRecon

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=46&EID=0

QualysGuard

http://www.qualys.com/solutions/overview/

eEye Digital Security Products

http://www.eeye.com/html/products/index.html

Step 11 - Improve Preventive Controls

In your vulnerability management procedures, improvement of current countermeasures is an important step. In most situations, when a compromise takes place it is an indication that the current preventive safeguards are lacking or have been penetrated. When an intrusion is endured, not only should the incident response team contain the damage and restore the production environment, but the security staff should also treat this as an opportunity to reinforce necessary security barriers. Too many times companies just "plug the hole" without investigating the layers of controls that had to be penetrated for this threat to be successful.

Step 12 - Continual Monitoring

Vulnerability management is a process, not a product or a project. This means that you need to continue to monitor for all of the possible threats your company can be faced with. Many companies spend most of their attention and money on monitoring incoming ports (ingress filtering), but it is important to also review these possible threats and more:

  • Remote access servers - Is this traffic monitored via firewalls and IDS?
  • Outgoing ports (egress filtering) - Are your employees carrying out hacking activities or are any of your systems infected with zombie software?
  • Hanging modems - Have new ones popped up on your environment that you are unaware of?
  • Personnel security knowledge assessment - The most commonly overlooked item that can cause the most damage
  • Data validation and buffer overflows in software - Have you properly tested for these types of attacks?
  • Compliance with policy, laws, and regulation - A very costly venture if you are not in compliance
  • Proper configuration of security devices - IDS, firewalls, and access control misconfigurations account for most of the serious vulnerabilities in many environments today
  • Authorization creep - Employees and contractors gaining more and more access rights without their access needs being validated
  • Internal fraud - Authorized users are the most difficult to audit and monitor because they have been granted privileged access
  • Confidential data - Are your employees sending this type of information out through e-mail or saving it to disks to take out of the environment?
  • PBX fraud - Are you monitoring long distance use to ensure that phreakers are not selling access to your telephone service?
  • Wireless - Checking for rogue access points, possibility of sniffing, and access to your wired environment
  • Keeping track of the top 20 vulnerabilities
    • Top vulnerabilities to Windows systems:
      • Internet Information Services (IIS)
      • Microsoft SQL Server (MSSQL)
      • Windows Authentication
      • Internet Explorer (IE)
      • Windows Remote Access Services
      • Microsoft Data Access Components (MDAC)
      • Windows Scripting Host (WSH)
      • Microsoft Outlook and Outlook Express
      • Windows Peer to Peer File Sharing (P2P)
      • Simple Network Management Protocol (SNMP)
    • Top vulnerabilities to Unix systems:
      • BIND Domain Name System
      • Remote Procedure Calls (RPC)
      • Apache Web Server
      • General Unix authentication accounts with no passwords or weak passwords
      • Cleartext services
      • Sendmail
      • Simple Network Management Protocol (SNMP)
      • Secure Shell (SSH)
      • Misconfiguration of Enterprise Services NIS/NFS
      • Open Secure Sockets Layer (SSL)

These vulnerabilities and remediation steps can be found at http://www.sans.org/top20.
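The "Authorization creep" item in the monitoring list above is one of the few that no scanner finds for you: access rights accumulate quietly as people change roles. The following is an added example (not code from the article) of a repeatable check for it: each user's current rights are compared with the baseline for their role, with the rights recorded at the previous access review, and with combinations that violate separation of duties. The role baselines, users, rights and toxic combinations are constructed sample data.

```python
"""Check an entitlement export for authorization creep.

Added example, not code from the original article. Every user's current
rights are compared with the baseline for their role, with the rights
recorded at the previous access review, and with right combinations that
violate separation of duties. All data below is constructed.
"""

# Rights each job role is entitled to (constructed).
ROLE_BASELINE = {
    "accounts-payable": {"erp:ap-entry", "erp:view-vendors", "mail"},
    "helpdesk": {"ad:reset-password", "ticketing", "mail"},
    "developer": {"git:push", "ci:run", "mail"},
}

# Right combinations a single person should never hold (constructed).
TOXIC_COMBINATIONS = [
    {"erp:ap-entry", "erp:approve-payment"},  # enter and approve own payments
    {"git:push", "prod:ssh"},                 # change code and deploy it unreviewed
]

# Rights recorded at the last formal access review (constructed).
LAST_REVIEW = {
    "alice": {"erp:ap-entry", "erp:view-vendors", "mail"},
    "bob": {"ad:reset-password", "ticketing", "mail"},
    "carol": {"git:push", "ci:run", "mail"},
}

# Current export from the directory / IAM system (constructed).
CURRENT = {
    "alice": {"role": "accounts-payable",
              "rights": {"erp:ap-entry", "erp:view-vendors", "erp:approve-payment", "mail"}},
    "bob": {"role": "helpdesk",
            "rights": {"ad:reset-password", "ticketing", "mail", "ad:domain-admin"}},
    "carol": {"role": "developer",
              "rights": {"git:push", "ci:run", "mail"}},
    "dave": {"role": "developer",  # joined after the last review
             "rights": {"git:push", "ci:run", "mail", "prod:ssh"}},
}


def find_creep(current, role_baseline, last_review, toxic=TOXIC_COMBINATIONS):
    """Return, per user with a problem: rights beyond the role baseline,
    rights gained since the last review, whether the user was never
    reviewed, and any separation-of-duties conflicts."""
    report = {}
    for user, rec in current.items():
        rights = rec["rights"]
        beyond_role = rights - role_baseline.get(rec["role"], set())
        previous = last_review.get(user)
        # None marks a user who has never been reviewed, which is itself a finding.
        gained = rights - previous if previous is not None else None
        conflicts = [sorted(c) for c in toxic if c <= rights]
        if beyond_role or gained or previous is None or conflicts:
            report[user] = {
                "role": rec["role"],
                "beyond_role": sorted(beyond_role),
                "gained_since_review": sorted(gained) if gained is not None else None,
                "never_reviewed": previous is None,
                "sod_conflicts": conflicts,
            }
    return report


if __name__ == "__main__":
    for user, issues in find_creep(CURRENT, ROLE_BASELINE, LAST_REVIEW).items():
        print(user, issues)
```

Run against the sample data, carol produces no finding, alice and bob show rights that are outside their role and were added since the last review, and dave is flagged both for a right outside the developer baseline and for never having been reviewed. Each line of the report is a question for the data owner (validate the access need or revoke), which is exactly the step that authorization creep skips.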

[Figure: vulnerability management technologies]

Let’s Regroup

Even if your environment is complex and the sophistication of the threats increase over time, you can still get a handle on identifying and controlling the vulnerabilities and threats in your organization. It is all about laying out achievable steps and keeping up the day-in-day-out discipline that is required to ensure that your company’s acceptable risk level is not compromised.

Let’s make sure we understand the goals we are trying to accomplish and the necessary processes to achieve these goals.

Vulnerability Management Goals

  • Goal:
    • Prioritize threats and address them in accordance to their criticality classification
    • Methodical and standardized approach of incident response
    • Mitigate risk and business impact resulting from incidents
    • Correlate events and improve preventive controls based on past vulnerability, threat, and remediation results
    • Ensure and manage compliance with organizational standards and policies
    • Reduce legal liability issues
    • Produce operational and executive reports to aid in applying security metrics and calculating ROI

Vulnerability Management Process

  • Process:
    • Capture baseline of security posture
    • Develop desired baseline of security posture (Acceptable risk level)
    • Inventory and classify assets based on value to company
    • Develop a Computer Security Incident Response Team (CSIRT)
    • Control vulnerability information flow
    • Develop standardized procedures and checklists to follow when a new vulnerability is identified
    • Integrate activities with asset management, event and patch management processes
    • Review and improve upon preventive countermeasures currently in place
    • Continually monitor environment’s security baseline

Do not fall into the common misconception that vulnerability management can be solved with just a product. Although many of the products on the market today can greatly reduce the manual steps of this piece of your security program, it is still very important that you and your team understand how to use the product as a tool in your vulnerability management process - not as the solution. Proper education on the issues and integration of vulnerability management as a business process is more important than any tool. With these two pieces in place, you and your team can choose the right tool for the right purpose.

In addition, do not think that security issues can be solved by throwing money and staff at the problem. You have to develop a strategic and ongoing process that is integrated into everyday activities. A large corporation of over 200,000 employees created an 80-person staff dedicated just to vulnerability management. They could not keep up and be successful because of lack of organization, vision, strategy, and process integration - not from a lack of money.

[Figure: vulnerability management goals]
