Building a Foundation
Taking a look at a holistic information security perspective
- By Madeline Domma
- May 01, 2015
Now more than ever, major network vulnerabilities are making national and international news headlines. Heartbleed, Shellshock and POODLE are considered by many to be among the worst bugs present on the Internet and, in recent months, have all formed their own unique paths of destruction across networks everywhere. These vulnerabilities, as well as countless others, are extremely harmful when used to attack companies and can be detrimental to a company’s future success if not addressed properly.
Although understanding the global impact of these vulnerabilities can be both interesting and useful, the primary concern for network security professionals must be the impact of these vulnerabilities on the specific IT environments that they oversee. At some point, all companies—regardless of size or industry—must develop information security programs to protect both themselves and their customers from these vulnerabilities and other IT-related threats.
From creating policies and vendor contracts to performing risk assessments and audits, organizations are continually faced with the challenge of securing their data from internal and external exploitation. Additionally, most company security practices may need to comply with the standards of different governing bodies, authorities, or regulations, depending upon the industry. This requirement to synchronize a company’s security efforts has given rise to the information security model known as IT GRC (Governance, Risk and Compliance).
One of the best strategies by which companies can develop a secure and comprehensive IT GRC program begins with a thorough and vigilant vulnerability management process. Network vulnerability scans and the results they yield offer a wealth of information about network devices and can be employed in many different ways. Leveraging vulnerability data when creating IT GRC practices is crucial to developing a comprehensive, consistent, and sustainable information security program.
Problems Emerge Without Proper Vulnerability Management
Attempting to mature an information security program without integrating vulnerability data can cause several different problems over time. Without an understanding of the vulnerabilities of a network’s devices, network oversight becomes limited. If network oversight does not include vulnerability management, those making security-related decisions cannot cultivate best practices to combat the specific vulnerabilities that pose the greatest threats to the organization’s unique environment.
Without incorporating well-managed vulnerability data to improve a company’s security program, inconsistencies in security posture will inevitably occur. For instance, an IT audit of company systems may find that the configuration settings of workstations or servers do not reflect those defined in the security policy. While this inconsistency may result in a citation or fine in the context of an audit, it could have been discovered and mitigated beforehand if the company were using a vulnerability management tool.
Conversely, vulnerability management can validate claims made in company policies, during risk assessments and audits, or when verifying compliance with a given authority. When the vulnerability data is consistent with the claims made in other areas of the company’s IT GRC program, it serves as supporting context for those areas of the information security program. The problems that result from the absence of vulnerability management in an organization’s IT GRC program show that vulnerability management is not only beneficial but critical to a holistic and viable information security program.
Vulnerability Management is the Cornerstone for a Consistent IT GRC Practice
Proper vulnerability management generates a database of information about the hardware and software of the devices that comprise a network. The types of information gathered from a vulnerability scan vary greatly, from hardware manufacturer information to software versioning data and even seriously exploitable settings on networked devices.
Vulnerability management efforts not only verify which areas of the network are secure but, more importantly, highlight potential threats to network security before they escalate into major company-wide incidents. Making use of vulnerability data when executing security-related tasks, such as completing a risk or compliance assessment, creating vendor or third-party contracts, or performing an audit or training course, allows for consistent, company-wide security posturing.
Once network devices are scanned, vulnerability data as well as software and hardware versioning are populated into a centralized location. This data can then be applied in several different aspects of both network and operations management:
- Patch management: Vulnerability management identifies the weak aspects of network devices and provides information on which devices need to be patched. Patch management practices can then be established based on the frequency with which different types of systems require patches, as reported by vulnerability data.
- Asset management: Vulnerability data provides details as to which types and versions of hardware and software are active on the network. Vulnerability data managers are then able to identify devices that are outdated and eliminate potential problems with those devices before they cause serious issues that would otherwise go unnoticed or unaddressed. For example, vulnerability data can deliver password configuration information, minimum password requirements, and versioning information for device operating systems, applications, and programs before weaknesses in the devices are exploited and cause harm to a network.
- Vendor management: Vulnerability scans may be run on network equipment that is owned or maintained by a third party. Vulnerability management gives network administrators insight into whether or not a vendor is maintaining its systems on your network and will alert administrators if vendor systems are introducing weaknesses into the company’s network.
- Policy management: Vulnerability scan data and management offer context for claims made within company policies and can prove that requirements defined in a company’s policies are being implemented properly. For instance, if an organization’s configuration management policy states that certain configuration standards must be adhered to on all company equipment but vulnerability scan results indicate that the devices do not meet the described standards, these inconsistencies can be addressed (either by adjusting the policy to accurately outline the configurations of company systems or by updating the devices to meet the standards prescribed in the policy). This consistency creates a well-defined configuration management policy that can be more easily adhered to and maintained.
- Risk assessment: Vulnerability management proves most valuable when conducting IT risk assessments, because the data provided may then be used to identify, prioritize, and implement security controls that minimize the organization’s overall risk.
- Verifying compliance: Data provided through fastidious vulnerability management may also provide useful information when an organization must adhere to the compliance regulations of its industry. For example, outdated JBoss versions on network systems will put a company out of compliance with today’s PCI standards. Most regulating bodies clearly define the versions of software that networked systems must maintain and, if outdated versions are found on company systems, the company cannot be considered in compliance with the authority. While companies that do not fully integrate vulnerability management information into other aspects of their information security program will be either fined or reprimanded by regulators, network administrators and security professionals who manage vulnerability data on a regular basis will recognize the need to update their systems and will initiate a process to accomplish the task and remain in compliance when reviewed by regulators.
- Audit: Finally, vulnerability management data can be used during an audit to verify the security controls, policies, and practices of an organization. Maintaining a structured and well-defined IT GRC program based on vulnerability management will result in shorter audits that require fewer company resources to perform and yield positive findings and results.
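The policy-management and compliance bullets above describe the same reconciliation step: take the inventory a scan produces, compare it against what the policy claims is in force, and flag the devices that contradict the policy or fall below a required software version. The Python below is an added example of that check; it is not code from the article or from any scanning product. The hosts, the version numbers, the JBoss/OpenSSL/Java minimums and the password-length setting are all constructed placeholders, not real scanner output or real PCI requirements.

```python
"""Reconcile vulnerability-scan inventory data against a written policy baseline.

Added example: every host, version number and policy minimum below is
constructed for illustration; none comes from a real scanner or a real
regulatory standard.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed scan export: the per-device data a scanner typically reports.
SCAN_RESULTS = [
    {"host": "web01", "software": {"jboss": "6.1.0", "openssl": "1.0.1f"},
     "settings": {"min_password_length": 8}},
    {"host": "db02", "software": {"openssl": "1.0.1g"},
     "settings": {"min_password_length": 6}},
    {"host": "ws17", "software": {"java": "1.7.0"},
     "settings": {"min_password_length": 12}},
    {"host": "printer03", "software": {}, "settings": {}},
]

# Constructed policy baseline: what the configuration policy claims is in force.
POLICY = {
    "min_software_versions": {"jboss": "7.0.0", "openssl": "1.0.1g", "java": "1.8.0"},
    "settings": {"min_password_length": 12},
}


@dataclass(frozen=True)
class Finding:
    host: str
    category: str   # "outdated_software", "policy_deviation" or "unverified"
    detail: str


_TOKEN = re.compile(r"\d+|[A-Za-z]+")


def version_key(version: str) -> tuple:
    """Sortable key for dotted versions with optional letter suffixes (e.g. 1.0.1f).

    Numeric tokens compare as integers, alphabetic tokens as strings; tagging
    each token with its kind keeps Python from comparing int to str.
    """
    return tuple((0, int(t)) if t.isdigit() else (1, t.lower())
                 for t in _TOKEN.findall(version))


def reconcile(scan_results: list[dict], policy: dict) -> list[Finding]:
    """Compare each scanned device against the policy baseline.

    Emits a finding wherever the scan contradicts the policy, and a separate
    "unverified" finding where the scan did not report a setting the policy
    makes a claim about (a policy claim with no evidence behind it).
    """
    findings: list[Finding] = []
    for device in scan_results:
        host = device["host"]
        # Installed software below the policy's minimum version.
        for product, installed in device.get("software", {}).items():
            required = policy["min_software_versions"].get(product)
            if required and version_key(installed) < version_key(required):
                findings.append(Finding(host, "outdated_software",
                                        f"{product} {installed} < required {required}"))
        # Configuration settings weaker than policy, or not reported at all.
        for setting, minimum in policy["settings"].items():
            observed = device.get("settings", {}).get(setting)
            if observed is None:
                findings.append(Finding(host, "unverified",
                                        f"{setting} not reported by scan"))
            elif observed < minimum:
                findings.append(Finding(host, "policy_deviation",
                                        f"{setting}={observed} below policy {minimum}"))
    return findings


def prioritize(findings: list[Finding]) -> list[tuple[str, int]]:
    """Hosts ordered by number of findings (most first), then by name."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.host] = counts.get(f.host, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    results = reconcile(SCAN_RESULTS, POLICY)
    for host, n in prioritize(results):
        print(f"{host}: {n} finding(s)")
        for f in results:
            if f.host == host:
                print(f"  [{f.category}] {f.detail}")
```

Running the module lists the hosts with the most findings first. Keeping the "unverified" category separate from real deviations matters: a policy claim the scan cannot observe is exactly the gap an auditor will ask about, and it is resolved either by extending the scan or by correcting the policy, as the policy-management bullet describes.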
Sustainable Information Security Programs for Continued Company Success
Vulnerability management is a core practice of a well-maintained IT GRC space. Identification, prioritization, and mitigation of vulnerabilities dictate how information security processes flow throughout a company and create viable processes for secure and efficient IT environments.
The results of a vulnerability scan reveal potential flaws in the network as well as a wealth of other information about the different devices connected to an organization’s network. This information should be applied to other key areas of an information security program to standardize the data that is used throughout the company and establish a holistic, well-managed, and sustainable IT GRC and security program.
This article originally appeared in the May 2015 issue of Security Today.