In today’s age of IT cyber security threats, there are always new risks that need to be monitored and accounted for, but all of the old threats still need to be top of mind as well. Information security is a function where new responsibilities continue to grow and where old responsibilities never die. Like the Kardashians, Vulnerability Management just won’t go away.
Vulnerability management should be a standard practice today similar to backups, patch management and other operationalized cyber security functions. Unfortunately, this is not the case. There are still reports of companies being exploited through simple means because they are not closing open vulnerabilities in a timely manner.
In reality, detecting and remediating vulnerabilities should be a commodity service: the practice itself is well defined, and tools are readily available that make detection far easier than in the past. So why do so many organizations still struggle with vulnerability management when it is clear that a sound process can dramatically reduce risk?
While the individual tasks are straightforward, the process simply is not easy to manage, and it isn’t very glorious work either. Also, with so many IT resources focused on specific technologies these days, most organizations do not have a seasoned security resource who possesses the equivalent of a "Dennis Miller vocabulary" across every corner of IT.
Managing vulnerabilities is fairly straightforward when the work is broken down by system or resource type, but trying to run a full vulnerability management program across every system type is a daunting task.
Detect the Vulnerabilities: Running the vulnerability scanning tools to detect vulnerabilities is the easy part. In larger organizations, the bigger challenge is obtaining the appropriate IP addresses, breaking them into manageable scans, gaining approval to even perform the scans (especially on sensitive systems) and finding a time that aligns with everyone’s schedule. It is critical that the first vulnerability remediation projects go smoothly, or the items above become increasingly difficult.
Review the Vulnerabilities: After the scans are complete, the difficult work begins. If a scan has not been performed in several months, the volume of vulnerabilities can be very high. Even though vulnerability scanning tools have come a long way, it is still necessary to review each finding to determine whether it truly is a risk in the target environment. Therefore, an owner must be determined and assigned for every vulnerability, and someone must work with these owners to make sure they review the findings and weed out false positives. Getting support from the network, Windows server, UNIX, desktop support and other teams to complete the effort is often a nightmare. Make sure these departments have vulnerability management included in their goals so they know it is a core responsibility of their job.
Remediate: Ideally, every "Medium, High and Critical" vulnerability should be reviewed and remediated. If the organization is in very bad shape, the focus may have to be whittled down to only "High and/or Critical" items. The teams identified above will often have different priorities and scheduling challenges when it comes to actually applying fixes. Managing these teams, the scheduling process and validating that the work is actually completed is very time-consuming. To be successful, vulnerability management should be treated like a project, with regular meetings and status checkpoints with each owner.
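The three steps above (detect, review, remediate) are the whole loop, and the part that actually consumes time is the bookkeeping between them: splitting address space into scan batches, deduplicating findings across scans, dropping reviewed false positives, assigning an owner to every remaining item, applying a severity floor, and flagging what is past its deadline. The following Python script is an added example written for this article, not code from the original post or from any vendor tool; the network-to-team ownership map, the per-severity remediation deadlines and the scanner findings are all constructed for the example.

```python
"""Minimal vulnerability triage helper (added example; not from the article).

Takes raw scanner findings, removes duplicates and reviewed false positives,
drops anything below a severity floor, assigns an owner per address range,
and reports which open items are past their remediation deadline.
"""
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Days allowed to remediate, counted from first detection.
# Assumed policy values for this example; the article gives no figures.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Hypothetical ownership map: which team is responsible for which range.
OWNER_BY_NETWORK = {
    ipaddress.ip_network("10.1.0.0/24"): "windows-server",
    ipaddress.ip_network("10.2.0.0/24"): "unix",
    ipaddress.ip_network("10.3.0.0/23"): "desktop-support",
}

# Constructed scanner export; a real export carries many more fields.
FINDINGS = [
    {"host": "10.1.0.15", "title": "SMBv1 enabled", "severity": "High",
     "first_seen": date(2024, 1, 2), "status": "open"},
    # Same finding reported again by a second scan; must be deduplicated.
    {"host": "10.1.0.15", "title": "SMBv1 enabled", "severity": "High",
     "first_seen": date(2024, 1, 2), "status": "open"},
    {"host": "10.2.0.7", "title": "OpenSSH outdated", "severity": "Critical",
     "first_seen": date(2024, 1, 10), "status": "open"},
    {"host": "10.2.0.9", "title": "Self-signed certificate", "severity": "Medium",
     "first_seen": date(2023, 10, 1), "status": "open"},
    {"host": "10.3.1.44", "title": "ICMP timestamp", "severity": "Low",
     "first_seen": date(2023, 12, 1), "status": "open"},
    # Reviewed by the owner and marked as a false positive.
    {"host": "10.3.0.5", "title": "Missing browser patch", "severity": "High",
     "first_seen": date(2023, 12, 20), "status": "false_positive"},
    # Host outside every known range: nobody owns it yet.
    {"host": "10.9.9.9", "title": "Telnet open", "severity": "Critical",
     "first_seen": date(2024, 1, 12), "status": "open"},
]


def scan_batches(cidr, new_prefix):
    """Detect step: split a large block into smaller, schedulable scan targets."""
    return [str(n) for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]


def owner_for(host):
    """Review step: map a host to its responsible team, or flag it for follow-up."""
    addr = ipaddress.ip_address(host)
    for net, team in OWNER_BY_NETWORK.items():
        if addr in net:
            return team
    return "UNASSIGNED"


def triage(findings, floor="Medium", today=date(2024, 1, 15)):
    """Return {owner: [finding, ...]} of open items at or above `floor`,
    each annotated with its deadline and whether it is overdue.

    Duplicates (same host and title) and non-open findings are dropped;
    each owner's list is ordered most severe first, then earliest deadline.
    """
    seen = set()
    queue = defaultdict(list)
    for f in findings:
        key = (f["host"], f["title"])
        if key in seen or f["status"] != "open":
            continue
        seen.add(key)
        if SEVERITY_RANK[f["severity"]] < SEVERITY_RANK[floor]:
            continue
        deadline = f["first_seen"] + timedelta(days=SLA_DAYS[f["severity"]])
        item = dict(f, owner=owner_for(f["host"]), deadline=deadline,
                    overdue=today > deadline)
        queue[item["owner"]].append(item)
    for items in queue.values():
        items.sort(key=lambda i: (-SEVERITY_RANK[i["severity"]], i["deadline"]))
    return dict(queue)


def overdue(queue):
    """Remediate step: the (host, title) pairs past their deadline, for the status checkpoint."""
    return [(i["host"], i["title"]) for items in queue.values()
            for i in items if i["overdue"]]


if __name__ == "__main__":
    print("scan batches:", scan_batches("10.0.0.0/22", 24))
    work = triage(FINDINGS)
    for team, items in work.items():
        print(f"{team}:")
        for i in items:
            flag = " OVERDUE" if i["overdue"] else ""
            print(f"  [{i['severity']}] {i['host']} {i['title']} due {i['deadline']}{flag}")
    print("overdue:", overdue(work))
```

Raising the floor to "High" reproduces the fallback the article describes for organizations in bad shape: the Medium item disappears from the unix team's list while the overdue Critical and High work remains. The "UNASSIGNED" bucket is deliberate; an address that matches no owner is itself a finding for the review meeting, since nobody will fix what nobody owns.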
If an organization truly has the resources and skills in-house to manage this process, they are most likely already managing the vulnerability process successfully. For all other organizations that still have challenges, it makes sense to outsource this type of commodity service rather than continue to strain internal resources with an effort that probably has a low likelihood of success. Regardless of the approach, failing to address open vulnerabilities as part of a security program is the same as leaving the doors unlocked. Don’t make it easier than it should be for the hackers out there.