How to organize a comprehensive process of vulnerability management
To avoid serious security incidents, data leakage, business disruption, money loss and damage to your reputation, you should eliminate or remediate technical vulnerabilities as soon as possible. The sooner you address vulnerabilities, the lesser probability of their exploitation, which could result in security incidents. Therefore, you should establish a continuous process for finding and remediation of the vulnerabilities in your applications, systems, equipment and devices. If your IT infrastructure is big, and you do not know what is the best way to start, we will help you to set up vulnerability management operations in the following three steps. These recommendations are based on the best enterprise security practices and international standards such as ISO, PCI DSS, ITIL and ISF SoGP.
Step 1. Plan the Vulnerability Management Process
Initiate a Vulnerability Management Process
Create a Vulnerability Management Policy or Regulation, which describes the process for managing technical vulnerabilities in your applications, systems, equipment and devices. Namely, describe how you will:
- Identify known technical vulnerabilities (e.g., subscribe to and get notifications from the vendors and communities).
- Scan for known technical vulnerabilities. Consider H-X Security Scanner and Monitor for you public websites.
- Make penetration tests to discover unknown or zero-day vulnerabilities. Consider H-X penetration testing services for any kind of your assets and target objects.
- Remediate technical vulnerabilities (e.g., using a patch management process).
Get an Appropriate Support for your Vulnerability Management Process
- Request your senior technical manager to approve the process sufficiently.
- Assign a person or team with defined roles and responsibilities to support vulnerability management.
- Assign an owner of the vulnerability management process.
- Assign or engage appropriate resources (e.g., scanning hardware and software, or scanning services).
- Define plans and schedules of the operations (e.g., at least daily).
Ensure you covered all your systems, for example:
- applications, operating system software and firmware;
- computer equipment (including servers, desktop computers and laptops);
- mobile devices (including tablets and smart phones);
- office equipment (including multifunction devices (MFDs), scanners, facsimile machines, photocopiers, and network printers);
- virtual and cloud systems (including virtual servers and hypervisors, virtual desktops and virtual applications);
- network equipment (including switches, routers, wireless access points, modems, gateways, firewalls, etc.);
- VoIP telephony software and conferencing equipment;
- network storage systems (including Storage Area Network (SAN) and Network-Attached Storage (NAS));
- specialist systems (e.g., cyber-physical systems such as Internet of Things or systems that support industrial control systems (including SCADA systems, Distributed Control Systems (DCS) and Programmable Logic Controllers (PLC)).
Assign Values of Criticality to your Assets
Define the value of your assets (applications, systems, equipment and devices) before you begin any operations on vulnerability assessment. This will help evaluate the criticality of any found vulnerabilities and understand priorities and timescales of their remediation.
Step 2. Monitor your Infrastructure for Security Vulnerabilities
Investigate any Emerging Vulnerabilities at Early Stages
- Monitor publications about the vulnerabilities. Track CERT advisories, monitor the reports of security researchers or subscribe to vulnerability notification services.
- If a software code (e.g. ‘proof of concept’ or a malware) can exploit a new vulnerability (often referred to as a zero day exploit), consider this vulnerability more dangerous.
Scan and Analyze Vulnerabilities
- Identify well-known technical vulnerabilities, e.g., using the H-X Security Scanner online.
- Scan your assets for vulnerabilities using a commercial vulnerability scanning service, automated vulnerability scanning software on a regular basis, e.g., daily.
- Define risks related to the vulnerabilities. Use asset values, importance or criticality. Use the Common Vulnerability Scoring System (CVSS v. 3.0) Common Configuration Enumeration (CCE) or equivalent. Determine the extent to which the vulnerabilities are exposed to threats and whether several vulnerabilities or weaknesses can be combined to increase risk. E.g., check whether privileges have been disabled, excessive access rights are assigned, or weak passwords are being used.
- Plan and prioritize the remediation of vulnerabilities. Use patch release schedules from the vendors and your patch / configuration management plans (see Manage Patches below).
- Conduct a high-level analysis of vulnerabilities across the organization's technical infrastructure, processes and any time spans, e.g., to identify trends, make comparisons or have statistics.
Ensure the Vulnerability Scanning Itself is Secure
- Restrict the scanning to a limited number of authorized persons or subjects. Use a dedicated account only for vulnerability scanning.
- Perform scanning by approved and dedicated systems. Use predetermined static IP addresses.
- Monitor scanning operations. Identify misuse by authorized individuals or help detect unauthorized scanning.
Step 3. Manage Patches
Remediate technical vulnerabilities by patch management process
- Identify and obtain patches from authorized sources, as soon as they are available. Download manually or automatically patches, patch bundles, critical updates and service packs.
- Decide when and how to deploy patches. Assess potential post-deployment impact to the organization. Analyze the results of testing patches. Use change management process, to reduce probability of negative impact of patches.
- Test patches. Some of them can introduce new security vulnerabilities or impact negatively performance of functionality.
- Deploy patches timely. Group multiple patches and use software distribution tools. Use test groups of non-critical assets to check patches add no new incidents.
- Record patches that have been applied. Use a specialized patch management tool or a Configuration Management Database (CMDB).
- Report on the status of patch deployment for the whole IT infrastructure.
Manage Possible Patching Issues
- Think how to deploy patches to standalone computers or devices, or the ones connecting to the network infrequently (e.g., travelling staff), or other offline systems.
- Deal with failed patch deployment. Redeploy patches.
- Some technical vulnerabilities cannot be remediated by one or more patches. A patch may not be yet available for a newly discovered technical vulnerability (often referred to as a zero day vulnerability). On the other hand, any patches may be absent due to customized or legacy systems.
- Create and implement workarounds or compensatory measures, if a technical vulnerability cannot be remediated with patches. Disable service, add more access controls, backups or performing extended security event monitoring, or take other temporary or persistent measures. Reassess risk related to the vulnerability regularly, until it is higher than an acceptable level.