enterprisesecuritymag

Vulnerability Management - Don't Guess

By Angelo Murano, CISSP, CRISC, CISM, Head of Information Security-ING Americas

Angelo Murano, CISSP, CRISC, CISM, Head of Information Security-ING Americas

Managing vulnerabilities across all your assets and platforms can at times feel like walking in quicksand. The key to an efficient vulnerability management program is to follow this simple approach - Plan, Scan, Prioritize, Disposition, Report and repeat. By following this process, engineers spend just the right amount of time securing the work environment.

Here is an overview of each phase:

Plan:

The planning phase includes laying the foundation for how:

i. Asset scope will be identified (preferably via automated network discovery capabilities with results feeding into a CMDB);

ii. Scanning will work (when, using which tools, and by which teams). Ensure procedures are reviewed and approved (regularly) by the CIO.

During this stage, we often spot check asset inventories for completeness and ensure no connectivity issues exists between the scanners and target assets which sets the actual scan step up for success.

"By having an approved vulnerability prioritization model in place, an engineer’s workday is simplified"

Scan: 

Scan and patch frequencies will vary based on organization type and resource allocations. 

Industry PCI DSS guideless recommend scanning at least quarterly with patching done within 30 days of vulnerability release/identification. 

I personally sleep better scanning more frequently (weekly) with placeholders to bulk patch monthly. We are also flexible so when other key vulnerabilities are identified, they can be patched at the drop of a dime in line with emergency change management procedures.

 Prioritize:

This is the most important step in the process.

Industry guidelines suggest focusing on Critical or High vulnerabilities as categorized by the Common Vulnerability Scoring System (CVSS). However, based on volume, following solely CVSS rating and remediation guidelines can become overwhelming. I prefer to:

i. Use CVSS scores as a starting point to define the overall Weakness level (Wx) a vulnerability introduces to the asset

ii. Define the assets Severity rating (Sx) driven by attributes (such as: risk rating) that collectively defines the assets important to the firm. 

iii. Combining the Weakness level with the Severity level creates a “WxSx” model.

For example, if we put this into practice,

• A critical vulnerability according to CVSS would have a Weakness score of 1.

• An asset that has a risk rating of Critical, is external facing, and is always expected to be available would have a Severity score of 1.

• Together the vulnerability score would be: W1S1

Disposition:

There are two ways a vulnerability can be dispositioned:

i. Fixed: mitigate the risk by patching, making an asset configuration update, or by enhancing the code base.

ii. Accepted: The likelihood of exploitation is low, and impact is nominal.

I prefer not to guess which option to pursue. Rather, I prefer to have the WxSx prioritization model drive the decision:  

i. Hands down fix your W1S1 vulnerabilities first and treat with urgency! 

ii. Continue fixing vulnerabilities with high model ratings (e.g., W1S2, W2S2) until you reach your firms risk tolerance level.

iii. Risk Accept vulnerabilities below your firm’s risk tolerance level (e.g., W3S4) 

By having an approved vulnerability prioritization model in place, an engineer’s workday is simplified. They simply open the vulnerability report, review the assets scanned, results, how to action, and by when. 

Report:

At least monthly, using clear and concise Cybersecurity dashboards, report on at least:

i. Number of outstanding, key, vulnerabilities (don’t hesitate to call-out who needs to take the action)

ii. Number of vulnerabilities mitigated within acceptable timelines

iii. Number of vulnerabilities Risk Accepted with rationale (e.g. Low WxSx rating)

A solid reporting cadence gives key stakeholders a view into how the vulnerability management program is operating against established risk tolerance levels.

By following this vulnerability management methodology, efficiencies are gained and risk is mitigated!  

Weekly Brief

Read Also

Vulnerabilities in the Cloud

Vulnerabilities in the Cloud

Steve Lodin, Sr. Director, Sallie Mae Bank
Preempting Future Risks with Advanced Security Technologies

Preempting Future Risks with Advanced Security Technologies

TzerYeu Pang, Head of Information Security Office, Mediacorp
Maturity of Vulnerability Management in Securing an Organization's IT Assets

Maturity of Vulnerability Management in Securing an Organization's...

Nichole Bray, Director of Vulnerability Management, Global Tech Information Security, Walmart
A Perspective on Vulnerability Management

A Perspective on Vulnerability Management

Gary Sprague , Director, Information Security, Compliance & Privacy Officer, Rent-A-Center
A Cloud Services Security Playbook

A Cloud Services Security Playbook

Arun DeSouza, CISO & CPO, Nexteer Automotive
Managing Access-Point-Risk without Interfering Too Much With Business Processes Efficiency.

Managing Access-Point-Risk without Interfering Too Much With...

Luther Uthayakumaran, Head Strategy and Innovation, Sydney Water