The more apps companies deploy, the more complicated vulnerability management becomes. In the rush to find every security hole and seal it off from potential hackers, it's easy to let something important slip through. That's especially true if you're an IT administrator juggling several tasks of which security is one.
Security practitioners can't catch everything. But by breaking vulnerability management down to the basic parts, it may be possible to mount a more effective defense. What follows is the first of a three-part series on vulnerability management, based on a training session taught by SANS Institute President Stephen Northcutt called "SANS Security Leadership Essentials for Managers with Knowledge Compression."
Before getting into all the vulnerability management tools and techniques, which we'll cover in the next two articles, we begin by getting to the bottom of what vulnerability management is.
5 vulnerability management axioms
To get anywhere with vulnerability management, Northcutt said there are five things to consider first:
- Vulnerabilities are the gateways through which threats are manifested.
- Vulnerability scans without remediation have little value.
- A little scanning and remediation is better than a lot of scanning and less remediation.
- Vulnerabilities in need of fixing must be prioritised based on which ones post the most immediate risk to the network.
- Security practitioners need a process that will allow them to stay on the trail of vulnerabilities so the fixes can be more frequent and effective.
Emphasising the value of starting small, Northcutt noted, "One reason to scan a little at a time and then remediate is to avoid a situation where you have material knowledge of a significant vulnerability. I you have that knowledge and don't remediate, your organisation is not practicing due diligence."
If a data breach happens and it's traced back to a flaw the company knew about but didn't fix, the consequences can be serious. "This could be factored into the punitive damages phase of a court case," Northcutt said.
Primary threat vectors
Next, Northcutt said it's important to identify the primary threat vectors an organisation must worry about. They are:
- Outsider attack from network
- Insider attack from network (VPN)
- Outsider attack from telephone
- Insider attack from local network
- Insider attack from local system
- Attack from malware
The big worry is in what Northcutt called the "power of a pivot." All the attacker needs is one toehold. "If there is one single vulnerability left unpatched that can be reached from outside the organisation and it is compromised, that system can be used as a springboard or 'pivot' to attack other systems on the same network," he said.