
Vulnerability Management


Vulnerability management has always been, and still is, an important aspect of a company's security posture.  The managing of vulnerabilities was instituted by IT professionals who lived through what they affectionately call Patch Tuesday.  Most system administrators anticipated this day every month with trepidation.  One reason for the concern was the number of patches that Microsoft typically delivered.  It always seemed that the majority of the patches were labeled critical, which meant the system admins would be expected to install them within 24-48 hours.

This created a two-fold problem.  The first was the sheer workload of installing the patches on all the systems on the network and, because the patches received little testing, the fact that installing them sometimes caused problems.  The second was that, while the patches have gotten better, if you don't know what systems are resident on your network, you could install patches on a system that doesn't have the vulnerable process or service running.

These requirements led the industry to provide services that can scan a network, find the systems on it, and then check them for vulnerabilities that need to be patched.  This is the method that most security standards require on a network that could hold data that must be protected.  The scanning identifies the vulnerabilities that give an attacker an avenue to gain access to systems and then use that access to obtain protected data.

The advantage of scanning a network is the identification of the systems that reside on a particular segment.  This makes it possible to determine whether an attack, be it malware or an internal intrusion attempt, is looking for a vulnerable service that isn't running on any system on the network, in which case the attack level can be downgraded.

The security standards that require vulnerability scanning do so because the large majority of exploits can be attributed to systems that would not have been compromised if they had been patched correctly.  The authors of these standards know that the percentage of vulnerable systems can be surprising, and thus the security regulators are attempting to minimize the risk.

One report that is very interesting is the Dimension Data barometer report, which monitors the number of security vulnerabilities in network devices and reports them in many different ways.  For instance, for 2010 the report states that the overall percentage of network devices with security vulnerabilities is 73% (overall for any region in the world, organizational size, or vertical).  While some regions, organizations, or verticals are worse than others, the overall number was the same.

The report shows that for 2008 the overall percentage was virtually the same as in 2010, with a significant drop in 2009.  The drop in 2009 was attributed to a new tool that was more accurate and gave a more relevant discovery of vulnerabilities.

The old assessment tool reported a vulnerability if the IOS version was affected, regardless of whether the affected software module was in use.  From 2009 the tool reported the vulnerability only if the affected software was actually enabled.  This makes the jump in the number of vulnerabilities in 2010 more statistically credible.  After further study, the report states that one specific vulnerability was found in more than 66% of the devices analyzed in 2010, which caused the increase in overall vulnerabilities.

While this study was primarily looking at network devices, it shows that the number of vulnerable devices in a network scan can be misleading.  It goes back to what was stated earlier: a system may have a vulnerable service or piece of software installed, but if it isn't enabled, the system is not vulnerable.

The report also states the position I have always taken when it comes to patching systems on a company's network.  The first step is having an up-to-date asset inventory of the systems on the network.  These devices should be scanned on a regular basis to determine the state of their patches compared against the list of known vulnerabilities.  The scans should also ensure that the systems either don't have vulnerable features enabled when they are not needed, or that the patches are up-to-date and tested.

A good approach to patching is to discover the devices on the network, then prioritize these assets by their importance to the business.  Once the discovery and prioritization are accomplished, a vulnerability scan and risk assessment should be performed to determine which systems ought to be patched first.
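The two points above, counting a vulnerability only when the affected software is actually enabled and then ranking findings by business importance, can be put together in a small triage routine.  The following is an added illustration, not code from the article or from the Dimension Data report; the inventory, the criticality scale, the vulnerability IDs and the scoring rule (criticality times severity) are all constructed assumptions.

```python
"""Toy vulnerability triage: report a finding only when the affected
software is enabled on the asset, then rank findings by business impact.
All inventory and vulnerability data below is constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int                 # 1 (low) .. 5 (business-critical), from the asset inventory
    installed: set = field(default_factory=set)   # software present on the device
    enabled: set = field(default_factory=set)     # subset that is actually running


@dataclass
class Vuln:
    vuln_id: str                     # placeholder identifiers, not real advisories
    software: str                    # affected software module
    severity: int                    # 1 (low) .. 10 (critical)


def triage(assets, vulns, enabled_only=True):
    """Return (asset name, vuln id, score) tuples, highest priority first.
    With enabled_only=True a vulnerability counts only when the affected
    software is enabled, mirroring the 2009 tool change described above;
    enabled_only=False reproduces the older, inflated installed-only count."""
    findings = []
    for a in assets:
        exposed = a.enabled if enabled_only else a.installed
        for v in vulns:
            if v.software in exposed:
                findings.append((a.name, v.vuln_id, a.criticality * v.severity))
    return sorted(findings, key=lambda f: (-f[2], f[0], f[1]))


# Constructed inventory: two routers and a database host.
ASSETS = [
    Asset("edge-router", 4, {"ios", "snmp", "http-admin"}, {"ios", "snmp"}),
    Asset("lab-router", 1, {"ios", "snmp", "http-admin"}, {"ios", "http-admin"}),
    Asset("db-server", 5, {"os", "dbms", "ftp"}, {"os", "dbms"}),
]
# Constructed vulnerability list with placeholder IDs.
VULNS = [
    Vuln("VULN-A", "http-admin", 9),
    Vuln("VULN-B", "snmp", 6),
    Vuln("VULN-C", "dbms", 8),
    Vuln("VULN-D", "ftp", 7),
]

if __name__ == "__main__":
    for name, vid, score in triage(ASSETS, VULNS):
        print(f"{score:3d}  {name:12s} {vid}")
```

With the sample data, the installed-only view reports six findings while the enabled-only view reports three, and the business-critical database host comes out on top of the patch order.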

Most companies perform scans of their systems on a regular basis, but what exactly does this mean: is it annually, quarterly, or monthly?  Many would state that regular scanning should happen often enough to keep systems patched.  This could be quite often for a network comprised of systems whose OS and applications need to be patched regularly.  If your network is comprised of these types of systems, then you need someone who dedicates a large portion of their time to scanning, testing, and patching.

If your company doesn't have the resources to maintain the patch levels of its systems on a regular basis, then outsourcing the task could be the best option.  The outsourcing company could also monitor your systems, along with traffic on the network, to ensure that any exploits that might appear would find no open doors.

The ultimate goal of scanning, patching, and monitoring is to have the most stable, secure network possible.  This entails a comprehensive vulnerability management program, patching as often as required, and monitoring the network for attempted exploits even if the network isn't vulnerable to them.
