Remediating IT Vulnerabilities: Expert Tips


E-Guide: Remediating IT vulnerabilities: Expert tips

Vulnerabilities are a fact of life, and having to patch or remediate them is an ongoing process at most IT organizations. Reasons such as too few administrative resources, or an impacted system that cannot be out of service during remediation, may be why an organization cannot always patch or remediate all IT vulnerabilities as soon as they’re discovered. This expert E-Guide uncovers 3 quick ways you can remediate IT vulnerabilities and discusses best practices for improved vulnerability management.

SearchSecurity.com E-Guide

Table of Contents

Remediating IT vulnerabilities: Quick hits for risk prioritization
Framework for building a vulnerability management lifecycle program
Resources from Perimeter eSecurity

Remediating IT vulnerabilities: Quick hits for risk prioritization
By Diana Kelley

Vulnerabilities are a fact of life, and having to patch or remediate them is an ongoing process at most IT organizations.

But an organization can’t always patch or remediate all IT vulnerabilities as soon as they’re discovered. Reasons for this vary: There may not be enough administrative resources; compliance may mandate no changes or patches to the system; or the impacted system cannot be out of service during remediation. And all of that is if a patch is available, which often isn’t the case.

How can organizations identify and prioritize exposures and vulnerabilities to isolate those that will have the greatest impact, and deploy their limited resources in the most effective manner possible?

Know your environment

Knowing what services, systems and applications are in the environment is the first and most important step to prioritizing vulnerabilities effectively. A highly critical exploit isn’t a concern if it affects applications or systems that aren’t in use. Knowing your environment also means knowing the IT architecture and controls that are in place. For example, a database vulnerability may not be a top concern if there are firewalls, database access monitoring and intrusion prevention systems protecting that database from attack. Similarly, if there is a firewall protecting a Web application from a specific exploit, patching that application may be less critical than patching an application for exploits that can’t be stopped with other mechanisms.

Finally, consider the criticality of the data and services on the system and the business impact that would result from loss of data or disruption to those services. Fixing a vulnerability on a server that stores publicly available information might be lower priority than fixing one that stores highly sensitive customer data. However, if a disruption to a server with publicly available information prevents customers from doing business with you, it’s critical, even though the data might not be. As Seth Shestack, associate director of information security for Temple University, told me, the most important thing is to “Know your environment; what the press says is highest priority may not be what’s highest priority for your own environment.”

Use multiple information sources

To stay on top of vulnerabilities as they are discovered, use information from multiple sources rather than relying on just one. Most software vendors keep a list of known exploits on their sites and communicate this data to licensed users. Vulnerability scanning vendors update their databases with new exploits and provide this information in scan reports, along with severity ratings for exploits that many vendors allow to be customized or tuned to the user’s environment. As J. Wolfgang Goerlich, network operations and security manager for a mid-sized money management firm, told me, he looks for reports that provide “solid information regarding what the threats are and at what frequency they’re occurring.”

Public vulnerability repositories, such as the National Vulnerability Database, a “U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP),” and the Common Vulnerability Scoring System (CVSS) calculator can help organizations determine the severity scores associated with a specific vulnerability.

And don’t forget compliance mandates that can affect severity and raise the priority of a particular fix. For example, a vulnerability on a system within a cardholder data environment may be higher priority due to PCI DSS.

Create a remediation plan

Use the environment and metric information to create a normalized remediation plan. At the Visiting Nurse Service of New York (VNSNY), CISO Larry Whiteside and his team stay on a patch-and-fix schedule by placing a metric around new vulnerabilities that takes into account the unique VNSNY environment and other inputs, like the CVSS score. “If it fits in a certain range,” Whiteside told me, “it is critical and will be patched or remediated in 30 days. Less critical scores will be addressed in 60 days – and so on up to six months for very low-priority fixes.”

The time allotted to fix IT vulnerabilities may vary from organization to organization: Some entities require fast cycles of seven days or fewer for highest priority vulnerabilities, while others need longer cycles to accommodate patch and change freezes during audit periods. The key lesson here is to match a priority metric to a specific time-to-fix to provide a documented, repeatable process.

After implementing a fix, use re-scans and tests to validate that the vulnerabilities have been remediated, while also checking for new vulnerabilities in the environment. As the program matures, revisit and revise as needed. Changes in business impact analysis and risk will occur over time: For example, changes to the topology of the environment, new regulations put into effect, and shifting data classification standards. Revisit the risk assessment and risk prioritization frameworks when these changes occur. Although the basic framework and time-to-fix cycles may not change, new information may place systems in a higher or lower priority ranking.

To keep the fix process focused and effective, know your environment and business impact, create meaningful metrics that take into account public and private ratings, and stay on plan with preset time-to-fix periods.
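The re-scan validation step above, as an added example that is not part of the e-guide: it diffs the finding list tracked from the last cycle against a fresh scan, checks each finding that is still present against its preset time-to-fix deadline, and surfaces findings that were never tracked so they can be prioritized. Hosts, vulnerability ids and dates are constructed placeholders.

```python
"""Validate a fix cycle by diffing the tracked finding list against a re-scan.

Added example, not from the e-guide. A finding is keyed by (host, vuln_id) and
its 'due' date is the time-to-fix deadline assigned at prioritization. Hosts,
ids and dates below are constructed placeholders, not real CVEs."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str                # scanner plugin id or CVE id
    due: Optional[date] = None  # None for findings not yet prioritized

def validate_rescan(tracked, rescan, today):
    """Classify tracked findings by what the re-scan shows.

    remediated: tracked but no longer reported (fix validated)
    open:       still reported, deadline not yet reached
    overdue:    still reported and past its deadline -> escalate
    new:        reported now but never tracked -> feed into prioritization
    """
    tracked_by_key = {(f.host, f.vuln_id): f for f in tracked}
    rescan_keys = {(f.host, f.vuln_id) for f in rescan}
    result = {"remediated": [], "open": [], "overdue": [], "new": []}
    for key, f in tracked_by_key.items():
        if key not in rescan_keys:
            result["remediated"].append(f)
        elif f.due is not None and today > f.due:
            result["overdue"].append(f)
        else:
            result["open"].append(f)
    for f in rescan:
        if (f.host, f.vuln_id) not in tracked_by_key:
            result["new"].append(f)
    return result

# Constructed sample: what was tracked after the last cycle ...
TRACKED = [
    Finding("db01.internal", "CVE-0000-0001", date(2010, 4, 1)),  # 30-day tier
    Finding("web01.dmz", "CVE-0000-0002", date(2010, 5, 1)),      # 60-day tier
    Finding("web01.dmz", "CVE-0000-0003", date(2010, 9, 1)),      # six-month tier
]
# ... and what the re-scan reports today.
RESCAN = [
    Finding("web01.dmz", "CVE-0000-0002"),      # still present, past due
    Finding("web01.dmz", "CVE-0000-0003"),      # still present, within SLA
    Finding("fs02.internal", "CVE-0000-0004"),  # never tracked before
]
TODAY = date(2010, 5, 15)

if __name__ == "__main__":
    for bucket, findings in validate_rescan(TRACKED, RESCAN, TODAY).items():
        print(bucket, [f"{f.host} {f.vuln_id}" for f in findings])
```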

Framework for building a vulnerability management lifecycle program
By Diana Kelley

Vulnerability management is about more than patching. To build a truly robust program, an organization needs to incorporate inventory management, configuration management and change management into the patching lifecycle. And for even more effective control and governance, penetration testing and patch and control validation should be added to the mix as well. That’s a lot of moving parts, and depending on your organization, these parts could span multiple business units and geographic locations. Getting it right and keeping it running smoothly can be a challenge.

We will present a framework for building a vulnerability management lifecycle. Using examples from practitioners, you will get a from-the-trenches view of what works and what doesn’t when trying to win the ongoing vulnerability management war.

Vulnerability Management Lifecycle: Defining Vulnerability Management

Computing environments are complex systems comprised of hardware, software operating systems and platforms, applications, services, and the people who interact with all of the above to get their jobs done. Vulnerabilities can exist anywhere in the environment, and managing vulnerabilities is a non-trivial task.

At its simplest, vulnerability management (VM) is a matter of applying security patches as they become available. But robust VM is about more than patching – it is about defining the risk posture and policies for an organization, creating a complete asset list of systems, applications, and services, scanning and assessing the environment for vulnerabilities and exposures, and then taking action to mitigate or accept those vulnerabilities. One way to mitigate a vulnerability is to patch it, but there aren’t always patches available -- and even when there are, it isn’t always possible to apply them. Another issue is that most networks are continually evolving; introducing new services and applications can impact the vulnerability profile of the system as a whole.

All of these are reasons why an effective vulnerability management program needs to be part of a larger lifecycle, one that takes into account the existing network, new additions, ongoing testing, change management, ticketing, validation, and multiple mitigation types - including patches and compensating controls. Because aspects of that lifecycle interact with multiple departments and constituencies within an organization, it must be part of the fabric of the business operations, not the exclusive domain of security. Larry Whiteside, CISO for the Visiting Nurse Service of New York, says that to have a truly successful vulnerability management program, it needs to be approached as “an organizational problem that includes operations, IT architecture, security, and the business.”

Core Vulnerability Management Processes Apply Across All Networks

One of the most common pitfalls in VM can be trying to do too much too soon and getting overwhelmed by the magnitude of the problem. J. Wolfgang Goerlich, network and operations manager for a midsize money management firm, recommends starting small. Rather than “trying to do everything at once and having too much for the team to accomplish, build success on a select number of critical systems and processes” and grow the program from there, he says.

To do that, first think about the process steps in the vulnerability management lifecycle. Each organization is unique and may wish to implement these steps in different ways, but the core milestones in the lifecycle share applicability across most networks.

Policies and postures inform the entire lifecycle because risk acceptance is ultimately up to each organization. For example, most entities don’t wish to take on penalty costs for failing to adhere to a compliance mandate, so these organizations will write compliance to regulations into their policy requirements. Business drivers play into this as well: For example, an organization that relies on keeping its intellectual property highly protected will write a data classification policy that puts a high priority on data confidentiality. Include risk assessment and business impact analysis as part of defining acceptable security posture. Policy definition work may feel abstracted from application patching, but it’s essential for the impact assessment and prioritization phase later in the lifecycle.

Accurate Asset Inventory Vital to VM Success

Once policies and postures are defined, the next step is determining what currently exists in the network. Create an inventory listing all operating systems and applications, including off-the-shelf and custom applications, databases, and application servers. Accuracy of these lists is critical to the health of the VM lifecycle, so ensure that updating the list(s) is part of the process. Goerlich says he uses “a product lifecycle model that includes a vulnerability assessment during the project evaluation, during implementation, and again post-implementation.”

Once it has been implemented, a new service or application should be placed into the inventory list. But not every organization is able to put new devices or services through an assessment prior to having them on the network. Consider an environment such as higher education, where an influx of new students and their devices enter the network every semester. Seth Shestack, associate director of information security for Temple University, handles asset inventory for student devices by cordoning unregistered devices into a quarantined network and having students register the devices and install endpoint protection before allowing them on to other parts of the network. In this model, registered devices become part of the asset inventory list as they go through the registration process.

Vulnerability Scanning Options Abound

Asset scanning (and discovery) can be included as part of vulnerability scanning, but true vulnerability scanning goes deeper into the actual exploits and risks. Vulnerability scanning can also be done externally or internally. Internal scanning can target more devices, since an external scan may not be able to get past security mechanisms -- such as IPS devices in active prevention mode -- to reach the internal network; an external scan does, however, provide a more realistic view of what an outside attacker sees. And it can also validate that security mechanisms, such as IPSes and firewalls, are doing their intended jobs and preventing outsiders from being able to see deeper into the network.

Vulnerability scans can be done non-intrusively in passive OS fingerprinting mode, which returns the patch level and other basic information about the host, such as which ports are open. Credentialed scanning goes a step further to gather more detailed information about the target, such as which applications are installed, using customer-supplied passwords and/or community strings for SNMP scans. Scanning can also check against recommended configuration levels as defined by policy.

Another option is to perform automated or manual penetration tests as part of the scan process. Penetration testing actively attempts to exploit a system. A simple example is to attempt to log in to a database or wireless router using a vendor-supplied default password. A more complex example is to use blind SQL injection on a Web application to extract passwords or other information from a backend database. A penetration test can also expose attack paths through a network that may not be visible using a standard vulnerability scan. Applications pose another level of complexity. Custom applications, less commonly used and niche applications, and highly customized popular applications should be scanned and pen tested using custom rules or manually. Most large vendor scanning tools can’t ship with scan and test plans that include all the possible vulnerabilities for all applications; this is not a shortcoming of the tools themselves, it is more about the sheer number of applications running on networks.

After running vulnerability scans, including credentialed scans, host-based scans, and penetration testing where applicable, an organization should have a list of vulnerabilities or issues. Goerlich has integrated scan results with a ticketing solution. “When something needs to be investigated, the results of the scan are exported and attached to a new ticket,” he says. At Temple, the link between scanning and ticketing has been done manually, but Shestack says the university is currently in the process of integration. While automatic integration can speed up the process, the important step is to ensure there is a connection between the scan results and the systems or processes used in the next phase for impact analysis, prioritization, and remediation.

Vulnerability Impact Analysis and Prioritization

With a list of issues either in a spreadsheet, a scan result report, or integrated into the trouble ticketing system, the next step is to understand what kind of impact the vulnerability can have on the organization and to prioritize the response activities. While it would be nice to be able to fix all vulnerabilities as soon as they’re discovered, the reality is a bit more challenging, which is where the policy and posture work done in the first step really comes in. If an asset or data on the asset is deemed to be highly critical or have a high business impact, priority for the fix will be greater.

Other information that can be useful in the prioritization process is information from publicly available sources, such as the National Vulnerability Database and the Common Vulnerability Scoring System calculator. Vulnerability scanning tools use standard scoring to provide scoring metrics, and vendor advisories many times provide their own scoring on vulnerabilities as well. Whiteside at the Visiting Nurse Service of New York uses a combination of resources, including Symantec DeepSight and ISAC feeds, when creating a scoring metric for his vulnerability program. But he does caution that while “vendors create their own risk calculation based on vulnerability information, it doesn’t tell the whole story for my enterprise.” Whiteside’s team places a metric around the vulnerability that includes location, type of system and other factors unique to the environment to come up with a score that is adapted to his enterprise. Higher ranked vulnerabilities must be patched or mitigated within 30 days, while others can be placed on a 60- or 90-day fix cycle.

Another point to consider in the impact and prioritization phase is whether or not a system is truly vulnerable. In some instances, a compensating control such as a firewall may already be in place that prevents the vulnerability from being exploitable. In cases like these, it may be possible to tune the scanner to stop scanning for that particular vulnerability on the protected host or to create an exception report that “scores down” the impact due to the presence of the compensating control.

Vulnerability Management Lifecycle: Remediation and Mitigation

With a list of vulnerabilities tuned to the real risk and impact of the organization, it is time to remediate or mitigate. Patching is the most commonly discussed remediation technique: If there is a patch available, now is the time to apply the patch to golden images and testing servers to ensure it can be applied without unintended consequences, such as disruption of service. Some organizations deploy patches directly through their vulnerability management solution consoles, while others deploy through an operations management console used for other kinds of software delivery, like maintenance updates and new software deployments.
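The environment-adjusted metric described in the first article’s “Create a remediation plan” section and in the prioritization section above, as an added example that is neither the e-guide’s nor any quoted practitioner’s own method: a public CVSS score is adjusted for whether the software is in use, the data classification and business impact of the asset, a PCI DSS cardholder data environment, and an existing compensating control that “scores down” the finding, and the result is mapped to a preset time-to-fix. The weights, tier thresholds and 30/60/90/180-day windows are assumptions standing in for an organization’s own policy values.

```python
"""Environment-adjusted vulnerability score mapped to a time-to-fix window.

Added example, not the e-guide's or any quoted practitioner's method. The
weights, tier thresholds and fix windows are constructed policy values."""
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    in_use: bool              # inventory confirms the affected software is deployed
    data_class: str           # "public", "internal" or "sensitive"
    business_critical: bool   # an outage stops customers doing business
    in_cde: bool = False      # inside a PCI DSS cardholder data environment
    controls: set = field(default_factory=set)  # compensating controls deployed

# Constructed policy: adjusted score >= threshold -> (tier, days to fix)
TIERS = [(9.0, "critical", 30), (7.0, "high", 60), (4.0, "medium", 90), (0.0, "low", 180)]
DATA_WEIGHT = {"public": -1.0, "internal": 0.0, "sensitive": 1.5}

def prioritize(cvss_base, asset, blocked_by=()):
    """Return (adjusted_score, tier, days_to_fix, notes) for one finding.

    cvss_base  - public severity score for the vulnerability (NVD / CVSS)
    blocked_by - controls known to stop this specific exploit, e.g. {"waf"};
                 only those actually deployed on the asset count
    """
    notes = []
    if not asset.in_use:   # not in the inventory: nothing to schedule
        return 0.0, "not applicable", None, ["affected software not in use"]
    score = cvss_base + DATA_WEIGHT[asset.data_class]
    if asset.business_critical:
        score += 1.5   # public data, but disruption stops the business
        notes.append("disruption has direct business impact")
    if asset.in_cde:
        score += 1.0   # compliance mandate raises the priority
        notes.append("raised: cardholder data environment (PCI DSS)")
    active = asset.controls & set(blocked_by)
    if active:
        score -= 3.0   # "score down" for an existing compensating control
        notes.append("exception report: mitigated by " + ", ".join(sorted(active)))
    score = max(0.0, min(10.0, round(score, 1)))
    for threshold, tier, days in TIERS:
        if score >= threshold:
            return score, tier, days, notes
    raise ValueError("score below lowest tier")  # unreachable: lowest tier is 0.0

if __name__ == "__main__":
    # Constructed assets: a protected database inside the CDE and a public web server
    db = Asset("db01", True, "sensitive", False, in_cde=True, controls={"firewall", "dam"})
    web = Asset("web01", True, "public", True, controls={"waf"})
    print(prioritize(7.5, db))                         # critical, 30 days
    print(prioritize(7.5, db, blocked_by={"firewall"}))  # scored down to high, 60 days
    print(prioritize(5.0, web, blocked_by={"waf"}))    # low, 180 days, exception noted
```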

But there’s not always a patch for known vulnerabilities in commercial software, for example when a vulnerability is known and the vendor doesn’t have a patch ready yet. Custom software, including outsourced and in-house applications, can lag in the patch department, or the development team may not have the time and resources to create a patch or rewrite the code. And some systems may not be available for patching for other reasons: For example, if an audit cycle is in progress and all system changes, including patching, have been frozen, or in the case of some certified special-purpose devices, like those used in health care, the federal sector, or payment systems.

When patching isn’t a possibility, organizations can address vulnerabilities in other ways, like compensating controls; for example, Web application firewalls with custom rules to prevent exploits. Other options include stronger access controls
