Final - A Vulnerability Management Journey

Dec 15, 2023

Vulnerability Scanning Overview

Lay out what vulnerability scanning is and how it is a part of your organization’s defense strategy. Do not get specific about tools or types of scans. Examples:

  • Location
    • Internal
    • External
  • Vulnerabilities found will be added to a tracking system
  • Scanning is not about just discovery, but also validating remediation

Define accepted systems for performing vulnerability scanning

This is important so there is an understanding of which tools are used for which purposes. This is especially true if you are scanning systems, web applications, and cloud instances, as examples. You don't want the wrong tool to be used for the job. This program is not designed around a tool; rather, a tool that fits the process is used. This could be any number of tools, from traditional scanners to cloud-based MDMs that provide built-in patching and vulnerability management. They do not have to be best-of-breed standalone tools.

Lay out the vulnerability scanning lifecycle

This should be fairly short such as the following items:

  • Scan Preparation
    • Define scope for scans
    • Obtain authorization and agreement on scope
    • Configure different scan profiles
  • Associated Risks
    • State there are risks to scanning as it may impact applications
  • Scanning Operations
    • Discovery Scanning
    • Scan frequency
      • Ad-hoc
      • Weekly
      • Monthly
      • Quarterly
    • External Scanning
      • Scope
      • What profiles will be used
    • Internal Scanning
      • Scope
      • What profiles will be used
  • Remediation Actions
    • Who owns remediation (hint: it should be asset owners in conjunction with custodians)
  • Validation Phase
    • Continuous validation
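The tracking and validation phases above depend on one mechanical step: comparing each new scan against what is already tracked so that a finding is only closed when the asset was actually rescanned and came back clean, and a closed finding that reappears is flagged as a regression rather than counted as new. The following is an added example, not code from the original post; the asset names, check ids and scan ids are constructed sample data.

```python
# Added example, not code from the original post: a minimal tracking system that
# validates remediation by diffing consecutive scan exports. Names/ids are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

Finding = Tuple[str, str, str]   # (asset, check_id, severity) as exported by a scanner
Key = Tuple[str, str]            # (asset, check_id) identifies one tracked item

@dataclass
class Tracked:
    severity: str
    status: str             # open | remediated | regressed
    last_seen: str
    validated_by: str = ""  # scan that confirmed the fix

class Tracker:
    def __init__(self) -> None:
        self.items: Dict[Key, Tracked] = {}

    def ingest(self, scan_id: str, scope: Set[str], findings: Iterable[Finding]) -> None:
        """Record one scan. `scope` is the set of assets the scan actually reached:
        a finding is only closed when its asset was rescanned and came back clean."""
        seen: Set[Key] = set()
        for asset, check_id, severity in findings:
            key = (asset, check_id)
            seen.add(key)
            t = self.items.get(key)
            if t is None:
                self.items[key] = Tracked(severity, "open", scan_id)
                continue
            if t.status == "remediated":   # a closed finding reappeared
                t.status = "regressed"
            t.last_seen = scan_id
        for key, t in self.items.items():
            if t.status != "remediated" and key not in seen and key[0] in scope:
                t.status, t.validated_by = "remediated", scan_id

    def metrics(self) -> Dict[str, int]:
        """Counts per status, the basis of a remediation status report."""
        out: Dict[str, int] = {}
        for t in self.items.values():
            out[t.status] = out.get(t.status, 0) + 1
        return out

def demo() -> Tracker:
    """Constructed scenario: db01 is unreachable in scan-02, so its finding must stay open."""
    tr = Tracker()
    tr.ingest("scan-01", {"web01", "db01"},
              [("web01", "chk-1001", "high"), ("web01", "chk-1002", "medium"), ("db01", "chk-2001", "critical")])
    tr.ingest("scan-02", {"web01"}, [("web01", "chk-1002", "medium"), ("web01", "chk-1003", "low")])
    return tr
```

The scope check is the part most tracking setups get wrong: a host that was down or firewalled during the scan produces no findings, and without it every finding on that host would be reported as remediated.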

Pentests

Penetration tests should be defined as part of your vulnerability management program. The purpose of a penetration test is to find gaps in a program or help identify risk that is not easily automated. Unless it is for business justification of security budget, a penetration test should never be your first item in a vulnerability management program. It should be used to fill the gaps left by automated tools, where critical thinking and vulnerability chaining are required to achieve attacker goals.

There is a common battle in the community regarding what defines a pentest versus a red-team engagement. I would advise picking a framework to define this for your organization. A great framework from community leaders that I prefer is the Penetration Testing Execution Standard, or PTES. It can be found at http://www.pentest-standard.org/.

Lay out expectations from the framework and the different types of penetration testing so readers know what each is referring to.

This will be important as you work with penetration testers to establish scope and expectations of engagements.

Security Testing and Examination

ST&E is an important part of this as well. Defining your methodology and where this occurs is important. NIST 800-115, http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-115.pdf, lays this out in great detail. State which parts of the framework you will use at which points. For example:

NIST 800-115, Technical Guide to Information Security Testing and Assessment, is the definitive guide to performing security testing and technical assessments. This guide should be used as a recommended practice for:

  • Pre-production testing
  • Post-change testing for significant changes

Pre-production and post-change testing for significant changes are used to validate that a change was implemented correctly, is operating as intended, and is producing the desired outcome.

Security Control Assessment

Risk management requires finding a balance between vulnerabilities and acceptable security controls. This balance can be thought of as acceptable risk; it changes as vulnerabilities and controls change. For this I prefer to reference and utilize NIST 800-37, http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf.

Categorize

The [ORGANIZATION] will assign a potential security impact value for all information systems, which includes the information being processed, stored, and transmitted by the system, based on the potential impact to the [ORGANIZATION].

Select

An appropriate set of security controls is selected for the information system after categorizing it and determining the minimum security requirements.

The [ORGANIZATION] will meet the minimum security requirements by selecting an appropriately tailored set of baseline security controls based on an assessment of risk and local conditions, including the [ORGANIZATION]’s specific security requirements, threat information, cost-benefit analyses, or unique circumstances.

Implement

Security controls must be properly installed and configured in the information system. Industry standard benchmarks are a good template to use and then tailor to the [ORGANIZATION]’s use cases.

Assess

Security Testing & Examination is used to determine the extent to which controls are implemented correctly, operating as intended, and producing the desired outcome.

Authorize

Information systems are authorized based on a determination of the risk to operations, assets, or to individuals resulting from the operation of the information system and the determination that this risk is acceptable.

Monitor

Continuous verification and validation, such as metrics reporting and annual control testing, are necessary.

Ownership and roles

Defining ownership and who plays what role can seem daunting, but it is important to establish expectations of everyone’s part, from strategy to turning wrenches. In small organizations some individuals will wear multiple “hats”. You can combine responsibilities or state that someone plays multiple roles. For example, in a small company there may be only a CEO who contracts out all security work, including the CISO role. That is fine; you should still define it. This must be tailored to your organization.

Executive and Senior Management

The effectiveness of risk management in an organization is linked to management competence, commitment, and integrity, all of which form the basis of sound corporate governance. Corporate governance provides a systematic framework within which the executive management group can discharge their duties in managing the [ORGANIZATION].

Executive and Senior Management responsibilities include, but are not limited to:

  • Considering and documenting new and existing risks and their impact on proposed plans for the annual planning cycle
  • Ensuring up-to-date risk records
  • Providing direction and guidance to maximize use of the [ORGANIZATION]’s resources
  • Championing the development of a risk management culture throughout the [ORGANIZATION]
  • Guiding the inclusion of risk management in all strategic and operational decision making
  • Understanding major risks within their area of control
  • Maintaining a framework to manage, monitor and report risk
  • Managing risks to ensure the [ORGANIZATION] objectives, goals, and vision are executed
  • Improving corporate governance

Business Unit Management

Business Unit managers at all levels are responsible for the adoption of risk management practices and are directly responsible for the results of risk management activities, relevant to their area of responsibility.

All Employees

All employees are responsible for:

  • Acting the part of the good “citizen” to ensure the safety of their fellow employees and the company’s data
  • Actively working towards better risk management and communicating findings with management
  • Ensuring any liability to the [ORGANIZATION] is minimized

Asset Owner

The asset owner “owns” the process, application, service or asset in question. This can be anyone in the business unit but tends to be an individual in management.

Risk/asset owner responsibilities include, but are not limited to:

  • Assigning risks and making sure they are managed appropriately
  • Monitoring progress
  • Oversight of the risk review process and validation
  • Keeping the risk register up-to-date and responding to any risk register actions that have been assigned to them

Internal Audit

The internal audit function supports the [ORGANIZATION]’s risk management by providing advice and support on risk management, usually through an annual review of risk management practices. This is to validate that the risk management process is working as intended and being followed.

Vulnerability Management Personnel

The internal vulnerability management function supports [ORGANIZATION] vulnerability management by implementing and executing the controls associated with a Vulnerability & Patch Management Program.

Vulnerability management responsibilities include, but are not limited to:

  • Conducting vulnerability assessment scans
  • Facilitating or conducting penetration tests
  • Maintaining vulnerability management tools
  • Generating metrics and reports on the status of vulnerability management and remediation operations
  • Consulting with asset owners and custodians on remediation activities

Asset Custodians

Asset custodians maintain assets for asset owners.

Asset custodian responsibilities include, but are not limited to:

  • Implementing assets according to secure configuration standards
  • Performing proactive, recurring maintenance activities
  • Maintaining situational awareness on evolving threats
  • Collaborating with asset owners and vulnerability management personnel for remediation actions

Thank You

Thank you for taking the time to read through this blog series! I hope it helped you gain some insight on your vulnerability management and patch management journey!