Sunday, April 19, 2009

5-phase approach in successful vulnerability management

Know the problem

Many people hold mistaken perceptions of the problem. Examples of these perceptions include:

  • Vulnerability Management = Apply Software Patch
  • Vulnerability only occurs in Microsoft operating system products
  • Vulnerability Management is only needed by large enterprise

A fundamental fact of the software lifecycle is that software always contains programming errors, referred to as bugs. Traditionally, a bug was simply code that did not behave according to the initial software specification. Nowadays, however, bugs have become more complicated: the problems may involve insecure coding practices that lead to memory leakage or privilege escalation.

No software is perfect and free of issues. Software vendors spend effort fixing the problems that are discovered.

Understand the current situation – Scanning, Assessment and Trending

Does that mean I just apply all the software patches and the problem is solved? Not exactly. The author suggests a vulnerability assessment with an experienced security consultant. This assessment process involves initial vulnerability scans and trend analysis. The security consultant should provide a trend report and suggestions on how to develop a vulnerability management strategy. The vulnerability situation of one part of the enterprise can be better than that of the others. For example, the server farm typically contains fewer vulnerabilities. This is quite typical, as the server farm may be administered by a different group of people, and the hardening procedures for production servers may differ from those for other machines in the enterprise.
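The trend analysis described above can be illustrated with a small script. This is an added example, not code from the original post: it takes constructed findings from three scans (invented dates, segment names, hosts and severities), groups them by scan date and network segment, and reports whether each segment's weighted score is improving or worsening. A segment that drops out of a scan entirely is shown as an explicit zero row rather than silently disappearing, so a clean segment is not confused with a segment that was never scanned.

```python
from collections import defaultdict

# Constructed sample findings from three monthly scans: (scan_date, segment, host, severity).
# These are invented values for illustration, not real scanner output.
SCAN_RESULTS = [
    ("2009-01-15", "server-farm", "srv01", "high"),
    ("2009-01-15", "server-farm", "srv02", "medium"),
    ("2009-01-15", "workstations", "ws01", "high"),
    ("2009-01-15", "workstations", "ws01", "high"),
    ("2009-01-15", "workstations", "ws02", "medium"),
    ("2009-01-15", "workstations", "ws03", "low"),
    ("2009-02-15", "server-farm", "srv01", "medium"),
    ("2009-02-15", "workstations", "ws01", "high"),
    ("2009-02-15", "workstations", "ws02", "medium"),
    ("2009-02-15", "workstations", "ws03", "low"),
    ("2009-02-15", "workstations", "ws04", "high"),
    ("2009-03-15", "workstations", "ws01", "high"),
    ("2009-03-15", "workstations", "ws04", "high"),
    ("2009-03-15", "workstations", "ws05", "medium"),
    ("2009-03-15", "workstations", "ws06", "high"),
]

# Assumed weighting used to collapse severities into one comparable score per scan.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def findings_per_scan(results):
    """Group findings by (scan_date, segment): total count, high count, weighted score."""
    table = defaultdict(lambda: {"findings": 0, "high": 0, "score": 0})
    for date, segment, _host, severity in results:
        row = table[(date, segment)]
        row["findings"] += 1
        if severity == "high":
            row["high"] += 1
        row["score"] += SEVERITY_WEIGHT[severity]
    return dict(table)


def segment_trend(results):
    """Per segment, the time-ordered series of (date, findings, high, score)
    and the change in weighted score between the first and last scan.
    A segment absent from a scan gets an explicit zero row."""
    per_scan = findings_per_scan(results)
    dates = sorted({d for d, _ in per_scan})
    segments = sorted({s for _, s in per_scan})
    trend = {}
    for seg in segments:
        series = []
        for d in dates:
            row = per_scan.get((d, seg), {"findings": 0, "high": 0, "score": 0})
            series.append((d, row["findings"], row["high"], row["score"]))
        trend[seg] = {"series": series, "score_delta": series[-1][3] - series[0][3]}
    return trend


def report(results):
    """Render the trend as text: one direction line per segment, then its series."""
    lines = []
    for seg, data in segment_trend(results).items():
        delta = data["score_delta"]
        direction = "improving" if delta < 0 else "worsening" if delta > 0 else "flat"
        lines.append(f"{seg}: {direction} (score delta {delta:+d})")
        for d, n, high, score in data["series"]:
            lines.append(f"  {d}  findings={n:2d}  high={high}  score={score}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SCAN_RESULTS))
```

With the constructed data the server farm trends from a score of 5 down to 0 while the workstation segment climbs from 9 to 11, which is the kind of per-segment divergence the consultant's trend report is meant to surface. Real scanner exports would replace the `SCAN_RESULTS` list; the grouping and scoring logic stays the same.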

Develop vulnerability management strategy

A vulnerability management strategy is important for enterprises of all sizes. If a specific part of the infrastructure does not contain any customized software (for example, an email server running Microsoft Exchange 2007 on Microsoft Windows Server 2003), the vulnerability strategy for it will be quite different from that for infrastructure components running an in-house developed CRM application. It is essential to have security professionals review and assess the vulnerability management strategy. This ensures the strategy is practical and meets the industry baseline requirements.

Implement the vulnerability management strategy

Once the vulnerability management strategy is defined and confirmed, it comes to implementation. The tools that help implement the strategy are as important as the strategy itself. Tools may include vulnerability scanners, patch management software, patch testing software, etc. These tools automate the vulnerability management strategy and hence improve the overall security situation of the enterprise.

Continued reassessment

Regular reassessment of the strategy is crucial. The review should cover how the strategy was executed, enterprise-wide vulnerability trend analysis, and the strategy itself. The author recommends that the strategy be reviewed every year by an information security professional.

1 comment:

Steve2434798 said...

Finding a robust patch management solution is becoming more and more difficult as machines are less and less accessible to the management console. I have found success using patch management software from Kaseya. Because of the agent-based framework, I have connectivity to every machine that is connected to the Internet, independent of location.