Know the problem
Many people have wrong perceptions of the issues. Examples of these perceptions include:
- Vulnerability Management = Apply Software Patch
- Vulnerabilities only occur in Microsoft operating system products
- Vulnerability Management is only needed by large enterprises
A fundamental fact of the software life cycle is that software always contains programming errors, referred to as bugs. Traditionally, a bug was simply code that did not behave according to the initial software specification. Nowadays the picture is more complicated: a bug may stem from insecure coding practices and may lead to memory disclosure or privilege escalation.
No software is free of defects. Software vendors spend considerable effort fixing the problems that are discovered, which is where patches come from.
Understand the current situation – Scanning, Assessment and Trending
Does it mean I just apply all the software patches and the problem is solved? Not exactly. The author suggests a vulnerability assessment with an experienced security consultant. This assessment process involves initial vulnerability scans followed by trend analysis across scan cycles. The security consultant should provide a trend report and suggestions on how to develop a vulnerability management strategy. The vulnerability situation in one part of the enterprise can be better than in others. For example, the server farm may contain fewer vulnerabilities. This is quite typical, as the server farm may be administered by a different group of people, and the hardening procedures for production servers may differ from those applied to other machines in the enterprise. Comparing segments in this way is what turns a pile of scan output into an assessment: it shows where remediation is working and where it is not.
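The trend analysis described above can be shown concretely. The following is an added example written for this page, not the author's or any scanner vendor's code. It takes the results of two scan cycles, matches findings across them by host and check identifier, and reports per segment how many findings were fixed, carried over or newly introduced, the resulting fix rate, and which carried-over findings have outlived a remediation deadline. The segment names, hosts, check identifiers, scan dates and the severity-to-deadline table are all constructed for the illustration and are not from the original article.

```python
"""Trend analysis across two vulnerability scan cycles, split by enterprise segment.

Added illustration for this page; the scan data below is constructed, not real
scanner output. Each finding is (host, segment, check_id, severity). The same
(host, check_id) pair appearing in both scans is treated as the same unremediated
finding.
"""
from collections import Counter
from datetime import date

# Assumed remediation deadlines per severity, in days (a sample policy, not from the article).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed scan results: (host, segment, check_id, severity)
SCAN_JAN = [
    ("srv-exch01", "server-farm", "CHK-101", "high"),
    ("srv-db01",   "server-farm", "CHK-205", "medium"),
    ("ws-0001",    "workstations", "CHK-101", "high"),
    ("ws-0001",    "workstations", "CHK-330", "critical"),
    ("ws-0002",    "workstations", "CHK-101", "high"),
    ("ws-0002",    "workstations", "CHK-412", "low"),
    ("ws-0003",    "workstations", "CHK-330", "critical"),
]
SCAN_FEB = [
    ("srv-db01",   "server-farm", "CHK-205", "medium"),     # carried over
    ("ws-0001",    "workstations", "CHK-101", "high"),       # carried over
    ("ws-0001",    "workstations", "CHK-330", "critical"),   # carried over, past SLA
    ("ws-0002",    "workstations", "CHK-412", "low"),        # carried over
    ("ws-0002",    "workstations", "CHK-501", "medium"),     # new
    ("ws-0003",    "workstations", "CHK-330", "critical"),   # carried over, past SLA
    ("ws-0004",    "workstations", "CHK-101", "high"),       # new
]
SCAN_JAN_DATE = date(2023, 1, 20)
SCAN_FEB_DATE = date(2023, 2, 15)


def _index(scan):
    """Map (host, check_id) -> (segment, severity) so findings can be matched across scans."""
    return {(host, check): (segment, sev) for host, segment, check, sev in scan}


def open_by_segment(scan):
    """Open findings per segment, broken down by severity."""
    counts = {}
    for _host, segment, _check, sev in scan:
        counts.setdefault(segment, Counter())[sev] += 1
    return counts


def trend(previous, current):
    """Per segment: how many findings were fixed, carried over, or newly introduced."""
    prev, cur = _index(previous), _index(current)
    result = {}
    for key, (segment, _sev) in prev.items():
        result.setdefault(segment, Counter())["fixed" if key not in cur else "carried"] += 1
    for key, (segment, _sev) in cur.items():
        if key not in prev:
            result.setdefault(segment, Counter())["new"] += 1
    return result


def fix_rate(previous, current):
    """Share of last cycle's findings that are gone this cycle, per segment."""
    return {
        segment: round(c["fixed"] / (c["fixed"] + c["carried"]), 2)
        for segment, c in trend(previous, current).items()
        if c["fixed"] + c["carried"]
    }


def overdue(previous, current, previous_date, current_date):
    """Carried-over findings whose minimum age exceeds the deadline for their severity.

    With only two scans, a carried finding is known to be open at least since the
    previous scan date; that lower bound is what is compared against SLA_DAYS.
    """
    prev = _index(previous)
    min_age = (current_date - previous_date).days
    return sorted(
        f"{host}:{check}"
        for host, _seg, check, sev in current
        if (host, check) in prev and min_age > SLA_DAYS[sev]
    )


if __name__ == "__main__":
    for segment, counts in open_by_segment(SCAN_FEB).items():
        print("open", segment, dict(counts))
    for segment, counts in trend(SCAN_JAN, SCAN_FEB).items():
        print("trend", segment, dict(counts))
    print("fix rate:", fix_rate(SCAN_JAN, SCAN_FEB))
    print("overdue:", overdue(SCAN_JAN, SCAN_FEB, SCAN_JAN_DATE, SCAN_FEB_DATE))
```

On the constructed data the server farm fixes half of its findings between cycles while the workstation segment fixes one in five and picks up new ones, which is exactly the kind of per-segment difference the paragraph above describes. Matching on (host, check_id) rather than on a raw count is what makes "fixed" and "new" distinguishable; a bare total can stay flat while the population of findings churns completely.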
Develop vulnerability management strategy
A vulnerability management strategy is important for enterprises of all sizes. If a specific part of the infrastructure contains no customized software (for example, an email server running Microsoft Exchange 2007 on Microsoft Windows Server 2003), the strategy for it will be quite different from the strategy for infrastructure running an in-house developed CRM application: the former can rely on vendor-supplied patches, while the latter needs the organization to find and fix defects in its own code. It is essential to have security professionals review and assess the vulnerability management strategy. This makes sure the strategy is practical and meets industry baseline requirements.
Implement the vulnerability management strategy
Once the vulnerability management strategy is defined and confirmed, it comes to implementation. The tools that support implementation are as important as the strategy itself. They may include vulnerability scanners, patch management software, patch testing software, and so on. These tools automate the execution of the strategy and hence improve the overall security posture of the enterprise.
Regular reassessment of the strategy is crucial. The review should cover how well the strategy was executed, the enterprise-wide vulnerability trend, and the strategy itself. The author recommends that the strategy be reviewed every year by an information security professional.