Building a strong program based on mitigating known vulnerabilities has been transformed from a security-centric process to an operational necessity for business success.
Product vendors describe vulnerabilities as defects requiring a patch, upgrade or configuration change; attackers target these weaknesses in a security profile. Once a vulnerability is discovered, it is only a matter of time before an attacker develops the worm,
virus or intrusion that can take advantage of the defect. For example, the recent Sasser worm was launched a mere 18 days after the vulnerability was announced in the form of an available patch.
Companies that rely on signature-based defenses against known exploits are helpless against fast-moving exploits and zero-day attacks that propagate globally at Internet speeds. The goal of the security team is to reduce risk by identifying and eliminating weaknesses in an effort to shrink the window of opportunity in which an exploit or attacker could impact the organization.
Best practices for vulnerability management:
1. Classify network assets to effectively prioritize vulnerability mitigation programs, such as patching and system upgrading. The first best practice is to identify and classify network resources. There are far too many assets in an enterprise network to manage individually, and at an average cost of $235 to patch a desktop (based on 2003 Yankee Group enterprise security spending survey), patching all vulnerabilities as rapidly as possible becomes cost-prohibitive. The odds are great that unpatched systems will exist when the exploit designed specifically for the announced vulnerability strikes.
Understanding and classifying assets to a category allows IT to apply policies more efficiently, and if the organization is time or resource constrained, it enables the security team to focus on patching the most critical assets first.
2. Reduce vulnerability exposure quickly to measure the effectiveness of risk mitigation. Vulnerability management systems test network resources for the presence of known vulnerabilities. This produces a record per scan of the number of vulnerabilities discovered, their severity, and the asset classes affected. It is the true measure of a patch and configuration control program.
3. Integrate vulnerability management with discovery, patch management, and configuration management processes to close vulnerabilities before exploits can strike. Vulnerability management bolsters the effectiveness of patch management, configuration control, and early-warning services. Integrate vulnerability management with network integrity systems to assess new systems on the network, with patch management systems to confirm completion of a patch process, and with management reporting portals to raise the awareness among executive management for the accomplishments of the security team.
4. Audit the performance of security policy implementations, security team performance and process improvements to build a culture of refining security operations. Security executives regularly audit the effectiveness of integrated vulnerability processes. Vulnerability management delivers the fundamental metrics that management needs to evaluate the state of the corporate network security program. Best practices use the metrics to assess the success or failure of various efforts to improve performance.
Eric Ogren is a senior analyst with The Yankee Group's Security Solutions & Services advisory service.