Vulnerability management (VM) is an essential part of information security, necessary for any organization serious about protecting its data and systems, and especially important for those that need to obtain compliance certification.
However, a real danger of VM is that it gets implemented to tick a box rather than to actually manage the vulnerabilities in an organization's information resources. Having a vulnerability management policy isn't the same as implementing it and proactively working to mitigate future problems.
Assuming your organization has a vulnerability management policy and assuming that resources (including personnel and time) have been allocated, what can an organization do to remain ahead?
1) Make sure that computers and systems are checked for vulnerabilities regularly. This must include frequent network scanning, firewall log analysis, penetration testing and/or the use of automated tools. Having discovered possible vulnerabilities during the initial baseline definition isn't enough; this process must be repeated often. This is especially true in organizations where software and hardware are upgraded and changed frequently.
2) Prioritize the risks correctly. If a critical vulnerability is discovered, make sure that the overall threat to your organization is assessed before assigning the final priority level. A low-level vulnerability on your external web site is a greater risk than a critical vulnerability on a laptop used to give presentations in the conference room!
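The point above is that scanner severity alone is a poor priority: the same finding matters more on an internet-facing, business-critical host than on an isolated one. The following is an added example, not code from the original article, of a small contextual scoring model. The severity scale, the exposure and criticality weights, the priority bands and the sample findings are all constructed assumptions; a real program would tune them to its own asset inventory.

```python
"""Contextual vulnerability prioritization (added illustration).

Scanner severity is multiplied by how reachable the asset is and how
much the business depends on it. All weights below are constructed
assumptions, not values from any standard or scanner.
"""
from dataclasses import dataclass

# Base severity as a scanner reports it (assumed CVSS-like 0-10 scale).
SEVERITY_SCORE = {"low": 3.0, "medium": 5.0, "high": 7.5, "critical": 9.5}

# How reachable the asset is by an attacker (assumed multipliers).
EXPOSURE_FACTOR = {"internet": 1.0, "internal": 0.5, "isolated": 0.2}

# How much the business depends on the asset (assumed multipliers).
CRITICALITY_FACTOR = {"high": 1.0, "medium": 0.6, "low": 0.3}


@dataclass(frozen=True)
class Finding:
    finding_id: str   # scanner's own reference (placeholder values below)
    asset: str
    severity: str     # low / medium / high / critical
    exposure: str     # internet / internal / isolated
    criticality: str  # high / medium / low


def contextual_risk(f: Finding) -> float:
    """Scanner severity adjusted for where the asset sits and what it is worth."""
    score = (SEVERITY_SCORE[f.severity]
             * EXPOSURE_FACTOR[f.exposure]
             * CRITICALITY_FACTOR[f.criticality])
    return round(score, 2)


def priority_band(score: float) -> str:
    """Map a contextual score to a remediation band (assumed thresholds)."""
    if score >= 6.0:
        return "P1"
    if score >= 3.0:
        return "P2"
    if score >= 1.0:
        return "P3"
    return "P4"


def prioritize(findings):
    """Return findings ordered from highest to lowest contextual risk."""
    return sorted(findings, key=contextual_risk, reverse=True)


# Constructed sample findings mirroring the article's comparison.
SAMPLE_FINDINGS = [
    Finding("SCAN-001", "www (external web site)", "low", "internet", "high"),
    Finding("SCAN-002", "conference-room laptop", "critical", "isolated", "low"),
    Finding("SCAN-003", "hr-database", "high", "internal", "high"),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        s = contextual_risk(f)
        print(f"{priority_band(s)} {s:5.2f} {f.finding_id} {f.severity:<8} {f.asset}")
```

With these weights the "low" finding on the external web site scores 3.0 (P2) while the "critical" finding on the isolated laptop scores 0.57 (P4), which is the ordering the article argues for. The internal HR database lands on top at 3.75 because both its exposure and its criticality are high; tune the tables, not the logic, if your organization weighs things differently.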
3) Preemptively check system configurations. Good update and patch management is an essential part of VM, but a misconfigured server can be vulnerable even if it has the latest patches and fixes. Design processes to ensure that system configurations aren't changed and services aren't reconfigured, and check both against your security baseline on a regular basis.
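Checking a live configuration against the security baseline is mechanical once the baseline is written down. The following is an added example, not code from the original article, that parses a simple "Key Value" configuration file (sshd_config style, chosen only because its directives are familiar) and reports every setting that has drifted from the baseline. The baseline and the "current" snapshot are constructed for illustration; a missing key is flagged too, because a setting that has been deleted usually falls back to a compiled-in default that may differ from what the baseline requires.

```python
"""Configuration drift check against a security baseline (added illustration).

Both configuration texts below are constructed samples. The directive
names are sshd_config style, used only as a familiar format.
"""


def parse_kv_config(text: str) -> dict:
    """Parse 'Key Value' lines; blank lines and '#' comments are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        settings[key.strip()] = value.strip()
    return settings


def detect_drift(baseline: dict, current: dict) -> list:
    """Return (key, expected, actual) tuples for every deviation.

    A key present in the baseline but absent from the current config is
    reported as '<missing>'; a key present only in the current config is
    reported as '<not in baseline>' so unreviewed additions are noticed.
    """
    drift = []
    for key, expected in baseline.items():
        actual = current.get(key)
        if actual is None:
            drift.append((key, expected, "<missing>"))
        elif actual != expected:
            drift.append((key, expected, actual))
    for key in sorted(set(current) - set(baseline)):
        drift.append((key, "<not in baseline>", current[key]))
    return drift


# Constructed baseline: what the hardened server is supposed to look like.
BASELINE_TEXT = """
# security baseline for SSH daemons
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 3
"""

# Constructed snapshot taken from a host after someone "fixed" a login problem.
CURRENT_TEXT = """
PermitRootLogin yes        # changed
PasswordAuthentication no
MaxAuthTries 3
AllowTcpForwarding yes     # added, never reviewed
"""


def check_host(baseline_text: str, current_text: str) -> list:
    """Parse both texts and return the drift list (empty means compliant)."""
    return detect_drift(parse_kv_config(baseline_text), parse_kv_config(current_text))


if __name__ == "__main__":
    for key, expected, actual in check_host(BASELINE_TEXT, CURRENT_TEXT):
        print(f"DRIFT {key}: expected {expected!r}, found {actual!r}")
```

Run periodically (from a cron job or a configuration management tool) and diffed against the previous run, the output doubles as the record of when a setting changed, which is useful both for rolling it back and for the incident documentation the article asks for in point 4.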
4) Test your procedures. For instance, if an organization gets hit by a zero-day exploit, there is little that could have been done to prevent it. By its very definition a zero-day exploit is unknown and therefore impossible to prevent: the vulnerability has not been reported to the vendor, or the vendor has no patch for it. How an organization reacts to an incident, however, is essential. Make sure that the personnel in the incident response team are trained and ready to handle every type of breach. Keep records by documenting security breaches and incidents.