By implementing an advanced vulnerability management (VM) solution, an organization can build a system that reduces the time and money spent dealing with vulnerabilities and lowers the risk of vulnerability exposure. This article covers the critical aspects of a VM solution and discusses the benefits an organization can expect from it.
Is there any IT network where vulnerabilities don’t exist? In today’s hacking-prone digital environment, it is very difficult to keep attackers from taking advantage of the flaws that exist in the network. So, rather than chasing attackers, it is always wiser to close those vulnerabilities with an effective and intelligent vulnerability management solution, which either patches them automatically once they are discovered or alerts users when a fix is beyond its patching capability. New vulnerabilities appear every day due to flaws in software, faulty configuration of applications and infrastructure, and human error. Whatever their source, vulnerabilities do not go away by themselves. Their detection, removal and control require vulnerability management (VM): the calibrated, continuous use of software tools and workflow that proactively purges exploitable risks.
Why Vulnerability Management?
Network security is the most expensive element of business operations today. Security exposures, often referred to as vulnerabilities, can wreak havoc on business operations if they are allowed to be exploited. These exposures can come from external or internal threats and are amplified by many current business factors, including the need for ‘always-on’ business services, borderless networks and regulatory compliance. Some of the most serious impacts include loss of proprietary information, loss of system availability, loss or corruption of data or applications, loss of productivity, regulatory non-compliance, and damaged customer relations and brand image.
Reported business losses by organizations that have suffered network attacks, and fines incurred by companies found to be out of compliance with regulations such as HIPAA, Gramm-Leach-Bliley and Sarbanes-Oxley, clearly support the need to protect digital information assets from both intentional and accidental vulnerabilities in order to mitigate risk and minimize potential damage and cost to the business. A comprehensive, well-defined security management strategy is essential to achieving the required level of protection; however, many organizations do not have the resources to implement such a strategy in isolation and need to rely on IT operations resources. This approach brings its own challenges. Deciphering the mountain of information from different IT incidents and prioritizing where resources should be deployed can cripple response times. A single operational environment that captures all relevant incidents and helps manage their resolution is essential.
Vulnerabilities in software arise mainly from mistakes made at programming time. If the size of data buffers is not checked properly, an overflow can corrupt the stack or heap areas of memory, which may allow execution of an attacker’s code on that machine via a virus, worm or other exploit vector. The standard assumption among computer scientists is 5 to 20 bugs in every thousand lines of software code, so it is no surprise to see regular announcements of new vulnerabilities with related patches and workarounds. The risk of unanticipated vulnerabilities grows with the use of General Public License software, particularly as implementers plug in untested modules of object-oriented code. These modules may include non-robust implementations of Internet protocol standards, making them susceptible to attack when placed into production environments.
Organizations need to create asset lists that define their critical business systems to help prioritize their efforts; they need the support of different internal groups to create the lists that will help them mitigate their most critical problems. For instance, if you can classify your data and know which area of your network certain data is supposed to reside on, then you can tune your scanners to monitor your network appropriately. Admittedly, getting business people to produce this type of classification is often the tough part.
Identifying Vulnerabilities
Effective asset discovery makes a significant impact on downstream processes. Referring to the fable of the six blind men and the elephant: if the blind men had been able to gather a complete asset inventory of the elephant, their discussion of the object would have been much better informed. The same holds true for vulnerability management. If most enterprises are unaware of 20-40 percent of the network, how can they know about all of their vulnerabilities?
The vulnerability management process should be directed by an independent asset discovery process. Too often, enterprises point vulnerability scanners against only the known and documented networks and believe the results are a complete view of security risk. Just as the blind man who felt the elephant’s trunk thought the elephant was very much like a snake, IT managers remain in the dark when it comes to a comprehensive view of security vulnerabilities across the enterprise. Known risk may pale in comparison with the security flaws on assets in a rogue domain or on a rogue network, which fall outside of patch management and anti-virus updates. Without independent discovery, unknown assets may never be checked for vulnerabilities, leaving enterprise IT risk significantly understated.
Organizations need a continuous, agent-less vulnerability management solution that automatically identifies vulnerabilities by asset class, business unit, classification, category or regulatory requirement. The solution should also be able to report average remediation time for high, medium and low-risk vulnerabilities. Since many enterprises are concerned with vulnerability scanning’s impact on sensitive hosts and networks, vulnerability management solutions should have a targeted blacklisting capability as well.
As vulnerabilities are automatically prioritized and reported by business unit, platform, network, asset class and vulnerability type, the results should be stored centrally and integrated with patch management and trouble ticketing systems. This helps maximize existing technology investments and increases IT staff efficiency in identifying and fixing problems and then reporting results. Scans can be scheduled automatically, or specific assets—such as those related to the PCI Standard—can be scanned on different intervals in accordance with compliance requirements.
With all vulnerability management data stored centrally, enterprises can prioritize remediation efforts and enjoy a more holistic view of risk across the IT landscape. Enterprises can then focus security expertise on analyzing and mitigating risks instead of merely identifying them.
Before buying tools, organizations should develop a vulnerability management blueprint. It is about what is in place to support your program: you need to define business requirements, get the business units involved and see what is important to them; you need to segment the network, map the data flows and define the product requirements for any reporting tools. You need to know who is going to run and maintain the program, what the scheduling process is, what the overhead costs are, and who has the responsibility to fix what you find.
You have to point to the ability of vulnerability management to help solve problems that some people might not expect: how it can complement your patch management system, and how it can help with configuration management. It is also important to look at different standards and tailor your approach to them to address your unique organization. Look at your actual needs and tailor how you approach standards to your situation; that makes any work you do to address standards easier to maintain as well.
Reverse engineering the network or application involves breaking the target down into known areas of vulnerability using information from the reconnaissance phase. Penetration testers mimic the same approaches an attacker would use, but within the ethical boundaries of a responsible consultant. The most fertile areas for an attacker or penetration tester include unpatched servers, non-essential open ports and unauthenticated access. For Web applications, vulnerable areas include cross-site scripting, SQL injection, buffer overflows, over-privileged processes and weak or custom encryption.
Once the attacker or penetration tester has identified your known areas of vulnerability, the next step is to identify individual threats in the exposed areas. This step is often conducted using open source and commercial tools designed to reveal these flaws. Vulnerability scanners are effective at giving a broad sweep of network assets and at determining points of entry susceptible to publicly known exploits. These tools generally work well against off-the-shelf software but not against custom products. Penetration testers must be able to write custom code that analyzes these scenarios using the common building blocks that lead to entry vectors, or adapt open source tools to the task. Web application scanners are used to map out entry points in traditionally written code. Newer code, e.g. Web 2.0 applications, can be more difficult to analyze with an off-the-shelf tool; custom code and manual analysis are often far more effective at finding vulnerabilities in these newer applications.
Proactive Vulnerability Management
Any computer that is exposed to the internet, unsanctioned applications, or unprotected storage devices can be infected with viruses, Trojans, worms, keyloggers, spyware, rootkits, and other malware. By preying upon vulnerabilities in operating systems and applications, from ubiquitous internet browsers to email and office productivity suites, these infections can quickly lead to stolen data, disrupted operations, and threats to the privacy of customers and employees. In 2007 alone, well over 6,000 new vulnerabilities were reported, an average of 124 per week. Nearly 90% of those vulnerabilities could be exploited remotely. In addition, poorly installed or misconfigured devices can create vulnerabilities that allow data corruption, eavesdropping, and theft.
Because vulnerabilities can be found literally everywhere—from gateways and routers to DNS servers, web servers, desktops, and laptops—many IT departments run a “catch as catch can” defense. But using swarms of IT personnel to constantly hunt down vulnerabilities, figure out and then apply the appropriate patches, and hope for the best is a waste of resources. Automating the vulnerability management lifecycle—discovery, assessment, prioritization, remediation, and reporting—lets you keep your information resources safe from external threats around the clock, freeing IT personnel to work on business-focused projects.
Automating vulnerability management dramatically improves your defense against malware even as it increases the operating efficiency of computing resources. It patches known risks, of course, but it also addresses endpoint misconfigurations, compliance with regulatory or corporate policies, outdated or inaccurate security mechanisms, and unauthorized services and applications.
Since new malware threats and configuration vulnerabilities continue to appear every day, it’s critical that you automate the never-ending process of discovering assets, monitoring risks, and remediating as needed. In addition, your computing environment is constantly changing as you continuously add, replace, and modify computers, devices, servers, and software. You need a way to monitor both the ever-changing assets attached to your network and the mobile devices that interact with it—devices made even more vulnerable by their ability to operate outside the firewall. With a combination of network- and agent-based scanning, you can track both networked and mobile assets.
An integrated solution that incorporates both network and agent-based scans and assessments offers the best of both worlds. Network scanning takes snapshots of the state of all connected assets, while agents monitor individual assets for vulnerabilities and configuration issues as well as manage installation of patches for both online and mobile devices. Such a unified system helps organizations avoid the costs of integrating and correlating databases and schemas from multiple security vendors, while making it possible to create a global report of assets and vulnerabilities. Finally, it eliminates the need for multiple security and operational IT teams, making the solution easier to deploy with a shorter learning curve for IT.
Understanding Processes to Remove Vulnerabilities
Vulnerability management has evolved from simply running a scanner on an application, computer or network. Scanning is an essential element of vulnerability management, but VM includes other technologies and workflow that contribute to a bigger picture required for controlling and removing vulnerabilities. The primary objectives of VM are:
- Fix faults in the software affecting security, performance or functionality.
- Alter functionality or address a new security threat, such as updating an antivirus signature.
- Change a software configuration to make it less susceptible to attack, run faster or improve functionality.
- Use the most effective means to thwart automated attacks (worms, bots, etc.).
- Document the state of security for audit and compliance with laws, regulations and business policy.
Consistent, ongoing execution of vulnerability management is difficult, if not impossible, to do manually. There are simply too many “moving parts” to juggle and act on in a timely and cost-effective manner. For this reason, organizations should automate as much as they can of each element of VM. The rest of this section describes how VM technologies and workflow help to control and remove network vulnerabilities.
Track Inventory and Categorize Assets: You need to find vulnerabilities before you can fix them. This step sets an evaluation baseline by creating and maintaining a current database of all IP devices attached to the network. Organizations should categorize assets by business value to prioritize vulnerability remediation. Elements in the database include all hardware, software, applications, services and configurations. Tracking this level of detail provides two benefits. First, the data enable your organization to identify which vulnerabilities affect particular subsets of the IT infrastructure, and an accurate inventory ensures that you select and apply the correct patches and fixes during remediation. Second, the inventory speeds up the scanning process because it limits scans to the devices affected by particular vulnerabilities.
Scan Systems for Vulnerabilities: A vulnerability scan tests the effectiveness of security policy and controls by examining network infrastructure for vulnerabilities. The scan systematically tests and analyzes IP devices, services and applications against known security holes. A post-scan report reveals actual vulnerabilities and states what needs fixing. There are many options for scanning. Some require software applications you install and maintain, such as the Nessus public domain scanner. These require lots of time and carry typical operational overhead. Another option is using a third party scanning service over the Internet, which automates all operations and lowers related costs.
Compare Vulnerabilities Against Inventory: The next step in the vulnerability management workflow is a comparison process to minimize false positives. Some vulnerability scanning and intrusion detection systems generate many false positives, which undermine the value of alarms when the reported flaw does not match what is actually in your inventory. To eliminate the time-wasting process of chasing down false positives, compare your organization’s IP inventory against industry standard vulnerability databases such as the Common Vulnerabilities and Exposures (www.cve.mitre.org) list and the NIST National Vulnerability Database (http://nvd.nist.gov). The NIST database takes CVE to the next level with detailed information for each of its vulnerabilities. Other databases include the SANS Top 20 and CERT Vulnerability Notes (www.sans.org/top20 and www.kb.cert.org/vuls/).
Classify and Rank Risks: It is practically impossible to fix everything at once. This workflow process ranks vulnerabilities to determine what to fix first. Organizations can devise their own category scheme or adopt rating scales from other sources.
Pre-Test Patches, Fixes and Workarounds: Patching vulnerabilities is not like bandaging a wound or spackling a small hole. It’s more like surgery. After software vendors rewrite pieces of an application, the resulting “healed” software is still vulnerable to other bugs. Software always has had and always will have bugs, so organizations should pre-test patches before applying them to live systems; some faulty patches have crashed business processes. Testing should occur in your organization’s own environment, since most problems with patches are due to third-party applications or modifications to default configuration settings. Organizations should verify cryptographic checksums, Pretty Good Privacy signatures and digital certificates to confirm a patch’s authenticity, and verify that the patch corrects the vulnerability without affecting the applications and operations of the business process.
Apply Patches, Fixes and Workarounds: Fixing security problems is the end result of vulnerability management. Traditional manual processes for applying patches and other remediation are slow and expensive. Sometimes the high cost of patching, coupled with the high volume of patches released by vendors, encourages organizations to delay remediation. Organizations may delay updates, even for critical patches, until multiple patches or a service pack are available, or until a regular monthly, quarterly or annual update cycle. Unfortunately, delay can be a fatal strategy, so it is important to remediate vulnerabilities as quickly as possible. Automated patch management and software distribution solutions can help speed this process and keep costs to a minimum. Rollback capability allows organizations to efficiently ensure that appropriate software versions are in use. Integrating patch management with the other automated vulnerability management processes is beneficial.
Re-scan to Confirm Fixes and Verify Security: After application of a patch or remediation process, organizations should rescan IP-connected assets to ensure that the fix worked and that it does not cause other network devices, services or applications to malfunction.
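The workflow just described, from comparing scanner output against the asset inventory through ranking to re-scan verification, as an added Python example (this is not code from the article or from any product; the hosts, versions, vulnerability ids and scores are constructed placeholders, and the risk formula, CVSS base score times business value, is one simple scheme of the kind the text says an organization may devise):

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    """One entry in the asset inventory (Track Inventory step)."""
    ip: str
    hostname: str
    business_value: int                 # 1 = low, 2 = medium, 3 = critical (set by the business units)
    software: dict = field(default_factory=dict)   # product -> installed version

@dataclass
class Finding:
    """One line of scanner output (Scan Systems step)."""
    ip: str
    product: str
    version: str                        # version the scanner believes is installed
    vuln_id: str                        # placeholder; a real system would carry the CVE id from NVD
    cvss: float                         # base score, 0.0 - 10.0

# Constructed inventory and scan results; all hosts, versions and ids are made up.
INVENTORY = {
    "10.0.1.10": Asset("10.0.1.10", "db01", 3, {"postgresql": "12.3"}),
    "10.0.1.20": Asset("10.0.1.20", "web01", 2, {"nginx": "1.18.0", "openssl": "1.1.1g"}),
    "10.0.1.30": Asset("10.0.1.30", "kiosk01", 1, {"firefox": "78.0"}),
}
SCAN = [
    Finding("10.0.1.10", "postgresql", "12.3", "VULN-EXAMPLE-0001", 9.8),
    Finding("10.0.1.20", "openssl", "1.1.1g", "VULN-EXAMPLE-0002", 7.5),
    Finding("10.0.1.20", "apache", "2.4.41", "VULN-EXAMPLE-0003", 9.1),  # apache is not in inventory
    Finding("10.0.1.30", "firefox", "78.0", "VULN-EXAMPLE-0004", 8.8),
    Finding("10.0.9.99", "nginx", "1.18.0", "VULN-EXAMPLE-0005", 5.3),   # host never discovered
]

def compare_against_inventory(findings, inventory):
    """Compare Vulnerabilities Against Inventory: a finding is confirmed only when
    the host is known and the product/version the scanner reports is really installed.
    Unknown hosts are not discarded: they are a discovery gap to feed back to asset tracking."""
    confirmed, false_positives, unknown_hosts = [], [], []
    for f in findings:
        asset = inventory.get(f.ip)
        if asset is None:
            unknown_hosts.append(f)
        elif asset.software.get(f.product) == f.version:
            confirmed.append(f)
        else:
            false_positives.append(f)
    return confirmed, false_positives, unknown_hosts

def severity(cvss):
    """Map a CVSS base score to the high/medium/low bands used in remediation reporting."""
    return "high" if cvss >= 7.0 else "medium" if cvss >= 4.0 else "low"

def rank(findings, inventory):
    """Classify and Rank Risks: order by CVSS score weighted by the asset's business value,
    so a lower-scored finding on a critical database can outrank a higher one on a kiosk."""
    return sorted(findings, key=lambda f: f.cvss * inventory[f.ip].business_value, reverse=True)

def remediation_plan(findings, inventory):
    """Return (ip, hostname, vuln_id, severity) tuples in the order they should be fixed."""
    confirmed, _, _ = compare_against_inventory(findings, inventory)
    return [(f.ip, inventory[f.ip].hostname, f.vuln_id, severity(f.cvss))
            for f in rank(confirmed, inventory)]

def fix_verified(before, after, ip, vuln_id):
    """Re-scan to Confirm Fixes: the finding was present before remediation and is gone after."""
    def present(scan):
        return any(f.ip == ip and f.vuln_id == vuln_id for f in scan)
    return present(before) and not present(after)

if __name__ == "__main__":
    for row in remediation_plan(SCAN, INVENTORY):
        print(row)
```

Note that the business-value weighting moves the 7.5 finding on the critical database ahead of the 8.8 finding on the low-value kiosk, which a CVSS-only sort would not do.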
While selecting a vulnerability management solution…
Begin with the end in mind. Network and security administrators should figure out whether they’re looking to perform occasional scanning to get a report or whether they need to rely on a systematic process for achieving regular, consistent results. Sometimes a scan here and there is okay. In most situations, especially if others outside of the security team are expecting reliable results, a more comprehensive vulnerability management program is required.
Here are some things to consider when looking for a vulnerability management system:
- How much automation is provided for scheduling, scanning, notifications, and reporting?
- Can the tool facilitate the workflow needed by system administrators and security staff, and is it flexible enough to work within the rest of the organization?
- Can the system handle the distributed topology of the network, and is it scalable enough to handle changes and anticipated growth?
- Is it multi-user, with permissions that restrict and control which users can see what information or perform actions such as scanning and data changes?
Implementation and Benefits
It is important to realize when developing a vulnerability management program that it is a lifecycle process. The first step is to fully discover the devices present on the network. This should be done on a regularly scheduled basis so that devices entering and leaving the network are identified.
Next, identify those devices which are candidates for vulnerability scanning. The best method is to schedule specific devices and ranges of IP addresses for regular vulnerability scanning. Production windows and device availability should be considered when deciding what to scan and when. Again, scheduled scanning is preferred over manual methods so that devices are regularly and consistently scanned for vulnerabilities.
Next, begin the notification and remediation processes. Remediation can be performed via patches (manually or through patch managers), configuration changes, and network configuration changes such as updating firewall policies and access control lists. Most important is to maintain a record of all activities from discovery through remediation. This information is critical for reporting results and progress to managers, auditors and outside regulatory agencies. A manageable vulnerability management process requires automated tools that can perform these steps without additional technical staff carrying out manual processes.
An enterprise class vulnerability management system can facilitate the needed adoption of vulnerability management processes by tying into systems and processes that already exist. It is much easier to achieve results if organizations don’t have to adopt new systems or processes that overlap or replace the current work methods already in use. Integrating your vulnerability management system with an asset management, trouble ticketing, and/or patch management system can significantly ease the adoption of these new processes.
Implementation of a vulnerability management program can ease the pain of complying with regulations such as FISMA, Sarbanes-Oxley, and HIPAA. Regulatory compliance has helped gain funding for security projects, but it has also increased the visibility and accountability of the security organization. Auditors and management now expect regular reports about vulnerability management, where the greatest risks to the business exist, and how the organization is addressing them. The regulations don’t always spell out exactly what an IT organization is supposed to do; that is frequently left up to the organization and the auditors. Fundamentally, what is required are systematic vulnerability management processes that are implemented, followed, monitored and acted upon, demonstrating that the organization and its decision makers are managing the security risks within the business.
Vulnerability management is a proactive measure that ensures the highest risks, such as those where someone could compromise a system or network element, are addressed first. It then provides the necessary tools, tracking and reporting mechanisms to mitigate those risks. In addition to making this a systematic, automated process, vulnerability management systems stop the scramble to scan, synthesize data, and craft reports at the end of each month.
Conclusion
Despite advances in security technology, managing system and application vulnerabilities continues to challenge IT professionals. Identifying potential exposures and remediating them prior to exploitation requires tight coordination between IT security and IT operations. By integrating accurate, real-time vulnerability assessment with automated remediation and compliance reporting, an advanced vulnerability management solution allows IT staff to stay well ahead of threats, bridging the gap between IT security and IT operations.
—By: ‘InfoSecurity’ Bureau.