Vulnerability Management: Processes, Tools and Management Support

The Internet is great! It simplifies our lives and makes us all happy. I mean, who doesn’t love using the Google machine? The Internet has become an integral part of business and arguably the greatest tool mankind has ever invented. Almost every business is connected to it and some sources estimate that over a million dollars of business is done over the Internet every 30 seconds. That is an amazing number! The fact that only a small proportion of the people using it for business understand the technology that makes it all work certainly invites the risk of misuse and criminal activity. So much so that it has become commonplace to hear of a company suffering a breach that cost it x amount of money due to lawsuits or loss of brand assurance, or that had its customers’ personal information stolen, its brand tarnished and customer confidence lost.

Cyber Security is on the Attack

So what does all of this have to do with vulnerability management? Many cyber security breaches, a phrase we have come to understand too well, are in whole or in part due to a hacker exploiting a flaw, or vulnerability, in a piece of software on a company’s website and using that to get access to steal information. Sadly, often the vulnerability is well known or has been around for a long time and could have easily been fixed if the right people in the company knew about it.

A Layered Approach to Success

Vulnerability management is all about using well-defined processes to accurately and effectively test technology systems for vulnerabilities and apply fixes to the systems in a timely manner. It’s easy to say, yet getting the processes to work is a daunting task that requires not only solid tools and technical staff, but also management that understands and supports the processes. OpenMarket is fortunate to have both pieces of the puzzle, as we have implemented a vulnerability management program that is people-centric by allowing visibility to all of the stakeholders, including a clear definition of who should fix the vulnerabilities.

Let’s look at a successful vulnerability management program as a layered model. The first layer includes safe and easy-to-use tools and processes to update your software across all your systems. The process must provide visibility, authorizations, and accountability for software updates. Once this is in place, you can add the next layer by using the tool to perform routine updates of your software. I can’t stress enough that you should do this repeatedly.

The next layer is to subscribe to all of your software vendors’ security mailing lists and to notifications from organizations such as US-CERT, SANS, or any other companies that send out information on application vulnerabilities. Regularly reviewing these notifications will increase your awareness of new vulnerabilities that exist in your software and enable you to make informed decisions about what to update. Next is a trusted network scanning tool for application vulnerabilities that you use regularly, usually in sync with your patching process. Now you have the foundation of your vulnerability management program in place. Lastly, you’ll need an interface to your scanning tool that gives the application owners visibility into the vulnerabilities in their applications and allows them to track the efforts to fix, or remediate, these vulnerabilities.

Management Buy-in is Key

The next step is to take this foundation to your management and work with them to define the rules around who owns which vulnerabilities, how to prioritize them, and how soon you have to remediate them once they are found. This is where the real fun begins, as remediating vulnerabilities often carries the risk of network downtime and of applications not working after you update underlying applications, and it takes employee time. At this stage you must have a management team that understands these risks and is able to make business decisions based on the output from your vulnerability management process, which means that output must be understandable by people who are less technical.

At OpenMarket, not only do we treat vulnerability management as a layered process, but our entire information security program is a layered approach that applies security at each level of our network with the idea that no single security control is perfect. The theory is that if we put enough of them in place, it makes us a hard target. And by making OpenMarket a hard target, we discourage the majority of hackers, who will then move along in search of easier targets.

At the end of the day and no matter how you get there, effective vulnerability management must be an integral part of your information security program if you are doing business on the Internet. Let us know your thoughts.