Practice Manager, Research
John Ventura is the practice manager of Optiv’s research team. In this role he specializes in assisting with the security design and assessment of real-world products and services. He has worked across multiple computer security fields, including forensics, network penetration testing and web application security, for a diverse set of clients.
Is an Effective Vulnerability Management Program in Your Future?
The uncomfortable truth about penetration tests is that they almost always succeed in demonstrating a dramatic compromise. Even junior assessors can start from minimal access, below the level of most employees, and obtain domain administrator credentials for an internal corporate network. Typically they accomplish this within a few days of arriving in an office environment they have never set foot in before. Sadder still, they can do all of this with a limited set of attack techniques.
However, some organizations are more resistant to conventional attack methodologies than others. These companies gather vulnerability data on a regular basis, make informed decisions based on that data and assign responsibility for remediation. A functional vulnerability management program can mean the difference between long periods of pleasantly uneventful productivity and a catastrophic compromise by an attacker with limited to moderate skills.
Optiv has created a white paper that outlines a general structure to guide organizations wishing to create their own vulnerability management programs. Based on analysis of successful programs at leading companies, the document spells out the components at a high level and lays out some of the lessons learned from evaluating and implementing these programs.
Anyone wishing to make informed decisions about their company’s security can benefit from the kind of program this white paper outlines. Although not all companies have such programs in place, the ones that do tend to have far fewer surprises after penetration tests and compliance audits. They also, presumably, face fewer realized threats from actual attackers. The intent of the white paper is to guide security administrators through the early phases of creating a fully realized vulnerability management program.
For clarity, the document breaks vulnerability management down into three parts. First, data acquisition covers the components, such as conventional vulnerability scanners and web application scanners, that collect vulnerability and compliance data from across the enterprise. Second, the white paper discusses information storage and analysis technologies, such as security information and event management (SIEM) solutions, along with vulnerability classification and weighting. Finally, it covers accountability engines, which organize and promote remediation efforts.
Administrators wishing to enhance their own security programs can use this framework as a model for future efforts. In addition to detection and remediation of critical vulnerabilities, these programs offer added benefits, including support for compliance with internal policies and externally mandated standards such as the Payment Card Industry Data Security Standard (PCI DSS). Although it is not necessarily anyone’s intention to gather mundane information such as the presence of, or support for, weak or outdated communications protocols (e.g. Telnet), the same technology used in these programs also offers related policy and compliance benefits. Not only can a working vulnerability management program save organizations from security incidents, it can promote compliance by letting administrators know where non-compliance exists.
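As an added illustration of the three-part structure described above (data acquisition, classification and weighting, and accountability) and of the compliance side benefit of flagging a banned protocol such as Telnet, the following script is example code written for this post; it is not from the Optiv white paper or from the author. Every host name, owner, criticality value, weighting factor, SLA and policy rule in it is a constructed assumption, and the findings stand in for what a scanner export would actually deliver.

```python
# Added example, not from the Optiv white paper or from the author: a minimal
# vulnerability management pipeline with the three parts the post describes:
# data acquisition (scanner findings), analysis (classification and weighting)
# and accountability (owner assignment with remediation deadlines).
# Every host, owner, score, SLA and policy rule below is constructed.
from dataclasses import dataclass
from datetime import date, timedelta

# 1. Data acquisition: findings as a scanner export would deliver them,
#    normalized to a few fields. Constructed sample data.
RAW_FINDINGS = [
    {"host": "db01.corp.example", "port": 1433, "cvss": 9.8,
     "title": "Database server missing critical security patch"},
    {"host": "web01.corp.example", "port": 443, "cvss": 6.1,
     "title": "Reflected cross-site scripting in search parameter"},
    {"host": "sw-core-1.corp.example", "port": 23, "cvss": 4.3,
     "title": "Telnet service enabled"},
    {"host": "kiosk07.corp.example", "port": 445, "cvss": 7.5,
     "title": "SMBv1 enabled"},
]

# Asset inventory (in practice pulled from a CMDB). Constructed sample data.
ASSETS = {
    "db01.corp.example":      {"criticality": 3, "internet_facing": False, "owner": "dba-team"},
    "web01.corp.example":     {"criticality": 2, "internet_facing": True,  "owner": "web-team"},
    "sw-core-1.corp.example": {"criticality": 3, "internet_facing": False, "owner": "network-team"},
    "kiosk07.corp.example":   {"criticality": 1, "internet_facing": False, "owner": "desktop-team"},
}

# Internal policy: cleartext management protocols are banned regardless of
# the scanner's severity rating. Hypothetical policy table.
BANNED_PROTOCOL_PORTS = {23: "telnet", 21: "ftp", 513: "rlogin", 514: "rsh"}

# Remediation SLAs in days per priority band. Hypothetical values.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Ticket:
    host: str
    title: str
    score: float
    priority: str
    policy_violation: bool
    owner: str
    opened: date
    due: date


def weight(finding, asset):
    """2. Weighting: scale the CVSS base score by asset criticality and exposure.
    Criticality 1..3 maps to a 0.9/1.0/1.1 multiplier; internet-facing assets
    get a further 1.2x. The result is capped at 10.0."""
    score = finding["cvss"] * (0.8 + 0.1 * asset["criticality"])
    if asset["internet_facing"]:
        score *= 1.2
    return round(min(score, 10.0), 2)


def classify(score, policy_violation):
    """2. Classification: map a weighted score to a priority band. A policy
    violation is never allowed to sit below 'high', whatever the score says."""
    if score >= 9.0:
        band = "critical"
    elif score >= 7.0:
        band = "high"
    elif score >= 4.0:
        band = "medium"
    else:
        band = "low"
    if policy_violation and band in ("medium", "low"):
        band = "high"
    return band


def build_tickets(findings, assets, today=None):
    """3. Accountability: turn raw findings into owner-assigned tickets with
    due dates, ordered highest weighted score first."""
    today = today or date.today()
    tickets = []
    for f in findings:
        asset = assets[f["host"]]
        violation = f["port"] in BANNED_PROTOCOL_PORTS
        score = weight(f, asset)
        priority = classify(score, violation)
        tickets.append(Ticket(
            host=f["host"], title=f["title"], score=score,
            priority=priority, policy_violation=violation,
            owner=asset["owner"], opened=today,
            due=today + timedelta(days=SLA_DAYS[priority]),
        ))
    return sorted(tickets, key=lambda t: t.score, reverse=True)


def open_tickets_by_owner(tickets):
    """Accountability view: how many open items each owner holds."""
    counts = {}
    for t in tickets:
        counts[t.owner] = counts.get(t.owner, 0) + 1
    return counts


if __name__ == "__main__":
    tickets = build_tickets(RAW_FINDINGS, ASSETS)
    for t in tickets:
        flag = " [POLICY]" if t.policy_violation else ""
        print(f"{t.priority:8} {t.score:5.2f} {t.host:25} {t.owner:13} due {t.due}{flag}  {t.title}")
    print(open_tickets_by_owner(tickets))
```

The point of the weighting step is that the scanner's CVSS number alone is not the priority: the same SMBv1 finding on a kiosk and on a domain controller should not land in the same queue. The Telnet finding shows the compliance benefit the post mentions; a CVSS of 4.3 would otherwise leave it in the medium band, but the policy table forces it to a high-priority ticket with a 30-day deadline, so the program records where non-compliance exists without anyone having set out to hunt for it.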