Introduction to Vulnerability Management

Park Foreman

Vulnerability management (VM) is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. This is a broad definition that has implications for corporate or government entities. It is not a new discipline, nor is it a new technology. This vital function has been a normal part of hardening defenses and identifying weaknesses to systems, processes, and strategies in the military and in the private sector. With growing complexity in organizations, it has become necessary to draw out this function as a unique practice complete with supporting tools. This has resulted in an important refinement of the definition of VM as a segment of risk management.

The Role of Risk Management
Risk management seeks to identify the conditions or events under which a loss may occur, and then find the means to address that risk. Addressing risk can take the following forms:

- Accept the risk; that is, do nothing and let it happen. This is also known as retention.
- Mitigate the risk; that is, prevent it from happening.
- Reduce the risk; that is, reduce the consequences by actions such as insuring against the event.

In VM, we look at risks resulting from flaws in systems, processes, and strategies. Figure 1.1 shows the relationship of VM with a risk management program. The purpose is to discover and address risks that result from vulnerabilities under the control or influence of the organization. Other aspects of risk management related to event probability analysis and continuity management are not directly concerned with vulnerabilities.

Figure 1.1 Role of vulnerability management in risk management framework.

VM typically focuses attention on technical software and system configuration vulnerabilities. There are also vulnerabilities related to corporate strategy, economics, and the environment whose detection cannot be automated. They require the attention of a risk manager.

These vulnerabilities exist in areas such as business processes, strategies, and supply chains. Every action or plan that a business has could be exploited through design flaws or a lack of adaptability. It is the larger role of the risk manager to recognize and address these challenges. In this book, we discuss primarily technical software and system configuration vulnerabilities; however, some attention is also given to vulnerabilities related to corporate strategy, economics, and the environment.

Origins of Vulnerability Management
Vulnerability management has been around for a long time, yet few paid attention to it until recently. The military has long understood and perfected VM through ritual and practice. Inspections of defenses, from the organization and deployment strategy down to the individual soldier and weapons, are the equivalent of audits. The recursive training, equipping, and rearrangement of defenses is a form of remediation or hardening. But these activities have not come without an understanding of the enemy.

A student of military history can easily recognize how one opponent vanquished another by exploiting a vulnerability or strategic error. These victors are often hailed as geniuses, rather than the losers being seen as incompetent. Consider, for example, the battle of Cannae where Hannibal collapsed his center line to envelop the Romans so that he could attack from all sides, thereby defeating them. Hannibal is considered a genius for this now-classic tactic. However, one might also see this as a flawed strategy of Varro, one of the Roman consuls at the battle. Varro believed that the Roman army could drive through the center of Hannibal's front line and drive the entire enemy line to the river at their backs. What he did not consider was the essential discipline for maintaining a uniform front line, which was undeniably a vulnerability.

Yet, in the business world we tend to view the failure to be prepared for risk as an example of incompetence. This is especially true when the corporation is generally perceived as being strong, wealthy, and able to dedicate the resources to addressing risk.

As an IT discipline, VM has been immature and its users naïve about its application: immature because strong, enterprise-ready technology is only now becoming available, and naïve because the need for a complete, integrated solution with well-defined processes has not been fully recognized. Although military discipline may not seem necessary in a corporate environment, the lack of discipline leads to the one key vulnerability that is not discovered or not remediated, and which may eventually lead to catastrophic losses.

Introducing the Security Industry and Its Flaws
Not so surprisingly, corporations and government alike have relied on new products to "bolt on" security to their networks. The security industry has focused on selling products and services that require upgrades and maintenance. If there is a security problem that seems to emerge, a vendor has developed a solution. When users started abusing network ports to reach into other host services in a remote network, the industry gave us firewalls. When viruses became a problem, the industry offered us anti-virus software and services. When worms like Sasser were found, anti-virus vendors put more anti-virus functionality in the network. When in-house applications became more of a target, application firewalls were offered.

Unfortunately, very few of these solutions seem to address the central problem. Most security problems result from a failure to code, patch, configure, or design in a secure manner. This is the military equivalent of a lack of training of the troops, lack of oversight by commanders, and failure to provide adequate equipment. Just as technology vendors continue to provide us with productized solutions, you can hand the troops all the weapons that can be bought, but these will not be the targets of your enemy. The product purchase scenario is a strategic failure.

It is not my intent to disparage the use of these and other security technologies. They are an important part of an overall security strategy. However, while all of these bad things were happening, few people were focused on identifying and fixing what was exploited, and none of these technologies can fully make up for a failure to use strong passwords or keep shrink-wrapped software patched.

The value of most security products in a network comes from their ability to temporarily mitigate risks for which you do not have a more permanent or reliable solution. The anti-virus product is a good idea so long as you get updates quickly and those updates are accurate. When the latest virus comes out, the product should quickly be prepared to stop it until the vendor of the target software supplies a patch. Eventually, the virus will find its way into the organization and around some defenses. The important thing is to get a permanent fix in place before that happens.

Challenges from Government and Industry
The IT department faces many other challenges from the governments of the world. Varying degrees of legislation from one jurisdiction to another create a minefield of legal and operational challenges. Multinational companies are particularly challenged. In some countries, regulators and labor unions treat intrusion detection with suspicion, on the grounds that it may be an invasion of privacy. In other countries, the collection of Internet surfing activity for a particular user is compulsory and must be supplied to the authorities upon request. Vague yet onerous regulations such as Sarbanes-Oxley (SOX) in the United States have resulted in a multitude of security controls that offer little value but considerable expense. This makes active defense of a network in a globally managed package an even bigger challenge because security managers must now differentiate compliance activities from those that bring real security.

Add to all of this the industry standards for security controls and the associated certifications and audits. The alphabet grows constantly: SAS 70, SOX 404, ISO 17799, ISO 27001, PCI, FIPS, HIPAA, GLB, IEEE P1074, EAL. Standards and certification are important, but they often distract us from our most central problems: vulnerable software, architecture, and strategy. There is no long-term substitute for well-written, tested, and properly configured software deployed thoughtfully with solid practices.

Sources of Vulnerabilities
Software companies are also a real challenge to software buyers everywhere. Their coding practices can stand a lot of improvement, as can their basic designs. Some want to sell more products, so they continue to introduce more functionality without securing what was built before. A new electronic communications protocol or new application using that protocol is developed. But they never secure the protocol from the beginning. The vendors also do a fairly poor job of notifying users and issuing patches. The problem is motivational because they see patching as a cost greater than the benefit since no one is paying for the additional development work. In some cases, a vendor is entrenched in the market and customers have few alternatives. The cost of changing software makers can be expensive for a company with thousands of units deployed and hundreds of trained support staff.

Example of Flawed Vulnerability Management
When we do perform the VM function, it is usually halfheartedly. One company attempted to deploy VM agents throughout the enterprise as an act of payment card industry (PCI) compliance. The auditors told them they should do it, and so they did it without regard to the benefit or the effect. As a result, the only tangible requirement was that the technology be deployed. No one considered what would happen after that. Obvious questions such as "on which hosts do we install the agents?" and "what vulnerabilities do we have to fix first?" were ignored. I refer to this as the check box security strategy. Someone to whom a company has delegated authority provides a checklist of what to fix, and then the company complies.

Another obvious problem with this security approach is that a tool that can help address the root cause of so many vulnerabilities would have no official owner. Instead, in my example, the agents and server were installed without anyone to maintain them. No matter how hard you try, maintenance does not happen by itself. Someone has to read the reports, repair or reinstall components or agents, and make sure the reporting server stays healthy. Someone also has to monitor the overall system to make sure that it achieves its objectives. This is the equivalent of deploying a division of troops without a leader. They would be badly coordinated and ineffective.

Why Vulnerability Management Is Important
For a corporation, resources are quite limited. It can only spend so much on a risk, so an early analysis of risks is certainly important. However, I would argue that there is little excuse for not performing the VM function. It seems difficult to justify spending limited funds on intrusion detection or security event management when VM has not been implemented. Although VM involves more complex processes and systems, the risk profile of a company can look quite different when there are fewer critical vulnerabilities to defend.

In this book, you will find far more than a description of the technology and a few tips on how to get it going. You will gain an in-depth understanding of how VM works from both a technology perspective and a process perspective. Neither one is very useful without the other. Technology tools are facilitators of the process. Much time will be spent understanding this. Experience in the uniqueness of your company's environment will bring you to the realization that only those who are very serious about having a strong, secure infrastructure are needed. Anything else is a waste of money and time.

You will also gain an understanding of the strategic significance of vulnerabilities and their control. Beyond the concern for a single host or network device, vulnerabilities can exist at other levels that can only be addressed by adjustment to the technology strategy. It is risk management at an organization and industry level, and transcends any technology.


Source
From Vulnerability Management by Park Foreman. New York: Auerbach Publications, 2009.


© Copyright 2009 Auerbach Publications