Effective Vulnerability Management Programme

According to Rapid7, a security vulnerability is a weakness, flaw or error within a system that a threat agent can leverage to compromise an otherwise secure network. According to Harvard Business Review, data breaches increased by 20% from 2022 to 2023, and the same source reports that ransomware gang activity increased by 77% over the same period. Breaches on that scale happen because vulnerabilities are being found and exploited in organisations across the globe.

As a result, every organisation that runs any technology should prioritise having a measure in place to manage vulnerabilities effectively. An effective vulnerability management programme is a system that ensures the organisation can identify, assess and remediate or mitigate all vulnerabilities in its IT assets within a reasonable time frame. The components discussed below are critical to achieving this and should all be considered:

 

1. Asset Inventory 

I once worked in an organisation where one of our servers was hacked and we were not even aware. Why? Because the server was not part of our asset inventory and also not a critical server, but it was an external-facing system with a connection to our Active Directory. Due to an emergency regulation, the organisation had to deploy a solution within a week, so everything was done in haste, from the server deployment to application development and then the roll-out, with the promise that all things would be regularised afterwards. Unfortunately for us, within 3 months of go-live of the system, all the critical stakeholders left the organisation without a proper handover (I know more than one system or process failed in this instance). The key point here is: if you are not aware of a system, how do you protect it? A complete and up-to-date asset inventory is critical and has numerous advantages. Your asset inventory should also classify each asset, as assets have different levels of criticality depending on the data they contain.
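The practical check that would have caught the server above is a regular reconciliation of what the network actually contains against what the inventory says you own. The following is an added example written for this article, not code from the original; the inventory, the discovery results and the field names (`criticality`, `dmz`, `ports`) are constructed sample data and assumptions, not any product's schema. It flags hosts that respond on the network but have no owner, rates them by exposure (internet-facing, RDP open, LDAP/Kerberos ports open) since nobody is patching them, and also surfaces inventory records that no longer correspond to a live host.

```python
"""Reconcile a declared asset inventory against hosts discovered on the network.

Added example (not from the original article). INVENTORY, DISCOVERED and their
field names are constructed sample data, not a real CMDB or scanner schema.
"""
from dataclasses import dataclass

# Constructed inventory: what the CMDB says we own and how critical it is.
INVENTORY = {
    "10.0.1.10": {"name": "dc01", "owner": "infra", "criticality": "critical"},
    "10.0.1.20": {"name": "erp-db01", "owner": "apps", "criticality": "critical"},
    "10.0.2.15": {"name": "intranet01", "owner": "apps", "criticality": "medium"},
    "10.0.2.99": {"name": "legacy-app01", "owner": "apps", "criticality": "low"},
}

# Constructed discovery output, e.g. from a scheduled network scan: one record
# per live host with the open ports seen and whether it sits in a DMZ range.
DISCOVERED = [
    {"ip": "10.0.1.10", "ports": [88, 389, 636], "dmz": False},
    {"ip": "10.0.1.20", "ports": [1433], "dmz": False},
    {"ip": "10.0.2.15", "ports": [443], "dmz": False},
    {"ip": "203.0.113.7", "ports": [443, 3389], "dmz": True},  # nobody owns this one
    {"ip": "10.0.3.44", "ports": [22, 389], "dmz": False},     # or this one
]

# Ports that suggest the host is tied into the directory (Kerberos, LDAP, LDAPS).
DIRECTORY_PORTS = {88, 389, 636}


@dataclass
class Finding:
    ip: str
    issue: str
    severity: str


def reconcile(inventory, discovered):
    """Return findings for hosts discovered but not inventoried (unmanaged), and
    for inventoried hosts that did not respond (stale records)."""
    findings = []
    seen = set()
    for host in discovered:
        seen.add(host["ip"])
        if host["ip"] in inventory:
            continue
        # Unknown host: rate it by exposure, because nobody is patching it.
        exposure = []
        if host["dmz"]:
            exposure.append("internet-facing")
        if 3389 in host["ports"]:
            exposure.append("RDP exposed")
        if DIRECTORY_PORTS & set(host["ports"]):
            exposure.append("LDAP/Kerberos ports open")
        severity = "critical" if host["dmz"] else "high"
        detail = f" ({', '.join(exposure)})" if exposure else ""
        findings.append(Finding(host["ip"], "unmanaged host" + detail, severity))
    for ip in inventory:
        if ip not in seen:
            findings.append(Finding(ip, "inventoried but not discovered (stale record?)", "low"))
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, DISCOVERED):
        print(f"{f.severity:8} {f.ip:14} {f.issue}")
```

Run this on every scan cycle and treat an "unmanaged host" finding as a ticket for the asset owner process, not just for the vulnerability queue: until the host has an owner and a classification, its vulnerabilities have nobody to remediate them.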

 2. Policy

Your organisation should have a document that defines how vulnerabilities will be detected, a grid for classifying identified vulnerabilities (e.g. Critical, High, Medium, Low), and time frames for remediating them, e.g. critical vulnerabilities will be resolved within 1 month. You can also combine the vulnerability classification with the asset classification, e.g. critical vulnerabilities on critical assets should be resolved within 2 weeks.

Make sure this policy has caveats for exceptions, as you may not be able to resolve every vulnerability within the stipulated time frame. For example, any vulnerability that cannot be resolved in time could require senior management sign-off stating the expected resolution date and the mitigating controls put in place in the meantime.

Over time, I have seen that it is good to review these remediation timelines in alignment with the organisation's risk tolerance, current reality and regulatory requirements. A change request approval process should also be included in the policy to ensure that desired changes are properly tested before they are made to production systems.

 3. Necessary/Relevant Tools

There are many vulnerability assessment tools with varying features. In my opinion one should always ensure that the tool selected meets the organisation's demands. For instance, if your company needs an ASV (Approved Scanning Vendor) scan every quarter, you need a tool with an ASV module. Other factors such as available budget, asset composition and regulatory requirements can also determine which tool an organisation adopts. Whatever the case, it is important that the user or team working with the tool is properly trained on its assessment and reporting capabilities, as I have seen that some tools even suggest an effective order for mitigating the most critical vulnerabilities from an organisational view, e.g. the top 25 vulnerabilities or the top 20 vulnerable assets.

4. Remediation Capability and Collaboration

Most vulnerability assessment tools include a remediation for each vulnerability. Some vulnerabilities are resolved just by deploying operating system patches, database patches, firmware updates and OEM security patches. In other cases, you have to do extensive research to remediate a vulnerability without causing further issues in the environment. I can recall an incident where we were trying to remediate the TLS 1.0 vulnerability, which we did successfully, but unfortunately it affected all connections to Active Directory, including VPN, Internet access and NAC access. We practically brought the organisation to a standstill just because we wanted to fix an issue, and there was no way we could have predicted this impact. Even after we followed due process all through, tested for about a month and raised a change request before deploying to production, I still ended up having to respond to some hostile emails.
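One pre-change check that narrows the blast radius of a protocol deprecation like the one above is to look at who is still negotiating the old protocol before you turn it off. The following is an added example written for this article, not code from the original: it parses handshake records, tallies the clients and services that used a legacy TLS version, and answers "is it safe to disable yet?". The log lines and their `src=... svc=... proto=...` format are constructed; in practice the source would be whatever records negotiated protocol versions in your environment, such as a web server access log configured to log the TLS protocol, or Schannel event logging on Windows.

```python
"""Find which clients and services still negotiate legacy TLS before disabling it.

Added example (not from the original article). SAMPLE_LOG and its line format
are constructed; substitute the handshake log your own TLS endpoints produce.
"""
import re
from collections import defaultdict

LEGACY = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed handshake records: which client reached which service with which protocol.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z src=10.0.5.21 svc=ldaps proto=TLSv1 cipher=AES128-SHA
2024-03-04T09:12:03Z src=10.0.5.22 svc=ldaps proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2024-03-04T09:12:09Z src=10.0.9.7 svc=vpn proto=TLSv1 cipher=AES256-SHA
2024-03-04T09:13:15Z src=10.0.5.21 svc=ldaps proto=TLSv1 cipher=AES128-SHA
2024-03-04T09:14:40Z src=10.0.7.3 svc=nac proto=TLSv1.1 cipher=AES128-SHA256
2024-03-04T09:15:02Z src=10.0.5.30 svc=https proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384
2024-03-04T09:15:10Z malformed line that the parser must skip
"""

LINE = re.compile(r"src=(?P<src>\S+) svc=(?P<svc>\S+) proto=(?P<proto>\S+)")


def parse(text):
    """Yield (client, service, protocol) for every well-formed record."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield m.group("src"), m.group("svc"), m.group("proto")


def legacy_dependencies(text):
    """Map service -> {client: handshake count} for legacy-protocol handshakes only."""
    deps = defaultdict(lambda: defaultdict(int))
    for src, svc, proto in parse(text):
        if proto in LEGACY:
            deps[svc][src] += 1
    return {svc: dict(clients) for svc, clients in deps.items()}


def safe_to_disable(text):
    """True only when no handshake in the observed window used a legacy protocol."""
    return not legacy_dependencies(text)


def report(text):
    """Human-readable summary: one line per service that would lose clients."""
    deps = legacy_dependencies(text)
    if not deps:
        return ["no legacy TLS handshakes seen; disabling is low risk"]
    lines = []
    for svc, clients in sorted(deps.items()):
        total = sum(clients.values())
        lines.append(f"{svc}: {len(clients)} client(s), {total} legacy handshake(s): "
                     + ", ".join(sorted(clients)))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
    print("safe to disable:", safe_to_disable(SAMPLE_LOG))
```

The observation window matters more than the code: a month-end batch job or a quarterly reporting client that only connects occasionally will not appear in a week of logs, so collect over at least one full business cycle before treating "no legacy handshakes" as a green light.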

Collaboration is very important because the team responsible for identifying vulnerabilities is often different from the team responsible for remediating them, and if the two teams are at loggerheads, little progress will be made. Depending on where a vulnerability is found (a network device, a database, an application or an operating system), remediation requires different skill sets and therefore different people working on each area, hence the need for collaboration among all stakeholders. Information security personnel need a degree of soft skill to get every stakeholder interested in remediating the vulnerability.

This can be done by discussing the finding with the technical team or, in some instances, by actually exploiting the vulnerability to demonstrate the severity of the issue and the ease of exploit by a malicious insider or third party. Any such demonstration should be carried out against a test system, or with explicit authorisation and a rollback plan, so that the proof does not itself cause the outage you are trying to prevent.

 

5. Patch Cadence and Penetration Tests

A patch management procedure also supports your vulnerability management programme, because a high proportion of vulnerabilities are fixed by patching firmware, operating systems, applications, databases and so on. If your systems are patched regularly, most issues will be resolved as soon as the OEM makes a remediation available. Penetration testing assesses the effectiveness of your vulnerability programme because it identifies the vulnerabilities the tester was able to exploit to gain access to your environment. It also checks the effectiveness of the other controls in place, e.g. network segmentation and network access control.
