Technical Vulnerability Management
July 29, 2008
At the core of Information Security is the protection of information assets through the mitigation of vulnerabilities. Vulnerabilities can be found in people (e.g. susceptibility to social engineering), process (e.g. lack of change management) and technology (e.g. buffer overflows). Vulnerability Management tends to focus on technology.
Security Event Management (SEM) provides visibility of the IT and business environment and should be combined with Vulnerability Management to ensure vulnerabilities are managed effectively, i.e. each one is consciously accepted or mitigated. This post examines the scope of Vulnerability Management and links to resources.
Definition
In this case it is helpful to define several associated terms:
- Risk – The likelihood that a given threat will exploit a vulnerability combined with the impact if it does (commonly expressed as likelihood × impact)
- Threat – The source or cause that may exploit a vulnerability
- e.g. Natural disasters such as fire and floods
- e.g. Insider undertaking fraudulent behaviour
- e.g. Outside motivated individuals or groups
- Exploit – The specific method used by the threat to take advantage of the vulnerability
- e.g. phishing email or website setup to fraudulently obtain information
- e.g. use of a false identity to submit a transaction for personal gain
- e.g. buffer overflow attack allowing execution of arbitrary code
- Vulnerability – The weakness in a system that creates the opportunity for a threat to exploit it
- e.g. lack of dual control on a sensitive transaction
- e.g. absence of raised flooring in a data centre
- e.g. inadequate data validation in software
Business Case
- Security Efficiency
- Minimise the time and costs to deploy secure builds
- Minimise the effort spent on patching vulnerabilities
- Security Effectiveness
- Reduce the likelihood of downtime caused by vulnerabilities
- Demonstrate control by reducing the number of vulnerabilities
- Business Enablement
- Allow business to continue during malicious code outbreaks
- Provide auditors, clients and partners with confidence
Process
- Hardening
- Prevention is better than cure, so reduce your exposed attack surface by undertaking the appropriate level of system hardening
- e.g. removing unrequired software, file shares and accounts
- e.g. disable unrequired features of required software
- e.g. rename required accounts and establish strong passwords
- e.g. install endpoint security (intrusion/extrusion prevention)
- e.g. implement appropriate access controls
- e.g. configure auditing and enable remote logging
- Patching
- Keep your systems protected from the latest threats through a patching plan and a systematic process that includes testing, change control, automated deployment and post-implementation review
- Use compensating controls such as network or host-based intrusion/extrusion prevention systems to help mitigate zero-day attacks and provide protection until patches can be tested and rolled out on your own schedule
- Testing
- Penetration Testing is just one part of Vulnerability Management and provides assurance by attempting to exploit the target in the same way a real threat would
- Process Integration
- Asset Management must be able to accurately identify the hardware and software requiring Vulnerability Management
- The status of vulnerable hardware/software and patch implementation should be reported into Security Event Management (SEM)
- Continual Improvement
- Receive Computer Emergency Response Team (CERT) and Vendor (e.g. Microsoft, Cisco, IBM, Sun, HP) Advisories
- Incident Management will be invoked when a vulnerability has been exploited and must provide feedback into the Vulnerability Management process
- Feed identified weaknesses back to vendors and, when appropriate, into your own application development process
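The hardening step above (remove unrequired accounts, disable unrequired features, establish strong settings) is only verifiable if you compare the live host against a written baseline. The script below is an added example, not code from the original post: it audits a captured sshd_config and /etc/passwd against a small CIS/STIG-style baseline. The baseline values, the sshd_config text, the passwd file and the allow-list of accounts permitted an interactive shell are all constructed sample data.

```python
"""Hardening baseline audit.

Added example, not code from the original post. The baseline values,
the sshd_config capture, the passwd file and the account allow-list are
all constructed sample data in the spirit of a CIS/STIG-style check.
"""

# Constructed baseline: sshd directives and the value a hardened build needs.
SSHD_BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "LogLevel": "VERBOSE",
}

# Constructed sshd_config as captured from a host under review.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
LogLevel INFO
"""

# Constructed /etc/passwd and the accounts this host is allowed to keep
# with an interactive shell (everything else should be removed or locked).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root:/root:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc_app:x:1001:1001:application:/srv/app:/bin/bash
olduser:x:1002:1002:left the company:/home/olduser:/bin/bash
"""
REQUIRED_INTERACTIVE = {"root", "svc_app"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


def parse_sshd_config(text):
    """Return {directive: value} with directives lower-cased (sshd matches
    them case-insensitively), comments stripped, and the first occurrence
    of a directive winning, which is how sshd itself resolves duplicates."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1])
    return settings


def audit_sshd(text, baseline=SSHD_BASELINE):
    """Return (directive, expected, actual) for every baseline miss.
    A directive that is absent or only commented out is reported with
    actual=None: the daemon default then applies, which may be weaker."""
    actual = parse_sshd_config(text)
    deviations = []
    for directive, expected in baseline.items():
        got = actual.get(directive.lower())
        if got is None or got.lower() != expected.lower():
            deviations.append((directive, expected, got))
    return deviations


def audit_accounts(passwd_text, required=REQUIRED_INTERACTIVE):
    """Return (finding, account) pairs: extra UID 0 accounts and accounts
    with a login shell that are not on the allow-list."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _, uid, _, _, _, shell = fields
        if uid == "0" and name != "root":
            findings.append(("extra-uid0", name))
        if shell not in NOLOGIN_SHELLS and name not in required:
            findings.append(("unrequired-interactive", name))
    return findings


if __name__ == "__main__":
    for d in audit_sshd(SAMPLE_SSHD_CONFIG):
        print("sshd: %s expected %r, found %r" % d)
    for f in audit_accounts(SAMPLE_PASSWD):
        print("accounts: %s %s" % f)
```

A commented-out directive is treated as a deviation rather than a pass, because a baseline that says "PasswordAuthentication no" is not met by a host silently running with the daemon default; the same reasoning applies to any benchmark check, so audit for the presence of the required setting, not just the absence of a bad one.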
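Tying the Process Integration and Continual Improvement steps together, the following is an added example (not code from the original post) of what the advisory-to-decision loop looks like once Asset Management can say what is installed where: advisories are matched against an inventory, each hit is scored as likelihood × impact per the Definition section, a disposition (accept or patch) is chosen, and the result is emitted as an event the SEM can ingest. The inventory, the advisories (ADV-0001 and ADV-0002 are placeholder identifiers, not real advisories), the scoring weights, the thresholds and the event field names are all constructed for this example.

```python
"""Advisory intake, asset matching, risk scoring and SEM reporting.

Added example, not code from the original post. The asset inventory,
advisories, scoring weights and event format are all constructed here;
ADV-0001/ADV-0002 are placeholder identifiers, not real advisories.
"""
import json
import re
from datetime import datetime, timezone

# Constructed asset inventory, the kind of data Asset Management must supply.
ASSETS = [
    {"host": "web01", "exposure": "internet", "criticality": 3,
     "software": {"apache": "2.2.8", "openssl": "0.9.8g"}},
    {"host": "db01", "exposure": "internal", "criticality": 4,
     "software": {"mysql": "5.0.51"}},
    {"host": "dev03", "exposure": "internal", "criticality": 1,
     "software": {"apache": "2.2.9"}},
]

# Constructed vendor/CERT advisories (placeholder IDs). impact is 1-4.
ADVISORIES = [
    {"id": "ADV-0001", "product": "apache", "fixed_in": "2.2.9",
     "impact": 4, "remote": True, "exploit_public": True},
    {"id": "ADV-0002", "product": "mysql", "fixed_in": "5.0.52",
     "impact": 3, "remote": True, "exploit_public": False},
]

# Hypothetical thresholds on risk = likelihood x impact (see Definition).
EMERGENCY, SCHEDULED = 32, 12


def version_key(version):
    """Comparable key for dotted versions with optional letter suffix
    (e.g. 0.9.8g < 0.9.8h, 2.2.8 < 2.2.9). Numeric runs sort before
    alphabetic ones so '0.9.8' < '0.9.8g'."""
    parts = re.findall(r"\d+|[a-z]+", version.lower())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_affected(installed, fixed_in):
    """True when the installed version predates the first fixed version."""
    return version_key(installed) < version_key(fixed_in)


def likelihood(advisory, asset):
    """1-4 score: remotely exploitable, public exploit and internet
    exposure each raise the likelihood of the threat succeeding."""
    return (1 + int(advisory["remote"]) + int(advisory["exploit_public"])
            + int(asset["exposure"] == "internet"))


def disposition(risk):
    """Map a risk score to the action the process will take."""
    if risk >= EMERGENCY:
        return "patch-emergency"
    if risk >= SCHEDULED:
        return "patch-scheduled"
    return "accept"   # documented acceptance, revisited on the next cycle


def triage(assets=ASSETS, advisories=ADVISORIES):
    """Match advisories to inventory and return findings, highest risk first."""
    findings = []
    for asset in assets:
        for adv in advisories:
            installed = asset["software"].get(adv["product"])
            if installed is None or not is_affected(installed, adv["fixed_in"]):
                continue
            lik = likelihood(adv, asset)
            impact = adv["impact"] * asset["criticality"]
            risk = lik * impact
            findings.append({
                "host": asset["host"], "product": adv["product"],
                "installed": installed, "fixed_in": adv["fixed_in"],
                "advisory": adv["id"], "likelihood": lik, "impact": impact,
                "risk": risk, "disposition": disposition(risk),
            })
    return sorted(findings, key=lambda f: f["risk"], reverse=True)


def sem_event(finding, when=None):
    """Serialise one finding as a JSON line for the SEM to ingest;
    the field names are this example's own convention."""
    when = when or datetime.now(timezone.utc)
    return json.dumps({"ts": when.isoformat(), "source": "vuln-mgmt", **finding})


if __name__ == "__main__":
    for f in triage():
        print(sem_event(f))
```

Two practical points the code makes explicit: an asset missing from the inventory (dev03's openssl, say) never produces a finding, which is why Asset Management accuracy is the first dependency of the whole process; and an "accept" outcome is still recorded and reported to the SEM, so the accepted risk is visible to auditors and is re-evaluated when the next advisory or a public exploit changes the likelihood.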
Diagram
Vulnerability Databases
Open Source – Open Source Vulnerability Database (OSVDB)
http://osvdb.org/
US National Institute of Standards and Technology (NIST) – National Vulnerability Database (NVD)
http://nvd.nist.gov/
SecurityFocus – Vulnerabilities
http://www.securityfocus.com/vulnerabilities
SecurityFocus – BugTraq
http://www.securityfocus.com/archive/1
Hardening Standards
Center for Internet Security (CIS) – Benchmarks
http://www.cisecurity.org/
US National Security Agency (NSA) – Security Configuration Guides (SNAC)
http://www.nsa.gov/SNAC/
US Department of Defense (DoD) / Defense Information Systems Agency (DISA) – Security Technical Implementation Guides (STIGs)
http://iase.disa.mil/stigs/stig/index.html
Microsoft – Security and Compliance Solution Accelerators
https://partner.microsoft.com/40011132
SANS – Cisco Router Hardening
http://www.sans.org/reading_room/whitepapers/firewalls/794.php
Computer Emergency Response Teams
Carnegie Mellon University (CERT)
http://www.cert.org/
United States Computer Emergency Readiness Team (US-CERT)
http://www.us-cert.gov/
United Kingdom Computer Emergency Response Team (UKCERT)
http://www.ukcert.org.uk/
Australian Computer Emergency Response Team (AUSCERT)
http://www.auscert.org.au/
Australian Government Computer Emergency Readiness Team (GOVCERT)
http://www.ag.gov.au/govcert
National Computer Network Emergency Response Technical Team of China (CNCERT/CC)
http://www.cert.org.cn/english_web/
Indian Computer Emergency Response Team (CERT-In)
http://cert-in.org.in/
Japan Computer Emergency Response Team (JPCERT)
http://www.jpcert.or.jp/english/
Singapore Computer Emergency Response Team (SingCERT)
http://www.singcert.org.sg/
Computer Emergency Response Team Brazil (CERT.br)
http://www.cert.br/index-en.html
European Cooperation of Abuse fighting Teams (E-COAT)
http://www.e-coat.org/
Forum of Incident Response and Security Teams (FIRST)
http://www.first.org