Vulnerability Management Programs
Vulnerabilities exist in all systems, and attackers take advantage of them to steal credentials, perform Denial of Service attacks, exfiltrate sensitive data, and more. A major component of a successful Security Program is a Vulnerability Management Program that can respond rapidly to known vulnerabilities, closing these gaps as quickly and as thoroughly as possible.
For the record, this article discusses technical vulnerabilities in Commercial-off-the-Shelf (COTS) products, and custom applications. This article does not discuss procedural or non-technical risks that would be managed by Plans of Action & Milestones as part of a Risk Management Strategy.
Systems are composed of components like network equipment, virtual environment hosts, operating systems, software, etc. Vulnerabilities in these components are discovered and announced constantly. They are so prevalent, and affect our technologies so greatly, that the Federal Government (NIST) maintains a catalog of them, the National Vulnerability Database at https://nvd.nist.gov/. Each entry is identified by a Common Vulnerabilities & Exposures (CVE) ID and records the affected software/firmware versions, the characteristics of the vulnerability, and a Common Vulnerability Scoring System (CVSS) score that lets us focus on the CVEs that are most critical.
Luckily for us, there are tools that can help us discover and track the vulnerabilities that exist within our IT environments. Vulnerability scanners keep track of the huge lists of vulnerabilities and map CVEs to software and firmware version numbers. This lets us know that “Server 1” in the “Human Resources” system is running a version of database management software that contains a vulnerability with a CVSS severity score of 9.5 (out of 10). Keep in mind that this matching is version-based: a host that received a backported fix without a version bump can show up as a false positive, and a product the scanner cannot fingerprint will not show up at all.
These scanners report to management platforms that ingest, correlate, and track vulnerabilities over time, feeding back historical/trending information so administrators and security professionals can see what gaps exist and how effective their remediation efforts have been.
Software (and hardware/firmware) vendors issue patches that fix vulnerabilities in their products. In smaller IT environments, managing the installation of these patches can be as simple as allowing each host to automatically pull patches from the vendor. In larger environments, letting each host pull and install patches automatically can wreak havoc, so testing and deploying patches through a patch management solution is imperative. The vulnerability scanner and the patch management platform work together: administrators remediate known vulnerabilities through the patch platform, then validate the success of the patching effort with a follow-up scan that should show the finding closed.
Years ago, best practice was to deploy patches after “sufficient testing” had been accomplished by the entities downloading and installing the patches. Many administrators can recount horror stories where a single security patch brought down entire systems due to a lack of “sufficient testing.”
Now, as we’ve begun the third decade of the millennium, most software vendors put resources into patch development so that this “sufficient testing” is performed by the vendor before patches are made available to the public. Vendors test against the deployment scenarios they support, heavily reducing the risk that a single patch will bring down an operational system that is deployed according to best practices.
If your organization uses technologies in ways they were never intended, or well beyond their shelf life, then extended remediation schedules or large testing efforts may still be necessary to ensure operations are not impacted. However, if your organization maintains up-to-date technologies deployed according to best practice, your “sufficient testing” could be as minimal as deploying patches to a pilot group of PCs and servers, or to the development environment for your system. Some larger agencies require high and critical patches to be installed in production within as little as 7 days. So, the shorter, the better.
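The scanner-to-tracker-to-rescan loop described above, as an added example that is not part of the original article: a minimal tracker that maps CVE records to an asset inventory by product and version, ranks findings by CVSS base score, assigns a remediation deadline from a severity-based SLA (the 7-day figure for Critical/High is taken from the text; the 30/90-day figures for Medium/Low are assumptions), and compares two scans to confirm what a patch actually closed. The CVE IDs, product names, versions and scores are constructed placeholders, not real advisories.

```python
"""Added example (not from the original article): CVE-to-asset matching,
CVSS ranking, SLA deadlines and rescan validation for a vulnerability
management program. All records below are constructed placeholders."""
from datetime import date, timedelta

# Constructed records shaped like NVD data: affected product, first fixed
# version, and CVSS v3 base score. CVE IDs are placeholders.
CVES = [
    {"id": "CVE-0000-0001", "product": "acmedb",   "fixed_in": "12.3.5", "cvss": 9.5},
    {"id": "CVE-0000-0002", "product": "acmedb",   "fixed_in": "12.3.2", "cvss": 5.3},
    {"id": "CVE-0000-0003", "product": "webfront", "fixed_in": "2.0.1",  "cvss": 7.8},
    {"id": "CVE-0000-0004", "product": "acmedb",   "fixed_in": "11.9.0", "cvss": 8.1},
]

# Constructed inventory: what a scanner would report per host.
INVENTORY = [
    {"host": "Server 1", "system": "Human Resources", "product": "acmedb",   "version": "12.3.1"},
    {"host": "Server 2", "system": "Finance",         "product": "acmedb",   "version": "12.3.5"},
    {"host": "Web 1",    "system": "Human Resources", "product": "webfront", "version": "1.9.7"},
]

# Assumed remediation SLA in days, keyed by CVSS v3 severity rating.
# 7 days for Critical/High follows the agency example in the text.
SLA_DAYS = {"Critical": 7, "High": 7, "Medium": 30, "Low": 90}


def parse_version(version):
    """Turn '12.3.5' into (12, 3, 5) so comparison is numeric, not lexical.
    Assumes dotted numeric versions only (no '-rc1' suffixes)."""
    return tuple(int(part) for part in version.split("."))


def severity(score):
    """CVSS v3 qualitative rating bands."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def is_affected(cve, asset):
    """Version-based match: same product, running a version older than the fix."""
    return (cve["product"] == asset["product"]
            and parse_version(asset["version"]) < parse_version(cve["fixed_in"]))


def findings(cves, inventory, scan_date):
    """Join CVEs to assets, attach severity and due date, highest score first."""
    out = []
    for asset in inventory:
        for cve in cves:
            if not is_affected(cve, asset):
                continue
            rating = severity(cve["cvss"])
            days = SLA_DAYS.get(rating)
            out.append({
                "host": asset["host"], "system": asset["system"],
                "cve": cve["id"], "cvss": cve["cvss"], "severity": rating,
                "due": scan_date + timedelta(days=days) if days else None,
            })
    out.sort(key=lambda f: (-f["cvss"], f["host"]))
    return out


def overdue(finding_list, today):
    """Findings whose SLA deadline has passed as of 'today'."""
    return [f for f in finding_list if f["due"] and today > f["due"]]


def validate_rescan(before, after):
    """Diff two scans: fixed = closed by patching, still_open = unresolved,
    new = appeared since the previous scan (e.g. a newly published CVE)."""
    key = lambda f: (f["host"], f["cve"])
    b, a = {key(f) for f in before}, {key(f) for f in after}
    return {"fixed": sorted(b - a), "still_open": sorted(a & b), "new": sorted(a - b)}


if __name__ == "__main__":
    first = findings(CVES, INVENTORY, date(2020, 6, 1))
    for f in first:
        print(f"{f['host']:9} {f['cve']} {f['cvss']:4} {f['severity']:8} due {f['due']}")
    print("overdue on 2020-06-15:", [f["cve"] for f in overdue(first, date(2020, 6, 15))])
    # Simulate patching Server 1 to the fixed version and rescanning.
    patched = [dict(a, version="12.3.5") if a["host"] == "Server 1" else a for a in INVENTORY]
    print(validate_rescan(first, findings(CVES, patched, date(2020, 6, 9))))
```

The rescan diff is the step that is easy to skip: a patch job reporting “success” is not the same as the scanner no longer seeing the finding, and `still_open` after a patch cycle is the list that goes back to the administrators.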
Custom applications built in-house obviously have no vendor issuing patches for them. They also don’t draw the bulk of the malicious actor community, which focuses on vulnerabilities in widely deployed COTS products where one exploit pays off across many installations, so they won’t be as widely targeted as a massive COTS operating system. That doesn’t mean vulnerabilities don’t exist, and it doesn’t mean they can be ignored. Custom applications need the same attention to vulnerabilities as COTS, even though the tools and remediation timelines may be different.
Custom applications (which have shifted heavily toward web-enabled or hosted applications) typically offer two viewpoints from which to search for vulnerabilities: the user-facing front end, and the application’s underlying source code.
Dynamic application scanners crawl a website, enumerate every page and input available in the site, and test for vulnerabilities in functions like input fields and user sessions, as well as in the web service itself, including how the web service interacts with its server’s local file system.
Static code analysis takes in the source code that defines the user interface and background logic of the application and looks for security flaws as well as logic/syntax errors and departures from coding best practice. Manual code review is far more resource intensive than automated static scanning, but it catches the business-logic flaws that tools miss, so it should be done wherever the resources can be made available.
As vulnerabilities are discovered within custom applications, remediation should be managed through the organization’s configuration or change management processes. The schedules for such work typically extend further than COTS patching schedules do; however, security vulnerabilities in custom applications should still be remediated according to the risk tolerance of the organization (a concept discussed in a previous post – https://www.officeoftheciso.com/2020/04/21/what-is-a-chief-information-security-officer/).
Scanning tools and patch management solutions are very helpful in a vulnerability management program, but there can be more to the remediation picture than just patches.
Sometimes a patch is not available, or development of a fix takes longer than is acceptable. In those instances, technologies like virtual patching (provided by some Intrusion Prevention and Endpoint Protection products) and Web Application Firewalls (which recognize standard attack techniques and block or minimize their impact) can be deployed as a temporary stop-gap until the true fix is in place. Track each virtual patch against the change that will retire it, so the stop-gap doesn’t quietly become permanent.
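What a virtual patch looks like in logic, as an added example that is not from the original article: a request filter in front of a hypothetical `/download` endpoint whose `file` parameter is assumed to be vulnerable to path traversal until the application itself is fixed. The endpoint, the parameter, the rule ID `VP-001`, the change ticket `CHG-0000` and the sample request lines are all constructed for illustration. A real deployment would express the same rule in a WAF or IPS product; this is plain Python so the matching and the retirement step can be read and tested.

```python
"""Added example (not from the original article): a virtual patch expressed as
a request filter for a hypothetical vulnerable endpoint. All names below are
constructed placeholders."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed virtual-patch rule. 'ticket' is a placeholder reference to the
# change record that delivers the real fix and retires this rule.
VIRTUAL_PATCHES = [
    {
        "id": "VP-001",
        "path": "/download",
        "param": "file",
        # Reject '..' path segments, absolute paths, and NUL bytes.
        "deny": re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[\\/]|\x00"),
        "ticket": "CHG-0000",
    },
]


def normalize(value):
    """parse_qs already decoded once; decode again until the value stops
    changing so double-encoded payloads like %252e%252e%252f are caught."""
    current = value
    for _ in range(3):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def inspect(request_line, rules=VIRTUAL_PATCHES):
    """Return ('deny', rule_id) or ('allow', None) for one raw HTTP request line."""
    try:
        method, target, version = request_line.split(" ", 2)
    except ValueError:
        return ("deny", "malformed")
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    for rule in rules:
        if parts.path != rule["path"]:
            continue
        for raw in params.get(rule["param"], []):
            if rule["deny"].search(normalize(raw)):
                return ("deny", rule["id"])
    return ("allow", None)


def retire(rule_id, rules=VIRTUAL_PATCHES):
    """Remove a virtual patch once the real fix is deployed and a rescan
    confirms the finding is closed. Mutates the rule list in place."""
    rules[:] = [r for r in rules if r["id"] != rule_id]


# Constructed request lines standing in for traffic to the unpatched endpoint.
SAMPLE_REQUESTS = [
    "GET /download?file=report.pdf HTTP/1.1",
    "GET /download?file=../../etc/passwd HTTP/1.1",
    "GET /download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1",
    "GET /download?file=%252e%252e%252fetc%252fpasswd HTTP/1.1",
    "GET /download?file=/etc/passwd HTTP/1.1",
    "GET /profile?file=../../etc/passwd HTTP/1.1",
]


def decisions(requests=SAMPLE_REQUESTS, rules=VIRTUAL_PATCHES):
    """Run the filter over a batch of request lines."""
    return [inspect(r, rules) for r in requests]


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_REQUESTS, decisions()):
        print(f"{verdict[0]:5} {verdict[1] or '-':8} {line}")
```

Note that the last sample request carries the same payload but targets a different path and is allowed: a virtual patch is deliberately narrow, covering the one known weakness, which is exactly why it is a stop-gap and not a substitute for fixing the code.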
Staying on top of new vulnerabilities is very difficult. Thankfully, entities exist that can alert organizations to new vulnerabilities as they are announced. US-CERT is one such entity that announces new vulnerabilities (among other things). Sign up for these notifications here: https://public.govdelivery.com/accounts/USDHSUSCERT/subscriber/qualify
Read more about this US-CERT initiative here: https://www.us-cert.gov/mailing-lists-and-feeds
Staying on top of vulnerabilities, with remediation schedules as short as possible and sufficiently resourced patching/remediation efforts, is paramount to proper cyber hygiene. A solid vulnerability management program is one huge part of protecting the information resources that are so important to your organization.