Category list

Vulnerability Management

In addition to monitoring and managing threats, assessment and management of vulnerabilities is the other major void that is commonly found post-assessment on an IT infrastructure. Conducting risk and software vulnerability assessments and management is a continuous life cycle that requires documented procedures for conducting assessments on the IT infrastructure and the IT assets that are vulnerable. Vulnerability assessments require strategies for handling software vulnerabilities throughout the organization, which accounts for a majority of the server and workstation vulnerabilities given the vulnerabilities found in operating system software for servers and workstations.

The software vulnerability window must always be kept in line with the organization's defined Software Vulnerability Standard for minimizing the vulnerability window caused by software vulnerabilities. An enterprise software vulnerability management strategy coupled with a software patch management solution is required. An automated software patch management system and solution may be required for organizations that have large quantities of production servers and workstations.

Automating Software Patch Management

Automating an organization's software patch management solution requires careful planning and use of a patch management automation tool. Tracking, monitoring, and validating compliancy with the organization's minimum acceptable level of risk for software vulnerabilities is a full-time and ongoing responsibility. Because software vulnerabilities rank high in many organizations that conduct a risk and vulnerability assessment, many organizations must first define a policy for minimization of the vulnerability window and how the organization is going to validate compliancy throughout the enterprise.

The following defines an approach for handling software patches throughout the organization:

1.	Create a Software Vulnerability Policy to define the organization's vulnerability window and standards, procedures, and guidelines for tracking, monitoring, and reporting on known software vulnerabilities.
2.	Conduct a GAP analysis of known IT assets (servers and workstations) and their known software vulnerabilities: Create a report of any new GAPs on production servers and workstations and prioritize them. Assess whether to deploy the software patch on production servers or workstations, especially if testing and validation is required (this is highly recommended) prior to deployment of the software patch update. Obtain approval from the organization's Change Control Board prior to deployment of the software patch.
3.	Set patch update deployment schedule.
4.	Execute the software patch update deployment on identified workstations and servers.
5.	Confirm that the software patch update was accepted and received by the affected servers and/or workstations.
6.	Verify that the software vulnerability and gap is closed for the affected servers and/or workstations.
7.	Continuously monitor, track, and report on the organization's software vulnerabilities.
8.	Repeat process.

The results of a risk and vulnerability assessment typically require the organization to prioritize what vulnerabilities need to be addressed first by the organization. Many organizations are faced with limited budgets and thus must prioritize how they will spend funds on security initiatives and security countermeasures for identified threats and vulnerabilities. This is not an easy task and must be conducted with the security of the entire organization in mind. Then the organization can formulate a vulnerability management strategy that typically requires the elimination , mitigation, monitoring, and tracking of metrics.

Enterprise Vulnerability Management

Enterprise vulnerability management is a recurring process and requires documented procedures and guidelines so that compliance and conformance to the organization's policies and standards can be implemented properly. Vulnerability management typically contains the following processes:

Discovery— Perform an IT infrastructure and IT asset threat and vulnerability investigation.
Prioritize— Prioritize those vulnerabilities on production IT infrastructure assets based on their criticality to the organization and the Data Classification Standard.
Mitigate— Mitigate vulnerabilities via configuration updates, software patch updates, asset shielding behind firewalls, and/or patch installations.
Maintain— Conduct ongoing configuration management and provisioning.
Monitor— Continuously monitor the IT infrastructure and its IT assets by implementing procedures and guidelines for security management, reporting, and auditing.
Baseline— Conduct periodic baseline definitions for the IT assets, systems, and devices via assessments and continuous monitoring for security and software integrity.