15.8 VMP COMPONENTS


As can be seen from the above list, the VMP methodology is a combination of security best practices, standard assessment methodologies, performance-based reporting, and end-user education. In this section we will dig deeper into the individual VMP components and provide a more concrete definition of each.

15.8.1 Documentation of Business Critical Assets

Documenting business critical assets is simple. Classifying them, and identifying where they fit in the overall hierarchy of importance, however, is infinitely more complex. The crux of the problem stems from the fact that there are varying opinions of which systems are truly core to the business. To adequately assess and classify assets, a small organization may be successful in basing decisions solely on which servers are directly responsible for revenue and EPHI. Larger organizations will have a more difficult time due to the number of systems involved, and the occasional blurred lines between revenue, EPHI, and other sensitive data. For those organizations with the latter challenge, a quantitative risk assessment approach can help to classify business critical assets in a more methodical and objective manner. These approaches will not be discussed in detail here, but there are a large number of other available resources that address this subject.

When documenting critical assets, it is imperative that the proper information be recorded. At a minimum, organizations should document the following on a per device basis:

  • Hostname

  • IP address

  • Device purpose

  • Device platform

  • Operating system version and patch level

  • Installed applications, including versions and patch levels

  • Listening ports

  • Group responsible for device ownership

15.8.2 Identification of Acceptable Risk Exposure

The resources available to evaluate policy, controls, and vulnerabilities, often dictate acceptable risk exposure. If few resources are applied to keeping business assets safe, then by default the organization's risk exposure is elevated to unacceptable levels. Acceptable risk exposure can be evaluated qualitatively based on the access policies governing the reachability of critical assets. For example, it may not be necessary to patch a vulnerable service that is not accessible on a particular server.

From a quantitative perspective, organizations should establish metrics surrounding the acceptable number of high, medium, and low risk vulnerabilities within the enterprise. Once agreed upon by management, metrics can assist by forming the foundation of a business case when additional staff is required to address critical network exposures.

15.8.3 Identification of Accountable Parties

One of the most important elements within the VMP is the identification of accountable parties. Without a well-defined understanding of who will approve deviations and exceptions to the program, or which parties will resolve critical vulnerabilities, the overall effectiveness of the VMP is significantly reduced.

As the VMP is intended to be an overarching program that impacts awareness and remediation of vulnerabilities across the enterprise, the individual responsible for approving deviations and exceptions should be at the director level or higher. If this is not feasible, these responsibilities should only be placed with an individual who has the appropriate authority and technical know-how to assess the potential impacts of changes to the program.

Selecting individuals to be responsible for remediation efforts can be a challenging task. Larger organizations will have limited success designating a single point of contact for these efforts. Instead, the implementation of a cascading escalation system typically proves to be most effective. In such a system, reports are provided to an individual based on site or logical server grouping. Responsibility then falls on this individual to assess risk based on his or her knowledge of the site/group; this individual then coordinates with the appropriate stakeholders for patching and upgrades.

15.8.3.1 Procedures for Conducting Assessments

Despite only being a single element of the vulnerability management program, assessments can be one of the most time consuming and resource intensive actions undertaken by the organization's security team. Traditionally, a vulnerability assessment includes the following actions:

  • Pre-assessment - It is within this phase that critical assets are categorized, the scope of the assessment is defined, and the method of assessment is selected.

  • Assessment - This phase may include a variety of practices ranging from simple discovery scanning to in-depth penetration testing. The specifics of the organization's acceptable risk guidelines will dictate the type and frequency of assessment.

  • Post-assessment - The final phase includes a comprehensive review of results, prioritization of vulnerabilities, and a remediation plan.

15.8.3.1.1 Pre-Assessment

In the context of a vulnerability management program, most pre-assessment activities are typically addressed through the documentation of critical assets, agreement of acceptable risk levels, and identification of accountable parties. If all three of these components have been properly defined, the organization needs only to decide on the overall scope and method of the assessment.

Determining the scope of the assessment involves identifying what resources will be scanned and how. Typically, non-invasive discovery scans are conducted at higher frequencies than all-out vulnerability checks. Discovery scanning can often provide surprising results, as unknown or unauthorized systems are frequently identified. This type of probing gives the organization an opportunity to reduce unauthorized network access and misuse, while placing the overall uptime of critical assets under minimal risk.

If a full vulnerability check is to be conducted, the proper notifications must be provided to stakeholders so that they are aware of potential system availability issues. Full exploit checks should be conducted against critical assets at regular intervals. The frequency of these intervals should be driven by your established guidelines for acceptable risk exposure and change management practices. Most organizations settle on biweekly or monthly intervals for truly business critical assets.
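Two of the pre-assessment checks described above lend themselves to a small script: confirming that every proposed scan target lies inside a range the accountable party has authorized, and reconciling discovery-scan results against the documented asset inventory so that unknown systems, undocumented listening ports, and documented hosts that did not answer are all surfaced. The following is an added example written for this chapter, not code from the book; the authorized ranges, inventory entries (using the per-device fields from 15.8.1), hostnames and discovery results are constructed sample data.

```python
"""Pre-assessment scope check and discovery reconciliation.

Added example, not from the book. It assumes a list of authorized network
ranges approved by the accountable party and an inventory recorded with the
per-device fields from 15.8.1. All addresses, hostnames and scan results
below are constructed sample data.
"""
import ipaddress

# Constructed: ranges the program owner has authorized for scanning.
AUTHORIZED_SCOPE = [
    ipaddress.ip_network("10.20.0.0/24"),
    ipaddress.ip_network("10.20.5.0/24"),
]

# Constructed: documented critical assets (a subset of the 15.8.1 fields).
INVENTORY = [
    {"hostname": "ehr-db01", "ip": "10.20.0.10", "purpose": "EHR database",
     "owner": "Clinical Systems", "listening_ports": [1433, 3389]},
    {"hostname": "bill-app01", "ip": "10.20.0.20", "purpose": "Billing web app",
     "owner": "Finance Systems", "listening_ports": [443]},
    {"hostname": "fs01", "ip": "10.20.5.15", "purpose": "Departmental file server",
     "owner": "Infrastructure", "listening_ports": [445]},
]

# Constructed: hosts and open ports reported by a discovery scan of the
# authorized ranges. 10.20.0.77 is not documented anywhere, bill-app01 shows
# an extra port, and fs01 did not answer at all.
DISCOVERED = [
    {"ip": "10.20.0.10", "open_ports": [1433, 3389]},
    {"ip": "10.20.0.20", "open_ports": [443, 8080]},
    {"ip": "10.20.0.77", "open_ports": [22]},
]


def validate_targets(targets, scope=AUTHORIZED_SCOPE):
    """Split proposed targets (single IPs or CIDR blocks) into those wholly
    inside an authorized range and those that must not be scanned."""
    in_scope, out_of_scope = [], []
    for target in targets:
        net = ipaddress.ip_network(target, strict=False)
        authorized = any(
            net.version == auth.version and net.subnet_of(auth) for auth in scope
        )
        (in_scope if authorized else out_of_scope).append(target)
    return in_scope, out_of_scope


def reconcile(discovered, inventory=INVENTORY):
    """Compare discovery results with the inventory and report three gaps:
    hosts that answered but are undocumented, documented hosts exposing
    ports the inventory does not list, and documented hosts not seen."""
    by_ip = {asset["ip"]: asset for asset in inventory}
    seen = set()
    unknown_hosts, undocumented_ports = [], {}
    for host in discovered:
        seen.add(host["ip"])
        asset = by_ip.get(host["ip"])
        if asset is None:
            unknown_hosts.append(host["ip"])
            continue
        extra = sorted(set(host["open_ports"]) - set(asset["listening_ports"]))
        if extra:
            undocumented_ports[asset["hostname"]] = extra
    missing_hosts = sorted(a["hostname"] for a in inventory if a["ip"] not in seen)
    return {
        "unknown_hosts": sorted(unknown_hosts),
        "undocumented_ports": undocumented_ports,
        "missing_hosts": missing_hosts,
    }


if __name__ == "__main__":
    ok, rejected = validate_targets(["10.20.0.0/24", "10.20.5.0/24", "10.30.0.0/24"])
    print("authorized:", ok, "rejected:", rejected)
    for gap, detail in reconcile(DISCOVERED).items():
        print(f"{gap}: {detail}")
```

A target is accepted only when the whole block sits inside one authorized range, so a proposed /23 that merely overlaps an authorized /24 is rejected rather than partially scanned. Each of the three reconciliation outputs maps to a follow-up the text calls for: unknown hosts go to the accountable party for the site, undocumented ports mean the inventory or the device needs correcting, and missing hosts should be confirmed as down or re-addressed before the inventory is trusted for a full check.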

Determining the method of assessment varies based on your organization's security expertise, allotted resources, and available security budget. Choosing a method involves deciding upon who will perform the scan, what tools will be used, and from where the scan will be conducted. Typically there are four recognized methods for conducting an assessment:

  • First party internal assessment - Conducted by the internal security team within your organization. Scans are executed from the trusted side of the network perimeter, so that assets are assessed without the hindrance of a locked-down perimeter security policy. This provides a view of the asset's stand-alone risk exposure.

  • Third party internal assessment - Functionally the same as the above, but conducted by an independent auditor or consultant under NDA. Contracting with a third party provides more objective results and allows the organization to leverage security expertise beyond that of its internal staff.

  • First party external assessment - Leverages internal resources to conduct assessments of the network's external-facing security posture. Such a scan can be useful in evaluating the effectiveness of access control policies, and provides a 'hacker's view' of the network.

  • Third party external assessment - Combines the hacker's view with the objectivity of an outside party.

If budgetary constraints allow, the most effective strategy can be the application of a hybrid approach. Allowing internal and third party resources to collaborate in a controlled environment ensures that the proper systems are scanned, and allows the knowledge capital of both parties to be wholly invested into the assessment effort.

15.8.3.1.2 Assessment

The assessment phase involves the act of scanning and assessing the network for vulnerabilities and exposures as defined in the pre-assessment phase. Prior to beginning any scanning, the assessment team must validate the ranges of IP addresses to be scanned. The team must also ensure that permission has been obtained from all appropriate parties prior to launching any large-scale reconnaissance or exploit attempts. A full-scale vulnerability assessment typically includes the following actions:

  • Research - Identification of IP ownership, publicly accessible servers, and intelligence gathering. This information provides the details required to begin scanning efforts, and reveals any identifiable patterns in how the organization's network administration team operates.

  • Reconnaissance - The enumeration of available network assets, operating systems, available ports, and applications served. The results of the reconnaissance step provide the backdrop for selecting and launching exploits.

  • Exploitation - Actively compromising or simulating the compromise of vulnerable hosts. Simulated exploitation through automated assessment tools is frequently the preferred method for this step. Simulation reduces the overall resource investment and minimizes potentially adverse system impacts.

  • Documentation - Capturing and recording of all system intrusions and intrusion attempts. If the penetration test is conducted manually, screen captures should be taken of all system intrusions and intrusion attempts. In addition, keyboard logging may be used to provide an additional record of actions taken. If the assessment is conducted using automated tools, the maximum logging and reporting features should be enabled on any initial assessment. This ensures adequate data is available for remediation efforts.

Detailed assessments such as those listed above may take several days to several weeks to conduct, depending on the organization's overall size. However, once the initial assessment is completed, supplementary scanning of varying scopes at regular intervals will ensure the organization's exposure level remains within established parameters. Following the documentation of the assessment, the team will then proceed to the final post-assessment phase.

15.8.3.1.3 Post Assessment

At first glance, the post-assessment process appears to overlap some of the components in the overall scope of the VMP. However, actual overlaps are minimal, as VMP reporting requirements augment reports generated during the post-assessment phase. Reports generated during post-assessment should focus directly on systems scanned, intrusions attempted, and vulnerabilities discovered.

The assessment team should provide details regarding the risk level of discoveries, potential impacts, and available remediations on a per vulnerability basis. A customized assessment report should then be provided to identified accountable parties, and a comprehensive report should be delivered to the IT director or established delegate.

15.8.3.1.4 Procedures for Response and Remediation

One of the core reasons for instituting a vulnerability management program is to reduce the time span between assessment and remediation. This is accomplished by providing actionable information to the proper parties. As indicated above, the assessment team should divide the post-assessment results based on the logical separations in the accountable party list. These segmented results should then disseminate to the proper individuals so that they can be classified in the context of each environment. The goal of this step is to ensure that proper priorities are given to which exposures should be eliminated first.

Prioritizing exposures involves evaluating the risks associated with a given vulnerability in the context of where the affected server fits into the organization's hierarchy of assets. As such, a critical asset with medium-priority vulnerabilities may require more attention than a less critical asset with high-priority vulnerabilities. While this situation may in fact be true, one should not discount the impacts a compromise of the lower-ranked asset may have on assets higher up the hierarchy. Prioritizing remediation efforts is thus a careful balance between risk exposure and business impact.

Once exposures have been prioritized, they must be addressed in a time frame commensurate with the risk level. If high-risk vulnerabilities are identified on critical servers, administrators should consider the impacts of declaring emergency maintenance windows to apply the proper security fixes. Medium and low priority vulnerabilities can typically be addressed through regularly scheduled maintenance periods.
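The prioritization rule described in the two paragraphs above, weighing severity against the asset's place in the hierarchy, allowing a lower-ranked asset to inherit the importance of the higher-ranked assets that trust it, and then mapping the result to an emergency or scheduled maintenance window, can be made mechanical so that every accountable party applies it the same way. The following is an added example written for this chapter, not the book's own method; the tier values, severity weights, score thresholds, trust relationships and SLA day counts are constructed policy assumptions, and the hostnames and vulnerability identifiers are placeholders rather than real systems or CVEs.

```python
"""Remediation prioritization: weigh vulnerability severity against where the
affected asset sits in the organization's hierarchy, and derive a due date.

Added example, not from the book. The tier values, weights, score thresholds
and SLA day counts are constructed policy assumptions; hostnames and
vulnerability identifiers are placeholders, not real systems or CVEs.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed: asset tier from the classification step (3 = business critical).
ASSET_TIER = {"ehr-db01": 3, "bill-app01": 3, "fs01": 2, "kiosk07": 1}

# Constructed: higher-ranked assets that trust each lower-ranked asset, e.g.
# ehr-db01 writes its backups to fs01. A compromise of fs01 therefore
# threatens ehr-db01, which is the caveat the text raises.
TRUSTED_BY = {"fs01": ["ehr-db01"]}

SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed: days allowed to close a finding in each band. "emergency"
# corresponds to an emergency maintenance window, the other two to regular
# maintenance periods.
SLA_DAYS = {"emergency": 3, "scheduled": 30, "routine": 90}


@dataclass
class Finding:
    hostname: str
    vuln_id: str   # placeholder identifier, not a CVE
    severity: str  # "high", "medium" or "low"
    reported: date


def effective_tier(hostname, tiers=ASSET_TIER, trusted_by=TRUSTED_BY):
    """An asset inherits the tier of any higher-ranked asset that trusts it."""
    own = tiers[hostname]
    upstream = [tiers[h] for h in trusted_by.get(hostname, [])]
    return max([own] + upstream)


def risk_score(finding):
    return effective_tier(finding.hostname) * SEVERITY_WEIGHT[finding.severity]


def risk_band(finding):
    """Map the score to a remediation band. Only a high-severity finding on
    a critical (tier 3) asset reaches the emergency band."""
    score = risk_score(finding)
    if score >= 9:
        return "emergency"
    if score >= 4:
        return "scheduled"
    return "routine"


def due_date(finding):
    return finding.reported + timedelta(days=SLA_DAYS[risk_band(finding)])


def prioritize(findings):
    """Order findings for the accountable party: highest score first, with
    hostname and identifier as deterministic tie-breakers."""
    ordered = sorted(findings, key=lambda f: (-risk_score(f), f.hostname, f.vuln_id))
    return [
        {"hostname": f.hostname, "vuln_id": f.vuln_id, "score": risk_score(f),
         "band": risk_band(f), "due": due_date(f).isoformat()}
        for f in ordered
    ]


# Constructed findings from one assessment period.
FINDINGS = [
    Finding("ehr-db01", "VULN-0001", "high", date(2024, 3, 1)),
    Finding("kiosk07", "VULN-0002", "high", date(2024, 3, 1)),
    Finding("fs01", "VULN-0003", "high", date(2024, 3, 1)),
    Finding("bill-app01", "VULN-0004", "medium", date(2024, 3, 1)),
    Finding("kiosk07", "VULN-0005", "low", date(2024, 3, 1)),
]

if __name__ == "__main__":
    for item in prioritize(FINDINGS):
        print(item)
```

With these assumptions a medium finding on the critical billing server outranks a high finding on a kiosk, which is the situation the text describes, and the high finding on the file server is escalated to an emergency window purely because the EHR database trusts it. The trust map is the part most worth keeping accurate, since it is the only thing preventing a lower-ranked asset from being quietly deferred.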

If a given device cannot be patched due to stringent availability requirements, responsible parties must look toward other measures that can reduce risk. Evaluation of security policies, restricting access to trusted servers and hosts only, and the implementation of host based intrusion protection can sometimes function as effective interim measures.

As patches and remediation measures are implemented, regular progress reports should be delivered to the program owner. This will ensure that all parties responsible for remediation efforts are meeting their commitments to protecting the overall enterprise.

15.8.3.1.5 Review of Security Policies and Procedures

Procedural deficiencies are likely to be discovered as risk exposures are identified across the organization. While patching and other remediation techniques effectively reduce the immediate exposures, further steps must be taken to prevent reoccurrence. Regular reviews of the organization's security policy provide a good first step. This ensures that the policy addresses all the required areas, and that those responsible for enforcing the policy are aware of its limitations.

Further, high numbers of identified vulnerabilities may point to deficiencies in general maintenance and system administration techniques. Thus, regular assessments can provide the compelling event that results in revamping internal controls related to the care of critical assets.

15.8.3.1.6 Quantitative and Qualitative Vulnerability Reporting

Reporting of VMP results is one of the most important steps in the overall process. It is these reports that articulate the return on investment of program initiatives, and that help to support the program's business case. Because of this, it is important that all program activities are captured and reported on both a qualitative and quantitative basis. Reports can be created in any format desired, although the following suggested format will help to ensure that the report meets the needs of all stakeholders at various levels.

Reports should begin with an executive summary that outlines overall program findings for the reporting period. This should be followed by a short, written overview that outlines the program's scope, covered areas, and agreed-upon acceptable risk exposure parameters. Following the overview, the program administrator may wish to include a graphical summary of program results in comparison to agreed-upon risk exposures, results from the previous reporting period, and a cumulative year-to-date comparison. These graphics will provide the succinct overview that upper management will likely require. Next, one may wish to include a detailed list of all critical assets, and the logical segmentation of these assets based on accountable party assignments. Inclusive to each separate grouping should be a list of the vulnerabilities identified, their prioritization within the grouping, and vulnerabilities successfully closed. Finally, a full listing of the actual assessment results should be provided for reference.
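The quantitative part of the report format just described reduces to a few aggregations over the assessment results: open and closed counts per accountable-party grouping, enterprise-wide open counts measured against the acceptable-exposure thresholds agreed in 15.8.2, and the change since the previous reporting period. The following is an added example written for this chapter, not the book's own reporting tool; the thresholds, previous-period counts, owner groups and result rows are constructed sample data.

```python
"""Quantitative VMP reporting: summarize assessment results per accountable
party and compare enterprise-wide open counts with the acceptable risk
exposure agreed in 15.8.2 and with the previous reporting period.

Added example, not from the book. The thresholds, previous-period counts and
result rows below are constructed sample data.
"""
from collections import Counter

SEVERITIES = ("high", "medium", "low")

# Constructed: acceptable number of open vulnerabilities per severity level.
ACCEPTABLE_OPEN = {"high": 0, "medium": 5, "low": 20}

# Constructed: open counts at the end of the previous reporting period.
PREVIOUS_OPEN = {"high": 2, "medium": 4, "low": 9}

# Constructed: one row per vulnerability per host for this period. "owner"
# is the accountable-party grouping used to segment the report.
RESULTS = [
    {"owner": "Clinical Systems", "hostname": "ehr-db01", "severity": "high", "status": "open"},
    {"owner": "Clinical Systems", "hostname": "ehr-db01", "severity": "medium", "status": "closed"},
    {"owner": "Finance Systems", "hostname": "bill-app01", "severity": "medium", "status": "open"},
    {"owner": "Finance Systems", "hostname": "bill-app01", "severity": "high", "status": "closed"},
    {"owner": "Infrastructure", "hostname": "fs01", "severity": "low", "status": "open"},
    {"owner": "Infrastructure", "hostname": "fs01", "severity": "low", "status": "open"},
    {"owner": "Infrastructure", "hostname": "kiosk07", "severity": "medium", "status": "open"},
]


def summarize_by_owner(results):
    """Per accountable party: open and closed counts by severity."""
    summary = {}
    for row in results:
        group = summary.setdefault(row["owner"], {"open": Counter(), "closed": Counter()})
        group[row["status"]][row["severity"]] += 1
    return summary


def enterprise_status(results, acceptable=ACCEPTABLE_OPEN):
    """Open counts across all groups measured against the agreed thresholds."""
    open_counts = Counter(r["severity"] for r in results if r["status"] == "open")
    return {
        sev: {"open": open_counts[sev], "acceptable": acceptable[sev],
              "within_limit": open_counts[sev] <= acceptable[sev]}
        for sev in SEVERITIES
    }


def period_delta(results, previous=PREVIOUS_OPEN):
    """Change in open counts since the previous period (negative = improvement)."""
    open_counts = Counter(r["severity"] for r in results if r["status"] == "open")
    return {sev: open_counts[sev] - previous[sev] for sev in SEVERITIES}


def executive_summary(results):
    """Plain-text lines for the executive summary at the head of the report."""
    lines = []
    for sev, status in enterprise_status(results).items():
        verdict = "within" if status["within_limit"] else "EXCEEDS"
        lines.append(f"{sev}: {status['open']} open ({verdict} limit of {status['acceptable']})")
    for sev, delta in period_delta(results).items():
        lines.append(f"{sev}: {delta:+d} versus previous period")
    return lines


if __name__ == "__main__":
    print("\n".join(executive_summary(RESULTS)))
    for owner, counts in summarize_by_owner(RESULTS).items():
        print(owner, "open:", dict(counts["open"]), "closed:", dict(counts["closed"]))
```

The per-owner summary feeds the segmented section of the report, the enterprise status and period delta feed the executive summary and the trend graphics, and a threshold breach (here, one open high-severity finding against an agreed limit of zero) is exactly the figure the text says should anchor a business case for additional remediation resources.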

Reports should be archived and stored for a minimum of one year. As with any data that identifies the exposures of the organization, reports should be encrypted and accessible only by the program administrator. Hard copies of reports should be destroyed via burn-bin or shredder, or stored under lock and key.

15.8.3.1.7 Employee Education

Employee education represents the final component within the vulnerability management program. This piece is incorporated to address the enforcement of policy across the organization. With the dramatic increase in hybrid threats over the course of recent years, an organization's own employees have in some cases become the most significant risk to the overall availability and integrity of the network. By educating end-users on the importance of patching, and their obligations as users of the network, an organization stands a better chance of minimizing the introduction of threats into the environment.

Organizations tend to have limited success socializing such messages through e-mail or written communications. Instead, mandatory face-to-face meetings delivered at the management level prove most successful. Such educational sessions should be delivered to all new employees during the orientation process, and refreshers should be delivered to all employees on an annual basis. The key to ensuring end-users live up to their obligations is to keep constant awareness surrounding management's expectations.


HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181