In addition to monitoring and managing threats, assessment and management of vulnerabilities is the other major void that is commonly found post-assessment on an IT infrastructure. Conducting risk and software vulnerability assessments and management is a continuous life cycle that requires documented procedures for conducting assessments on the IT infrastructure and the IT assets that are vulnerable. Vulnerability assessments require strategies for handling software vulnerabilities throughout the organization, which accounts for a majority of the server and workstation vulnerabilities given the vulnerabilities found in operating system software for servers and workstations.
The software vulnerability window must always be kept in line with the organization's defined Software Vulnerability Standard for minimizing the vulnerability window caused by software vulnerabilities. An enterprise software vulnerability management strategy coupled with a software patch management solution is required. An automated software patch management system and solution may be required for organizations that have large quantities of production servers and workstations.
Automating Software Patch Management
Automating an organization's software patch management solution requires careful planning and use of a patch management automation tool. Tracking, monitoring, and validating compliancy with the organization's minimum acceptable level of risk for software vulnerabilities is a full-time and ongoing responsibility. Because software vulnerabilities rank high in many organizations that conduct a risk and vulnerability assessment, many organizations must first define a policy for minimization of the vulnerability window and how the organization is going to validate compliancy throughout the enterprise.
The following defines an approach for handling software patches throughout the organization:
The results of a risk and vulnerability assessment typically require the organization to prioritize what vulnerabilities need to be addressed first by the organization. Many organizations are faced with limited budgets and thus must prioritize how they will spend funds on security initiatives and security countermeasures for identified threats and vulnerabilities. This is not an easy task and must be conducted with the security of the entire organization in mind. Then the organization can formulate a vulnerability management strategy that typically requires the elimination, mitigation, monitoring, and tracking of metrics.
Enterprise Vulnerability Management
Enterprise vulnerability management is a recurring process and requires documented procedures and guidelines so that compliance and conformance to the organization's policies and standards can be implemented properly. Vulnerability management typically contains the following processes:
Introduction to Assessing Network Vulnerabilities
Foundations and Principles of Security
Why Risk Assessment
Scoping the Project
Understanding the Attacker
Performing the Assessment
Tools Used for Assessments and Evaluations
Preparing the Final Report
Appendix A. Security Assessment Resources
Appendix B. Security Assessment Forms
Appendix C. Security Assessment Sample Report
Appendix D. Dealing with Consultants and Outside Vendors
Appendix E. SIRT Team Report Format Template