Vulnerability management (VM) can seem unmanageable at times. But the key to successful VM is working smarter rather than harder. If you approach VM intelligently and prioritize appropriately, you can keep the number of resulting tasks from spiraling out of control.
As with any on-going security practice, there are countless ways you can botch VM. Often the devil is in the details as well as the larger processes. That’s why it’s a good practice to step back and evaluate your vulnerability management program from end to end.
Below we list a few common pitfalls organizations need to avoid when it comes to vulnerability management.
Vulnerability Scanning Slipups
- Limited Scanning
Are you limiting your scanning to server-only or external-only scans? If so, you are missing the big picture. External scans look for vulnerabilities in your firewalls which attackers could exploit to access your network. These can include weak security configurations or unpatched protection software. Internal scans look for weaknesses within your network, such as poor configurations or even malware that has been downloaded. Both internal and external assets are vital to examine. You cannot make sound remediation decisions based on incomplete information, so don’t limit your scans to one or the other.
- Incomplete Scanning
Are you using an up-to-date Configuration Management Database (CMDB) to inform your scanning? If not, your scans could be inadvertently skipping vital assets. Be sure your CMDB is a complete and accurate representation of your assets and their interdependencies. This will help prevent the creation of scanning blind spots.
- Wasted Scanning
Are you running scans and ignoring the results? If so, you are wasting time and resources, not to mention squandering an opportunity. We all know it can be tempting to just run required scans to “check a box”. However, if you do not have a plan for reviewing results and developing remediation actions, you are missing a chance to make your systems more secure. That’s not a sound business practice.
Perhaps you are hesitant to address scan results because your team is small, with limited bandwidth. In these instances, you must heavily prioritize your scan results. You can make a long list more manageable with several layers of prioritization. These can help you highlight just what vulnerabilities are the most critical and what actions are absolutely necessary. By addressing critical vulnerabilities immediately, you can avoid the resource-heavy cleanup process that would result from an exploited vulnerability.
- Improper Scanning Cadence
Are you running scans too infrequently? Or are you running them so often that they are more of a monitoring tool? If you are doing either, you are undermining your own VM efforts. It’s crucial to identify the scanning frequency that works for your organization. If you misuse scanning, you could potentially be placing unnecessary strain on bandwidth and target assets. If you run scans too infrequently, you could miss vulnerabilities and increase the likelihood that a flaw will be exploited against your system. The longer a flaw exists undiscovered, the more exposed to a breach your network becomes. To ensure you keep VM effective and manageable, assess your team’s capabilities and strike the right balance with your scanning cadence.
- Restricted Scanning Results
Are you refusing to whitelist your vulnerability scanner? If so, you are not getting an accurate read on the potential vulnerabilities that exist behind your firewall. Firewall security is set up to deny malicious traffic. However, scanning results can come across as malicious because of their subject matter. Therefore, if you don’t whitelist your scanner, your firewall will deny the scanner traffic. This will result in artificially positive scanning results which can lead to a false sense of security.
Careless Vulnerability Resolution
- Mismanaged Scanning Results
Have you been tossing giant lists of unprioritized, unvetted vulnerabilities to your team? If so, you are most likely “helping” them become less effective and less efficient. That’s not exactly the goal of most businesses. Don’t overwhelm your team with a horde of vulnerabilities that haven’t been ranked and then ask them to create order out of chaos. Use agreed upon criteria in conjunction with vulnerability management tools to sort, filter, and prioritize lists before they are handed over. The right vulnerability management solution will offer features that enable effective ranking, as well as the ability to monitor progress.
- Mitigation without Remediation
When you address vulnerabilities, are you just performing fixes or stop-gap measures without any cause analysis? If so, your team will likely run up against similar issues again and again. You must identify how vulnerabilities occur or you won’t be able to avoid recurrence in the future. Fixes alone address the “symptoms”, but not the “disease” that is causing them. Be sure your team is prepared to uncover and address the root of vulnerabilities as well as provide a remedy.
- Endless Exceptions
Do you have a list of exceptions that don’t have an expiration date? If so, you could be permanently ignoring some vulnerabilities that still require remediation. In VM, exceptions are made for a variety of reasons. Some are false positives that represent vulnerabilities that have already been addressed, but that some automated scans cannot distinguish as patched. Others are delayed actions, which are usually vulnerabilities that cannot be addressed within the Service Level Agreement’s (SLA’s) specified time period. This type of exception must be given an expiration date to ensure it gets addressed in the future. If you do not assign expiration dates, you run the risk of creating an ever-growing list of vulnerability exceptions with endless shelf lives. And the longer they persist, the more vulnerable your organization becomes.
- Needless VM Complications
Are you using a complex Vulnerability Management (VM) solution because you think complexity = effectiveness? If so, you are not operating as efficiently and as effectively as you could be. Once upon a time, complicated vulnerability management was the only way to go. Large, unreadable, unactionable lists of vulnerabilities were just an accepted part of IT. But no more. There are much better options available today.
You need a VM solution designed to empower IT teams with powerful technology that is easy to use. Additionally, you should look for a SaaS-based vulnerability management tool that provides an easily deployed, flexible solution that can grow and change with your business. The right VM solution will provide filtering, sorting, and ranking features that can prioritize your vulnerabilities and help you maximize your IT team’s productivity.
The opinions expressed in this post belongs to the individual contributors and do not necessarily reflect the views of Information Security Buzz.