Where are the Real Vulnerabilities?
Many organizations perform regular vulnerability scans but have a hard time eliminating the vulnerabilities. Many have told me that they run a scan, work through the report to eliminate every finding, and by the time everything is cleaned up and the next scan runs, new vulnerabilities have appeared. A cycle of reaction follows: scans are done, reports are given to system and network admins, they perform the necessary remediation, and the process starts all over. How can you escape this vicious cycle? How do you get ahead of the problem?
Many systems administrators can relate to this, and many are not sure how to escape the firefighting cycle. The key is to deal with the problem at the root rather than the symptoms. The vulnerabilities are a symptom of a deeper problem, one that lies early in the System Development Life Cycle (SDLC). Arguably, before we put systems in place we need to spend more time and effort trying to “get it right” in the early stages, so that we spend less effort fighting fires later.
Easier said than done? The best place to start is with a good book that helps you get the process started. A good book on IT process is The Visible Ops Handbook: Implementing ITIL in 4 Practical and Auditable Steps. It will help system admins regain the time needed to put effort into the front end of the life cycle and avoid the pitfall of constantly fighting fires.
Once you have the time to invest in the earlier stages of the system life cycle, you can develop the processes needed to increase system quality and stability. Quality control is a key component: it is the feedback loop that improves every process so that vulnerabilities, misconfigurations, downtime, and security incidents are eliminated or reduced.
Three key processes are Configuration Management, Change Control, and Patch Management; Vulnerability Management is the process that tests them. NIST has guidelines on how to implement these processes as part of a larger Risk Management Framework (RMF). If you are finding vulnerabilities, there is more than a vulnerability in your systems: there is a vulnerability, a “hole,” in your configuration management, change control or patch management processes. Eliminating the technical vulnerability does not eliminate the process vulnerabilities that allowed it to exist.
Apply quality control in the form of a feedback loop to the configuration management, change control and patch management processes, and determine what can be improved in each to decrease future system vulnerabilities. This is basic quality control that leads to greater stability in systems, fewer vulnerabilities, and less risk to the organization’s mission. Think of the vulnerability management process as a test of how well your other processes perform.
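The feedback loop described above can be made concrete by attributing each scan finding to the upstream process that let it through, rather than just fixing the finding. The script below is an added example, not code from the original post: it takes constructed scan findings, a constructed configuration baseline, a constructed patch-release table and a constructed change-approval log, and asks of each finding "was the patch late (patch management), was there no baseline for this setting (configuration management), or did the host drift from the baseline with or without an approved change (change control)?" The per-process totals are what you would carry back into a process review. All host names, patch identifiers, settings and the 30-day patch window are hypothetical.

```python
"""Attribute vulnerability scan findings to the process that allowed them.

Added example (not from the original post). Every identifier, host name,
setting and date below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    kind: str       # "missing_patch" or "config"
    item: str       # patch identifier or configuration setting name
    observed: str   # observed value (unused for missing patches)
    found_on: date  # date the scanner reported it


# Constructed reference data standing in for the organisation's records.
BASELINE = {                       # approved secure configuration baseline
    "ssh.PasswordAuthentication": "no",
    "smb.v1": "disabled",
    "tls.min_version": "1.2",
}
PATCH_RELEASED = {                 # when each (hypothetical) patch became available
    "KB-HYPOTHETICAL-1": date(2023, 1, 10),
    "KB-HYPOTHETICAL-2": date(2023, 3, 1),
}
APPROVED_CHANGES = {               # (host, setting) pairs that went through change control
    ("web01", "tls.min_version"),
}
PATCH_SLA_DAYS = 30                # hypothetical deadline for deploying a released patch


def attribute(f: Finding) -> str:
    """Return '<process>:<reason>' naming the process gap behind a finding."""
    if f.kind == "missing_patch":
        released = PATCH_RELEASED.get(f.item)
        if released is None:
            # Patch management does not even track this patch.
            return "patch_management:untracked_patch"
        age_days = (f.found_on - released).days
        if age_days > PATCH_SLA_DAYS:
            return "patch_management:sla_breached"
        return "patch_management:within_sla"
    if f.kind == "config":
        if f.item not in BASELINE:
            # Nobody defined what "correct" looks like for this setting.
            return "configuration_management:no_baseline"
        if f.observed == BASELINE[f.item]:
            # Scanner disagrees with the baseline itself: review the baseline.
            return "configuration_management:baseline_disputed"
        if (f.host, f.item) in APPROVED_CHANGES:
            # Change control approved a change that weakened the host.
            return "change_control:approved_insecure_change"
        # Host differs from baseline with no approved change on record.
        return "change_control:unauthorized_drift"
    return "unclassified"


def summarize(findings) -> dict:
    """Count findings per process:reason label."""
    return dict(Counter(attribute(f) for f in findings))


def process_scorecard(findings) -> dict:
    """Count findings per upstream process, the figure to feed back into process review."""
    return dict(Counter(attribute(f).split(":")[0] for f in findings))


# Constructed scan output for a single scan run.
SAMPLE_FINDINGS = [
    Finding("web01", "missing_patch", "KB-HYPOTHETICAL-1", "", date(2023, 4, 1)),
    Finding("db01", "missing_patch", "KB-HYPOTHETICAL-2", "", date(2023, 3, 15)),
    Finding("db01", "missing_patch", "KB-HYPOTHETICAL-9", "", date(2023, 4, 1)),
    Finding("web01", "config", "tls.min_version", "1.0", date(2023, 4, 1)),
    Finding("web02", "config", "smb.v1", "enabled", date(2023, 4, 1)),
    Finding("web02", "config", "ntp.server", "pool.example.invalid", date(2023, 4, 1)),
]

if __name__ == "__main__":
    for label, n in sorted(summarize(SAMPLE_FINDINGS).items()):
        print(f"{label:45s} {n}")
    print(process_scorecard(SAMPLE_FINDINGS))
```

Run as a script it prints the per-reason counts and the per-process totals; the totals, tracked scan over scan, show whether the process changes you make are actually reducing the number of findings each process lets through.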
NIST has a number of guidelines that can help. You can find them here:
NIST SP 800-53 Rev. 4 Security and Privacy Controls for Federal Information Systems and Organizations
NIST SP 800-128 Guide for Security-Focused Configuration Management of Information Systems
NIST SP 800-40 Rev. 3 Guide to Enterprise Patch Management Technologies