When Vulnerability Management Meets Compliance

New Dark Reading report offers advice on building a vulnerability management process that even your auditors will love

[Excerpted from "Compliance 101: Creating A Strong Vulnerability Management Strategy," a new report published today in Dark Reading's Vulnerability Management Tech Center.]

Finding and fixing security vulnerabilities in an enterprise is tough enough without someone looking over your shoulder. But when regulatory compliance requirements are involved -- and the auditors who come with them -- the process of vulnerability management brings on a new set of challenges.

So how can IT create a comprehensive vulnerability management plan? To crack this nut, we recommend a three-pronged approach that combines strong policies, well-disciplined operational procedures, and effective software validation tools.

The traditional approach to vulnerability scanning is to drop a system on the network, grab a network range, tweak a few configuration settings, and then start scanning away. Once the software is done, a report is generated to provide the next step: a to-do list. Simple enough.

The problem, however, always seems to come when the report is actually scrutinized and a voluminous list of action items emerges. There are just too many false positives. And if incremental delta scans are not performed, it is difficult to tell what has actually changed in the environment, so time is wasted re-analyzing items that have already been reviewed.

With a good vulnerability management process and proper selection of tools, you can minimize the false positives and reduce duplicate efforts.

The main weapon in IT's unending struggle to stay ahead of the bad guys isn't the hottest new security system. It's a process in which we identify vulnerabilities, rank them in a meaningful way based on business and compliance realities, and then decide whether to accept the risk, mitigate problems with appropriate fixes, or offload the risk to a third party. Not sexy, but vital.
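The delta-and-triage loop the last few paragraphs describe, carried through as an added example (this is not code from the report): two scan runs are compared by (host, port, check) key so only what changed needs a fresh look; decisions recorded at the last review are replayed so accepted and false-positive findings do not come back as work; and what remains is ranked by CVSS weighted by the asset's business or compliance criticality. The finding format, the register entries and the criticality weights are hypothetical stand-ins for a scanner export and an asset inventory.

```python
"""Delta comparison and risk-based triage of two vulnerability scan runs.

Added example; not code from the Dark Reading report. The finding format,
the risk-register decisions and the asset criticality values are all
hypothetical, stand-ins for whatever your scanner and asset inventory export.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # the scanner's own check/plugin identifier
    title: str
    cvss: float     # base score as reported by the scanner

    @property
    def key(self) -> Tuple[str, int, str]:
        # What makes a finding "the same" across runs: same host, port, check.
        return (self.host, self.port, self.check_id)


@dataclass(frozen=True)
class WorkItem:
    finding: Finding
    action: str      # "mitigate", "accepted", "transferred" or "false_positive"
    priority: float  # 0 when no work is owed


# Constructed sample data: last month's run and this month's run.
PREVIOUS_SCAN = [
    Finding("10.0.0.5", 443, "SSL-WEAK-CIPHER", "TLS server accepts weak cipher suites", 5.3),
    Finding("10.0.0.5", 80, "HTTP-TRACE", "HTTP TRACE method enabled", 4.3),
    Finding("10.0.0.7", 22, "SSH-VERSION-OLD", "SSH banner reports an outdated version", 7.5),
]
CURRENT_SCAN = [
    Finding("10.0.0.5", 443, "SSL-WEAK-CIPHER", "TLS server accepts weak cipher suites", 5.3),
    Finding("10.0.0.7", 22, "SSH-VERSION-OLD", "SSH banner reports an outdated version", 7.5),
    Finding("10.0.0.5", 445, "SMB-SIGNING-OFF", "SMB signing not required", 5.3),
    Finding("10.0.0.9", 8080, "TOMCAT-DEFAULT-CREDS", "Tomcat manager uses default credentials", 9.8),
]

# Hypothetical risk register: decisions recorded at the last review, keyed the
# same way as findings so they can be replayed against every new run.
RISK_REGISTER: Dict[Tuple[str, int, str], str] = {
    ("10.0.0.5", 443, "SSL-WEAK-CIPHER"): "accepted",       # compensating control in front of it
    ("10.0.0.7", 22, "SSH-VERSION-OLD"): "false_positive",  # vendor backported the fix; banner is stale
}

# Hypothetical business weighting: 3 = inside the compliance scope (e.g. the
# cardholder environment), 2 = production, 1 = everything else (the default).
ASSET_CRITICALITY: Dict[str, int] = {"10.0.0.5": 3, "10.0.0.7": 1, "10.0.0.9": 2}


def delta(previous: List[Finding], current: List[Finding]) -> Dict[str, List[Finding]]:
    """Split the current run into new, fixed and unchanged findings by key."""
    prev_by_key = {f.key: f for f in previous}
    cur_by_key = {f.key: f for f in current}
    by_key = lambda f: f.key
    return {
        "new": sorted((f for k, f in cur_by_key.items() if k not in prev_by_key), key=by_key),
        "fixed": sorted((f for k, f in prev_by_key.items() if k not in cur_by_key), key=by_key),
        "unchanged": sorted((f for k, f in cur_by_key.items() if k in prev_by_key), key=by_key),
    }


def triage(findings: List[Finding], register: Dict[Tuple[str, int, str], str],
           criticality: Dict[str, int]) -> List[WorkItem]:
    """Replay recorded decisions, then rank what is left by CVSS x asset weight."""
    items = []
    for f in findings:
        decision = register.get(f.key, "mitigate")
        priority = f.cvss * criticality.get(f.host, 1) if decision == "mitigate" else 0.0
        items.append(WorkItem(f, decision, priority))
    return sorted(items, key=lambda i: (-i.priority, i.finding.key))


def stale_register_entries(register: Dict[Tuple[str, int, str], str],
                           current: List[Finding]) -> List[Tuple[str, int, str]]:
    """Register entries whose finding no longer appears: retire or re-review them."""
    seen = {f.key for f in current}
    return sorted(k for k in register if k not in seen)


if __name__ == "__main__":
    for bucket, fs in delta(PREVIOUS_SCAN, CURRENT_SCAN).items():
        print(bucket, [f.check_id for f in fs])
    for item in triage(CURRENT_SCAN, RISK_REGISTER, ASSET_CRITICALITY):
        print(f"{item.priority:5.1f}  {item.action:15s} "
              f"{item.finding.host}:{item.finding.port}  {item.finding.title}")
    print("stale register entries:", stale_register_entries(RISK_REGISTER, CURRENT_SCAN))
```

The register is keyed exactly like the findings so that an accepted risk stays accepted across runs without anyone re-reading it, and `stale_register_entries` surfaces decisions whose finding has disappeared, which is the cue to retire them rather than let the register grow unbounded. For an auditor, the register plus the per-run delta is the evidence that every finding was seen and a decision was made.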

As a first step, let's define the environment in which we'll be working. Security controls can be grouped loosely into three broad areas: management, operational, and technical.

Management controls include topics such as policies and the overall security posture. Operational controls cover how things are done in production, and technical controls are the more tangible software or hardware protections that implement the requirements our policies specify. In practice, all three areas are required for a complete vulnerability management strategy.

To achieve compliance, IT must have a comprehensive, risk-based approach to managing security. This approach, regardless of the actual vulnerability management structure selected, must include strong supporting policies, some form of regular scanning for validation, and ongoing control enhancements to fix identified weaknesses.

We recommend a standardized approach for network scanning that includes:

Preparation: Before conducting any type of potentially invasive scan, proper preparations must be made. For consultants working at a client site, a rules of engagement (ROE) document must be drawn up that outlines the types of testing to be conducted and the proposed targets. Internal teams need the equivalent in writing: the approved address ranges, the scan windows, and who to call if a scan disrupts a production system.

Initial tool configuration: This is where the parameters for the test are established. Although specifics vary by product, common options include the depth of testing to be conducted, the TCP/UDP ports to scan, credentials for authenticated scans, and performance settings such as timeouts and parallelism. Authenticated scans read installed package versions from the host instead of inferring them from banners, which removes a large share of the false positives noted above. Together these settings determine exactly what the tool is going to do during the test.

Discovery: Once the testing parameters are decided and traffic is ready to begin traversing the network, targets must be identified and selected. Scanning tools allow IT to input specific network ranges, host names, or IP addresses when there is prior knowledge of the desired targets. Where the target list is incomplete, the tool can also discover live hosts itself, typically with a ping sweep of the range.

Port discovery: Now that we have our target list, we seek to profile the hosts and see what ports they might be listening on. This process will give us some insight into the services and daemons that are running and set the stage for even deeper testing.

More invasive testing: Our initial checks have been performed, and we now have targets and open ports. The next step is to probe more deeply to understand what is running on those ports, discover version information where possible, and gather more data to profile our targets. This is also the stage most likely to upset fragile services, which is why the preparation step matters.
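The pipeline above, carried end to end against a loopback target, as an added example (this is not code from the report, nor the internals of any scanner product): a rules-of-engagement scope check that refuses out-of-scope hosts before a single packet is sent, a small configuration object for the tool parameters, TCP-connect port discovery, and a banner grab as the first "more invasive" step. The approved scope, the fake service and its banner are constructed for the example, and inferring host liveness from TCP connects rather than ICMP or ARP sweeps is also an assumption of this example.

```python
"""Minimal scan pipeline run against a loopback target.

Added example; not code from the report and not how any particular scanner
works internally. The approved scope, the fake service and its banner are
constructed for the example. Host liveness is inferred from TCP connects
(real tools also use ICMP/ARP sweeps), which is an assumption of this example.
"""
import ipaddress
import socket
import threading
from dataclasses import dataclass
from typing import Dict, List, Optional

# Preparation: the ROE names what may be touched. Anything else is refused,
# not "scanned carefully". Hypothetical scope for the example.
APPROVED_SCOPE = [ipaddress.ip_network("127.0.0.0/8")]


@dataclass
class ScanConfig:
    """Initial tool configuration: which ports, how patient, how deep."""
    ports: List[int]
    connect_timeout: float = 0.3
    grab_banners: bool = True   # the "more invasive" step; off for a light pass


def in_scope(host: str) -> bool:
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in APPROVED_SCOPE)


class FakeService:
    """Constructed target: a loopback listener that greets each client with a
    fixed banner, as an SSH or SMTP daemon would."""

    def __init__(self, banner: bytes):
        self.banner = banner
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free one
        self._srv.listen(5)
        self._srv.settimeout(0.2)          # so the accept loop can notice close()
        self.port = self._srv.getsockname()[1]
        self._stop = threading.Event()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, _ = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                return
            with conn:
                try:
                    conn.sendall(self.banner)
                except OSError:
                    pass   # client hung up right after connecting (a bare port probe)

    def close(self) -> None:
        self._stop.set()
        self._srv.close()


def tcp_connect(host: str, port: int, timeout: float) -> Optional[socket.socket]:
    try:
        return socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None


def port_discovery(host: str, cfg: ScanConfig) -> List[int]:
    """Full TCP connect per port: noisy, but needs no raw sockets or privileges."""
    open_ports = []
    for port in cfg.ports:
        s = tcp_connect(host, port, cfg.connect_timeout)
        if s is not None:
            s.close()
            open_ports.append(port)
    return open_ports


def grab_banner(host: str, port: int, cfg: ScanConfig) -> str:
    """Reconnect and read whatever the service volunteers first."""
    s = tcp_connect(host, port, cfg.connect_timeout)
    if s is None:
        return ""
    with s:
        try:
            return s.recv(256).decode("ascii", "replace").strip()
        except socket.timeout:
            return ""


def scan(targets: List[str], cfg: ScanConfig) -> Dict[str, dict]:
    """Scope check, then port discovery, then (optionally) banner grabbing."""
    results: Dict[str, dict] = {}
    for host in targets:
        if not in_scope(host):
            results[host] = {"status": "out_of_scope", "services": {}}
            continue
        open_ports = port_discovery(host, cfg)
        services = {p: (grab_banner(host, p, cfg) if cfg.grab_banners else "") for p in open_ports}
        results[host] = {"status": "up" if open_ports else "no_response", "services": services}
    return results


def run_demo():
    """Start the constructed target, scan it plus an out-of-scope host, tear down."""
    svc = FakeService(b"SSH-2.0-OpenSSH_7.4\r\n")
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)   # borrow a port that is closed
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()
    try:
        results = scan(["127.0.0.1", "10.0.0.1"], ScanConfig(ports=[svc.port, closed_port]))
    finally:
        svc.close()
    return svc.port, closed_port, results


if __name__ == "__main__":
    open_port, closed_port, results = run_demo()
    for host, r in results.items():
        print(host, r["status"], r["services"])
```

The out-of-scope host is never contacted: `scan` records the refusal and moves on, which is the behaviour an ROE needs and the behaviour to log for the auditor. Connect-scanning and banner grabbing are the unprivileged, least invasive forms of port discovery and service probing; a commercial scanner adds SYN scans, UDP probes, version fingerprinting and check plugins on top of the same skeleton.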

To complete the vulnerability management process, enterprises must also perform even deeper tests, including full-scale penetration testing. To learn more about these tests, and how to document and report the results, download the full report for free.

Rick is co-founder and president of WaveGard. With nearly 20 years of experience in the cybersecurity and related enterprise technology fields, Rick enjoys solving complex business IT problems. He has an EE/BME degree from Duke University and a Masters of Computer Engineering ...

