When Vulnerability Management Meets Compliance

New Dark Reading report offers advice on building a vulnerability management process that even your auditors will love

[Excerpted from "Compliance 101: Creating A Strong Vulnerability Management Strategy," a new report published today in Dark Reading's Vulnerability Management Tech Center.]

Finding and fixing security vulnerabilities in an enterprise is tough enough without someone looking over your shoulder. But when regulatory compliance requirements are involved -- and the auditors who come with them -- the process of vulnerability management brings on a new set of challenges.

So how can IT create a comprehensive vulnerability management plan? To crack this nut, we recommend a three-pronged approach that combines strong policies, well-disciplined operational procedures, and effective software validation tools.

The traditional approach to vulnerability scanning is to drop a system on the network, grab a network range, tweak a few configuration settings, and then start scanning away. Once the software is done, a report is generated to provide the next step: a to-do list. Simple enough.

The problem usually surfaces when the report is actually scrutinized and a voluminous list of action items has been generated. There are just too many false positives. And if incremental delta scans are not performed, it is difficult to tell what has changed in the environment since the last scan, so time is wasted reanalyzing items that have already been reviewed.

With a good vulnerability management process and proper selection of tools, you can minimize the false positives and reduce duplicate efforts.

The main weapon in IT's unending struggle to stay ahead of the bad guys isn't the hottest new security system. It's a process in which we identify vulnerabilities, rank them in a meaningful way based on business and compliance realities, and then decide whether to accept the risk, mitigate it with appropriate fixes, or transfer it to a third party (through insurance or contractual terms, for example). Not sexy, but vital.

As a first step, let's define the environment in which we'll be working. Security controls can be grouped loosely into three broad areas: management, operational, and technical.

Management controls include topics such as policies and the security posture. Operational controls involve how things are done in production, and technical controls address the more tangible software and/or hardware protections that implement the requirements specified by our policies. In practice, all three of these areas are required for a complete vulnerability management strategy.

To achieve compliance, IT must have a comprehensive, risk-based approach to managing security. This approach, regardless of the actual vulnerability management structure selected, must include strong supporting policies, some form of regular scanning for validation, and ongoing control enhancements to fix identified weaknesses.

We recommend a standardized approach for network scanning that includes:

Preparation: Before conducting any type of potentially invasive scan, proper preparations must be made. For consultants working at a client site, a rules of engagement (ROE) document must be drawn up that outlines the types of testing to be conducted and the proposed targets. Even for an internal team, the same document should record the scan windows, the hosts and networks excluded from testing (fragile embedded or medical devices, for instance), and whom to contact if a scan disrupts a production system.

Initial tool configuration: This is where parameters for the test are established. Although specifics will vary according to each product, common options include the depth of testing to be conducted, TCP/UDP ports to scan, credentials for authenticated scans (which find missing patches and misconfigurations that an unauthenticated scan cannot see), and other performance settings. These settings determine exactly what the tool is going to be doing during the test.

Discovery: Once testing parameters are decided and traffic is ready to begin traversing the network, targets must be identified and selected. Scanning tools allow IT to input specific network ranges, host names, or IP addresses when there is prior knowledge about the desired targets. When the target list is incomplete, devices can also be discovered automatically, typically with a ping or ARP sweep of the range; reconcile the result against the asset inventory, because a host the scanner finds but the inventory does not know about is itself a finding.

Port discovery: Now that we have our target list, we profile the hosts to see which ports they are listening on. This gives some insight into the services and daemons that are running and sets the stage for deeper testing. Scanning only a tool's default port list will miss services bound to non-standard ports, so decide explicitly whether the scan covers all 65,535 TCP ports and which UDP ports it includes.

More invasive testing: So our initial checks have been performed, and we now have targets and available ports. The next step is to probe more deeply to understand what's running on the various open ports, try to discover possible version information, and gather even more data to profile our targets.
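As an added example (not code from the report, and not a Dark Reading or WaveGard tool), the following Python script shows what the process does with the output of the steps above: it reads a baseline and a current scan, computes a delta so that only new or changed services are re-analyzed, suppresses entries in an accepted-risk register until their review date passes, and ranks what remains by asset criticality. The two scan results, the register, the criticality values and the nmap command lines in the comments are constructed assumptions; the XML follows nmap's -oX output format, but any scanner whose output records host, open port and service version could be mapped onto parse_scan.

```python
import xml.etree.ElementTree as ET
from datetime import date

# Constructed sample results in nmap's XML output format (assumption: the
# scanner is nmap). The phases above would produce such files with, e.g.:
#   nmap -sn 10.0.0.0/28 -oX discovery.xml            (target discovery)
#   nmap -sS -p- 10.0.0.5 10.0.0.9 -oX ports.xml       (port discovery)
#   nmap -sV -p 22,80,443,3306,6379 10.0.0.5 10.0.0.9 -oX versions.xml
BASELINE_XML = """<nmaprun scanner="nmap" start="1622505600">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.18.0"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="open"/><service name="ftp" product="vsftpd" version="3.0.3"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33"/></port>
</ports></host>
</nmaprun>"""

CURRENT_XML = """<nmaprun scanner="nmap" start="1623110400">
<host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
<port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx" version="1.20.1"/></port>
</ports></host>
<host><status state="up"/><address addr="10.0.0.9" addrtype="ipv4"/><ports>
<port protocol="tcp" portid="21"><state state="closed"/><service name="ftp"/></port>
<port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.33"/></port>
<port protocol="tcp" portid="6379"><state state="open"/><service name="redis" product="Redis key-value store" version="6.0.9"/></port>
</ports></host>
</nmaprun>"""

# Accepted-risk / known-false-positive register (constructed). Each entry has a
# review date, so a decision made for one audit cycle is re-examined later
# rather than suppressing the finding forever.
ACCEPTED = {
    ("10.0.0.5", "tcp", 80): date(2021, 12, 31),  # plain HTTP only redirects to 443; documented
    ("10.0.0.9", "tcp", 6379): date(2021, 3, 31),  # review date has passed: re-evaluate
}
# Asset criticality 1-5 (constructed), e.g. from the CMDB; in-scope PCI hosts rank higher.
CRITICALITY = {"10.0.0.5": 3, "10.0.0.9": 5}


def parse_scan(xml_text):
    """Return {(ip, proto, port): 'product version'} for each open port on each live host."""
    services = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not findings
            svc = port.find("service")
            parts = [svc.get("product"), svc.get("version")] if svc is not None else []
            label = " ".join(p for p in parts if p) or "unknown"
            services[(addr.get("addr"), port.get("protocol"), int(port.get("portid")))] = label
    return services


def delta(baseline, current):
    """Classify every (ip, proto, port) seen in either scan as new, closed, changed or unchanged."""
    out = {"new": [], "closed": [], "changed": [], "unchanged": []}
    for key in sorted(set(baseline) | set(current)):
        if key not in baseline:
            out["new"].append(key)
        elif key not in current:
            out["closed"].append(key)
        elif baseline[key] != current[key]:
            out["changed"].append(key)  # same port, different product/version
        else:
            out["unchanged"].append(key)
    return out


def triage(baseline, current, accepted, criticality, today):
    """Ranked action list: skip unchanged items (reviewed last cycle) and accepted
    risks still inside their review window; score the rest by criticality x change weight."""
    weights = {"new": 3, "changed": 2}
    d = delta(baseline, current)
    items = []
    for kind, weight in weights.items():
        for key in d[kind]:
            review_by = accepted.get(key)
            if review_by is not None and review_by >= today:
                continue  # formally accepted risk, still within its review window
            items.append((criticality.get(key[0], 1) * weight, key, kind, current[key]))
    items.sort(key=lambda it: (-it[0], it[1]))
    return items, d["closed"]


def run_example(today=date(2021, 6, 21)):
    """End-to-end run on the constructed scans: (ranked action items, ports closed since baseline)."""
    return triage(parse_scan(BASELINE_XML), parse_scan(CURRENT_XML), ACCEPTED, CRITICALITY, today)


if __name__ == "__main__":
    for score, (ip, proto, port), kind, label in run_example()[0]:
        print(f"{score:3d}  {ip}:{port}/{proto}  {kind:8s} {label}")
```

Run as written, the script produces two action items: the newly exposed Redis listener on 10.0.0.9 (its earlier acceptance has lapsed) outranks the nginx version change on 10.0.0.5, while the HTTP redirect on port 80 stays suppressed until its review date and the unchanged SSH and MySQL services are not re-analyzed. Call run_example with a later date and the port 80 entry reappears in the list, which is the point of putting a review date on every accepted risk.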

To complete the vulnerability management process, enterprises must also perform even deeper tests, including full-scale penetration testing. To learn more about these tests, and how to document and report the results, download the full report for free.

Rick is co-founder and president of WaveGard. With nearly 20 years of experience in the cybersecurity and related enterprise technology fields, Rick enjoys solving complex business IT problems. He has an EE/BME degree from Duke University and a Masters of Computer Engineering ...
