Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics

1/13/2010
02:22 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

When Vulnerability Management Meets Compliance

New Dark Reading report offers advice on building a vulnerability management process that even your auditors will love

[Excerpted from "Compliance 101: Creating A Strong Vulnerability Management Strategy," a new report published today in Dark Reading's Vulnerability Management Tech Center.]

Finding and fixing security vulnerabilities in an enterprise is tough enough without someone looking over your shoulder. But when regulatory compliance requirements are involved -- and the auditors who come with them -- the process of vulnerability management brings on a new set of challenges.

So how can IT create a comprehensive vulnerability management plan? To crack this nut, we recommend a three-pronged approach that combines strong policies, well-disciplined operational procedures, and effective software validation tools.

The traditional approach to vulnerability scanning is to drop a system on the network, grab a network range, tweak a few configuration settings, and then start scanning away. Once the software is done, a report is generated to provide the next step: a to-do list. Simple enough.

The problem, however, always seems to come when the report is actually scrutinized, and voluminous action items are being generated. There are just too many false positives. And if incremental delta scans are not being performed, it can be difficult to determine what has changed in the environment, so time is wasted reanalyzing items that have already been reviewed.

With a good vulnerability management process and proper selection of tools, you can minimize the false positives and reduce duplicate efforts.

The main weapon in IT's unending struggle to stay ahead of the bad guys isn't the hottest new security system. It's a process in which we identify vulnerabilities, rank them in a meaningful way based on business and compliance realities, and then decide whether to accept the risk, mitigate problems with appropriate fixes, or offload the risk to a third party. Not sexy, but vital.

As a first step, let's define the environment in which we'll be working. Security controls can be grouped loosely into three broad areas: management, operational, and technical.

Management controls include topics such as policies and the security posture. Operational controls involve how things are done in production, and technical controls address the more tangible software and/or hardware protections that implement the requirements specified by our policies. In practice, all three of these areas are required for a complete vulnerability management strategy.

To achieve compliance, IT must have a comprehensive, risk-based approach to managing security. This approach, regardless of the actual vulnerability management structure selected, must include strong supporting policies, some form of regular scanning for validation, and ongoing control enhancements to fix identified weaknesses.

We recommend a standardized approach for network scanning that includes:

Preparation: Before conducting any type of potentially invasive scan, proper preparations must be made. For consultants working at a client site, a rules of engagement (ROE) document must be drawn up that outlines the types of testing to be conducted and the proposed targets.

Initial tool configuration: This is where parameters for the test are established. Although specifics will vary according to each product, common options include the depth of testing to be conducted, TCP/UDP ports to scan, username/passwords for authenticated scans, and other performance settings. These settings help determine exactly what the tool is going to be doing in the testing.

Discovery: Once testing parameters are decided and traffic is ready to begin traversing the network, targets must be identified and selected. Scanning tools allow for IT to input specific network ranges, host names, or IP addresses when there is prior knowledge about the desired targets. Devices can also be discovered.

Port discovery: Now that we have our target list, we seek to profile the hosts and see what ports they might be listening on. This process will give us some insight into the services and daemons that are running and set the stage for even deeper testing.

More invasive testing: So our initial checks have been performed, and we now have targets and available ports. The next step is to probe more deeply to understand what's running on the various open ports, try to discover possible version information, and gather even more data to profile our targets.

To complete the vulnerability management process, enterprises must also perform even deeper tests, including full-scale penetration testing. To learn more about these tests, and how to document and report the results, download the full report for free.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Rick is co-founder and president of WaveGard. With nearly 20 years of experience in the cybersecurity and related enterprise technology fields, Rick enjoys solving complex business IT problems. He has an EE/BME degree from Duke University and a Masters of Computer Engineering ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Cyberattacks Are Tailored to Employees ... Why Isn't Security Training?
Tim Sadler, CEO and co-founder of Tessian,  6/17/2021
Edge-DRsplash-10-edge-articles
7 Powerful Cybersecurity Skills the Energy Sector Needs Most
Pam Baker, Contributing Writer,  6/22/2021
News
Microsoft Disrupts Large-Scale BEC Campaign Across Web Services
Kelly Sheridan, Staff Editor, Dark Reading,  6/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-34390
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel function where a lack of checks allows the exploitation of an integer overflow on the size parameter of the tz_map_shared_mem function.
CVE-2021-34391
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel�s tz_handle_trusted_app_smc function where a lack of integer overflow checks on the req_off and param_ofs variables leads to memory corruption of critical kernel structures.
CVE-2021-34392
PUBLISHED: 2021-06-22
Trusty TLK contains a vulnerability in the NVIDIA TLK kernel where an integer overflow in the tz_map_shared_mem function can bypass boundary checks, which might lead to denial of service.
CVE-2021-34393
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in TSEC TA which deserializes the incoming messages even though the TSEC TA does not expose any command. This vulnerability might allow an attacker to exploit the deserializer to impact code execution, causing information disclosure.
CVE-2021-34394
PUBLISHED: 2021-06-22
Trusty contains a vulnerability in all TAs whose deserializer does not reject messages with multiple occurrences of the same parameter. The deserialization of untrusted data might allow an attacker to exploit the deserializer to impact code execution.