Lowering information risk by enhancing process quality
Two years ago, we replaced our previous supplier of vulnerability scans with a new tool and, in the same step, documented vulnerability scanning in our quality management system as a process. The main challenges with the old system were that vulnerabilities were not prioritised based on risk and that we had to pay for each IP address scanned and for each scan. The vulnerability reports were generic and offered no help in mitigating the vulnerabilities. We also could not trigger a scan ourselves. Last but not least, the process was not well documented and there was no feedback loop from accepted vulnerabilities back to the scanning system, so the scanner kept rediscovering vulnerabilities that had already been accepted or mitigated through other means.
In essence, the old tool did not allow us to continuously improve.
Our new system allows us to scan as often as we like (also on demand), allows exceptions to be defined and documented, and also performs authenticated scans. This means the tool has appropriate permissions on the target systems to properly identify software, versions, services, etc. This greatly improves the quality of the scan data and reduces the risk of aggressive scans crashing services and systems. Our new system also offers a top remediation report – basically guidance on which effort would yield the highest reduction of risk, which helps us prioritise remediation activities (see figure 1).
Furthermore, access to our scanning system is restricted, as the data collected is considered confidential and interpreting scan results requires appropriate training and experience. I'll offer a glimpse of what the console of the tool looks like (see figure 1).
Addressing critical vulnerabilities
The goal of vulnerability management is to manage the risks that vulnerabilities create. Of course, the ideal would be to fix all vulnerabilities. However, this is often neither possible for functional reasons nor economical (the cost of securing against very low risks rises exponentially).
So in a nutshell:
- We scan regularly for vulnerabilities.
- For vulnerabilities above a certain threshold (CVSS score) we automatically create a ticket for each affected asset.
- The process for vulnerability remediation is triggered by these tickets and is designed to mitigate the risk by one of these four means:
  - Patch the system (preferred method).
  - Mitigate the vulnerability by other means (e.g. block a port, implement web application firewall rules).
  - Accept the risk – for this, follow the exception process.
  - Decommission the system.
- The result of the mitigation is visible in the vulnerability scanning tool (either the vulnerability does not appear again or it has an exception). Our goal is to address all vulnerabilities above a certain CVSS score and subsequently work towards managing all critical vulnerabilities.
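As an added illustration (not the author's tool or process documentation), the ticketing step and the top remediation ranking described above, run over constructed scan findings; the CVSS threshold of 7.0, the plugin ids and the asset names are assumptions, and the exception set shows the feedback loop that keeps accepted findings from being ticketed again.

```python
from collections import defaultdict

# Assumed threshold; the post does not state the actual CVSS cut-off.
CVSS_THRESHOLD = 7.0

# Constructed sample scan output, one finding per affected asset.
FINDINGS = [
    {"asset": "web-01", "plugin": "P-1001", "cvss": 9.8, "title": "outdated TLS library"},
    {"asset": "web-02", "plugin": "P-1001", "cvss": 9.8, "title": "outdated TLS library"},
    {"asset": "db-01", "plugin": "P-2002", "cvss": 7.5, "title": "unpatched database"},
    {"asset": "app-01", "plugin": "P-3003", "cvss": 5.3, "title": "verbose error page"},
    {"asset": "legacy-01", "plugin": "P-1001", "cvss": 9.8, "title": "outdated TLS library"},
]

# Feedback loop: risks accepted through the exception process are suppressed,
# so the same finding is not ticketed again on the next scan.
EXCEPTIONS = {("legacy-01", "P-1001")}


def tickets_for(findings, exceptions, threshold=CVSS_THRESHOLD):
    """One ticket per (asset, plugin) at or above the threshold without an exception."""
    tickets = []
    for f in findings:
        key = (f["asset"], f["plugin"])
        if f["cvss"] >= threshold and key not in exceptions:
            tickets.append({"asset": f["asset"], "plugin": f["plugin"],
                            "cvss": f["cvss"], "title": f["title"]})
    return tickets


def top_remediation(findings, exceptions):
    """Rank plugins by summed CVSS over assets without an exception: the fix
    with the largest total comes first, mirroring a top remediation report."""
    total = defaultdict(float)
    for f in findings:
        if (f["asset"], f["plugin"]) not in exceptions:
            total[f["plugin"]] += f["cvss"]
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for t in tickets_for(FINDINGS, EXCEPTIONS):
        print(f"TICKET {t['asset']} {t['plugin']} CVSS {t['cvss']} {t['title']}")
    for plugin, score in top_remediation(FINDINGS, EXCEPTIONS):
        print(f"remediate {plugin}: summed CVSS {score:.1f}")
```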