Vulnerability Assessments

If you have never participated in a vulnerability assessment, you might be wondering what that term actually means. What is a vulnerability assessment, and how does it impact my system? A vulnerability assessment is a report-driven analysis of the current security posture of a defined system. In other words, it is a list of everything found wrong with the system pertaining to security configuration, patches, and in some cases policies, that needs to be fixed or mitigated. Most companies only do this for external-facing systems, but with insider threats in mind, it is becoming more commonplace to do internal scans as well. Depending on the severity of the findings, each one is often associated with a time constraint for remediation, which is the impact on the system. These addressable findings come in four flavors: Critical, High, Medium, and Low, and of course the higher the risk, the higher the priority to fix. On a large system, this can lead to a mitigation loop where systems get new scan reports without the older findings ever being fixed, so those findings simply carry over from report to report. Administrators should have enough resources to mitigate all findings quickly so that any new scan shows only new findings, but that is not such an easy task when your IT group is only a few employees deep and they already have plenty of tasks on their plates. There are a few things you can do to help keep your vulnerability assessments under control:
1) Perform scans continuously, at least quarterly. Management is typically reluctant to dig into unknown territory, especially if scans have never been done or have not been done recently, but you have to start somewhere. Don't let fear drive the need.
2) Generate the report as a spreadsheet for tracking. All the tools can generate various file formats, so pick one that is easily imported into Excel or a tracking tool of your choice. One tool I use is Namicsoft, which consolidates the output of several tools into one report.
3) Mitigate the most common findings first. Usually there are a few findings that affect 90% of the systems, so by closing out 2-3 findings the report shrinks dramatically.
4) Automate mitigation when possible. I like to create a company account and use that email address to sign up for vendor patches, product release information, and security bulletins. This way many employees can monitor the communications in case someone is out of the office. It is the collective effort to maintain security that makes for a successful program.
5) Use the CVE references for examples of how to fix a finding. Reference information is almost always an option in the reports of the tools on the market. This is also the best way to determine false positives.
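Steps 2 through 5 above amount to a small tracking workflow: consolidate scan exports, find the handful of findings that cover most hosts, and spot findings that carried over unfixed from the previous report. The following script is an added example, not code from the original page or from Namicsoft; the CSV layout, hosts, plugin IDs and CVE values are all constructed placeholders.

```python
import csv
import io
from collections import defaultdict

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample exports: hypothetical hosts, plugin IDs and placeholder
# CVE references, not output from any real scanner.
PREVIOUS_SCAN = """host,plugin_id,name,severity,cve
10.0.0.5,1001,Weak TLS cipher suites,Medium,CVE-0000-0001
10.0.0.6,1001,Weak TLS cipher suites,Medium,CVE-0000-0001
10.0.0.7,1001,Weak TLS cipher suites,Medium,CVE-0000-0001
10.0.0.7,2002,Outdated SSH daemon,High,CVE-0000-0002
10.0.0.8,3003,Default SNMP community,Critical,CVE-0000-0003
"""
CURRENT_SCAN = """host,plugin_id,name,severity,cve
10.0.0.5,1001,Weak TLS cipher suites,Medium,CVE-0000-0001
10.0.0.6,1001,Weak TLS cipher suites,Medium,CVE-0000-0001
10.0.0.7,1001,Weak TLS cipher suites,Medium,CVE-0000-0001
10.0.0.8,1001,Weak TLS cipher suites,Medium,CVE-0000-0001
10.0.0.7,2002,Outdated SSH daemon,High,CVE-0000-0002
10.0.0.9,4004,Anonymous FTP enabled,Low,CVE-0000-0004
"""

def parse_report(text):
    """Read a CSV scan export into a list of finding rows (one row per host/finding)."""
    return list(csv.DictReader(io.StringIO(text)))

def coverage(rows):
    """Per finding: affected host count and share of all scanned hosts, sorted so the
    findings touching the most systems come first (ties broken by severity)."""
    hosts = {r["host"] for r in rows}
    per_plugin, meta = defaultdict(set), {}
    for r in rows:
        per_plugin[r["plugin_id"]].add(r["host"])
        meta[r["plugin_id"]] = (r["name"], r["severity"], r["cve"])
    table = [{"plugin_id": pid, "name": meta[pid][0], "severity": meta[pid][1],
              "cve": meta[pid][2], "hosts": len(aff), "pct": round(100 * len(aff) / len(hosts))}
             for pid, aff in per_plugin.items()]
    return sorted(table, key=lambda f: (-f["pct"], -SEVERITY_RANK[f["severity"]]))

def carried_over(previous, current):
    """(host, plugin_id) pairs present in both reports: findings that were never mitigated."""
    key = lambda r: (r["host"], r["plugin_id"])
    return {key(r) for r in previous} & {key(r) for r in current}

if __name__ == "__main__":
    prev, cur = parse_report(PREVIOUS_SCAN), parse_report(CURRENT_SCAN)
    for f in coverage(cur):
        print(f"{f['severity']:<9}{f['pct']:>4}% of hosts  {f['name']} ({f['cve']})")
    print("carried over from previous report:", sorted(carried_over(prev, cur)))
```

On the sample data one Medium finding covers 80% of hosts, which is the finding to close out first, while the Critical SNMP finding from the previous scan no longer appears and so was mitigated.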
Vulnerability assessments are familiar to network and system administrators, but it is only recently that the industry has started to look at the full lifecycle of vulnerabilities at each defined stage. I call it the Swiss cheese model. Imagine each layer as a slice of cheese: embedded code review, static code analysis, infrastructure, compiled code. When the holes are random there is still a level of layered security, but what happens when the holes line up?
References/Resources
https://www.namicsoft.com/
https://cve.mitre.org