Managing vulnerabilities of information systems and information processing in enterprises – CISO practical point of view
2014/01/10 Dodaj komentarz
The Vulnerability Management (VM) is a complex process with many relationships to other processes within company Integrated Information Security Management System (ISMS). Generally, however, two milestones are the key factors of this process success: (1) detection of vulnerabilities in systems and/or processes and (2) applying the proper corrective or compensative measures that are adequate to the risks associated with specific vulnerability or a set of vulnerabilities.
The main goal of the VM process is to (1) early identify and – following that – (2) making the proper correction or compensation of any discovered vulnerabilities in systems and processes, before they come to the risk materialization of emerging security breaches associated with the malicious usage of system vulnerabilities (eg. system exploitation).
The final correction can be made (1) directly on the vulnerable system or (2) indirectly by undertaking proper compensative action to be applied on the external security systems. Together, these two categories of actions (corrective and compensative) constitute part of Patch and Remediation actions widely understood.
Patch implementation as a direct corrective action in response to vulnerability discovery is not always an effective or even possible way of the risks mitigation in some particular circumstances, for example, if application of the patch is simply not possible, or at least significantly delayed due to many potential reasons, for instance:
- difficulty of patching the embedded system in some kind of specialized equipment, including such devices, where the system is residing on a write-protected media;
- problem resulting from the contractually limited support offered by the suppliers of critical business applications, limited to often only quite archaic versions of operating systems, platforms, application servers, runtimes and other kind software;
- delay in patch installation problem due to the need for performing some kind of time-consuming tasks associated with the patch tests, or the necessity to wait for the next service window in which the system can be patched.
The (1) direct vulnerability patching is not the only way of vulnerability remediation and associated risk mitigation, but some other remedial should be carefully taken into consideration and planned accordingly: (2) carry out some particular corrective actions maybe on the vulnerable system, on external security systems or (3) taking some procedural action or chances on the level of, not systems themselves, but also processes.
The vulnerabilities detection is usually made based on (1) security tests (especially vulnerability tests but also penetration tests), (2) systems monitoring in terms of potential vulnerability occurrence (as a result of reference of particular IT asset to authoritative reports and dedicated knowledge base about vulnerabilities), (3) data collected in security event management and information security incident handling processes (including information security incidents reports from users and administrators of the vulnerable systems). Some, especially non-technical and non-technological vulnerabilities can be also discovered in (4) risk management process, in particular at the level of threat modeling of the business processes and data flows in information systems.
Vulnerability and penetration tests of production IT systems should be performed periodically. Their goal is to investigate correctness of systems’ configuration and whether all implemented security mechanism and policies, function according to assumptions and on a defined effectiveness level.
The effectiveness of vulnerability and penetration tests is determined by following factors: regularity of tests, their organization, their course and used tools, as well as employees’ qualifications. The effectiveness means discovering the existing vulnerabilities as early as possible, before they are used for performing effective attack.
In this context, the tests are a kind of preventive measure, protecting against security incidents. Tests vitality for the reduction of possible costs of repair proceeding after security incidents, is undisputable.
While preparing tests schedule, a system criticality should be taken into consideration. The best practice rule says that the tests of critical systems should be always performed first and most time should be spent on them. This rule should be considered always when an organization has limited resources for this purpose.
Due to the fact, that many tests simulate a real attack each test should be precisely planned, its potential impact should be assessed and the tested system should be protected against permanent loss of stability, accessibility and integrity. Employees engaged in such tests should fulfill all, the previously mentioned, conditions. That’s why the employees should have great technical knowledge about a tested system and required tools, and effects of using them.
Security tests should be an integral part of risk management process. Reports written after the tests are always an important source of knowledge about vulnerabilities and effectiveness of used security precautions, mitigating or terminating risks. Remediation program should be developed and deployed for all identified vulnerabilities after the performed tests. The part of this program is the installation of patches and hotfixes, configuration changes and also policies, standards and operational procedure changes.
One should be highlighted here: there is no kind of security tests that is able to identify all vulnerabilities and gaps. The tests’ reliability is never absolute and largely depends on qualification of employees performing tests, the quality of used tools and engaged resources. The tests reliability limitations should be taken into consideration whilst planning security measures for the systems.
Additionally, due to the fact of high dynamics of increase in knowledge about daily discovered IT system vulnerabilities, the tests should be performed periodically, taking into account newly discovered and reported vulnerabilities and the dynamics of changes in tested IT system.
The VM has direct relationships to other IT and Information Security Management processes:
- IS Risk Management;
- Security Event Management;
- Information Asset Management;
- IT Systems Contingency & BCM;
- Compliance Management
The relationship of VM to Risk Management is particularly visible:
- when assessing the risk level of discovered vulnerabilities, and thus the priority assigning to remediation task, planning and implementation of remediation (corrective and compensatory actions);
- when performing of systems risk analysis;
- when assessing the level of significance of the event (in particular if the event belongs to the category of IS incidents) registered in the Security Event Management systems (and possibly handled as IS Incident in the process of IS Incident Management).
Security Event Management is related to VM through two-way relationship:
- VM supporting systems can be the source of data for security event management system. They feed the events database, where then the data can be used to conduct some advanced correlation. These correlations in turn can be used to detect any kind of security violations, especially those with a complicated way of occurrence and complex in their nature.
- Security Event Management systems may in turn provide the necessary data to the VM process to carry out remediation (corrective or compensative) action prioritization.
- It is important to have a broader look at the perceiving of VM relationship to Information Security Incident Management. The proper way is to look rather at the whole area of events relevant to information systems security and not limit the view only to information security incidents themselves. The mentioned events, when they are registered in Information Security Event Management Process are not known yet for sure, whether they are true security incident, until they are correlated with other events that appear to be part of a multi-stage and – complex in its nature – information security incident (usually indicated by the correlation results on systems supporting the Security Event Management process).
Security Event Management also allows the measurement of risk associated with the vulnerability discovered in the particular system (especially the measurement of risk in the Patch and Remediation lifecycle) and measuring the effectiveness remediation actions as well.
The VM process is directly interconnected and depends on IT Asset Management. To effectively manage Vulnerability, there is a necessity to possess a database of all systems under coverage of VM process. In addition, these systems need to be classified in terms of importance for the corporate business processes. At this point, a relation of VM to BCM processes and BIA in particular is particularly visible.
The VM is related to the IS Compliance Management. The results of VM may be a reference to determine compliance level with internal security baselines, industry standards and the general law regulations.
The VM is cyclical and continuous process correlated with dynamic character of vulnerabilities discovering and reporting, the vulnerabilities ‚life span’ and frequent changes made in the systems, which may create new vulnerabilities.
Figure above illustrates the vulnerability exposure time-frame to attack. The most critical at this time-frame are: (1) the time interval since the discovering (and publicly announcing) the vulnerability until an effective patch is released and (2) the time immediately after the release of the patch.
The following factors have the influence on the efficiency of VM:
- Rapid identification of vulnerability and its assessment in terms of risk;
- Efficient planning of patch & remediation actions and acquisition or development of measures and resources for this purpose;
- Minimizing the exposure time of vulnerability to attack, while the vulnerability is a zero-day, by the immediate application of appropriate compensation measures until you get to the dedicated patch;
- Efficient testing of patches and other remediation measures;
- The immediate installation of patches and/or implementation of other corrective and compensation measures;
- Reliable verification of Patch & Remediation measures effectiveness;
- Measuring and tracking the efficiency and risks in VM process.
The implementation of robust and good designed VM process and supporting tools will provide reasonable level of information assets protection and effective risk management in every organization. The main goal is to achieve this objective by applying a risk-based approach, involving the selection of efficient and economically justified security measures, adequate to the level of risk and value of protected assets.