Penetration tests are a fundamental part of a security program. They are not “best practice,” they are “standard practice.” But, too often, organizations do not manage these tests effectively. It is common practice to create a list of vulnerabilities to be patched, and hand it to the information technology organization with guidance to “fix it.” With a little planning and active oversight, an organization’s vulnerability management processes can be much more efficient.
That starts with recognizing that managing vulnerabilities is a continuous process. Suppose you perform a penetration test and successfully remediate every identified vulnerability in a single day: within 24 hours of completing the initial test, everything has been fixed and remediation testing is complete.
Unfortunately, in those same 24 hours another 60-70 vulnerabilities have been made public and assigned Common Vulnerabilities and Exposures (CVE) numbers (based on volumes so far in 2022). Even more unfortunate, cybercriminals have become efficient at weaponizing exploits for new vulnerabilities and publishing them in dark web forums and exploit kits. The result is that by the time you finish fixing everything in your earlier report, you are probably already behind again.
The way to address this is to abandon traditional periodic testing and migrate to more frequent, on-demand, or even continuous testing. Shortly after validation testing is complete, you test again, looking for anything that has changed in your environment since the last test. You check for newly identified vulnerabilities in systems, applications, or services that have the potential to increase risk for the organization.
This doesn’t mean you can just “do testing;” you need to actively manage those tests. Testing becomes a project unto itself involving the following steps:
1. Define, schedule and run the test.
a. Scope and operational business constraints matter. You want to ensure you are testing your entire operational and exposed environment, not just the parts that are convenient to test.
b. The test will have a set of rules of engagement. To make sure the appropriate people have the required insight, these rules are best managed and coordinated as part of the project, rather than as a line on a spreadsheet.
c. You want to test your environment in as close to "standard operations" mode as possible, but there may also be operational requirements that the test must not interfere with.
2. Check results and prioritize.
a. The simple part of "check results and prioritize" is that you start with the new findings and integrate them into your existing remediation plans, following the same prioritization rules you used in your initial analysis.
i. If nothing has changed, this iteration of the process is complete.
ii. If you identify new vulnerabilities, you need to decide where they fit relative to your previously established project list. If a new finding has a higher priority than current tasking, evaluate the level of effort of each and decide whether the new finding supersedes the current work or follows it.
b. To maximize effectiveness, prioritization should be based on organizational impact, not just cybersecurity requirements.
3. Remediate. Perform appropriate testing of patches, configuration changes, and additional mitigations. Apply updates as appropriate. Document what you did and mark all affected vulnerabilities as “fixed but not closed” in project tracking.
4. Remediation testing. Test to ensure applied mitigation actions successfully addressed the vulnerabilities, and you did not accidentally expose new vulnerabilities during the “fix” process. Verify documentation is complete. Mark all “fixed but not closed” items as “closed” in project tracking.
5. Go to step 1.
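To make the tracking in steps 2 through 4 concrete, here is an added example (not code from the article, and not any particular scanner's or ticketing tool's format) that models the finding lifecycle as a small Python state machine: a new scan is integrated against the tracked list, the open queue is ordered by organizational impact and level of effort rather than by CVSS alone, an item marked "fixed but not closed" only becomes "closed" once a rescan no longer reports it, and a "fixed" item that is still detected is reopened instead of quietly staying marked as fixed. The host names, CVE-style placeholder identifiers, scores, impact weights and effort estimates are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    OPEN = "open"
    FIXED_NOT_CLOSED = "fixed but not closed"  # step 3 done, awaiting remediation test
    CLOSED = "closed"                          # step 4 passed


# Constructed asset register: impact weight (1 low .. 5 critical) per host,
# standing in for whatever the business-line owners would actually assign.
ASSET_IMPACT = {"web-01": 5, "db-01": 5, "build-02": 3, "kiosk-07": 1}

# Constructed scan exports. The CVE-style ids are placeholders, not real advisories.
SCAN_DAY1 = [
    {"host": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"host": "kiosk-07", "cve": "CVE-0000-0002", "cvss": 9.8},
    {"host": "build-02", "cve": "CVE-0000-0003", "cvss": 5.3},
]
SCAN_DAY2 = SCAN_DAY1 + [{"host": "db-01", "cve": "CVE-0000-0004", "cvss": 7.5}]
# Constructed level-of-effort estimates in person-days (anything unlisted is 1.0).
EFFORT = {("web-01", "CVE-0000-0001"): 0.5, ("kiosk-07", "CVE-0000-0002"): 3.0}


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    effort_days: float = 1.0
    state: State = State.OPEN
    history: list = field(default_factory=list)  # the "document what you did" trail

    def priority(self) -> float:
        # Step 2b: organizational impact leads, technical severity follows, and
        # dividing by effort lets cheap fixes surface as business-as-usual work.
        return ASSET_IMPACT.get(self.host, 2) * self.cvss / max(self.effort_days, 0.25)


def integrate_scan(tracked: dict, scan_rows: list, effort: dict) -> list:
    """Step 2a: merge a scan into the tracked list; return the keys of NEW findings.

    Already-tracked items keep their state. Items that merely vanished from this
    scan are NOT closed here: closing requires remediation testing (step 4).
    """
    new_keys = []
    for row in scan_rows:
        key = (row["host"], row["cve"])
        f = tracked.get(key)
        if f is None:
            f = Finding(row["host"], row["cve"], row["cvss"], effort.get(key, 1.0))
            f.history.append("opened by scan")
            tracked[key] = f
            new_keys.append(key)
        elif f.state is State.FIXED_NOT_CLOSED:
            # Still detected after a recorded fix: the remediation did not take.
            f.state = State.OPEN
            f.history.append("reopened: still detected after fix")
    return new_keys


def work_queue(tracked: dict) -> list:
    """Open items, highest priority first (step 2a.ii decides where new ones land)."""
    return sorted((f for f in tracked.values() if f.state is State.OPEN),
                  key=Finding.priority, reverse=True)


def remediate(tracked: dict, key, note: str) -> None:
    """Step 3: document what was done and park the item as fixed but not closed."""
    f = tracked[key]
    f.state = State.FIXED_NOT_CLOSED
    f.history.append("remediated: " + note)


def verify(tracked: dict, key, rescan_rows: list) -> bool:
    """Step 4: close only if a fix was recorded AND the rescan no longer reports it."""
    f = tracked[key]
    if f.state is not State.FIXED_NOT_CLOSED:
        raise ValueError(f"{key}: no remediation recorded, nothing to verify")
    if any((r["host"], r["cve"]) == key for r in rescan_rows):
        f.state = State.OPEN
        f.history.append("reopened: remediation test failed")
        return False
    f.state = State.CLOSED
    f.history.append("closed: remediation test passed")
    return True


def demo_cycle() -> dict:
    """One pass through steps 1-5 on the constructed data; returns the tracked list."""
    tracked = {}
    integrate_scan(tracked, SCAN_DAY1, EFFORT)   # initial test
    integrate_scan(tracked, SCAN_DAY2, EFFORT)   # next test: the db-01 item is new
    for f in work_queue(tracked):               # web-01, db-01, build-02, kiosk-07
        print(f"{f.priority():6.1f}  {f.host:9} {f.cve}")
    remediate(tracked, ("web-01", "CVE-0000-0001"), "vendor patch applied, service restarted")
    remediate(tracked, ("db-01", "CVE-0000-0004"), "configuration hardening only")
    rescan = [r for r in SCAN_DAY2 if r["host"] != "web-01"]  # db-01 still detected
    verify(tracked, ("web-01", "CVE-0000-0001"), rescan)      # -> closed
    verify(tracked, ("db-01", "CVE-0000-0004"), rescan)       # -> reopened
    return tracked


if __name__ == "__main__":
    for key, f in demo_cycle().items():
        print(key, f.state.value, "|", "; ".join(f.history))
```

Two design points carry the argument of the list above. First, the queue ordering puts a CVSS 9.8 finding on a low-impact kiosk below a CVSS 7.5 finding on the database server, which is what "prioritize by organizational impact, not just cybersecurity requirements" looks like in practice. Second, nothing ever moves an item to "closed" except a rescan performed after a documented remediation, so a finding that silently drops out of one scan, or that is still detected after a patch, cannot be mistaken for fixed.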
Level of effort matters. Remediation activities with a low level of effort essentially become part of business as usual. More complex remediation activities should be tracked as project tasks and actively managed to help ensure they are completed in a timely manner. These project tasks are included in organizational project plans alongside all other cybersecurity, operational, and business-line projects. The overall goal of managing remediation as project work is to ensure all projects are managed against common priorities. This provides insight into existing priorities across all levels of the organization and maximizes the chance that critical projects are allocated the resources they require.
Effective vulnerability management is rarely as simple as managing a list of vulnerabilities to fix. It is about addressing those vulnerabilities in a timely and efficient manner, while supporting organizational priorities, and ensuring responsible staff have the support for what is often considered highly demanding work.