Vulnerability Management: Identification of Vulnerabilities is Not Just a List of Problems
A corporate security program is a complicated thing. It is a combination of policy, training, procedures, and technical controls all designed with one basic goal – reducing risk to the organization. In times of tight budgets and dynamic business requirements requiring rapid adaptation to changing environments, security programs are only getting more difficult to manage. As such, any measure that reduces risk has potential value to that security program. One key element of reducing risks related to cybersecurity is managing the vulnerabilities existing in your environment.
Network and application penetration assessments can go a long way to help an organization manage the risk to which they are exposed on a regular basis – if implemented correctly. Unfortunately, many organizations do not take full advantage of test results to complement the rest of their security programs and maximize risk mitigation. Even organizations which conduct tests regularly often fail to follow key steps that would help engage in active management of their vulnerabilities. A report that details vulnerability findings, but does not provide enough information to fix the problems has failed its purpose.
One important purpose of penetration testing is to identify vulnerabilities in your environment. These are often the same vulnerabilities cybercriminals leverage to attack your organization. If you can identify the vulnerabilities, you can mitigate those vulnerabilities, and remove, or at least reduce, potential risk to your environment. Analysis shows tests often uncover vulnerabilities that are 10 or even 20 years old. On top of that, new vulnerabilities are being discovered at a record pace, making it even more important organizations accelerate identification of remediation activities to keep up with efforts of attackers.
The output of many penetration tests is a list of CVEs, descriptions, and affected systems.
While a list of identified CVEs and prepared descriptions may be a decent starting place, it does not complete the process of identifying the potential damage to which those vulnerabilities expose your organization – so does not really support your risk management requirements. An effective security program would include the following critical steps in the assessment of identified vulnerabilities:
1. How serious is the vulnerability? This is often represented as the Common Vulnerability Scoring System (CVSS) score. It is realistically a combination of how much access it provides an attacker, along with how easy it is to exploit. An exploit automated into a hacking tool, for instance, would be more serious.
2. What systems are at risk? Identification of the affected systems is critical to help in future steps, especially prioritizing mitigation. It is important to differentiate, for instance, if the vulnerability is present in a rarely used and easily decommissioned system, or does it appear in multiple systems critical to organizational operations.
3. Is a patch available for the specific system? And, can the patch be applied in a manner that will remediate the vulnerability. Identification of the vulnerability should include availability of remedial actions - exactly what is that patch – what version, where is it, and exactly how the patch is applied. Is it just a matter of running a system update, or do you have to recompile and rebuild code? Identification of the vulnerability must include actionable recommendation on how to address it. It is critical to remember there is a difference between an information system professional and a security professional. It is incumbent on an organization to effectively communicate security relevant information to information system professionals in a clear and concise manner.
4. Are there additional mitigating controls or actions? If there is no patch, are there other actions your organization can take to mitigate the vulnerability? Can you add a firewall rule, make a configuration change, or move, or even remove a system? Mitigating controls are often independent of any patch, in that they often work best in addition to applying a patch or include implementing additional controls or actions only if there is not a patch. In some cases, the optimal mitigation may be removing the affected system or software.
An effective penetration test is not just a list of vulnerabilities, but information to help you prioritize, remediate, manage, and report on the associated vulnerabilities. It should lead directly to a list of prioritized actions, and not require separate analysis by organizational staff who are not necessarily security professionals. A high-quality penetration test makes your life easier, and leads directly to reduced risk to the organization.