You don’t have to look hard to find organizations using only a small fraction of the capabilities of their vulnerability management tool. Often, that’s because the focus is on meeting a compliance obligation. For example, PCI DSS 3.2.1 says, “11.2.1 – Perform quarterly internal vulnerability scans.” It’s difficult to learn the capabilities of a tool that runs only quarterly. At the same time, the importance of an effective vulnerability management program is made clear by the weight placed upon it by the CIS Controls (and virtually every other security framework). CIS Control 3.1 calls out the best practice of running a vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization's systems. (Learn more here about version 7 of the CIS Controls.)

Recent disclosures remind us how important it is to have a top-notch vulnerability management strategy in place. For example, libssh (CVE-2018-10933) has an authentication bypass vulnerability in its server code. Effectively, this allows a remote attacker to authenticate without any credentials. The vulnerability was introduced in version 0.6, released in 2014, and survived until October 16, 2018, when it was fixed in versions 0.8.4 and 0.7.6. The bug was discovered by Peter Winter-Smith of NCC Group (@peterwintrsmith). Tripwire IP360 can remotely detect this vulnerability, and Tripwire VERT placed it at the top of the Patch Priority Index in October.

Here are three ideas that may help you get more from your vulnerability management tool.
1. Create an incentive plan for system owners based on the vulnerability score of the assets they manage.
Let’s face it, people are often motivated by carrots, and there is nothing like presenting an award to an employee to make them feel good about their work and contribution. Besides, a little competition among peers is a good thing. Make sure you’re using the tool’s workflow features to assign remediation to system owners and track their progress in fixing problems.
2. Let the vulnerability management tool work for you.
Many organizations try to over-manage their vulnerability tools and end up with hundreds of scenarios such as “I only want to scan the Unix servers running Apache on Wednesday night.” This creates a very complex scanning schedule. Organizations end up with no idea whether they are scanning their entire environment, yet they are managing more scheduled scans than they need. Recommendation: let the scan tool scan by subnet, collect everything you need on a frequency that supports your needs, and generate reports based on the results. You may need to be more creative by being less “creative.”
3. Keep in mind that patch management is not vulnerability management.
Don’t let your patch management tools lull you into a false sense of security when they say your systems are fully patched. Sometimes, what starts as a report of a suspected false positive turns into a discussion about a large number of vulnerabilities the patch management tool missed. This often happens when multiple versions of an application are installed, yet the tool only reports the latest installation. Ask yourself how many versions of Java exist on the systems you manage. It is also common when patches require additional configuration steps: patch management tools will often verify the installation of the patch but won’t verify that the post-installation configuration has been performed. In the end, the goal is to make the environment more secure, and sometimes a little more creativity can help you see beyond common mistakes and take full advantage of your vulnerability management tool.
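As an added illustration of the two points above (the libssh fix landing in two release branches, and a patch tool that only looks at the newest installed copy), here is a small Python example that is not part of the original post or of Tripwire's products. It encodes the affected and fixed libssh versions the post names, then runs that check over a constructed host inventory in which one host carries an old copy beside a patched one; the host names and version lists are invented for the example.

```python
# Added example: branch-aware version check for CVE-2018-10933 in libssh,
# applied to a constructed inventory where hosts may hold several copies.
from typing import Dict, List, Tuple

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.7.5' into (0, 7, 5) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in v.split("."))

# Facts from the post: introduced in 0.6, fixed in 0.7.6 and 0.8.4.
INTRODUCED = (0, 6)
FIXED_BY_BRANCH = {(0, 7): (0, 7, 6), (0, 8): (0, 8, 4)}

def libssh_vulnerable(version: str) -> bool:
    """True if this libssh version falls inside the affected range."""
    v = parse_version(version)
    if v < INTRODUCED:
        return False                      # predates the bug
    branch = v[:2]
    if branch == INTRODUCED:
        return True                       # 0.6.x never received a fix
    fixed = FIXED_BY_BRANCH.get(branch)
    if fixed is None:
        return False                      # assumption: branches after 0.8 postdate the fix
    return v < fixed

# Constructed inventory (not real hosts): host -> every installed libssh version.
INVENTORY: Dict[str, List[str]] = {
    "web-01": ["0.8.4"],
    "build-02": ["0.8.4", "0.6.3"],       # old copy beside the patched one
    "jump-03": ["0.7.5"],
    "legacy-04": ["0.5.5"],
}

def newest_only_view(inventory: Dict[str, List[str]]) -> Dict[str, bool]:
    """What a patch tool that reports only the latest install would conclude."""
    return {h: libssh_vulnerable(max(vs, key=parse_version)) for h, vs in inventory.items()}

def every_install_view(inventory: Dict[str, List[str]]) -> Dict[str, bool]:
    """Flag a host if any installed copy is vulnerable, as a scanner should."""
    return {h: any(libssh_vulnerable(v) for v in vs) for h, vs in inventory.items()}

def missed_by_patch_tool(inventory: Dict[str, List[str]]) -> List[str]:
    """Hosts the newest-only view calls clean but a full-inventory view flags."""
    newest, every = newest_only_view(inventory), every_install_view(inventory)
    return sorted(h for h in inventory if every[h] and not newest[h])

if __name__ == "__main__":
    print("missed by newest-only reporting:", missed_by_patch_tool(INVENTORY))
```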