Nine (and a half) signs your vulnerability management program is failing

What are the common indications that an organization's vulnerability management program is not functioning properly? Gary McCully of SecureState presents methods and suggestions for rooting them out and addressing the problems

By Gary McCully, SecureState

August 16, 2011 | CSO

Before we can address the question of how you can tell if your vulnerability management program is failing, we must answer a basic question: What is a vulnerability management program?

A vulnerability management program is a program that identifies vulnerabilities in an organization's network; monitors and tracks the remediation of these vulnerabilities; analyzes the root cause(s) of these vulnerabilities; and makes strategic changes to current processes in order to fix the root cause(s) of the vulnerabilities. For example, vulnerabilities are identified by performing some sort of assessment like a vulnerability assessment. The vulnerabilities are reviewed and the system owner of a vulnerable device is contacted in order to notify them that their system has a vulnerability which must be remediated. The system owner remediates the vulnerability and lets someone in the vulnerability management role know the vulnerability has been remediated.

Next the root cause of the vulnerability is reviewed in order to determine why the vulnerability was present in the network (i.e., a missing patch, web admin console with default password, SSLv2, etc.). The organization's current process (patch management process, minimum security baseline documentation, policies and procedures, etc.) is modified in order to prevent the vulnerability from reappearing in the future.

Most vulnerability management programs heavily rely on network and web application scanners, although these technologies should be supplemented by manual assessments such as attack and penetration testing and grey box web application assessments. A mature vulnerability management program is critical for any security program to be successful. If implemented correctly, a vulnerability management program can help to identify weaknesses in an organization's patch management program, firewall and router configurations, minimum security baselines, policies and procedures, web application developer training, etc. On the other hand, a poorly developed vulnerability management program can lead to an overall false sense of security.

The top indications an organization's vulnerability management program is failing are as follows:

The Same Vulnerabilities Appear on the Same Host Every Month
As a security consultant, I have performed my share of quarterly vulnerability assessments for many of our clients. Many times I find a critical vulnerability on one of the client's systems, and contact them to inform them that I recommend the vulnerability be addressed as soon as possible. Three months pass, and once again it is time to perform a vulnerability assessment on the client I found the critical vulnerability on three months earlier. To my amazement, I find that the critical vulnerability I had said should be addressed as soon as possible had not been addressed.
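As an added illustration (not code from the article or from SecureState), the following Python turns the sign above into a check: it reads a constructed quarterly scan export, lists findings that recur on the same host across assessments with how long they have persisted, and computes the share of each assessment's findings carried unremediated into the next one. The CSV layout and host addresses are assumptions.

```python
import csv
from collections import defaultdict
from datetime import date
from io import StringIO

# Constructed quarterly assessment export (sample data, not a real scan).
SCAN_HISTORY = """\
assessment_date,host,finding,severity
2011-02-15,10.0.0.5,Missing OS patch,critical
2011-02-15,10.0.0.5,SSLv2 enabled,medium
2011-02-15,10.0.0.9,Web admin console default password,critical
2011-05-15,10.0.0.5,Missing OS patch,critical
2011-05-15,10.0.0.12,SSLv2 enabled,medium
2011-08-15,10.0.0.5,Missing OS patch,critical
2011-08-15,10.0.0.5,SSLv2 enabled,medium
2011-08-15,10.0.0.12,SSLv2 enabled,medium
"""


def parse_scans(csv_text):
    """Parse the export into rows with a real date object per row."""
    rows = list(csv.DictReader(StringIO(csv_text)))
    for row in rows:
        row["assessment_date"] = date.fromisoformat(row["assessment_date"])
    return rows


def recurring_findings(csv_text, min_assessments=2):
    """Findings seen on the same host in at least `min_assessments`
    assessments, longest-open first, with how many days they persisted."""
    seen = defaultdict(set)
    for row in parse_scans(csv_text):
        seen[(row["host"], row["finding"], row["severity"])].add(row["assessment_date"])
    report = []
    for (host, finding, severity), dates in seen.items():
        if len(dates) >= min_assessments:
            report.append({"host": host, "finding": finding, "severity": severity,
                           "assessments": len(dates),
                           "open_days": (max(dates) - min(dates)).days})
    return sorted(report, key=lambda f: (-f["open_days"], f["host"], f["finding"]))


def carry_over_rate(csv_text):
    """For each consecutive pair of assessments, the fraction of the earlier
    assessment's (host, finding) pairs still present in the later one.
    A rate near 1.0 means almost nothing is being remediated between cycles."""
    by_date = defaultdict(set)
    for row in parse_scans(csv_text):
        by_date[row["assessment_date"]].add((row["host"], row["finding"]))
    dates = sorted(by_date)
    return {(prev.isoformat(), cur.isoformat()): len(by_date[prev] & by_date[cur]) / len(by_date[prev])
            for prev, cur in zip(dates, dates[1:])}
```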
