A look at the basics of vulnerability management and how to do it more effectively

The more apps companies deploy, the more complicated vulnerability management becomes. In the rush to find every security hole and seal it off from potential hackers, it’s easy to let something important slip through. That’s especially true if you’re an IT administrator juggling several tasks, of which security is only one.

Security practitioners can’t catch everything. But by breaking vulnerability management down to its basic parts, it may be possible to mount a more effective defense. CSO attended SANS Boston 2010 last month in search of those basics. What follows is the first of a three-part series on vulnerability management, based on a training session taught by SANS Institute President Stephen Northcutt called “SANS Security Leadership Essentials for Managers with Knowledge Compression.”

For the rest of the series, see Vulnerability management 2: Tools of the trade and Vulnerability management 3: Pen testing basics.

We begin by getting to the bottom of what vulnerability management is.

5 vulnerability management axioms

To get anywhere with vulnerability management, Northcutt said there are five things to consider first:

- Vulnerabilities are the gateways through which threats are manifested.
- Vulnerability scans without remediation have little value.
- A little scanning and remediation is better than a lot of scanning and less remediation.
- Vulnerabilities in need of fixing must be prioritized based on which ones pose the most immediate risk to the network.
- Security practitioners need a process that will allow them to stay on the trail of vulnerabilities so the fixes can be more frequent and effective.

Emphasizing the value of starting small, Northcutt noted, “One reason to scan a little at a time and then remediate is to avoid a situation where you have material knowledge of a significant vulnerability. If you have that knowledge and don’t remediate, your organization is not practicing due diligence.”

If a data breach happens and it’s traced back to a flaw the company knew about but didn’t fix, the consequences can be serious. “This could be factored into the punitive damages phase of a court case,” Northcutt said.

Primary threat vectors

Next, Northcutt said it’s important to identify the primary threat vectors an organization must worry about. They are:

- Outsider attack from network
- Insider attack from network (VPN)
- Outsider attack from telephone
- Insider attack from local network
- Insider attack from local system
- Attack from malware

The big worry is in what Northcutt called the “power of a pivot.” All the attacker needs is one toehold. “If there is one single vulnerability left unpatched that can be reached from outside the organization and it is compromised, that system can be used as a springboard or ‘pivot’ to attack other systems on the same network,” he said.

A matter of psychology

For company executives to grasp the importance of vulnerability management, it’s important to speak in a language they can understand. Forget about explaining the exact location of a software hole or how a particular piece of technology is needed. Instead, Northcutt said, it’s critical to cut right to the stuff that keeps execs awake at night.

What might the boss fear? Northcutt gave the following examples:

- A Web server compromise could expose the organization to ridicule.
- A compromise might expose private customer data, which could lead to lawsuits and worse.
- An insider who is angry and might therefore want to do something bad, like set off a logic bomb.
- An insider who feels entitled and sells company trade secrets.
- Employees who are easily duped by social engineering tricks, leaking sensitive data to the press in the process.
- A hacker who penetrates systems and finds evidence of wrongdoing that can then be used to blackmail the company.

To comprehend the gravity of the situation, practitioners need to look at the challenge from three different viewpoints. There’s the outside view — being able to see the world as if you were an outsider on the Internet looking at your organization; the inside view, where the focus is on how well systems are configured; and the user view, where users can access the Internet mostly through Web and e-mail from inside the network.

Why does an organization need all three views? Because, Northcutt said:

- Most organizations only accomplish an outside or external view, using a scanner like Core Impact, Nessus or NeXpose.
- If a user is able to surf the Web and hit a malicious site, his or her system can be used to attack seemingly unreachable systems.
- For years the SCADA security model was that if you weren’t connected to the Internet you had nothing to fear. Since SCADA systems are increasingly linked to the Internet, there is indeed much to fear.

With these things in hand, Northcutt said the time is right to look at the various scanners and penetration techniques at one’s disposal.

Part 2 of this series will focus on the available scanners, how they differ from one another and how to decide which is best for your organization. Part 3 will explore ways to determine how big a risk certain flaws are and how to prioritize fixes.
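One way to turn the axioms above (prioritize by the most immediate network risk, keep a process that tracks what you already know) and the threat-vector list into a working remediation queue, as an added Python example that is not from the article or from SANS. The exposure weights, the 30-day remediation window and the sample findings are assumptions made for illustration.

```python
"""Remediation queue applying two of the page's axioms: rank open findings by
how immediately they endanger the network (a hole reachable from outside is a
pivot candidate and outranks a purely local one), and flag findings the
organisation has had 'material knowledge' of for longer than its own window.
All sample data below is constructed, not real scan output."""
from dataclasses import dataclass
from datetime import date

# Assumed weights, ordered like the page's threat-vector list (malware is
# treated as a consequence of the others rather than a reachability class).
EXPOSURE_RANK = {
    "outside_network": 5,
    "insider_vpn": 4,
    "outside_telephone": 3,
    "insider_local_network": 2,
    "insider_local_system": 1,
}

@dataclass
class Finding:
    host: str
    issue: str
    cvss: float            # 0-10 severity as reported by the scanner
    exposure: str          # one of the EXPOSURE_RANK keys
    first_seen: date       # when the organisation first learned of it
    remediated: bool = False

def priority(f: Finding) -> float:
    """Higher means fix sooner: scanner severity weighted by reachability."""
    return f.cvss * EXPOSURE_RANK[f.exposure]

def remediation_queue(findings, today: date, max_known_days: int = 30):
    """Open findings ordered by priority; each tuple is (finding, score,
    overdue), where overdue means it has been known longer than the
    assumed remediation window of max_known_days."""
    open_items = [f for f in findings if not f.remediated]
    ranked = sorted(open_items, key=priority, reverse=True)
    return [(f, priority(f), (today - f.first_seen).days > max_known_days)
            for f in ranked]

# Constructed sample findings and an assumed "as of" date.
AS_OF = date(2010, 9, 1)
SAMPLE = [
    Finding("web01", "outdated TLS library", 7.5, "outside_network", date(2010, 7, 1)),
    Finding("db01", "weak local service ACL", 9.0, "insider_local_system", date(2010, 8, 20)),
    Finding("vpn-gw", "unpatched VPN concentrator", 6.0, "insider_vpn", date(2010, 8, 25)),
    Finding("ws17", "old browser plugin", 8.0, "insider_local_network", date(2010, 6, 1), True),
]

if __name__ == "__main__":
    for f, score, overdue in remediation_queue(SAMPLE, AS_OF):
        print(f"{score:5.1f} {'OVERDUE' if overdue else 'ok':8} {f.host}: {f.issue}")
```

Note that the highest-CVSS finding (db01) lands last because it is reachable only from the local system, while the externally reachable web01 leads the queue and is also flagged as overdue known-but-unfixed exposure.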