Don't wait until the audit or incident response forensic exam to find out that your vulnerability assessment program is broken.

Information security professionals don't need to be convinced of the importance of a robust vulnerability assessment program. Published surveys, including the Center for Internet Security Critical Controls, consistently rank vulnerability assessment and remediation as one of the most important strategies in managing cybersecurity risk.

It is the rare organization that has the resources to fix all vulnerabilities, so trade-offs need to be made. Sometimes businesses will choose a technology solution with known vulnerabilities, yet continue to expect that information security will somehow protect the organization from any potential exploits that could result from this selection, no matter the cost to the information security function. But what exactly does that mean, at what cost, and who is paying for it?

Audit reports, whether produced as part of an organization's internal audit program or from a forensic perspective after a breach, reveal increasing gaps between what governance functions expected and what the information security function was able to deliver. Here are some gotchas your organization can address to mitigate these misunderstandings, hopefully saving both your organization's reputation and your career.

No policy or service-level agreement? Then you'll do it my way.

It begins with expectations. Too often audits (or worse yet, forensic reviews after a breach occurs) reveal that critical servers remain unpatched. This also includes business users refusing to reprimand or replace vendors that do not securely code or properly patch their applications. A policy or service-level agreement can be used to communicate and document mutual expectations. Needed exceptions to the policy or agreement should also be documented and communicated to the appropriate governance function. Can't come to an agreement with your internal stakeholders? The auditor will recommend a way as part of the audit report.

Don't have the resources to get the job done? You should have told us.

Just because you have an agreement or policy doesn't mean you have the funding to implement the requirements. On audits we frequently hear the "we don't have the resources" justification for not delivering services per the policy or service-level agreement. If there are gaps, it is critical to communicate this to management and your steering or governance committee before problems arise (after all, you agreed to the policy or service-level agreement). Provide options on what can be done effectively and efficiently with the resources you have, and identify the threats and the funding needed for what you don't have. Seldom will insufficient resources be accepted as an excuse. Business is all about making investment decisions based on risk. Your responsibility is to expertly communicate the issues so that executive management (and the board) can make the decision that is best for the organization given their risk appetite.

What type of issues will we act upon? Don't ignore the obvious.

Many information security functions implement some form of risk assessment to help prioritize the allocation of resources. So yes, more attention should be paid to higher-severity vulnerabilities impacting higher-risk assets (which generally makes sense). However, we frequently see that vulnerabilities resulting in information disclosures that can be used in reconnaissance get overlooked or ignored. I'm not suggesting that they should receive the same attention as higher threats and vulnerabilities, but rather that there should be a periodic program to look at these lesser threats, which can yield a treasure trove of information during reconnaissance exercises.

Is your hardware inventory up to date? Better find out before I do.

Perhaps no other information security-related issue frustrates the "suits" as much as an IT function that can't accurately account for its hardware (and software) inventories. This is because custodianship of assets is a basic and fundamental internal control; you don't have to be a cybersecurity expert to understand the problem. Many security practitioners believe that you can't protect what you don't know you have. Network mapping (included as a feature in many vulnerability assessment tools) can jumpstart your inventory compliance efforts, and its results should be reconciled against what you expected to be on the network.

Did you scan everything you had to (was everything live)? Follow up and beware of change control issues.

Dead or inactive hosts are a "quagmire" for security professionals. Yes, they may be in the current inventory of critical assets to be scanned, yet for whatever reason they are offline or not present for the scan. As they were deemed critical, they still need to be scanned; if they have moved to a new address, that change must be reflected in the inventory of assets to be scanned. When technology operations do not inform information security of changes, a change control issue results (in addition to the security issues), and that impacts the overall control environment of the organization (e.g., a Sarbanes-Oxley compliance issue). Not following up can also be an indicator of a "robot" vulnerability assessment program that does not adjust to evolving threats.

Vulnerability assessment is a critical control that will garner the attention of those responsible for corporate governance. It takes a lot of time and hard work to ensure that your organization's assessment program achieves its goals. By avoiding the above "gotchas" you can help work toward that goal and stay out of trouble with the corporate types.
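The inventory-reconciliation and dead-host follow-up described in the two sections above, as an added example that is not part of the article: it compares a scanner's mapping output against the expected asset inventory and sorts the gaps into the buckets an auditor will ask about. The inventory rows, scan results and field names are constructed for illustration.

```python
"""Reconcile a vulnerability scanner's mapping (discovery) results against the
asset inventory you expect to be on the network. Added example, not from the
article; the inventory rows, scan results and field names are constructed."""
from collections import namedtuple

Asset = namedtuple("Asset", "name ip critical")  # expected inventory entry
Scan = namedtuple("Scan", "name ip live")        # mapping result; live=False means in scope but unresponsive

# Constructed sample inventory: what infosec expects to find.
INVENTORY = [
    Asset("db-prod-01", "10.0.1.10", critical=True),
    Asset("web-prod-01", "10.0.1.20", critical=True),
    Asset("file-srv-02", "10.0.2.30", critical=False),
    Asset("hr-app-01", "10.0.3.40", critical=True),
]

# Constructed sample scanner output for the same scan window.
SCAN = [
    Scan("db-prod-01", "10.0.1.10", live=True),
    Scan("web-prod-01", "10.0.1.21", live=True),   # re-addressed without telling infosec
    Scan("file-srv-02", "10.0.2.30", live=False),  # non-critical host offline
    Scan("hr-app-01", "10.0.3.40", live=False),    # critical host offline at scan time
    Scan("", "10.0.9.99", live=True),              # answering, but in nobody's inventory
]


def reconcile(inventory, scan):
    """Group the gaps an auditor will ask about: unknown hosts, silent address
    changes, critical assets that were not actually scanned, and other misses."""
    by_ip = {a.ip: a for a in inventory}
    by_name = {a.name: a for a in inventory}
    seen_live = {r.ip for r in scan if r.live}
    f = {"unknown_hosts": [], "address_changed": [], "dead_critical": [], "not_scanned": []}
    for r in scan:
        if r.ip in by_ip:
            continue                      # expected address, nothing to reconcile here
        if r.name in by_name:             # known asset at a new address: change control gap
            f["address_changed"].append((r.name, by_name[r.name].ip, r.ip))
        else:                             # on the network but absent from the inventory
            f["unknown_hosts"].append(r.ip)
    moved = {name for name, _, _ in f["address_changed"]}
    for a in inventory:
        if a.ip in seen_live or a.name in moved:
            continue
        # In scope but no live scan result: critical assets need follow-up, not a shrug.
        f["dead_critical" if a.critical else "not_scanned"].append(a.name)
    return f
```

Run `reconcile(INVENTORY, SCAN)` after each scan and treat a non-empty `address_changed` list as a change control finding to raise with technology operations, not just an inventory update.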