P. 47
appropriate operational team and assign ownership to the team. This process includes plans for
the organization’s next vulnerability re-scan to measure how the operational team is doing.
PCI-based. PCI recommends that organizations take a risk-based approach to remediating
vulnerabilities, but organizations driven by PCI often take a strict pass/fail approach instead: if a
vulnerability would cause a failing scan report, that is what the organization fixes first. For
example, a Denial of Service vulnerability can carry a Common Vulnerability Scoring System
(CVSS) score of 10.0 and still be considered “passing” under the PCI scan rules, which do not treat
DoS-only findings as automatic failures. It is entirely plausible that such a finding would be
ignored by many organizations simply because it does not affect their PCI compliance status.
Given these types of processes, it is crucial that organizations understand the root cause of each
vulnerability and identify the security controls that failed or were missing. Organizations tend to
treat vulnerabilities as something that happened to them rather than proactively asking why their
systems and environments become, and often remain, vulnerable. Some vulnerabilities are
legitimately the result of weaknesses in the software itself, but in many cases the vulnerability
results from actions taken, or not taken, by the organization.
VLM shouldn’t just be about reporting the number of critical, serious, or informational
vulnerabilities in January and then repeating the same statistics in February, March and so on. It
should be an analysis of which third-party vendors, products, security controls or processes
caused the vulnerabilities and what was done to address them. The most secure organizations
emphasize what can be done to prevent similar vulnerabilities in the future.
The results are only meaningful if they actually help you manage the vulnerabilities and improve
the organization’s overall security posture. Not all vulnerabilities pose an equal threat to the
organization, and not all vulnerabilities can be closed with the same level of effort. The “find it,
fix it and move on” approach misses the opportunity to avoid future threats by raising the
baseline security of deployed systems, and that is where organizations are missing the mark.
VLM should be about understanding the root cause of the vulnerability and how it impacts
your organization, addressing that cause, remediating the vulnerability, and validating the fix
across repeated scans through ongoing verification of the security control. An effective VLM
program will not just ensure that isolated patches have been applied to specific systems; it will
improve the effectiveness of actually managing (identifying, tracking, mitigating and reporting)
vulnerabilities across the entire enterprise.
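The following is an added illustration written for this edit, not code from the article or from Solutionary. It models two of the points above on constructed scan data: first, how a strict PCI pass/fail ordering of findings differs from a risk-based ordering (the CVSS 10.0 denial-of-service finding lands near the bottom of the PCI list and at the top of the risk list); second, how following each finding across repeated scans, with a root cause recorded against it, turns month-over-month statistics into persistent, remediated and regressed findings that can be traced to a failed control. The PCI rule is a deliberate simplification of the ASV Program Guide criterion (CVSS base score of 4.0 or higher fails; DoS-only findings are not automatic failures; the guide's other special cases are ignored), and the risk weights, hosts, plugin identifiers and root-cause labels are all invented for the example.

```python
# Added example: not code from the article or from Solutionary.
# Assumptions: simplified PCI ASV pass/fail rule (CVSS >= 4.0 fails, DoS-only
# findings never fail, other special cases ignored); the risk weights and all
# hosts, plugin IDs and root-cause labels below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str        # scanner check identifier (constructed)
    cvss: float           # CVSS base score
    dos_only: bool        # impact is denial of service only
    exploit_public: bool  # a public exploit exists
    asset_critical: bool  # host handles cardholder or otherwise critical data
    root_cause: str       # the control or process that let the weakness in


PCI_ASV_FAIL_THRESHOLD = 4.0   # ASV Program Guide: CVSS >= 4.0 is a failing finding
EXPLOIT_WEIGHT = 1.5           # assumed weights for the risk-based view
CRITICAL_ASSET_WEIGHT = 2.0


def pci_asv_fails(f):
    """Simplified PCI ASV pass/fail: DoS-only findings are not automatic failures."""
    return f.cvss >= PCI_ASV_FAIL_THRESHOLD and not f.dos_only


def risk_score(f):
    """Risk-based priority: CVSS adjusted for exploitability and asset context."""
    score = f.cvss
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    if f.asset_critical:
        score *= CRITICAL_ASSET_WEIGHT
    return score


def prioritize(findings, mode):
    """Return findings in remediation order under the chosen approach."""
    if mode == "pci":
        def key(f):
            return (pci_asv_fails(f), f.cvss)      # failing items first, then CVSS
    elif mode == "risk":
        def key(f):
            return (risk_score(f), f.cvss)         # highest risk first, then CVSS
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return sorted(findings, key=key, reverse=True)


def key_of(f):
    return (f.host, f.plugin_id)


def classify(scans):
    """Follow each (host, plugin) across an ordered list of scans.

    new: first seen in the latest scan; persistent: present in every scan since
    first seen; remediated: absent from the latest scan; regressed: fixed at
    some point and then back again, i.e. the fix did not hold.
    """
    last = len(scans) - 1
    seen = {}
    for i, scan in enumerate(scans):
        for f in scan:
            seen.setdefault(key_of(f), set()).add(i)
    out = {"new": [], "persistent": [], "remediated": [], "regressed": []}
    for key, idx_set in seen.items():
        idx = sorted(idx_set)
        if last not in idx:
            out["remediated"].append(key)
        elif len(idx) == 1:
            out["new"].append(key)
        elif idx == list(range(idx[0], last + 1)):
            out["persistent"].append(key)
        else:
            out["regressed"].append(key)
    return {k: sorted(v) for k, v in out.items()}


def root_cause_summary(findings):
    """Count open findings by root cause; these counts should fall month over month."""
    return dict(Counter(f.root_cause for f in findings))


# Constructed scan results for January, February and March (not real data).
JAN = [
    Finding("web01", "12345", 10.0, True, False, True, "unpatched vendor product"),
    Finding("web01", "22222", 5.0, False, True, True, "missing hardening baseline"),
    Finding("db01", "33333", 7.5, False, False, True, "unpatched vendor product"),
    Finding("jump01", "44444", 3.5, False, True, False, "config drift"),
]
FEB = [JAN[0], JAN[2],
       Finding("app02", "55555", 9.0, False, True, False, "missing hardening baseline")]
MAR = FEB + [JAN[3]]   # the jump01 finding is back: its fix did not stick

if __name__ == "__main__":
    print("PCI order: ", [f.plugin_id for f in prioritize(JAN, "pci")])
    print("Risk order:", [f.plugin_id for f in prioritize(JAN, "risk")])
    print(classify([JAN, FEB, MAR]))
    print(root_cause_summary(MAR))
```

Under the PCI ordering the DoS finding with a CVSS of 10.0 is pushed behind a 5.0 because it cannot fail the scan; under the risk ordering it is first. Across the three scans the report no longer says "four findings, then three, then four" but names the one that regressed and attributes the open set to two root causes that keep producing findings.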
About the author
Jon-Louis Heimerl is the senior security strategist for Omaha-based
Solutionary, Inc., a provider of managed security solutions, compliance and
security measurement, and security consulting services. Mr. Heimerl has over
25 years of experience in security and security programs, and his background
includes everything from writing device drivers in assembler to running a
world-wide network operation center for the US Government. Mr. Heimerl has
also performed commercial consulting for a variety of industries, including
many Fortune 500 clients. Mr. Heimerl's consulting experience includes
security assessments, security awareness training, policy development,
physical intrusion tests and social engineering exercises.