Removing vulnerabilities is crucial to managing your information security risks.
We can help lower an organization’s ongoing security risk by lowering the vulnerabilities or weaknesses in computer software and operating systems. This reduces weaknesses available for exploit by a cybercriminal or malware or other threat.
Leave the keys in the car with the door unlocked and sooner or later the car is going to be stolen.
Leave the infrastructure and applications that run the business unpatched and sooner or later something bad is going to happen.
Vulnerability management (or VM for those of you who insist on communicating with acronyms) a repeatable process or practice of identifying vulnerabilities (especially for software and firmware) within the enterprise, classifying them by their severity and either remediating or accepting the risk they pose to the environment. A vulnerability management process steps through identifying, classifying, remediating and mitigating vulnerabilities, or weaknesses, in software applications and operating systems.
Vulnerability management is a critical leading security practice for an organization of any size. It is an expectation to meet compliance with the Payment Card Industry’s Data Security Standard and other regulatory authorities.
Many of the steps or processes involved in VM use technology to automate some of the work.
Jacadis uses QualysGuard in the field as well as with customers building their own vulnerability management program. With Qualys we can map a network to identify the systems that are on it. We can then scan each system and identify vulnerabilities on that system. Qualys ranks vulnerabilities by severity. We can then prioritize fixing them by severity. Qualys provides support for the workflow of getting found vulnerabilities fixed and confirming that the fix has been successful.
Some clients are overwhelmed with vulnerability data and find they need consider threats as a part of their vulnerability prioritization. In those environments Jacadis uses Kenna’s product to integrate the results of vulnerability scan data with the results from 8 different threat feeds. This accelerates the prioritization of what needs fixed first in order to improve the company’s security posture.
Tools are important, but it isn’t as simple as just scanning and fixing.
Once scanned there are other steps that need IT staff involvement. Patches need to be deployed, applications updated and systems hardened. Sometimes exceptions need to be managed. Other times countermeasures need to be implemented because not all vulnerabilities can simply be fixed with a patch.
And the process isn’t a one-time thing. It needs to be implemented as a routine regular recurring mature process.
We believe there are five core components to a mature vulnerability management program:
- Vulnerability Management Policy, which defines the organization’s vulnerability management posture, the level of security the firm wants to maintain, key processes within the firm’s vulnerability practices, reporting and compliance. The policy guides IT staff in performing the function and guides management in providing oversight.
- Patch Management Policy, which defines the organization’s stance on patching including the frequency of patching, testing, deployment, auditing, recovering from flawed patches, reporting and compliance.
- Automated vulnerability scanning tools are necessary in today’s environment as both a security leading practice and oftentimes as a compliance requirement.
- Reporting and metrics requirements should be defined in both the Vulnerability Management and the Patch Management Policy. Many of our clients regularly report vulnerability and patch management efforts to their information security steering committee for oversight.
- Audit and compliance requirements should be defined in both the Vulnerability Management Policy and the Patch Management Policy. Staff and tools need to be deployed to verify that the practices defined in the policies are being followed.