Strategies to protect against network security vulnerabilities

The reality we must face is that Internet security vulnerabilities are never going away. Every year the number of identified vulnerabilities increases at an alarming rate.

Last year, the CERT Coordination Center at Carnegie Mellon University in Pittsburgh reported 4,129 vulnerabilities, compared with 1,090 in the year 2000. That's nearly a fourfold increase (279%) in only two years.

CERT also reported that more than 95% of intrusions result from the exploitation of known vulnerabilities or configuration errors for which countermeasures were already available. The attackers who exploit these vulnerabilities are continually getting more sophisticated. Add the heightened threat of terrorist activity and the looming fear of what organizations stand to lose, and you have daunting security challenges.

How can overwhelmed administrators who are already short on resources prepare and execute a vulnerability defense strategy? And can those preparations wait? These questions, among others, haunt security administrators who understand the severe damage and information loss that an exploited vulnerability can cause.

Administrators must take a proactive approach to resolving vulnerabilities. If recent history of cyberattacks has taught us anything, it's that you can't protect yourself after the attack has started.

The vulnerability remediation best practices outlined below help administrators assess their current risk, prepare their vulnerability defense with minimal interruption to current processes and lay the groundwork to address future vulnerabilities proactively, with their current IT staff, before they are exploited.

Step 1: Identification/Discovery of Systems

This initial step gives you, as security administrator, a clear view of the network. An assessment tool or network mapping software scans all networks and subnetworks to determine which IP addresses are in use and which devices are connected at those addresses. Scan every address range you own, not just the ranges you believe are populated: a device that discovery misses is never assessed or patched.

Once all devices are identified, you can determine which systems are most critical to protect and rank them in order of priority. That ranking is reused later, when vulnerabilities are prioritized for remediation.

Step 2: Vulnerability Assessment

Vulnerability assessment tools, or scanners, identify vulnerabilities within the network. The vulnerabilities most of these tools identify extend beyond software defects (which are fixed by patching) to other easily exploited weaknesses, such as unsecured accounts, misconfigurations and even back doors. Several types of assessment tool are available.

Although these tools have general similarities, they vary in the methods and processes they use to identify vulnerabilities, and each has its own naming and severity scale for what it finds. As a best practice, don't rely on a single assessment tool; use different tools to gain a broader view of your exposure, and expect to reconcile their output, since the same issue is often reported under different names and ratings. Open-source or shareware assessment tools are available online and can supplement commercial scanners.

Information on commercial scanners can be found on the Common Vulnerabilities and Exposures (CVE) Web site, which maintains a list of CVE-compatible products.

Carl Banzhof

Step 3: Vulnerability review

Vulnerability scanners generate reports that can run to hundreds or even thousands of pages. They provide details such as the name, description and severity rating of each finding. Some scanners also provide remedies that can be applied manually to neutralize the vulnerability.

This critical step is often where administrators give up because of the perceived magnitude of manual work required to neutralize the vulnerabilities. Some fail to realize that not every vulnerability found needs to be resolved. In fact, some of the fixes required would interrupt other network operations; those findings should be handled another way, such as by restricting access to the affected service, or formally accepted as a known risk rather than patched blindly.

The key objective of this step is to understand clearly where your network is at risk and to prioritize the most critical vulnerabilities and systems in preparation for remediation. Severity alone isn't enough: a medium-severity finding on a critical system can outrank a high-severity one on an unimportant host, which is why the system ranking from Step 1 matters here. Some limited review capabilities are available within the scanners or the scan report. A more effective approach is to use vulnerability remediation and review tools that combine data from multiple scanners and provide several ways to organize and review the data.

Step 4: Vulnerability remediation

Once the vulnerabilities have been reviewed and put in order of priority, you must determine how to approach the remediation. Three typical options are available to security administrators:

  • Manual remediation: This option is effective only if you manage a small network and have determined that relatively few vulnerabilities (fewer than 10) need to be remediated. You simply follow the steps outlined by the commercial scanner to address each vulnerability by hand.
  • Patch deployment tools: Patch deployment tools let administrators resolve some vulnerabilities by deploying patches or hot fixes. This option addresses only a subset of the vulnerabilities plaguing the network, namely those that a patch can fix, and patch deployment tools rarely integrate with commercial vulnerability scanners. So it's essential to rescan the network with a second scanner to identify the vulnerabilities that a patch or hot fix doesn't address, such as weak accounts and misconfigurations. Those can then be addressed manually or with automated remediation tools.
  • Automated remediation tools: These are the most effective choice for organizations of any size that need to resolve more vulnerabilities than can be managed manually. Vulnerability remediation technology not only deploys patches and hot fixes; it can also address the other vulnerabilities identified by commercial scanners. These tools give administrators control over exactly which vulnerabilities will be repaired and when, and they add flexibility by supporting multiple commercial scanners and customizable remediation policies. As with any tool that changes production systems, stage a remediation policy on test hosts before applying it network-wide.

The Common Vulnerabilities and Exposures Web site is also a good resource for finding information about these tools.

After any of the above options is completed, run a differential scan of the repaired devices to verify the effectiveness of the remediation: compare the new findings against the original scan so that fixed, still-open and newly introduced issues are each visible. A fix that silently failed, or a service that a user turned back on in the meantime, shows up only in that comparison.
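Steps 3 and 4 are mostly bookkeeping: the same issue arrives from two scanners under different names and ratings, findings have to be ranked against the system priorities from Step 1, and the rescan has to be compared with the original. The script below is an added example, not code from the article or from any product it mentions. The inventory, the two scanner result sets and the rescan are constructed sample data, and the CVE-0000-xxxx identifiers are placeholders rather than real CVE entries; a real scanner export would be parsed into the same (host, cve, title, severity) shape.

```python
"""Combine findings from multiple scanners, rank them against the asset
inventory, and verify fixes with a differential rescan.

Added example; not the article's code. All scanner output and the inventory
below are constructed sample data, and the CVE-0000-xxxx identifiers are
placeholders, not real CVE entries.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str        # "CVE-YYYY-NNNN", or "" for misconfigurations/accounts with no CVE
    title: str
    severity: int   # normalized 1 (low) .. 5 (critical); each scanner's scale mapped here


# Constructed inventory from the discovery step: host -> (name, criticality 1..3).
INVENTORY = {
    "10.0.0.10": ("mail-gw", 3),
    "10.0.0.20": ("intranet-web", 2),
    "10.0.0.50": ("print-srv", 1),
}
# A host the scanner sees but discovery missed is itself a finding: treat it as
# critical until it has been classified rather than quietly ranking it last.
UNKNOWN_HOST_CRITICALITY = 3

# Constructed output of two different scanners run over the same address range.
SCANNER_A = [
    Finding("10.0.0.10", "CVE-0000-0001", "Mail server buffer overflow", 5),
    Finding("10.0.0.20", "CVE-0000-0002", "Web server directory traversal", 4),
    Finding("10.0.0.20", "", "Anonymous FTP write access enabled", 3),
    Finding("10.0.0.50", "", "SNMP community string 'public'", 3),
]
SCANNER_B = [
    Finding("10.0.0.10", "CVE-0000-0001", "MTA remote overflow", 4),      # same CVE, other name
    Finding("10.0.0.20", "", "anonymous  FTP write access enabled", 4),   # same issue, other wording
    Finding("10.0.0.10", "", "Guest account enabled with blank password", 4),
    Finding("10.0.0.77", "", "Open X11 server", 2),                      # host not in inventory
]


def finding_key(f):
    """Identity used to match the same issue across scanners: the CVE when
    there is one, otherwise the title with case and spacing normalized."""
    if f.cve:
        return (f.host, f.cve.upper())
    return (f.host, " ".join(f.title.lower().split()))


def merge_findings(*scans):
    """Union of several scanners' findings, one record per (host, issue).
    When tools disagree on severity, keep the higher rating."""
    merged = {}
    for scan in scans:
        for f in scan:
            k = finding_key(f)
            if k not in merged or f.severity > merged[k].severity:
                merged[k] = f
    return merged


def prioritize(merged, inventory=INVENTORY):
    """Rank findings by severity x asset criticality, highest first."""
    ranked = []
    for f in merged.values():
        _, crit = inventory.get(f.host, ("<unclassified>", UNKNOWN_HOST_CRITICALITY))
        ranked.append((f.severity * crit, f))
    ranked.sort(key=lambda item: (-item[0], item[1].host, finding_key(item[1])))
    return ranked


def diff_scan(before, after):
    """Differential scan: which issues the rescan shows fixed, still open, and new."""
    fixed = sorted(k for k in before if k not in after)
    remaining = sorted(k for k in before if k in after)
    new = sorted(k for k in after if k not in before)
    return fixed, remaining, new


# Constructed rescan after the top two items were remediated; a user has since
# turned on telnet on the print server, which is how vulnerabilities creep back.
RESCAN = [
    Finding("10.0.0.20", "CVE-0000-0002", "Web server directory traversal", 4),
    Finding("10.0.0.20", "", "Anonymous FTP write access enabled", 3),
    Finding("10.0.0.77", "", "Open X11 server", 2),
    Finding("10.0.0.50", "", "SNMP community string 'public'", 3),
    Finding("10.0.0.50", "", "Telnet service enabled", 2),
]

if __name__ == "__main__":
    before = merge_findings(SCANNER_A, SCANNER_B)
    for score, f in prioritize(before):
        name = INVENTORY.get(f.host, ("<unclassified>",))[0]
        print(f"{score:3d}  {f.host:<10} {name:<14} {f.cve or '-':<14} {f.title}")
    fixed, remaining, new = diff_scan(before, merge_findings(RESCAN))
    print(f"fixed={len(fixed)} remaining={len(remaining)} new={len(new)}")
```

Two choices are deliberate. Matching on the CVE name where one exists, and on a normalized title otherwise, is what lets two scanners' reports collapse into one list instead of double-counting; it is also why a site-wide naming convention for non-CVE findings is worth agreeing on before the first merge. And the rescan comparison reports three sets, not a pass/fail count: the "new" set is the signal that Step 5 is about, because it is where reintroduced vulnerabilities first appear.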

Step 5: Ongoing vulnerability management

The need for ongoing management of network vulnerabilities is often overlooked at the outset of a vulnerability remediation project. Yet with new vulnerabilities identified every day and users reintroducing vulnerabilities into their environments, the remediation strategy needs to be repeated regularly.

Consequently, this step must be considered in the early project planning stages. The tactics you use to identify and repair vulnerabilities must be scalable and repeatable, which in practice means the discovery scan, the assessment, the review and the verifying rescan are all run the same way each cycle, so that results can be compared across cycles. As a result, many security administrators are testing and implementing more automated solutions that let them remediate their network at least every quarter, and in some cases monthly.

There is no silver bullet that will eliminate the growing list of vulnerabilities. But IT security professionals can address their current exposures and prepare an adequate defense by proactively defining and executing a plan that follows these best practices and uses the latest automated technologies to make the plan repeatable.


Copyright © 2003 IDG Communications, Inc.