The recent increase in the number of data breaches has made many financial institutions take a harder look at their vulnerability and patch management practices. This week’s Friday 5 will provide some key concepts that will hopefully help you sleep better. They are based on the problems we most often see as we are looking at vulnerability and patch management programs.
- Keep it simple. We often see institutions trying to track (and report on) vulnerabilities and missing patches using multiple systems. This usually results in confusion, as these systems will often differ in their classification of risk and will sometimes even disagree on whether a patch is present at all. Remember that a missing patch is always a vulnerability, but not every vulnerability is a missing patch. Since a good vulnerability management system should detect missing patches as well as vulnerabilities that cannot be remediated by simply applying a patch, we recommend using the vulnerability management system as your primary window into the overall effectiveness of your vulnerability and patch management program. This makes it much easier to measure program effectiveness.
- Know your assets. Good vulnerability and patch management starts with ensuring that you know everything that is attached to your network and that you classify each device based on its risk (based on data classification, required availability, and process dependence). These classifications should then be used to prioritize how quickly vulnerabilities and missing patches are remediated. The most critical assets (external websites, for instance) should require quicker remediation than less critical assets (such as internal printers). Do not rely on manual inventory control processes alone to identify and add assets to vulnerability and patch management systems, as these processes often fail to properly account for all assets. Instead, periodically use a network scanning tool and reconcile its results against the vulnerability management system to discover any systems on the network that are not accounted for. Following these practices helps ensure that there are minimal unknown vulnerabilities on the network.
- Automate as much as you can, as often as you can. We often see institutions performing monthly vulnerability scanning and monthly workstation patching. We have seen many cases where a system with a high-risk vulnerability escapes detection or remediation because it is off the network during the monthly scan window. Monthly scanning or remediation is inadequate given the rate at which vulnerabilities are discovered and exploited today. The practice of monthly scanning usually comes from concerns that scanning and patching will disrupt networks and users, but it has been our experience that well-tuned scanning will very rarely be noticed by users, and that users are usually accepting of some patching inconvenience if they are educated about the risks of not patching. We recommend investing in tools that will automate scanning of all assets on at least a weekly basis, and other tools that automate the application of patches as much as possible and as often as possible based on the availability requirements of each asset. This automation will give your staff more time to focus on any exceptions.
- Regularly monitor, verify, and adjust. Vulnerability and patch management will always be an evolving process and will never be perfect. Regularly review reports generated by the vulnerability management system and discuss any improvements needed when the program is not remediating vulnerabilities within the time frames defined by the risk of the asset. Hire penetration testers to ensure that there are no undetected vulnerabilities putting your institution at risk, and when they are found, work with your vendors to learn how to detect them. Regularly reconcile the data from the vulnerability management system to the data in the patch management system and to the asset discovery scans to verify that the systems are working together well, and work with the vendors to understand any discrepancies and adjust the systems to compensate.
- Pick your battles. There will always be vulnerabilities that cannot be easily remediated. This might be because the vulnerability is in a program that cannot be upgraded as required due to a critical dependence on another piece of software. It might be that all efforts to remediate have failed, and it is believed to be a “false positive” detection. It may be that the vulnerability requires manual intervention on every workstation across multiple locations to remediate. It is important in these cases to assess the true risk of the vulnerability within your environment, and to determine the amount of time and effort you are willing to expend on its remediation given all of the other priorities of the organization. If a workstation vulnerability is rated as critical by the vendor but requires that the user be an administrator on the system to exploit, you may decide that remediation can take more time because your users never have administrator access to their workstation. In some cases, you may determine that the effort is not worth the amount of risk reduction and may decide to accept the risk without remediating. The important thing to note here is that you need to formally document the process for these decisions (as well as the decisions themselves) and to feel confident that you can explain any decisions made to the auditors and examiners who will review the process.
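The reconciliation described under "Know your assets" and "Regularly monitor, verify, and adjust" can be scripted. The following is an added illustration, not Bedel Security's tooling or any vendor's export format: it takes a constructed network discovery list, the vulnerability scanner's asset list and findings, the patch tool's asset list and installed-patch report, and an assumed classification-to-SLA table, and reports unknown assets, scanner/patch-tool disagreements, and findings past their SLA.

```python
from datetime import date

# All data below is constructed sample input; the export layouts are assumptions,
# not any vendor's real format.
DISCOVERED = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.5"}  # network discovery scan
VM_ASSETS = {"10.0.1.10", "10.0.1.11", "10.0.2.5"}                # vulnerability scanner inventory
PM_ASSETS = {"10.0.1.10", "10.0.1.11"}                             # patch management inventory

# Vulnerability scanner findings: host -> {(patch_id, first_seen)}; patch ids are placeholders
VM_MISSING = {
    "10.0.1.10": {("PATCH-A", date(2024, 3, 1))},
    "10.0.1.11": {("PATCH-A", date(2024, 3, 1))},
    "10.0.2.5": {("PATCH-B", date(2024, 2, 1))},
}
# Patch management report: (host, patch_id) pairs it claims were applied
PM_INSTALLED = {("10.0.1.10", "PATCH-A")}

ASSET_CLASS = {"10.0.1.10": "critical", "10.0.1.11": "low", "10.0.2.5": "critical"}
SLA_DAYS = {"critical": 7, "medium": 30, "low": 90}  # assumed remediation windows per class


def unknown_assets(discovered, vm_assets, pm_assets):
    """Hosts seen on the network that at least one management system does not know about."""
    return {
        "not_in_vm": sorted(discovered - vm_assets),
        "not_in_pm": sorted(discovered - pm_assets),
    }


def patch_disagreements(vm_missing, pm_installed):
    """Findings where the scanner says a patch is missing but the patch tool says it was applied."""
    return sorted(
        (host, patch)
        for host, findings in vm_missing.items()
        for patch, _ in findings
        if (host, patch) in pm_installed
    )


def overdue_findings(vm_missing, asset_class, sla_days, today):
    """Findings older than the SLA for the asset's class; unclassified hosts are treated as critical."""
    overdue = []
    for host, findings in vm_missing.items():
        limit = sla_days[asset_class.get(host, "critical")]
        for patch, first_seen in findings:
            age = (today - first_seen).days
            if age > limit:
                overdue.append((host, patch, age - limit))  # days past SLA
    return sorted(overdue)
```

Each of the three reports maps to a follow-up the post calls for: unknown assets get added to the scanners, disagreements go to the vendors, and overdue findings go to the remediation review.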
If your information security program is in need of a vulnerability management program, or your current one could be improved, we can help. Send us an email at support@bedelsecurity.com
Additional Resources:
Changing How Vulnerabilities are Audited
https://www.bedelsecurity.com/blog/changing-how-vulnerabilities-are-audited
Information Security Strategy: 5 Tips for Success
https://www.bedelsecurity.com/blog/information-security-strategy-5-tips-for-success
Reactive or Proactive: What Makes the Best CISO
https://www.bedelsecurity.com/blog/reactive-or-proactive-what-makes-the-best-ciso
When Applying a Patch isn't Enough
https://www.bedelsecurity.com/blog/when-applying-a-patch-isnt-enough