Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Chris Schwartzbauer, Shavlik Technologies, LLC: Vulnerability Management -Battling the Unknowns with Intelligence

January 2009 by Chris Schwartzbauer, Vice president of development and customer operations, Shavlik Technologies, LLC

Too many companies, today quite savvy about security and compliance requirements, continue to struggle to get to grips with the basics – understanding what is on their network, how it is configured, its purpose and what is running on it. Often the decision makers, the CIO, Security and Risk Managers, assume the basics are resolved because a significant investment has been made in sophisticated security strategy and technologies. They have not, however, recognised that it is the mundane processes, the policy and configuration management where the vulnerability gaps are left wide open. This leaves them working in the dark, unable to track and therefore effectively enforce IT security policy. Ongoing investments in security compliance for PCI, or to adopt ISO 27002 standards and others are also compromised as this weak link in security strategy persists.

You can’t secure what you don’t know about and unfortunately the unknowns are many:

• Companies are often unaware of all of the servers live on their network
• Laptops are offline when vulnerability scans occur/its agent software is not activated
• Data governance is poor – easily copied and moved around the organisations by employees
• Virtualisation has proliferated the number of machines that must be protected, while too many can create virtual machines
• Unknown network connections & account privileges persist
• Unknown applications – whether malicious or loaded inadvertently by employees, for the latter patches are never applied
• Oversights in configuration settings

The resolution lies in addressing the problem from the ground up. Attention must be paid to equipping the administrator with the ability to discover and evaluate all of the systems on and connecting to the network. They need access to usable information to ensure they comprehend the entirety of the problem, can set priorities, and instil confidence by communicating progress. The vulnerability gaps, once discovered, will usually require the most basic of security controls – configuration according to current access policy or removal of unauthorised software. The complexity lies in finding the gaps so that they can be filled.

For their part security administrators tell us that they are recognising the need to develop a meaningful overview of their network assets, largely a response to the increasing pressure to report more on their security status from the executives newly motivated to demonstrate responsibility to customers and board members alike. They are challenged however, by the complexity of their heterogeneous networks, an overwhelming amount of log data that is too time consuming to interpret, and a reticence to automate where manual processes are no longer adequate. The latter point is illustrated in a recent international study released by industry analysts Aberdeen Group which suggested only 51% of companies have automated basic vulnerability management operations such as patch and configuration management despite widespread acceptance that many security vulnerabilities can be avoided by fixing this issue.

The struggle to glean good, complete information about the security status of their information systems is most obvious when it comes to audit time. In a 2008 survey Shavlik conducted of over 400 delegates attending trade shows in the US and Europe, they identified over 120 different solutions for managing the audit process, with many trying to develop their own management programs or pull together information from `a lot of systems.’ A significant proportion, nearly 40%, indicated that they were dissatisfied with this situation. Other feedback shared by our customers suggests that they want interoperability or even integration across the disparate solutions they have deployed for vulnerability management-application control, configuration management, and virtualisation control, patch management, even anti-virus and spam control- so that they can develop that comprehensive view of what it is happening.

Some vendors are responding: Many of us are committing to standards such as SCAP, which though an initiative of a US government agency, leverages internationally recognised open standards, such as the Common Vulnerabilities and Exposures (CVE) identifiers, the Open Vulnerability and Assessment Language (OVAL), and Common Vulnerability Scoring System (CVSS). Commercial application promises to deliver the improved interoperability across functions that are being demanded. The opportunity is there for companies and organisations is to establish an integrated approach for their security operations.
It used to be that hackers wanted to make a big impact- create and distribute malicious programs that could proliferate quickly and cause great disruption. Now most attacks are designed to go undetected to give the program the time to invade a piece of software, search out, and steal valuable data that can be sold on a black market. They are also more focused on endpoint machines and PCs, given the comprehensive investment in firewalls and historic focus on defending the network itself. Such an attack can last for months, and avoid detection until a customer realises that a breach has occurred. This phenomenon is catching public attention with publicised data losses alerting everyone of their vulnerability—while executives are increasingly asking their CIOs if their company could make the next news headline.

It’s time to recognise that organisations must work with a solid understanding of whether a given box is relevant and configured for its task, whether users downloaded anything, whether it’s all patched— there can be hundreds of checks that administrators will want to and should verify. This will rely on the will to plan, organise and take advantage of their security management information, starting with a query of the potential unknowns. Before systems can be patched and configured according to policy, administrators must proactively scan for what systems exist, and ensure laptops are detected whenever they connect to the network. They must understand what software exists on them, and whether the approved configuration is appropriate. The remediation that follows can be systematic and sustainable, and communicable through a rich resource of reporting information that can be tailored for whoever may be looking for reassurance. Until these basics are effectively managed, there will always be a risk to company security and any effort at compliance with security policy or external regulation.


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts