IT Focus Area: Security
July 16, 2015
8 Steps to an Effective Vulnerability Assessment
As we conduct more and more business online, the digital world has become a hacker’s paradise. To combat the growing threat of cyber attacks, many companies are hiring chief information security officers (CISOs) whose main responsibility is to make sure data is secure. Recent high-profile data breaches have demonstrated that it is not a role for the faint of heart.
“We’re like sheep waiting to be slaughtered,” said David Jordan, the CISO for Arlington County in Virginia. “We all know what our fate is when there’s a significant breach.”
IT research firm Gartner predicts that by 2020, 30 percent of Global 2000 companies will have been directly compromised by independent cyber activists or cyber criminals.
Learn the 10 essential steps to securing your cloud data. Get your guide to creating and executing a successful cloud strategy.
In order to protect information assets, CISOs and other security professionals are facing a difficult challenge: they have to keep up with cyber criminals, check off a growing list of compliance boxes, and keep close tabs on the security practices of their partners and employees.
Addressing the sheer volume and evolution of cyber attacks is daunting for even the most security-conscious IT teams. It requires an in-depth understanding of organizational risks and vulnerabilities, as well as current threats and the most effective policies and technologies for addressing them. Only by understanding their risks can organizations target limited security dollars to the technologies and strategies that matter most.
So how can companies arm themselves with the information they need to make informed decisions about cyber security?
Many cyber attacks take advantage of basic, often unnoticed security vulnerabilities, such as poor patch management procedures, weak passwords, Web-based personal email services, and the lack of end-user education and sound security policies. This makes an effective vulnerability assessment a critical first step in the effort to protect data.
Even the most secure network is likely to have some unknown vulnerabilities. Vulnerability scanners are useful tools for identifying hidden network and host vulnerabilities. However, for many organizations, vulnerability assessments are highly technical and are carried out mostly for compliance purposes, with little connection to the organization’s business risks and executive security budget decisions.
Vulnerability assessments typically identify thousands of granular vulnerabilities and rate them according to technical severity, rather than taking into account the affected business and its mission-critical processes. They can also identify a single vulnerability several times, recommending multiple patches and upgrades, when in reality a single security solution could address all of them.
Ideally, a sound security strategy should tie business impact and an organization’s overall security strategy to the results of a vulnerability assessment, enabling an understanding not only of where true business risks lie, but also of which vulnerabilities should be addressed first and how to address them effectively.
Even the most secure network is likely to have some unknown vulnerabilities.
Tying Vulnerability Assessments to Business Impact
Getting maximum benefit from a vulnerability assessment requires an understanding of your organization’s mission-critical processes and underlying infrastructure, and applying that understanding to the results. To be truly effective, it should include the following steps:
1. Identify and understand your business processes.
The first step to providing business context is to identify and understand your organization’s business processes, focusing on those that are critical and sensitive in terms of compliance, customer privacy, and competitive position. There is no way for IT to do this in a vacuum. In many organizations, it requires collaboration between IT and representatives of the business units, the finance department and legal counsel. Many organizations put together security strategy task forces with representatives from each department, who work together for several weeks to analyze business processes and the information and infrastructure they depend on.
2. Pinpoint the applications and data that underlie business processes.
Once the business processes are identified and ranked in terms of mission criticality and sensitivity, the next step is to identify the applications and data on which those mission-critical processes depend. Again, this can be accomplished only through collaboration between IT and other business players. From extensive collaborative discussions, you may discover applications that are much more critical than expected. For example, email may be an absolutely critical application for one department, but not critical at all for many others.
3. Find hidden data sources.
When searching out applications and data sources, make sure you take into account mobile devices such as smartphones and tablets, as well as desktop PCs. Collectively, these devices often contain the most recent, sensitive data your organization possesses. Work with the business units to understand who is using mobile devices for accessing and sharing corporate applications and data. Understand the data flows between these devices and data center applications and storage. Find out if your business users are sending business emails over public email services such as Gmail or Yahoo mail. Another often hidden category to investigate is your software development environment, as they are inherently less secure than production environments. Software developers and testers often use current, sometimes mission-critical data to test new and upgraded applications.
4. Determine what hardware underlies applications and data.
Continue working down the layers of infrastructure to identify the servers, both virtual and physical, that run your mission-critical applications. For Web/database applications, you may be talking about three or more sets of servers—Web, application and database—per application. Identify the data storage devices that hold the mission-critical and sensitive data used by those applications.
5. Map the network infrastructure that connects the hardware.
Develop an understanding of the routers and other network devices that your applications and hardware depend on for fast, secure performance.
6. Identify which controls are already in place.
Note the security and business continuity measures you have already put in place—including policies, firewalls, application firewalls, intrusion detection and prevention systems (IDPS), virtual private networks (VPNs), data loss prevention (DLP) and encryption—to protect each set of servers and storage devices hosting mission-critical applications and data. Understand the key capabilities of these protections, and which vulnerabilities they address most effectively. This may require some fairly extensive research, including scanning websites and reviews, and speaking with security company representatives.
7. Run vulnerability scans.
Only when you’ve understood and mapped out your application and data flows and the underlying hardware, network infrastructure, and protections does it actually make sense to run your vulnerability scans.
8. Apply business and technology context to scanner results.
Your scanner may produce scores of host and other vulnerabilities with severity ratings, but since results and scores are based on objective measures, it’s important to determine your organization’s business and infrastructure context. Deriving meaningful and actionable information about business risk from vulnerability data is a complex and difficult task. After evaluating your staff’s level of knowledge and workload, you may determine that it would be helpful to partner with a company that is well-versed in all aspects of security and threat assessment. Whether undertaking this task internally or getting outside assistance, your results need to be analyzed to determine which infrastructure vulnerabilities should be targeted first and most aggressively. Take into account:
The number and importance of assets touched by the vulnerabilities
If a vulnerability affects many different assets, particularly those involved in mission-critical processes, this may indicate that you need to address it immediately and comprehensively. On the other hand, if the scanner finds multiple vulnerabilities in infrastructures running less critical applications accessed only by a few users, they may not have to be addressed as aggressively.
If the vulnerabilities identified by the scan affect infrastructure that already has multiple layers of protection in place, some of those vulnerabilities may, in fact, be addressed already by existing technologies. For example, a vulnerability found on a server or storage device protected by application firewalls, encryption, and other counter-measures may not be as important to address as the same vulnerability found in a less protected infrastructure used in testing and development, particularly if it makes use of data with stringent compliance requirements. It’s important to weigh criticality against existing protections to determine which vulnerability could actually expose your business to serious cyber attacks.
Available security technologies
Your vulnerability assessment report may recommend scores of software patches and upgrades to address security holes, but constantly applying patches and upgrades can drain IT time and resources. There may be other security technologies that are more efficient and effective. For example, cross-site scripting vulnerabilities may be more easily and comprehensively addressed through a strategically placed Web application firewall (WAF) than by constantly applying patches and upgrades to multiple components. The key is to understand how the risk profile would change when certain security technologies and policies are applied.
Cyber attacks frequently take advantage of the weakest links in your infrastructure, and frequently those weak links can be found at branch offices or among the mobile laptops, smartphones, tablets and other devices used by your sales and marketing staff. If your scan reveals a number of vulnerabilities at a branch office or another remote infrastructure, this could indicate that further investigation and protection measures are required.
The Importance of Adding Context
Vulnerability assessments can be invaluable, but only if their results are weighed in the context of the business and existing security infrastructure. By analyzing assessment output with business risk in mind, and applying that knowledge to the development of a sound security strategy, CISOs and other IT executives can help their organizations make the most of their security budget and strengthen their overall security and compliance posture.
Find out how to secure your cloud data. Get your guide to building a secure cloud strategy.
*Gartner Predicts: Infrastructure Protection 2014, published November 2013
View more presentations from Forsythe Technology