It is well established that vulnerability management is essential to information risk management and security programs. Unfortunately, many organizations' vulnerability management processes are reactive and inefficient. This is ironic, because organizations that implement a comprehensive and proactive vulnerability management program gain a significant advantage in protecting their data and business.
By definition, vulnerability management is a security practice designed to proactively prevent the exploitation of IT vulnerabilities that exist within an organization. The expected end result is a reduction in the effort spent dealing with vulnerabilities and their exploitation. Ideally it is done proactively: performed proactively, it reduces or eliminates the potential for exploitation and takes considerably less time and effort than responding after exploitation has occurred.
According to the National Institute of Standards and Technology (NIST), the first step in vulnerability management is to form a patch and vulnerability group (PVG), consisting of information security staff who actively work with local administrators. This group then becomes the one that performs vulnerability management.
The PVG has to determine, from the company IT inventory, which hardware and software it will support for vulnerabilities. The PVG is then responsible for monitoring information on vulnerabilities, patches, and threats for the supported hardware, operating systems, and applications. It must also clearly communicate the supported resources to system administrators, so that the administrators know which hardware, operating systems, and applications the PVG will be checking for new patches, vulnerabilities, and threats.
The PVG is expected to prioritize the supported hardware and software for vulnerability remediation. When setting priorities, it has to consider the threat and its potential impact on the organization. It should also be aware of the resource constraints of local administrators and avoid overwhelming them with a large number of patches or other remediations for identified vulnerabilities.
The next step is to create an organization-specific remediation database. This database may be maintained either automatically or manually by the PVG. Whether automated or manual, it should contain a copy of each patch, for situations when the Internet may not be accessible or when the vendor's Web site may have been compromised.
Organizations should deploy remediation to all systems that have the vulnerability, even systems that are not at immediate risk of exploitation. Deploying the vulnerability remediation is therefore the next step. There are three primary methods of remediation that can be applied to an affected system: the installation of a software patch, the adjustment of a configuration setting, and the removal of the affected software.
After the remediation is deployed, make sure that all administrators know the details of the vulnerability and its remediation. The primary way is through enterprise patch management software; direct communication, email blasts, and floppy disks are alternatives that can be used to distribute the information.
The PVG and system administrators should verify that they have remediated or mitigated vulnerabilities as intended. There are clear benefits in confirming that the remediation has been applied correctly, possibly avoiding a security incident or unplanned downtime. This verification may involve exploit testing, which usually can be done only by experienced administrators or security officers. Generally, this type of testing should only be performed on non-production equipment and only for certain vulnerabilities, and it should only be conducted by qualified personnel who are thoroughly aware of the risk.
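The process above (supported inventory, threat-and-impact prioritization that does not overwhelm local administrators, a remediation database holding local patch copies, and a verification flag) as an added Python example; it is not from the NIST guidance or the original text. It assumes a simple threat x impact score, a per-administrator cap per cycle and SHA-256 hashes recorded at intake; all identifiers and data are constructed.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class Vulnerability:
    """One record in the PVG's remediation database (all values constructed)."""
    vuln_id: str    # placeholder tracking id, not a real advisory number
    asset: str      # hardware/software item from the company IT inventory
    threat: int     # 1 (low) .. 5 (high): likelihood of exploitation
    impact: int     # 1 (low) .. 5 (high): potential impact on the organization
    method: str     # one of the three remediation methods: patch, config, remove
    verified: bool = False  # set once the fix has been confirmed as intended

# Supported inventory: asset -> responsible local administrator (constructed).
SUPPORTED = {"web-01": "alice", "db-01": "bob", "mail-01": "alice"}

def priority(v: Vulnerability) -> int:
    """Threat x impact, the two factors the text says set remediation priority."""
    return v.threat * v.impact

def schedule(vulns, supported, per_admin_cap):
    """Rank supported vulnerabilities and give each administrator at most
    per_admin_cap items this cycle; the remainder is deferred, not dropped."""
    assigned, deferred = {}, []
    for v in sorted(vulns, key=priority, reverse=True):
        admin = supported.get(v.asset)
        if admin is None:
            continue  # asset is outside what the PVG supports
        queue = assigned.setdefault(admin, [])
        if len(queue) < per_admin_cap:
            queue.append(v.vuln_id)
        else:
            deferred.append(v.vuln_id)
    return assigned, deferred

class PatchStore:
    """Local patch copies for when the Internet is unreachable or the vendor site
    is suspect; a copy is released only if it matches the hash recorded at intake."""
    def __init__(self):
        self._patches = {}

    def add(self, patch_id: str, data: bytes) -> str:
        self._patches[patch_id] = data
        return hashlib.sha256(data).hexdigest()  # PVG records this digest

    def fetch(self, patch_id: str, expected_sha256: str) -> bytes:
        data = self._patches[patch_id]
        if hashlib.sha256(data).hexdigest() != expected_sha256:
            raise ValueError(f"{patch_id}: local copy does not match recorded hash")
        return data
```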