Steps for the ideal vulnerability assessment
By Ruby Bayan
There was a time when fending off hackers and viruses was regarded as mere exception processing. Today, keeping the network safe from rapidly evolving malicious intent is considered critical procedure with top-level priority. Firewalls, intrusion detection devices, antivirus applications, and vulnerability assessment tools are now vital munitions in every CIO's security arsenal.
Unfortunately, in spite of diligent efforts to thwart the growing number of attack tools and techniques, companies continue to lose millions of dollars to security incidents caused by product and system vulnerabilities.
Given the vulnerability assessment options available—manually implemented toolsets, consultant penetration testing services, and automated Web-based assessment—how should the CIO map out the best solution for his enterprise? The experts we interviewed suggested a holistic approach to vulnerability assessment.
Start with risk assessment
According to Stan Quintana, Vice President of Managed Security Services of AT&T, any kind of corporate assessment should be one that is risk-based and quantifiable. "The intent of a risk-based security assessment is to isolate corporate assets that generate the highest value to a corporation and, at the same time, present the highest potential threats and vulnerabilities associated with the assets," he said.
Quintana added that by understanding the company's risk profile—"value X threats X vulnerabilities"—it could more readily identify areas in which to invest its precious funds.
"And a CIO will likely have a request from the company’s auditors for some form of risk model," Quintana explained. "An assessment will help to pinpoint the areas where security investigation is needed and where it's likely to be fraught with consequences. Such an assessment will also point out whether a business continuity/disaster recovery plan is needed. This, then, forms a holistic security architecture approach."
Understand the compliance obligations of your organization
"When purchasing any security solution, it is important to understand the regulatory obligations of your organization, as this will dictate your specific requirements," said Andrew Maguire, director of product marketing at nCircle, a provider of appliance-based vulnerability management solutions.
Regulatory compliance used to be a non-critical issue; it was enough to meet the minimum requirements, if the rules were pertinent at all. But as technology matured, so did the regulations, along with strict enforcement.
Maguire's example was the Sarbanes-Oxley Act, which holds company officers accountable for the enforcement of "best practice” in audit and compliance. "This has been done in an effort to increase the overall security of sensitive data. Compromise of that protected data and failure to prove best practices can lead to severe fines for the company and potentially jail time for the company officers responsible."
George Lekatis, general manager of George Lekatis Inc., a firm that specializes in network security, computer forensics, and litigation, stressed the same point: "The CIO must customize the network vulnerability assessment according to his company's technical and legal needs."
He mentioned the need for compliance with regulations such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act, and the ISO-17799. He also advised understanding the differences in the data protection directives in the USA and Europe.
Review security testing methodologies
Lekatis also said that in evaluating vulnerability assessment solutions, CIOs should look into tried and tested methods of security testing, such as the Open Source Security Testing Methodology Manual (OSSTMM), an open standard that claims to be the most widely used, peer-reviewed, comprehensive security testing methodology.
He suggested checking out the National Institute of Standards and Technology, which provides access to other methodologies like the Computer Security Resource Centersecurity testing systems and standards, and the Common Criteria for IT Security Evaluation (ISO International Standard 15408).
Study the pros and cons of vulnerability assessment tools
The next major step in determining the best vulnerability assessment solution is to scrutinize what's available. Quintana recommended finding answers to important questions.
When considering manual tools—whether commercial or open source—ask if the staff using them have the skills and time to wield them effectively and safely, Quintana advised. "What consequences are likely, and what mitigation plan is in place, if the tools are accidentally or intentionally misused?"
As to using consultants, Quintana said an important question would be whether they are skilled in your enterprise's chosen infrastructure. Also, "Are they ethical and trustworthy? Do they offer guarantees? Are they too expensive or too cheap?"
Quintana added, "For automated, Web-based assessments, the CIO should be aware that these are always less thorough than either of the other two options. They are, however, useful when a company has a significant outward-facing infrastructure and needs to 'keep an eye' on it. I would use the same criteria on automated assessment providers as on professional services firms: reliability, ethics, and skill."
But would a specific tool be the one best solution for a particular enterprise? Not necessarily.
Consider an ensemble of tools
"Every solution is different for every customer," said Quintana. "For a hypothetical average customer, I would recommend a program of security training for the existing staff, a detailed penetration test from an outside consulting firm, with a follow-up from a different firm six months later, and perhaps regular scanning of the company's Web and server infrastructure that faces the Internet."
Quintana said this might be the best and most effective use of company dollars. "Training will educate the staff to be more proactive. The external penetration test's first readout will baseline the current status and give a roadmap for improvement. The second iteration will validate the work done to fix problems found the first time around." Regular scanning will keep a "weather eye on the Web-and-server farm," he said.
"For my money, I would make external scanning more important if the customer's Web infrastructure is not running highly secure software packages," Quintana added.
Explore vulnerability management
Maguire said that although "vulnerability assessment bolsters the last line of defense by helping make the target immune to attack," it is important that "enterprises take into account that they need to do more than just identify vulnerabilities."
"Vulnerability management technology extends the capabilities of vulnerability assessment by providing a framework for addressing vulnerabilities," said Maguire.
"To take a truly proactive approach to network security, the IT team needs to take action to eliminate threats. In contrast with vulnerability assessment, vulnerability management provides for a structured security program where budget and resource planning can be executed based on measuring the company’s level of exposure."
Maguire advised that if investing in vulnerability management, CIOs should look for solutions that are scalable and will meet the complex requirements of their organization. That is, "offer seamless deployment across multiple locations."
He also said a good vulnerability management solution has specific management features that include remote device configuration, role-based access, auditing, reporting and remediation management. More important, it provides for ease of management "so IT staff can manage a security program instead of it managing them."