©2003 By Information Systems Audit and Control Association www.isaca.org

FEATURE

Optimizing an Organization’s Security Effectiveness by Using Vulnerability Management to Support the Audit Function

By Eva Bunker, CISSP

It is difficult to control what one cannot define, apply a process to or measure. Now more than ever, this applies to network vulnerabilities. Today’s environment is made up of interconnected, collaborative enterprises that are increasingly dispersed, complex and constantly changing. In addition, approximately 300 new vulnerabilities emerge each month, according to the CERT® Coordination Center at Carnegie Mellon University. Ongoing vulnerability management extends the traditional role of vulnerability assessments to help today’s enterprises mitigate this growing set of security challenges.

Today’s environment requires a process that establishes a continuous framework for linking strategic goals to tactical execution through performance measurement. This common framework should be applied across the enterprise to close the information gap among audit executives, security teams (if they exist) and information technology (IT) operations, so that everyone works together in an ongoing, proactive fashion. An integrated vulnerability management program also results in greater visibility, measurability and control for the processes of discovering and remediating vulnerabilities across an extended enterprise.

Audit groups in particular should realize many benefits from a strong vulnerability management program, including the ability to:
• Provide more meaningful reports to management
• Achieve a more complete risk analysis across the extended enterprise on a regular basis, while requiring fewer resources
• Establish timely control checks that test processes on a continual basis

Vulnerability management facilitates frequent assessments and the rapid delivery of assessment results. It also enables the organization to capitalize on research efforts every day through a streamlined process. Defining a remediation process allows those efforts to be optimized. Lastly, progress tracking makes it possible to measure current and historical efforts from corporate and team performance perspectives.

The foundation of an optimized vulnerability management program consists of:
• A clear plan to set expectations and drive the process
• A clearly defined “accountability map” to document roles and responsibilities as well as streamline information distribution
• A central information system to facilitate vulnerability management across the enterprise by categorically storing the results of assessments, cataloging information system (IS) assets, and applying accountability map rules and measurements

Vulnerability Management Plan

For a vulnerability management plan to be effective, one first must have approval from upper management. Without management support, the perceived ability to enforce vulnerability management policies is diminished severely. Traditionally, vulnerability assessment has been viewed as a technical problem that the chief executive officer (CEO) would never understand. By providing a plan with measurable results, as well as a visible means of tracking performance and linking it to business risk, upper management buy-in becomes attainable. This process transforms vulnerability assessments from a technical issue into a business issue.

Planning for a vulnerability management program is similar to planning for any process or program. A plan should articulate clearly what the organization intends to accomplish.
Proper planning consists of four essential steps:
• Step 1: The organization should focus on specific goals that define acceptable vulnerability levels and workable remediation processes.
• Step 2: After stating the goals, the organization should establish priorities and take the necessary steps to attain them. These steps should include determining how often assessments are to be performed and how remediation efforts are validated. The frequency of assessments should be determined by weighing acceptable risk levels against the frequency of change and the criticality of devices. In addition, assessment frequency may vary between different groups or networks within the same organization. For example, mission-critical servers may need to be assessed weekly or monthly, while desktops in particular divisions receive quarterly testing.
• Step 3: The next step is to assign roles and responsibilities, identifying who is responsible for which actions and what drivers will ensure milestones are achieved.
• Step 4: Finally, the organization should set a timeline for accomplishing the milestones and goals.

Successful plans are not created in isolation. This is especially true in vulnerability management. For many organizations, developing a vulnerability management plan may be the first time information about network security is shared across multiple layers of the enterprise. The plan should smooth the transition into this process and show how it will move the organization to a more secure future. A well-thought-out plan brings clarity to efforts, sets realistic management expectations and enables better return on investment (ROI).

The Accountability Map

Every good process and plan has a clear statement of roles and responsibilities. An accountability map provides vulnerability management programs with this critical component. An accountability map formalizes the basic flow of responsibility where it exists, and defines it where there are gaps. The level of required granularity varies between organizations. While accountability maps require significant preparation to create, one can expect a correlation between the level of detail and the benefits realized.

Vulnerability assessment results flow through this accountability map, enabling rapid distribution of the testing results and visibility into responsibility at a detailed level of the remediation process. An effective, well-utilized accountability map will collapse the time from vulnerability discovery to vulnerability remediation, reducing an organization’s security exposure.

For example, consider a global corporation with a London headquarters and major business units in Berlin, Johannesburg, New York and Oslo. Each business unit has multiple branch offices under its direction. All of the main and branch locations have networks, and three locations have data centers. The data centers are fully staffed and have several layers of responsibility, from the chief information officer (CIO) to the IT director to team leaders (figure 1).

Figure 1—Sample Business Structure

The accountability map drives information dispersal, from disseminating assessment results to streamlining new research and measuring control points. Throughout this process, the map infuses accountability into an organization, highlighting areas of excellence and lapses in processes. While a plan often contains an outline of an accountability map, it is important that the accountability map be a separate, detailed and continually maintained entity.

Key Components of Vulnerability Management

If the vulnerability management plan and accountability map are at the center of this vulnerability management “universe,” four main bodies orbit them (figure 2):
1. Ongoing assessments
2. Remediation program
3. Research integration
4. Regular progress tracking

Figure 2—Vulnerability Management Universe

These four components generate the information that powers the process framework created by the plan and accountability map. Assessments measure current posture from a vulnerability perspective and report the findings. The remediation program provides structure and a record of remediation efforts. Research integration streamlines the discovery of new vulnerabilities, making the most of research effort while minimizing the use of resources. Finally, progress tracking measures security posture against a historical backdrop, from team performance and corporate performance perspectives.

Ongoing Assessments

Ongoing assessments feed a steady stream of critical information to the vulnerability management system. The organization should schedule assessments systematically and periodically. When assessments are predictable, all parties involved become more comfortable and familiar with the process. To be complete, assessments should cover both the external network perimeter and the internal network. Once the system is in place and accepted, random assessments also provide a useful “spot check” mechanism as needed.

Three main benefits result from ongoing assessments. Assessments serve to:
• Highlight methodically the issues that need addressing
• Instruct how to repair vulnerabilities
• Supply the information that will be used to provide metrics to measure the effectiveness of the processes

Remediation Program

A remediation program establishes consistent processes that determine how the organization will remediate vulnerabilities. Processes for prioritizing and resolving vulnerabilities should be formalized. Specific remediation goals may vary based on the criticality of systems or networks and on policies; therefore, they should reflect both business and technical considerations. For example, some organizations rely on a web presence for their revenue stream. For such organizations, the web site may have the highest priority.
Other enterprises’ network architectures may have critical points that bear most of the traffic, elevating their technical importance to the overall network function. A remediation program, especially when tracked through a central repository, gives added measurability to the control process. The program answers the question of whether an enterprise’s remediation goals are being met. When framed in the accountability map, the program enables individual, team, division and organizationwide efforts to be analyzed for their effectiveness in reaching the goal of securing the enterprise.

Optimized Research Integration

Even with 300 new vulnerabilities a month, optimized research integration enables near-immediate response to new vulnerability issues. Two key functions need to be integrated: pulling new vulnerability information into the centralized research team, and pushing filtered information to the appropriate recipients per the accountability map. Information can be pulled by an in-house research team or aggregated by an outsourced research team. Internally, the information generally is gathered from sources such as vendor notices, security groups, news groups and bug-tracking sites. The process should catalog the information according to the type of systems affected, compare findings against the current inventory of systems and send targeted notices to those affected. The more accurate and detailed the current inventory, the more targeted the notices recipients receive. This enables rapid fix times with minimal distraction from other duties.

Consider a situation with 100 network administrators, all receiving a general security warning that may affect only 40 of them. Now consider the time required for each administrator to determine the meaning of the message and to evaluate whether he or she is affected. In comparison, with an optimized research integration approach, security alerts are prescreened before they reach recipients. Given the same scenario, only 40 security warnings would be issued, one to each administrator actually affected. Ideally, each warning would focus precisely on which systems need to be addressed.

Progress Tracking

Progress tracking is one of the most powerful benefits of implementing vulnerability management as a closed-loop system. Results from vulnerability assessments become the baseline against which improvements and regressions can be measured. The combination of the goals set in the plan and the goals set for remediation management serves as a benchmark to determine how effectively the organization is moving toward its security goals.

Central Information System

The central information system provides historical information. With this information, the organization should be able to measure variance in vulnerabilities, ability to remediate, recurrence of issues and other trends in the organization’s security and processes. With the accountability map as the frame, all of these points can be analyzed from the corporate performance level down to the business unit, division, specific network and team levels. The only limitation here is the granularity of the accountability map.

Vulnerability Management in Action

Put in motion, a vulnerability management program provides an ongoing framework to link goals to execution, thus fostering continual improvement. Security gains a more tangible feel, as all participants can see the measurable effects of the program. Applying the process at all levels with a clear accountability map gives the participants a personal stake. A standardized system also allows for knowledge sharing and encourages a participatory approach to managing vulnerabilities. The closed-loop nature of the vulnerability management program builds self-sustaining momentum toward continual improvement, better securing an enterprise’s information assets.

Eva Bunker, CISSP, is the cofounder and CIO of Critical Watch, a Dallas, TX, USA-based provider of Internet security solutions for Fortune 2000 companies. She is responsible for the research, design and development of current and future product offerings. Her background combines experience in Internet technology product development and business operations. Bunker has served as an expert speaker on network security and is a member of the Dallas InfraGard and the Dallas Chapter of ISSA.
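The two mechanisms described in the Optimized Research Integration and Progress Tracking sections above, routing a new advisory only to the administrators whose systems are affected (the 100-administrator scenario) and measuring each assessment run against the previous ones, rest on the same two data structures: an inventory of assets and an accountability map. The following Python script is an added example written for this edition; it is not code from the article or from Critical Watch. Every host, network, team, product name, advisory and vulnerability identifier in it is constructed for illustration, and the accountability map is modeled at a single level of granularity (network to team), which is an assumption of the example rather than something the article prescribes.

```python
"""Added example (not from the article): route a new advisory through the
asset inventory and accountability map, then diff assessment runs to track
remediation progress per team and for the enterprise. All names, hosts,
products and vulnerability IDs below are constructed for illustration."""
from collections import defaultdict

# Constructed inventory: each asset records its network and installed software.
INVENTORY = [
    {"host": "web01", "network": "ny-dmz", "software": {"acmehttpd": "1.3", "acmessl": "0.9"}},
    {"host": "web02", "network": "ldn-dmz", "software": {"acmehttpd": "2.2"}},
    {"host": "web03", "network": "ldn-dmz", "software": {"acmehttpd": "2.0"}},
    {"host": "db01", "network": "ldn-dc", "software": {"acmedb": "9"}},
    {"host": "mail01", "network": "oslo-dc", "software": {"acmemail": "8.12"}},
    {"host": "ws-117", "network": "berlin-lan", "software": {"desktopos": "2000"}},
]

# Constructed accountability map at one level of granularity: network -> team.
# A finer map (host -> administrator) would route notices more precisely.
ACCOUNTABILITY = {
    "ny-dmz": "NY web team",
    "ldn-dmz": "London web team",
    "ldn-dc": "London database team",
    "oslo-dc": "Oslo data center",
    "berlin-lan": "Berlin desktop support",
}

def owner_of(asset):
    """Look up the accountable team; gaps in the map surface as 'unassigned'."""
    return ACCOUNTABILITY.get(asset["network"], "unassigned")

def route_advisory(advisory, inventory=INVENTORY):
    """Research integration: compare an advisory against the inventory and
    return {team: [affected hosts]} so only the accountable teams are notified.
    Exact version-string matching is used here; real products need range parsing."""
    notices = defaultdict(list)
    for asset in inventory:
        version = asset["software"].get(advisory["product"])
        if version is not None and version in advisory["affected_versions"]:
            notices[owner_of(asset)].append(asset["host"])
    return dict(notices)

def notified_share(advisory):
    """(teams that get a targeted notice, teams a broadcast would have hit)."""
    return len(route_advisory(advisory)), len(set(ACCOUNTABILITY.values()))

def track_progress(snapshots, inventory=INVENTORY):
    """Progress tracking: snapshots is an ordered list (oldest first) of sets
    of (host, vuln_id) findings from successive assessment runs. Returns, per
    team, findings still open in the latest run, those fixed since the previous
    run, newly seen ones and recurring ones (fixed in an earlier run, now back)."""
    if len(snapshots) < 2:
        raise ValueError("need a baseline run and at least one later run")
    previous, latest = snapshots[-2], snapshots[-1]
    seen_earlier = set().union(*snapshots[:-2])   # findings from runs before 'previous'
    host_owner = {a["host"]: owner_of(a) for a in inventory}
    report = defaultdict(lambda: {"open": 0, "fixed": 0, "new": 0, "recurring": 0})
    for finding in latest | previous:
        counts = report[host_owner.get(finding[0], "unassigned")]
        if finding not in latest:            # was open last run, gone now
            counts["fixed"] += 1
            continue
        counts["open"] += 1
        if finding not in previous:          # appeared in this run
            counts["recurring" if finding in seen_earlier else "new"] += 1
    return dict(report)

def rollup(report):
    """Corporate-level view: sum the per-team counters."""
    totals = {"open": 0, "fixed": 0, "new": 0, "recurring": 0}
    for counts in report.values():
        for key in totals:
            totals[key] += counts[key]
    return totals

# Constructed sample data: one advisory and three assessment runs.
ADVISORY = {"id": "ADV-001", "product": "acmehttpd", "affected_versions": {"1.3", "2.0"}}
RUN_1 = {("web01", "vuln-A"), ("web01", "vuln-B"), ("db01", "vuln-C"), ("mail01", "vuln-D")}
RUN_2 = {("web01", "vuln-B"), ("mail01", "vuln-D")}                      # A and C fixed
RUN_3 = {("web01", "vuln-A"), ("mail01", "vuln-D"), ("web03", "vuln-E")}  # B fixed, A back, E new

if __name__ == "__main__":
    for team, hosts in route_advisory(ADVISORY).items():
        print(f"notify {team}: {', '.join(hosts)}")
    print("teams notified vs broadcast:", notified_share(ADVISORY))
    report = track_progress([RUN_1, RUN_2, RUN_3])
    for team, counts in sorted(report.items()):
        print(team, counts)
    print("enterprise", rollup(report))
```

With the constructed data, the advisory reaches two of the five teams instead of all five, which is the article’s 40-of-100 point in miniature. The run-to-run diff is what turns assessment results into a baseline: “fixed” and “new” show movement against the remediation goals, while “recurring” flags the lapses in process the article says the accountability map should expose (here, a fix on web01 that did not hold). Because every counter is keyed by the team the accountability map returns, the report is exactly as granular as the map, no more.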