Five steps to managing risk

Experts recommend going on the offensive to deal with vulnerabilities

For government technology managers, keeping pace with software patches and system configuration changes to thwart hackers has become an increasingly difficult job in the past few years. The challenge is causing a radical change in the way many of them manage information technology security.

Instead of waiting until attacks occur and hoping tools such as firewalls and intrusion-detection systems catch them before they inflict serious damage, many agencies have taken the offensive by hunting vulnerabilities before they are exploited.

The catchall phrase for those efforts is vulnerability management. Agencies that are successful at it know that vulnerability management entails the right mix of security tools, policies and procedures, experts say.

Although some agencies are slow to embrace vulnerability management, a number of regulations require them to be more assertive in handling security. In particular, according to the Federal Information Security Management Act (FISMA) of 2002, agencies must develop and enforce policies and procedures to ensure that their systems comply with specific security configurations.

Those requirements are only going to get tougher. The National Institute of Standards and Technology will soon publish a draft of a new document that will mandate a set of no fewer than 17 controls that each agency will have to apply to each of their major applications and general support systems. They must also tailor those controls based on how critical different systems are to an agency's mission.

Compliance with security requirements means a lot of work to accurately assess and then effectively manage vulnerabilities. Those who do it well can reap rewards. In 2003, for example, the U.S. Agency for International Development scored a C-minus on its FISMA score card. For 2004, the first full year it had a vulnerability management program in place, it posted a score of A-plus, the highest of any government agency.

"In our case, vulnerability management was a big help in our FISMA compliance," said Bill Geimer, USAID's program manager for information security.

But what is vulnerability management?

Although several vendors offer what they call vulnerability management solutions, a vulnerability management program often includes a collection of technologies and procedures that form a management process. Program components vary according to specific agency needs. But experts say the core approach usually follows a common path and includes the following steps.

1. Compare priorities to current security policies

Those responsible for implementing a vulnerability management program — usually an agency's IT department — should first talk to all senior executives and managers in an agency to identify which systems they think are critical to maintain minimally acceptable operations and what concerns they have about those systems.

Once that's done, determine what policies and procedures are already in place in terms of handling those systems and data. Do IT employees already run vulnerability scans? How do they respond to vulnerabilities? Do those existing procedures meet executives' expectations?

If they don't, change is necessary.

Don't skimp on this step, experts advise, because it will probably be the most important one.

"If all of this can be done effectively, then the rest [of the process] is more or less mechanical," said Stuart McClure, senior vice president of risk management product development at McAfee, a security vendor.

2. Inventory technical assets

Track down and identify every device and system on the network. Also, to keep track of constantly changing networks, make sure the network topology is fully described. Determine ownership of all assets to set accountability. Then prioritize them in terms of which assets are most vital to the agency.

"The most important component of vulnerability management is probably that ability to prioritize, to work out where the biggest exposure is for the organization," said Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys, a security vendor.

3. Evaluate the risks

Using a commercial or open-source software tool, scan devices and systems for vulnerabilities. Possible problems include incorrect settings and configurations and unpatched software and operating systems.

Don't forget the network itself, said David Arbeitel, senior vice president of strategic development at network solutions vendor Lumeta. Agencies need to know how exposed the network is to outside influences.

Next, correlate the vulnerabilities to the asset inventory. The intent is not to cover every vulnerability, only those that pose the greatest risk to the most important systems.

"Vulnerability management is a matter of risk assessment as well as the ability to take a slice across an entire organization," said Mitchell Ashley, chief technology officer of StillSecure, a Latis Networks company.

4. Develop an action plan

Once vulnerabilities have been discovered and the risks assessed, you have to decide what action you can take and when. Can the most vulnerable systems be fixed immediately, for example, or does the agency's workflow prevent that?

If that is the case, what else can be done to mitigate the risks or block an attack against the asset? Would that require writing a new rule or policy, or perhaps physically changing a back-end system or inserting an intrusion-detection device so any attack could be seen in real time?

5. Evaluate effectiveness and prepare to do it all again

Whatever remediation program managers apply, they should audit the process to gauge how successfully it identified and reduced vulnerabilities and how closely the results comply with the organization's policies.

In most cases a review of the first pass will show that more work is necessary, experts say. The vulnerability identification and mitigation steps will need to be repeated.

Indeed, it's important that officials realize that vulnerability management is a repetitious process, not a one-time or occasional activity, said Roy Stephan, director of cybersecurity at systems integrator Intelligent Decisions. The goal is to get as close as possible to continuously monitoring vulnerabilities.

"Any software will consistently have holes in it, so no organization will be secure after three months or even six," he said.

Agencies should expect a lot of replication as they implement vulnerability management, at least in the beginning, said Kimber Spradlin, senior compliance architect at NetIQ. But eventually managers should reach a point when they don't need to apply as many fixes.

"What you hope to design, through this vulnerability management process, are policies that will act as a baseline and that will be fairly stable over time," Spradlin said.

New tools reduce the labor required

A few years ago, vulnerability management meant scanning the network with stand-alone instruments maybe once every six months, going through fairly cryptic reports to determine which systems might be at risk, and then manually loading software patches or resetting misconfigured systems.

The latest trend among vendors is to combine many of the elements needed for vulnerability management into a single, centralized solution that automates many of the processes involved. Here are some examples:

  • StillSecure's VAM platform scans for vulnerabilities according to a schedule or on demand, manages remediation activities and then produces a range of reports tailored to auditors, executives or operational information technology staff.
  • NetIQ's Vulnerability Manager likewise offers a central console that in many cases allows users to fix systems directly from the console in response to policy violations or discovered vulnerabilities.
  • Citadel Security Software's Hercules goes one step further by allowing users to do their own remediation or enabling automated remediation according to a built-in knowledge base of procedures needed for a wide range of platforms.

At some point, "a good 90 percent of the procedures involved with vulnerability management will be automated," said Stuart McClure, senior vice president of risk management product development at McAfee. He said the figure is closer to 40 percent now.

One way or another, however, the convergence of vulnerability and IT security management is inevitable. Industry watchers such as Gartner believe security management vendors who don't have seamless integration with vulnerability management processes will be reduced to a niche status as early as 2006.

— Brian Robinson

Getting bosses on board is essential

A crucial ingredient for successful vulnerability management is having the support of executive managers, because responsibility and accountability for security compliance runs across the organization and the process involves all departments.

However, vulnerability management can be a hard sell, said Tim Keanini, chief technology officer at nCircle Network Security. That's because it's in a different category from more familiar reactive technologies, such as firewalls and intrusion detection, which work on the premise of plugging a hole once an attack has been discovered.

"But vulnerability management is about finding holes in something that hasn't been attacked yet," he said. "That's what makes it hard."

Once that issue is overcome, high-level backing makes the process much easier.

At the California Department of Insurance, for example, the vulnerability management process was seamless, said Archie Alimagno, the department's information security officer. Network managers were willing to work with information technology security staff. People even seemed grateful when the management process found vulnerabilities.

"But you need upper-level management support and open communications with the chief information officer for that to happen," he said. "If you don't have that in place, it's very difficult."

— Brian Robinson

Who's Fed 100-worthy?

Nominations are now open for the 2015 Federal 100 awards. Get the details and submit your picks!

Featured

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above