This article was written by Al Bredenberg and published on ThomasNet.com.
Accelerating security threats are prompting companies to ever-more-frequent assessment and monitoring of vulnerabilities in their IT systems. Trends such as mobility, bring your own device (BYOD), and adoption of cloud computing are extending the enterprise and complicating the security risk landscape.
A recent report by Cambridge, Mass.-based Forrester Research warns that the expanding enterprise is overwhelming traditional vulnerability management (VM) efforts. A recent survey by Forrester of 180 U.S. CISOs (chief information security officers) and other security decision-makers found wide adoption of continuous monitoring (CM) among firms. Respondents reported that CM provides “better visibility into their environments, enabling them to make informed decisions regarding the risks to their organizations.”
John Parkinson, affiliate partner at Chicago-based Waterstone Management Group, an advisory firm focused on serving the technology sector, told ThomasNet News in an interview that VM efforts need to focus on three particular areas of concern. First, he stressed, is the human factor: “The single biggest set of vulnerabilities you have are malicious or careless people.” Parkinson urged companies to “set clear policies on how they expect people to behave and make use of the tools you give them.” He recommended background checks on potential employees during recruiting and periodic security reviews on existing personnel.
The second area of concern should be the company’s technology itself. “The biggest sin that we commit is never throwing anything away,” Parkinson said. “We typically see technologies that span at least a decade in terms of age. Vendors might well have stopped updating at least some part of your infrastructure,” leaving vulnerabilities the company can’t do anything about, even if vulnerability scanning flags them. “Best practice is to always update to the current version of the operating system and in software to never be more than two versions back from the current version.”
Parkinson’s third point is to recognize that “the enterprise doesn’t exist in isolation, that you are likely part of an extended network that reaches out of your perimeter to suppliers, customers, and business partners.” This means in your own VM program, “you need to worry about how good their vulnerability management is,” he said.
A paper on vulnerability management by Tenable Network Security, Columbia, Md.-based cybersecurity solutions developer, identifies several key weaknesses that enterprises need to watch out for:
– Software — Bugs can lead to “security weaknesses which if exploited can impact the confidentiality, the integrity, or the availability of that software or the data within that system.” This points to the need for a robust program for updates and patches.
– Implementation and configuration — System maintenance or troubleshooting might inadvertently leave security holes, or systems might not be configured securely in the first place.
– Changes in computer systems — Systems change constantly through upgrades and functionality additions, which can result in unanticipated vulnerabilities.
– Human elements — Proper training can help users be aware of dangers around issues such as weak passwords, changing computer configuration, turning off security measures to improve workstation performance, or installing unauthorized software.
Challenges of the Extended Enterprise
Forrester’s study spotlighted challenges in asset discovery, i.e., identification of all of the servers, workstations, devices, embedded systems, and other endpoints that need to be included in scanning. The highly mobile extended enterprise complicates the VM regime, fragmenting the company’s network and placing endpoints outside the traditional control of the IT department.
Periodic scans can miss transient endpoints like mobile devices and virtual machines if they are not connected to the network when scanning is performed. There can be a delay in scanning new devices after they get added to the network. Personal (BYOD) devices are often not configured in such a way as to be scannable. Eighty-six percent of Forrester’s panel reported challenges with devices or virtual machines in asset discovery.
Should companies be concerned about vulnerabilities with cloud computing? “The cloud is really a new opportunity,” said Dennis G. Wadsworth, professor at Worcester, Mass.-based Clark University and director of the institution’s master of science in information technology (MSIT) program. Wadsworth stressed that “companies are still discovering what they can do with the cloud. We haven’t had many issues yet with the cloud, but I think they’re out there.”
As enterprises continue to extend out, companies will likely begin to trust the cloud with more critical assets. “It could become a huge vulnerability as more and more organizations take advantage of third-party providers. There’s a real downside without proper security.”
The Rise of Continuous Monitoring
Traditional vulnerability management practices typically involve periodic “snapshot” scanning using vulnerability scanners that interrogate hosts looking for vulnerabilities. Seventy percent of Forrester’s survey respondents said they conduct vulnerability scans across the organization only once a month or even less frequently. The gaps between scans offer dangerous windows for hackers to discover and exploit vulnerabilities with APT-based attacks (advanced persistent threat processes that attempt to breach security protections through continuous hacking).
A continuous monitoring regime provides ongoing real-time awareness of an organization’s threat landscape, allowing the organization to “discover, scan, and remediate continuously and with enough speed such that attackers are presented with as small of an attack surface as possible,” researchers wrote. Forrester found that 45 percent of survey respondents have implemented CM. Analysts assert that a good CM program rests on complementing traditional active scanning with passive monitoring to detect vulnerabilities under a dynamic, fast-changing network environment.
The Tenable Network Security paper says that an effective VM program must be based on a good set of KPIs (key performance indicators). Some common KPIs include number of vulnerabilities per vendor; number of vulnerabilities per technology product; aging of vulnerabilities, especially knowing how long it typically takes to apply a patch to a vulnerability; percentage of systems scanned; and number of vulnerabilities over time.
“Ideally the number of vulnerabilities detected over time should trend downwards,” according to the paper, “indicating the vulnerability management program is working.”