:star: G4 Vulnerability Management
Run automated vulnerability scanning tools
against all systems on the network
on a weekly or more frequent basis
and deliver prioritized lists of the most critical vulnerabilities
to each responsible system administrator
along with risk scores that compare the effectiveness
of system administrators
and departments in reducing risk.
Use a SCAP-validated vulnerability scanner that looks for both
code-based vulnerabilities
(such as those described by Common Vulnerabilities and Exposures entries)
and configuration-based vulnerabilities
(as enumerated by the Common Configuration Enumeration Project).
Correlate event logs with information from vulnerability scans
to fulfill two goals.
First, personnel should verify that
the activity of the regular vulnerability scanning tools is itself logged.
Second, personnel should be able to correlate attack-detection events with prior vulnerability scanning results
to determine whether the given exploit was used against a target known to be vulnerable.
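The second goal above, correlating attack-detection events with the most recent scan of the target, as an added example (not code from the original control text). The record formats are assumptions: scan results as JSON lines {host, scanned_at, cves} and IDS alerts as JSON lines {ts, src, dst, cve, sig}, both constructed here; the seven-day staleness limit follows the weekly scanning cadence the control asks for.

```python
"""Correlate IDS alerts with prior vulnerability-scan results per target host."""
import json
from datetime import datetime, timedelta

# With weekly scans, a result older than this says little about the host's
# state at alert time and the host should be rescanned (assumed threshold).
MAX_SCAN_AGE = timedelta(days=7)

# Constructed scan export: one record per host per scan.
SCAN_RESULTS = """\
{"host": "10.0.1.10", "scanned_at": "2024-05-01T02:00:00", "cves": ["CVE-2021-44228", "CVE-2023-4863"]}
{"host": "10.0.1.11", "scanned_at": "2024-05-01T02:05:00", "cves": ["CVE-2023-4863"]}
{"host": "10.0.1.12", "scanned_at": "2024-04-10T02:10:00", "cves": []}
"""

# Constructed IDS alerts; each signature is tagged with the CVE it covers.
IDS_ALERTS = """\
{"ts": "2024-05-03T14:12:07", "src": "203.0.113.7", "dst": "10.0.1.10", "cve": "CVE-2021-44228", "sig": "Log4Shell JNDI lookup"}
{"ts": "2024-05-03T14:12:09", "src": "203.0.113.7", "dst": "10.0.1.11", "cve": "CVE-2021-44228", "sig": "Log4Shell JNDI lookup"}
{"ts": "2024-05-03T14:12:11", "src": "203.0.113.7", "dst": "10.0.1.12", "cve": "CVE-2021-44228", "sig": "Log4Shell JNDI lookup"}
{"ts": "2024-05-03T14:13:30", "src": "203.0.113.7", "dst": "10.0.1.13", "cve": "CVE-2023-4863", "sig": "libwebp heap overflow"}
"""


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def index_scans(records):
    """host -> list of (scan time, set of CVEs found), oldest first."""
    index = {}
    for rec in records:
        index.setdefault(rec["host"], []).append(
            (datetime.fromisoformat(rec["scanned_at"]), set(rec["cves"])))
    for scans in index.values():
        scans.sort(key=lambda s: s[0])
    return index


def prior_scan(scans, at):
    """Most recent scan of the host taken at or before the alert time, or None."""
    before = [s for s in scans if s[0] <= at]
    return before[-1] if before else None


def classify(alert, index):
    """vulnerable / not_vulnerable from the prior scan; stale_scan or unscanned if it cannot say."""
    at = datetime.fromisoformat(alert["ts"])
    scan = prior_scan(index.get(alert["dst"], []), at)
    if scan is None:
        return "unscanned"
    scanned_at, cves = scan
    if at - scanned_at > MAX_SCAN_AGE:
        return "stale_scan"
    return "vulnerable" if alert["cve"] in cves else "not_vulnerable"


def triage(alerts, index):
    """Bucket alerts for the responder: confirmed exposure first, then coverage gaps."""
    buckets = {"likely_compromise": [], "needs_rescan": [], "low_priority": []}
    for a in alerts:
        status = classify(a, index)
        tagged = {**a, "status": status}
        if status == "vulnerable":
            buckets["likely_compromise"].append(tagged)
        elif status in ("stale_scan", "unscanned"):
            buckets["needs_rescan"].append(tagged)
        else:
            buckets["low_priority"].append(tagged)
    return buckets


if __name__ == "__main__":
    result = triage(load_jsonl(IDS_ALERTS), index_scans(load_jsonl(SCAN_RESULTS)))
    for bucket, items in result.items():
        print(bucket)
        for a in items:
            print(f"  {a['ts']} {a['dst']} {a['cve']} [{a['status']}] {a['sig']}")
```

A "not_vulnerable" verdict is only as good as the scanner's coverage of that CVE, which is why the example refuses to give one when the last scan predates the alert by more than the scan interval, and why alerts against hosts that were never scanned are surfaced as a coverage gap rather than silently dropped.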
Perform vulnerability scanning in authenticated mode either
with agents running locally on each end system
to analyze the security configuration
or with remote scanners
that are given administrative rights on the system being tested.
Use a dedicated account for authenticated vulnerability scans,
which should not be used for any other administrative activities
and should be tied to specific machines at specific IP addresses.
Ensure that only authorized employees
have access to the vulnerability management user interface
and that roles are applied to each user.
Subscribe to vulnerability intelligence services
in order to stay aware of emerging exposures,
and use the information gained from this subscription
to update the organization's vulnerability scanning activities
on at least a monthly basis.
Alternatively, ensure that the vulnerability scanning tools you use
are regularly updated
with all relevant, important security vulnerabilities.
Deploy automated patch management tools and software update tools
for the operating system
and for software/applications on all systems
for which such tools are available and safe.
Monitor logs associated with any scanning activity
and associated administrator accounts
to ensure that this activity is limited to
the timeframes of legitimate scans.
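An audit of the dedicated scan account, as an added example (not code from the original control text). It serves the requirement above that scan-account activity be confined to legitimate scan windows, the earlier requirement that the account be tied to specific machines at specific addresses and used for nothing else, and the first correlation goal, that scheduled scans actually show up in the logs. The account name vscan, the scanner address 10.0.0.5, the sudo allowlist, the Sunday 02:00-04:00 schedule and the sshd/sudo log excerpt with ISO timestamps are all constructed assumptions.

```python
"""Audit logins and sudo use of the dedicated vulnerability-scan account."""
import re
from datetime import datetime

SCAN_ACCOUNT = "vscan"                    # assumed name of the dedicated scan account
AUTHORIZED_SCANNER_IPS = {"10.0.0.5"}     # the only source addresses allowed to use it
# Read-only inventory commands the scanner legitimately needs via sudo (assumed).
ALLOWED_SUDO = {"/usr/bin/dpkg-query", "/usr/bin/rpm"}
# Scheduled scan windows (start, end); assumed weekly, Sunday 02:00-04:00.
SCAN_WINDOWS = [
    (datetime(2024, 5, 5, 2, 0), datetime(2024, 5, 5, 4, 0)),
    (datetime(2024, 5, 12, 2, 0), datetime(2024, 5, 12, 4, 0)),
]
REPORT_TIME = datetime(2024, 5, 13)       # when the audit is run (assumed)

# Constructed auth-log excerpt from one scanned host (ISO timestamps assumed;
# stock syslog's month/day format would need the year supplied by the caller).
AUTH_LOG = """\
2024-05-05T02:03:11 web1 sshd[2211]: Accepted publickey for vscan from 10.0.0.5 port 51022 ssh2
2024-05-05T02:03:12 web1 sudo:    vscan : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/dpkg-query -l
2024-05-07T11:41:09 web1 sshd[3001]: Accepted publickey for vscan from 10.0.0.5 port 51100 ssh2
2024-05-07T11:41:10 web1 sudo:    vscan : TTY=pts/0 ; PWD=/home/vscan ; USER=root ; COMMAND=/bin/bash
2024-05-08T09:00:01 web1 sshd[3100]: Accepted password for vscan from 192.168.77.20 port 40000 ssh2
2024-05-09T08:15:00 web1 sshd[3200]: Accepted publickey for alice from 10.0.0.9 port 50000 ssh2
"""

LOGIN_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) "
                      r"for (?P<user>\S+) from (?P<ip>\S+)")
SUDO_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*COMMAND=(?P<cmd>\S+)")


def parse(text, user):
    """Logins and sudo invocations by the given account, in log order."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m and m.group("user") == user:
            events.append({"kind": "login", "ts": datetime.fromisoformat(m.group("ts")),
                           "host": m.group("host"), "ip": m.group("ip"), "method": m.group("method")})
            continue
        m = SUDO_RE.match(line)
        if m and m.group("user") == user:
            events.append({"kind": "sudo", "ts": datetime.fromisoformat(m.group("ts")),
                           "host": m.group("host"), "cmd": m.group("cmd")})
    return events


def in_window(ts, windows):
    return any(start <= ts <= end for start, end in windows)


def audit(events, windows, authorized_ips, allowed_sudo, now):
    """Findings: account use outside its remit, plus scheduled scans that left no trace."""
    findings = []
    for e in events:
        reasons = []
        if not in_window(e["ts"], windows):
            reasons.append("outside scan window")
        if e["kind"] == "login":
            if e["ip"] not in authorized_ips:
                reasons.append(f"unauthorized source ip {e['ip']}")
            if e["method"] != "publickey":
                reasons.append(f"non-key authentication ({e['method']})")
        elif e["cmd"] not in allowed_sudo:
            reasons.append(f"sudo command not in scanner allowlist: {e['cmd']}")
        if reasons:
            findings.append({"ts": e["ts"].isoformat(), "host": e["host"], "reasons": reasons})
    # A scan window that has passed with no login from the account means either the
    # scan did not run or its activity was not logged; both need a look.
    for start, end in windows:
        if end <= now and not any(e["kind"] == "login" and start <= e["ts"] <= end for e in events):
            findings.append({"ts": start.isoformat(), "host": "*",
                             "reasons": ["scheduled scan left no login record"]})
    return findings


def run_audit():
    return audit(parse(AUTH_LOG, SCAN_ACCOUNT), SCAN_WINDOWS, AUTHORIZED_SCANNER_IPS,
                 ALLOWED_SUDO, REPORT_TIME)


if __name__ == "__main__":
    for f in run_audit():
        print(f["ts"], f["host"], "; ".join(f["reasons"]))
```

On the sample log the audit flags the weekday login from the scanner address, the interactive root shell obtained through sudo under the scan account, the password login from an address that is not the scanner, and the second scheduled window that left no login at all. The allowlist check is what enforces "not used for any other administrative activities": a scan account that can sudo to an arbitrary shell is an administrator account with a friendlier name.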
Compare the results from back-to-back vulnerability scans
to verify that vulnerabilities were addressed, either by
implementing a compensating control
or documenting and accepting a reasonable business risk.
Such acceptance of business risks for existing vulnerabilities
should be periodically reviewed
to determine if newer compensating controls or subsequent patches can
address vulnerabilities that were previously accepted,
or if conditions have changed
increasing the risk.
Establish a process to risk-rate vulnerabilities
based on the exploitability and potential impact of the vulnerability
and segmented by appropriate groups of assets
(for example, DMZ servers, internal network servers, desktops, laptops).
Apply patches for the riskiest vulnerabilities first.
A phased rollout can be used
to minimize the impact to the organization.
Establish expected patching timelines
based on the risk rating level.
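The two procedures above, comparing back-to-back scans (with a review of accepted risks whose review date has lapsed) and risk-rating the open findings by asset group with a patch timeline per rating, carried through in one added example (not code from the original control text). The scan format, (host, cve) mapped to exploitability and impact sub-scores on a 0-10 scale, the asset groups and weights, the rating thresholds, the timelines and the risk-acceptance register are all constructed assumptions; the weights and timelines in particular are policy choices each organization sets for itself.

```python
"""Scan diff, risk-acceptance review, risk rating by asset group and patch deadlines."""
from datetime import date, timedelta

# Constructed findings from two consecutive weekly scans:
# (host, cve) -> (exploitability, impact) sub-scores, 0-10, CVSS-like (assumed).
PREVIOUS_SCAN = {
    ("dmz-web1", "CVE-2021-44228"): (9.0, 10.0),
    ("dmz-web1", "CVE-2023-4863"): (9.0, 10.0),
    ("corp-lap07", "CVE-2023-4863"): (7.0, 8.0),
    ("int-db1", "CVE-2019-0708"): (8.0, 9.0),
}
CURRENT_SCAN = {
    ("dmz-web1", "CVE-2023-4863"): (9.0, 10.0),
    ("corp-lap07", "CVE-2023-4863"): (7.0, 8.0),
    ("int-db1", "CVE-2019-0708"): (8.0, 9.0),
    ("int-db1", "CVE-2024-3094"): (8.0, 10.0),
}
SCAN_DATE = date(2024, 5, 12)
# When each still-open finding was first reported, kept across the whole scan history
# so deadlines are measured from first sight rather than from the latest scan (assumed).
FIRST_SEEN = {
    ("dmz-web1", "CVE-2023-4863"): date(2024, 4, 21),
    ("corp-lap07", "CVE-2023-4863"): date(2024, 4, 28),
    ("int-db1", "CVE-2019-0708"): date(2023, 11, 5),
}
# Accepted business risks: (host, cve) -> date by which the acceptance must be re-reviewed.
ACCEPTED_RISK = {("int-db1", "CVE-2019-0708"): date(2024, 3, 1)}

# Asset groups, how much exposure each group adds, and patch timelines per rating (all assumed).
ASSET_GROUP = {"dmz-web1": "dmz", "int-db1": "internal_server", "corp-lap07": "laptop"}
GROUP_WEIGHT = {"dmz": 1.0, "internal_server": 0.8, "desktop": 0.6, "laptop": 0.7}
TIMELINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def rate(exploitability, impact, group):
    """Risk rating from exploitability x impact, scaled by how exposed the asset group is."""
    score = exploitability * impact / 10 * GROUP_WEIGHT[group]
    for level, floor in (("critical", 8), ("high", 6), ("medium", 3)):
        if score >= floor:
            return level
    return "low"


def compare_scans(previous, current):
    """What disappeared, what is new, and what is still there since the last scan."""
    return {"remediated": sorted(set(previous) - set(current)),
            "new": sorted(set(current) - set(previous)),
            "persisting": sorted(set(previous) & set(current))}


def review_acceptances(persisting, register, today):
    """A persisting finding is either accepted risk with a live review date, or open work;
    acceptances whose review date has passed are sent back for re-review."""
    open_work, lapsed = [], []
    for key in persisting:
        if key not in register:
            open_work.append(key)
        elif register[key] < today:
            lapsed.append(key)
    return open_work, lapsed


def patch_plan(keys, scan, first_seen, today):
    """Rate each open finding and derive its patch deadline from when it was first seen."""
    plan = []
    for host, cve in keys:
        expl, impact = scan[(host, cve)]
        rating = rate(expl, impact, ASSET_GROUP[host])
        due = first_seen.get((host, cve), today) + timedelta(days=TIMELINE_DAYS[rating])
        plan.append({"host": host, "cve": cve, "rating": rating,
                     "due": due.isoformat(), "overdue": due < today})
    order = list(TIMELINE_DAYS)
    return sorted(plan, key=lambda p: (order.index(p["rating"]), p["due"]))


def report(previous=PREVIOUS_SCAN, current=CURRENT_SCAN, today=SCAN_DATE):
    diff = compare_scans(previous, current)
    open_work, lapsed = review_acceptances(diff["persisting"], ACCEPTED_RISK, today)
    return {"remediated": diff["remediated"], "new": diff["new"],
            "lapsed_acceptances": lapsed,
            "plan": patch_plan(open_work + diff["new"], current, FIRST_SEEN, today)}


if __name__ == "__main__":
    for section, items in report().items():
        print(section)
        for item in items:
            print("  ", item)
```

Measuring the deadline from the date a finding was first seen, not from the latest scan, is what makes a weekly rescan a check on progress rather than a reset of the clock: the DMZ finding in the sample was first reported three weeks earlier, so under a seven-day critical timeline it is already overdue even though it persisted across only one back-to-back pair. The lapsed acceptance on the database server is reported separately because it is not patch work; it is a decision that has to be re-taken.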