The more applications an enterprise runs, the more complicated vulnerability management becomes. When you are trying to identify every vulnerability and fix it before an attacker exploits it, it is easy to miss something important, and especially easy if you are an IT administrator juggling many tasks of which security is only one.
Security practitioners cannot catch everything. By breaking vulnerability management down into its basic components, however, it is possible to defend more effectively. Those basic components were what the chief security officers attending last month's "SANS Boston 2010" conference were looking for. What follows is the first part of a series of articles on vulnerability management, organized around a training course given by Stephen Northcutt, president of the SANS Institute, entitled "SANS Security Leadership Essentials for Managers with Knowledge Compression".
Before covering the vulnerability management tools and techniques themselves (those are the subject of the next two articles), let's first get clear on what vulnerability management is.
Five Principles of Security Vulnerability Management
Northcutt said that to understand vulnerability management, we should first consider its five principles:
· Vulnerabilities are the gateways through which threats are realized.
· Vulnerability scanning without remediation is pointless.
· A small scan followed by remediation is better than a large scan followed by no remediation.
· Remediation must prioritize the vulnerabilities that directly threaten the network.
· Security practitioners need a process that lets them test for vulnerabilities continuously, so that patches go out more often and more effectively.
Northcutt emphasizes the value of starting small. One reason to scan a little and then fix what you found, he pointed out, is to avoid a situation where you know about a large number of vulnerabilities and have fixed none of them: once you know about a vulnerability and do nothing, your organization owns the consequences.
If data is breached and the breach is traced back to a vulnerability the company knew about but had not fixed, Northcutt said, the consequences are very serious. It is one of the factors a court weighs when considering punitive damages.
Major threat vectors
Northcutt went on to say that it is important to identify the major threat vectors an organization has to worry about. They include:
· External attacks from the network (the Internet).
· Internal attacks arriving over the network (for example through a VPN).
· External attacks over the telephone network.
· Internal attacks from the local network.
· Internal attacks from local systems.
· Attacks from malware.
The biggest concern is what Northcutt calls "the power of the pivot". Every attacker needs a foothold. If an unpatched vulnerability is reachable from outside the organization and gets exploited, the compromised system becomes a springboard, or "pivot", for attacking other systems on the same network.
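The principle that remediation should go first to vulnerabilities that directly threaten the network, combined with the pivot idea above, can be turned into a simple triage rule: a finding on an externally reachable host with a working exploit outranks a higher-scoring finding on a host an attacker cannot reach directly, and among footholds the one that opens up more of the internal network comes first. The following is an added example, not part of the original article or of Northcutt's course material. The host names, the "VULN-x" labels, the adjacency map and the CVSS values are all constructed for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One scanner finding. `label` is a constructed placeholder, not a real CVE."""
    host: str
    label: str
    cvss: float
    exploit_available: bool
    remediated: bool = False


# Constructed scan results for a hypothetical small network.
FINDINGS = [
    Finding("web-dmz-1", "VULN-A", 9.8, True),
    Finding("vpn-gw", "VULN-B", 7.5, True),
    Finding("fileserver", "VULN-C", 9.8, True),
    Finding("db-1", "VULN-D", 6.5, False),
    Finding("pbx", "VULN-E", 5.0, False, remediated=True),
]

# Hosts exposed to an external vector (Internet or telephone network).
EXTERNAL_ENTRY = {"web-dmz-1", "vpn-gw", "pbx"}

# Constructed adjacency: which hosts each host can open connections to.
REACHES = {
    "web-dmz-1": {"db-1"},
    "vpn-gw": {"fileserver", "db-1"},
    "fileserver": {"db-1"},
    "db-1": set(),
    "pbx": set(),
}


def pivot_reach(start, reaches):
    """Hosts an attacker could reach by pivoting from `start` (breadth-first walk)."""
    seen, queue = set(), deque([start])
    while queue:
        host = queue.popleft()
        for nxt in reaches.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def prioritize(findings, external_entry, reaches):
    """Rank open findings for remediation.

    Order: exploitable footholds on externally reachable hosts first, then any
    other finding on an externally reachable host, then by how much of the
    network a pivot from that host would expose, and only then by CVSS score.
    """
    open_findings = [f for f in findings if not f.remediated]

    def key(f):
        external = f.host in external_entry
        foothold = external and f.exploit_available
        blast_radius = len(pivot_reach(f.host, reaches))
        return (not foothold, not external, -blast_radius, -f.cvss)

    return sorted(open_findings, key=key)


if __name__ == "__main__":
    for f in prioritize(FINDINGS, EXTERNAL_ENTRY, REACHES):
        print(f"{f.host:12} {f.label:8} cvss={f.cvss:<4} "
              f"pivot_reach={sorted(pivot_reach(f.host, REACHES))}")
```

Note what the ranking does with the sample data: the VPN gateway finding (CVSS 7.5) comes out ahead of the DMZ web server finding (CVSS 9.8) because a pivot from the gateway reaches two internal hosts instead of one, and the file server's 9.8 drops below both because an attacker has no direct path to it. Severity score alone would have produced the opposite order, which is exactly the trap the fourth principle warns about.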
The psychology of management
To get executives to understand why vulnerability management matters, you have to talk to them in language they understand. Do not explain where in the software a vulnerability sits or which specific technology is needed to fix it. What matters, Northcutt says, is pointing out the things that keep executives up at night.
What do bosses worry about? Northcutt offers the following examples:
· A defaced Web server makes the organization a laughing stock.
· A Web server may leak customers' private data, leading to lawsuits or worse.
· An insider may act out of anger, for example by planting a logic bomb.
· An insider may feel entitled to sell the company's trade secrets.
· Employees are easily fooled by social engineering and leak sensitive data to the media.
· Hackers may find evidence of the company's wrongdoing on its own systems and use it to extort money from the company.
To appreciate how serious this is, security practitioners need to look at the challenge from three perspectives. From the external perspective, you are an outsider on the Internet looking in at your organization. From the internal perspective, the focus is whether systems are configured appropriately. From the user perspective, users inside the network reach the Internet through the Web and email.
Why does an organization need to look at the problem from all three perspectives? Northcutt gave these reasons:
· Most organizations use scanners such as Core Impact, Nessus, or NeXpose only from the external perspective.
· If a user can reach the Internet and clicks through to a malicious website, his or her system can be used to attack systems that did not appear to be exposed at all.
· For many years the SCADA security model was that if you are not connected to the Internet, you have nothing to worry about. As SCADA systems are increasingly connected to the Internet, there is indeed a great deal to worry about.
With all of that in mind, Northcutt says, it is time to take a close look at the available scanners and penetration techniques.
The second part of this series covers the differences between the available scanners and how to decide which scanner best fits your organization. The third part looks at how to determine which vulnerabilities carry the most risk and how to prioritize patching.