Threat & vulnerability management


Successful cyber attacks are carried out by people, commonly referred to as Threat Actors. They range from script kiddies and individuals seeking fame or money, through organised criminal gangs, to state-sponsored groups.

Attackers know that projects such as new web sites are often launched before a full security and quality check has been completed, and that developers cut corners more often than is healthy in order to meet launch dates.

Just as importantly, systems and applications are seldom patched promptly against the latest threats, so Threat Actors can exploit known, already-published vulnerabilities with very little effort.


Be ready, be practised

Our experience shows that many organisations fail to take a systematic approach. Gartner makes the same point in recommending an adaptive protection process that integrates predictive, preventive, detective and response capabilities.


All organisations will, at some point, experience an information security incident. Knowing what assets you have, managing and monitoring them and reporting on their status, combined with an incident management plan that is known, owned and practised, puts you in a position to respond effectively when that incident arrives.


Eradicating persistent network vulnerabilities

Threat & Vulnerability Management needn't be overly complex, but teams have a tendency to make it so.  Keeping to a few simple steps is key to a successful outcome:

    • Asset management: ensure that you can track your network assets and record their details in an inventory or database, such as a CMDB (Configuration Management DataBase)
    • Review the business importance of each asset and assign it a risk value
    • Map your network: scan the whole ICT infrastructure, not just the parts you think you know about
    • There are many specialist vendors with excellent tools that will give you a much clearer picture of where you are.  They can provide the following:
      • asset identification
      • asset configuration
      • patch / vulnerability status
      • policy compliance
      • identification of rogue devices: for example, unauthorised WiFi devices, or any host the scanner finds that is missing from the CMDB
    • With solid information it is now possible to remediate; prioritise that work using the risk values from step 2, so that findings are classified by business risk rather than by raw scanner severity alone:
      • some tools provide direct links to auto-download patches and auto-install them
      • many are able to link automatically to IT ticketing solutions and raise "trouble / event" tickets
    • Output reports are essential in providing a detailed view of your current security status:
      • these are easily tailored to provide as much (or as little) information as each audience needs, from technical teams, to legal, audit and risk staff, and finally at Boardroom level
      • such reports can be used as metrics, allowing you to track trends in discovery / remediation over time
    • Rescan to validate that remediation has actually been completed; a finding is closed only when the rescan no longer reports it on that asset


    Remember: if you can't measure, you can't manage
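The steps above, carried through as a minimal working loop. This is an added example, not code from the original page or from any vendor tool it mentions: a CMDB-style inventory with a risk value per asset, scanner findings mapped onto those assets, prioritisation by business risk rather than raw severity, a rescan comparison that validates remediation, and the summary metrics a report would carry. Every host name, check identifier (CHK-…), owner and score is constructed for the example; none refers to a real system or a real vulnerability.

```python
"""Added example (not from the original page): a minimal threat &
vulnerability management loop. Inventory, findings and scores are all
constructed sample data, not real hosts or real vulnerabilities."""

from dataclasses import dataclass

# Step 1/2: the inventory (CMDB) with a business-risk value per asset.
# 1 = low impact if compromised, 5 = critical. Constructed sample data.
INVENTORY = {
    "web-01":   {"owner": "ecommerce",  "risk_value": 5},
    "db-01":    {"owner": "ecommerce",  "risk_value": 5},
    "hr-app":   {"owner": "hr",         "risk_value": 3},
    "print-01": {"owner": "facilities", "risk_value": 1},
}

@dataclass(frozen=True)
class Finding:
    asset: str        # hostname as the scanner reports it
    finding_id: str   # scanner's check identifier (constructed here)
    severity: float   # 0.0-10.0, CVSS-style base score
    title: str

def unknown_assets(findings, inventory=INVENTORY):
    """Step 3/4: anything the scanner sees that the CMDB does not know is a
    rogue or unmanaged device and must be triaged before anything else."""
    return sorted({f.asset for f in findings if f.asset not in inventory})

def prioritise(findings, inventory=INVENTORY):
    """Step 5: rank findings by business risk, not raw severity.
    risk = asset risk value (1-5) * severity (0-10), so a 7.5 on a critical
    asset (37.5) outranks a 9.8 on a low-value printer (9.8)."""
    scored = []
    for f in findings:
        asset = inventory.get(f.asset)
        if asset is None:
            continue  # unmanaged host: reported by unknown_assets() instead
        scored.append((asset["risk_value"] * f.severity, f))
    scored.sort(key=lambda t: (-t[0], t[1].asset, t[1].finding_id))
    return scored

def remediation_status(before, after):
    """Step 7: compare two scans. A finding counts as closed only when the
    rescan no longer reports it on the same asset. Caveat: a host that was
    simply offline during the rescan also looks 'closed', so check that the
    asset was actually reached before crediting the fix."""
    key = lambda f: (f.asset, f.finding_id)
    before_keys = {key(f) for f in before}
    after_keys = {key(f) for f in after}
    return {
        "closed": sorted(before_keys - after_keys),
        "still_open": sorted(before_keys & after_keys),
        "new": sorted(after_keys - before_keys),
    }

def summary_metrics(before, after, inventory=INVENTORY):
    """Step 6: the Boardroom numbers, how much business risk was removed."""
    def total_risk(findings):
        return sum(score for score, _ in prioritise(findings, inventory))
    b, a = total_risk(before), total_risk(after)
    return {"risk_before": b, "risk_after": a,
            "reduction_pct": round(100 * (b - a) / b, 1) if b else 0.0}

# Constructed scan output: first scan, then the rescan after web-01 was
# patched and the unknown access point removed from the network.
SCAN_1 = [
    Finding("web-01", "CHK-0001", 7.5, "outdated TLS library"),
    Finding("db-01", "CHK-0002", 9.8, "unauthenticated remote access"),
    Finding("print-01", "CHK-0003", 9.8, "default admin credentials"),
    Finding("hr-app", "CHK-0004", 5.3, "verbose error pages"),
    Finding("unknown-ap-7", "CHK-0005", 6.5, "open management interface"),
]
SCAN_2 = [
    Finding("db-01", "CHK-0002", 9.8, "unauthenticated remote access"),
    Finding("print-01", "CHK-0003", 9.8, "default admin credentials"),
    Finding("hr-app", "CHK-0004", 5.3, "verbose error pages"),
    Finding("hr-app", "CHK-0006", 4.3, "missing security headers"),
]

if __name__ == "__main__":
    print("rogue / unmanaged devices:", unknown_assets(SCAN_1))
    for score, f in prioritise(SCAN_1):
        print(f"{score:5.1f}  {f.asset:10} {f.finding_id}  {f.title}")
    print(remediation_status(SCAN_1, SCAN_2))
    print(summary_metrics(SCAN_1, SCAN_2))
```

Note how the ordering changes once asset risk is applied: the printer's 9.8 drops to the bottom of the list and the 7.5 on the e-commerce web server comes second, which is the point of linking findings back to the risk value assigned in step 2. The rescan diff also surfaces a finding that did not exist in the first scan, so the trend metric is computed over the live picture rather than over the original ticket list.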