If you like running tools and getting lots of pretty coloured reports back, vulnerability management is probably for you. In essence it’s about identifying vulnerabilities and (unsurprisingly) managing them. In practice this means running some form of automated tool across all the devices on your network and reporting back details of weak configurations.
A word about scope before we move on: I would strongly recommend working from a full IP address range rather than a host list for internal scanning. This helps the inventory control by picking up those air-conditioning units, CCTV cameras and door controls that are unpatched. Equally, make sure you add everything for your external ranges too.
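The scope point above is easy to check mechanically. The following is an added example (not code from the original post) that takes the scanned CIDR ranges, the asset inventory as recorded, and the hosts a scan actually found alive, and reports both the live hosts the inventory does not know about and the inventory entries that no scanned range covers. All addresses and host names are constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the original post): the CIDR ranges the
# scan was run against, the inventory as the CMDB records it, and the hosts
# the scanner found responding.
SCOPE = ["10.0.1.0/24", "10.0.2.0/24"]
INVENTORY = {
    "10.0.1.10": "dc01",
    "10.0.1.11": "fileserver",
    "10.0.2.5": "web01",
    "192.168.5.4": "hvac-controller",   # recorded, but outside every scanned range
}
SCAN_HOSTS = ["10.0.1.10", "10.0.1.11", "10.0.1.200", "10.0.2.5", "10.0.2.77"]


def in_scope(ip, scope):
    """True if the address falls inside any of the scanned CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in scope)


def scope_size(scope):
    """Number of addresses the scan covers; useful as a sanity check on licensing and run time."""
    return sum(ipaddress.ip_network(net, strict=False).num_addresses for net in scope)


def reconcile(scope, inventory, scan_hosts):
    """Return (unknown_hosts, uncovered_inventory), each sorted by address.

    unknown_hosts: live hosts the scanner saw that the inventory does not list,
    typically the cameras, door controllers and air-conditioning units nobody
    recorded. These need an owner before they can be patched.
    uncovered_inventory: inventory entries that no scanned range includes, i.e.
    assets the scan silently missed and that should be added to scope.
    """
    unknown = sorted(
        (ip for ip in scan_hosts if ip not in inventory and in_scope(ip, scope)),
        key=ipaddress.ip_address,
    )
    uncovered = sorted(
        (ip for ip in inventory if not in_scope(ip, scope)),
        key=ipaddress.ip_address,
    )
    return unknown, uncovered


if __name__ == "__main__":
    unknown, uncovered = reconcile(SCOPE, INVENTORY, SCAN_HOSTS)
    print(f"scanned {scope_size(SCOPE)} addresses")
    print("live but not in inventory:", unknown)
    print("in inventory but not scanned:", uncovered)
```

Run it after each scan and feed the first list back to whoever owns the inventory; the second list is the one that tells you your scope definition has drifted from reality.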
Generally, vulnerability scanning is carried out by tools such as Nessus and Qualys, and a good starting point is running them unauthenticated, i.e. without credentials to log on to devices. The tools are good, but limited in what they can identify, and equally can be prone to false positives.
They are good at:
- Fingerprinting operating systems and finding missing patches that have known exploits, for example MS08-067
- Identifying known bugs in common products (SSH, web servers etc.) when the services provide the version number
- Evaluating TLS/SSL configurations
- General Windows unauthenticated hardening checks
They’re not so good at the web server or application layer. It’s always worth reading all of the findings, as you may find “Informational” rated findings which are important for your business due to information leakage.
The vulnerability management control also includes device patching and hardening. Patching is self-explanatory, and everyone should be moving towards a quick release mechanism for all security patches, as it’s a strong line of defence and there is no value in fighting against it.
Hardening can seem daunting, but resources such as the Center for Internet Security (CIS) free Benchmarks (https://benchmarks.cisecurity.org) make this easier. In addition, the vulnerability scanning tools above allow for credentialed scanning of devices, which lets you report against CIS and other benchmarks automatically. The best approach with hardening is to take a newly built device, scan or manually check it, and use GPOs or scripts to harden it. Once this is clean, roll it out everywhere.
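The “check the newly built device against the benchmark” step can be scripted so the same check runs on every build. The following is an added example, not code from the original post or from CIS: it parses an `sshd_config` and reports every directive that deviates from an expected baseline. The config excerpt is constructed, and the expected values are assumptions written in the spirit of a CIS-style SSH benchmark; the published benchmark document is the authority for the real values.

```python
# Constructed sshd_config excerpt from a hypothetical freshly built host
# (sample input, not taken from the original post or any real system).
SAMPLE_SSHD_CONFIG = """
# OpenSSH server configuration
Port 22
Protocol 2
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
ClientAliveInterval 0
"""

# Assumed baseline values for this example; substitute the values from the
# benchmark your organisation has adopted.
EXPECTED = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "4",
    "ClientAliveInterval": "300",
    "LogLevel": "INFO",
}


def parse_sshd_config(text):
    """Return {directive: value} for the effective lines, ignoring comments and blanks.

    sshd_config allows 'Key value' or 'Key=value'; both forms are handled.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line and " " not in line.split("=", 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        settings[key.strip()] = value.strip()
    return settings


def check_hardening(config_text, expected):
    """Return a list of (directive, found, expected) for every deviation.

    found is None when the directive is absent, which matters because an
    absent directive falls back to the daemon default, not to the benchmark.
    """
    actual = parse_sshd_config(config_text)
    deviations = []
    for key, want in expected.items():
        got = actual.get(key)
        if got is None or got.lower() != want.lower():
            deviations.append((key, got, want))
    return deviations


if __name__ == "__main__":
    for key, got, want in check_hardening(SAMPLE_SSHD_CONFIG, EXPECTED):
        print(f"{key}: found {got!r}, expected {want!r}")
```

Once a host reports an empty deviation list, its configuration is the template to roll out; rerunning the check after each build catches drift before the credentialed scan does.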
Tools make vulnerability management really easy; the hard part is working through the output and fixing it. As ever, avoiding procrastination is key: take the high priority issues or assets first and work through them methodically, safe in the knowledge you’re making the best use of your resources.
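Working through the output methodically, and not skipping the “Informational” findings that hide information leakage, can both be helped with a small triage script. The following is an added example (not code from the original post, and not the export format of Nessus or Qualys): it reads a constructed CSV export of findings, orders them by severity, known exploit availability, asset criticality and CVSS, and separately surfaces Informational findings whose titles suggest information leakage. The column names, the sample rows and the leak-hint phrases are assumptions for the example.

```python
import csv
import io

# Constructed sample export (not from any real scanner run). asset_tier is an
# assumed business-criticality rating, 1 = most critical.
SAMPLE_CSV = """host,plugin,severity,cvss,exploit_available,asset_tier
10.0.1.10,MS08-067 Remote Code Execution,Critical,10.0,true,1
10.0.2.5,Apache HTTP Server version disclosure,Informational,0.0,false,1
10.0.1.11,SSL Medium Strength Cipher Suites Supported,Medium,5.3,false,2
10.0.2.77,Directory listing enabled,Informational,0.0,false,3
10.0.1.200,Outdated OpenSSH version,High,7.5,true,3
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Informational": 0}

# Phrases that, in an Informational finding, usually mean something is leaking
# detail about the platform. Illustrative list, not a scanner taxonomy.
LEAK_HINTS = ("version disclosure", "directory listing", "banner", "server header")


def parse_findings(text):
    """Parse the CSV export into dicts with typed numeric and boolean fields."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["cvss"] = float(r["cvss"])
        r["exploit_available"] = r["exploit_available"].strip().lower() == "true"
        r["asset_tier"] = int(r["asset_tier"])
    return rows


def priority(f):
    """Sort key: highest severity first, then known exploit, then most critical asset, then CVSS."""
    return (-SEVERITY_RANK[f["severity"]], not f["exploit_available"], f["asset_tier"], -f["cvss"])


def triage(findings):
    """Return findings in the order they should be worked."""
    return sorted(findings, key=priority)


def info_leaks(findings):
    """Informational findings worth a manual read because they disclose platform detail."""
    return [
        f for f in findings
        if f["severity"] == "Informational"
        and any(hint in f["plugin"].lower() for hint in LEAK_HINTS)
    ]


def by_host(findings):
    """Group the triaged list per host, so an asset can be fixed and re-scanned in one pass."""
    groups = {}
    for f in triage(findings):
        groups.setdefault(f["host"], []).append(f["plugin"])
    return groups


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_CSV)
    for f in triage(findings):
        print(f"{f['severity']:<13} {f['host']:<12} {f['plugin']}")
    print("review for information leakage:", [f["plugin"] for f in info_leaks(findings)])
```

The sort key is deliberately a tuple rather than a single weighted score: it keeps the ordering explainable when someone asks why a High on a tier-3 camera outranks a Medium on the file server.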