February 20, 2020

Infosec Blocking and Tackling - Vulnerability Management - WST

Vulnerability management!  Now there is a sexy subject.  Managing the various vulnerabilities in your environment (which in practice is mostly patching and updating) is a tedious, thankless, and never-ending task.  It is also absolutely essential to the security of any network environment.

Vulnerability management is a larger task than just patching.  It is the process of identifying vulnerabilities in your environment, prioritizing them, and tracking each issue to remediation (or to a documented mitigation or risk acceptance).

The first step in vulnerability management is knowing what you have: you can't patch what you don't know exists.

  • Start with a good inventory of systems and software, and keep it current.
  • Uninstall or retire what is not needed. If it isn't needed for a business function, it is only attack surface that you also have to patch.
  • Make sure you start with a clean Windows install when deploying workstations. Vendor images, for workstations especially, still often ship with pre-loaded apps you do not need, and those can contain vulnerabilities right out of the box.
  • Lastly, ensure your new server or workstation build process includes installing all applicable patches and updates before the system goes into service. This starts the system out at a secure baseline instead of with a backlog.

Next, you need to identify and remediate known vulnerabilities as part of an ongoing process.  This can be an in-house process, or it can be outsourced.  It can be an automated or manual process – but whatever you are doing, make sure it works for you.  Don't hesitate to switch gears if the current vendor/software product/etc. just isn't cutting it.  Other points to consider:

  • Vulnerability scanning is vitally important. Again, this can be outsourced, internal, or both.  Scan entire address ranges, not just a list of known systems, so you also find the assets that are missing from your inventory.  Also, scan with privileged credentials: an unauthenticated scan only sees what a host exposes on the network, while a credentialed scan can log in and enumerate installed software and patch levels, which is the only way to identify ALL missing patches.
  • Many patch management products have vulnerability scanning built in. This is handy, but strongly consider a second product or vendor for vulnerability scanning.  The scanning built into many of these products is just not that great, and by getting a "second opinion" from a different tool on what is missing, you can double-check your results.
  • Many vulnerability fixes are not patches but reconfigurations, so don't forget to address these issues as well. Additionally, many Windows patches require both the patch AND a reconfiguration (typically a registry value or Group Policy setting) that must be done manually; until that step is done, the update is installed but the protection is not enabled.  Watch out for these, as Microsoft doesn't make it easy to spot updates that need more attention.  The best resource we have found for identifying these "extra work" updates is the Microsoft Security Update Guide (https://msrc.microsoft.com/update-guide/en-us).  Look for the release notes for the updates you are applying; inside the release note, an asterisk (*) next to a CVE marks one that may require further steps.
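The two lists above describe one process: know what you have, scan everything (with credentials), get a second opinion from another tool, and track every item to remediation, mitigation or acceptance. The script below is an added example and not tooling from the original post. It reconciles a constructed asset inventory against constructed exports from two hypothetical scanners: it reports hosts that show up in one place but not the other, unions the two scanners' findings per host so that anything seen by only one tool can be verified with the other, keeps config findings (which usually carry no CVSS score) in the same queue as missing patches, drops only items closed by an agreed mitigation or acceptance, and re-flags anything recorded as remediated that is still being detected. Hostnames, the inventory, the register entries and the assignment of findings to hosts are all made up; the CVE ids are real Windows CVEs used only as labels.

```python
"""Reconcile an asset inventory against exports from two vulnerability scanners.

Added example, not tooling from the original post. Every host, inventory entry,
finding assignment and register entry below is constructed sample data shaped
like a typical scanner CSV export: (host, finding id, CVSS score, kind of fix).
"""
from collections import defaultdict

# Constructed inventory: what the asset register says exists.
INVENTORY = {"dc01", "fs01", "ws-101", "ws-102"}

# Constructed exports from two hypothetical scanners. "patch" means a missing
# update, "config" means a reconfiguration the scanner flagged (no CVSS score).
# The CVE ids are real Windows CVEs used only as labels; which host has which
# finding, and the scores shown, are made up to look like scanner output.
SCANNER_A = [
    ("dc01",   "CVE-2020-0601", 8.1, "patch"),
    ("fs01",   "CVE-2017-0144", 8.1, "patch"),
    ("fs01",   "SMBv1 enabled", None, "config"),
    ("ws-101", "CVE-2019-0708", 9.8, "patch"),
    ("ws-199", "CVE-2019-0708", 9.8, "patch"),  # host missing from INVENTORY
]
SCANNER_B = [
    ("dc01",   "CVE-2020-0601", 8.1, "patch"),
    ("dc01",   "SMB signing not required", None, "config"),  # only B saw this
    ("fs01",   "CVE-2017-0144", 8.1, "patch"),
    ("ws-101", "CVE-2019-0708", 9.8, "patch"),
    ("ws-101", "CVE-2020-0601", 8.1, "patch"),  # only B saw this
]

# Constructed tracking register: (host, finding) -> (disposition, note).
REGISTER = {
    ("fs01", "SMBv1 enabled"): ("mitigated", "SMB blocked at the firewall; retirement scheduled"),
    ("dc01", "CVE-2020-0601"): ("remediated", "update installed last cycle"),
}

CLOSED_BY_DECISION = {"mitigated", "accepted"}


def coverage_gaps(inventory, *scans):
    """Return (hosts the scanners saw but the inventory lacks,
               inventory hosts no scanner reached)."""
    scanned = {row[0] for scan in scans for row in scan}
    return sorted(scanned - inventory), sorted(inventory - scanned)


def merge_findings(**scans):
    """Union the scanners' findings per host, recording which tool saw each one."""
    merged = defaultdict(dict)
    for tool, rows in scans.items():
        for host, finding, cvss, kind in rows:
            entry = merged[host].setdefault(
                finding, {"cvss": cvss, "kind": kind, "sources": set()})
            entry["sources"].add(tool)
    return merged


def prioritize(merged, register=None):
    """Open work, highest severity first.

    Items closed by an agreed mitigation or acceptance are dropped. An item
    recorded as remediated but still detected is kept and annotated: the fix
    did not take (or needs a reboot), so the ticket must be reopened. A finding
    seen by only one tool is kept but flagged for verification with the other.
    Config findings without a score sort to the bottom rather than vanishing.
    """
    register = register or {}
    items = []
    for host, findings in merged.items():
        for finding, info in findings.items():
            disposition = register.get((host, finding), (None, ""))[0]
            if disposition in CLOSED_BY_DECISION:
                continue
            items.append({
                "host": host,
                "finding": finding,
                "kind": info["kind"],
                "cvss": info["cvss"] if info["cvss"] is not None else 0.0,
                "verify": len(info["sources"]) == 1,
                "note": "recorded as remediated but still detected"
                        if disposition == "remediated" else "",
            })
    return sorted(items, key=lambda i: (-i["cvss"], i["host"], i["finding"]))


if __name__ == "__main__":
    unknown, unscanned = coverage_gaps(INVENTORY, SCANNER_A, SCANNER_B)
    print("Not in inventory (add or investigate):", unknown)
    print("In inventory but never scanned:", unscanned)
    for item in prioritize(merge_findings(A=SCANNER_A, B=SCANNER_B), REGISTER):
        flags = " VERIFY" if item["verify"] else ""
        print(f"{item['cvss']:>4}  {item['host']:<7} {item['kind']:<6} "
              f"{item['finding']}{flags} {item['note']}")
```

With the sample data, ws-199 is reported as a host the inventory does not know about and ws-102 as an inventory host nothing scanned; the queue leads with the two CVE-2019-0708 hosts, the dc01 item that was ticketed as remediated comes back annotated, and the fs01 SMBv1 item stays out of the queue because its mitigation is on record. In real use, replace the constructed lists with the scanner CSV exports and the register with whatever ticketing or GRC data you keep.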

We hope you have found some helpful tips in our Infosec Blocking and Tackling series.  Keep on the lookout for more fundamental tips under this same title throughout the year!
