December 2015 SAFE Newsletter
Vulnerability Management in Four Simple Steps
Vulnerability Management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities, primarily those that relate to computer security. Because financial organizations rely on a vast array of technologies to support their customers and employees, they must ensure that each network connection point is protected against vulnerabilities. The first step in detecting vulnerabilities is to implement regularly scheduled external and internal vulnerability scans. To develop a proactive approach to vulnerability management, however, scheduled scans should be combined with monitoring, maintenance, and policies, which together extend the protections available.
There are two types of scans that are generally utilized within financial organizations to detect vulnerabilities: the external vulnerability scan and the internal vulnerability scan. An external vulnerability scan examines an organization’s security profile from the perspective of someone who does not have access to systems and networks behind the external security perimeter. An internal vulnerability scan operates within the network perimeter to identify real and potential vulnerabilities within the organization’s network. The reason for conducting an external vulnerability scan is quite evident: to prevent malicious actors who are trying to hack into the financial organization’s network from the internet or another outside source. The less obvious type of necessary scan is the internal vulnerability scan. An internal vulnerability scan detects threats that originate behind the firewall, usually from internal personnel, such as disgruntled employees who target key systems from the inside, or from malware that is downloaded, knowingly or unknowingly, to a networked computer via the Internet or a USB flash drive. Once this type of malware is on the internal network, it sets out to identify other systems and services on the network, usually systems or services that cannot be seen from outside the internal network.
Conducting automatic, device-driven vulnerability scans is the first step in detecting internal or external threats. To become proactive in preventing and responding to vulnerabilities, however, the organization should also develop and implement monitoring tools and reports, scanning equipment maintenance, and policies, standards, and procedures. On a monthly basis, monitoring tools and reports should be reviewed by the appropriate information security personnel at the financial organization. Although managed service providers may be utilized to evaluate the results of vulnerability scans on a more frequent basis, the ultimate responsibility for monitoring vulnerabilities rests with the financial organization; a knowledgeable employee should therefore be able to analyze the results and enact proper incident response procedures for handling a threat. Although internal and external vulnerability scanning and monitoring are integral parts of detecting threats on the network, there are some instances where scanning equipment will not identify a threat.
This occurs mainly with physical threats, or when employees do not report inappropriate security behavior such as plugging personal devices into work computers. It may also occur if the internal and external vulnerability scans and the scanning devices are not properly maintained. Not applying patches and software updates may leave connection points open to threats, thereby increasing the security risk.
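The monthly review of scan results and the maintenance check described above can be partly automated. The Python script below is an added example, not code from the newsletter or from SAFE: it parses a constructed CSV export of findings from both scan types, classifies each finding by CVSS band (raised one step when the finding is externally exposed), orders the remediation queue, flags findings that have outlived an assumed remediation deadline, and includes a check that the scanner's own plugin feed has been updated recently. The hosts, titles, dates, column names, and SLA values are all assumptions made for the example.

```python
"""Triage of internal and external vulnerability-scan findings.

Added example (not from the newsletter): reads a constructed CSV export,
classifies each finding by CVSS band and exposure, orders the remediation
queue, and flags findings that have outlived their remediation deadline.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed sample export. Hosts, titles and dates are made up for the example;
# the column names are an assumption about what a scanner would export.
SCAN_EXPORT_CSV = """host,scan_type,title,cvss,first_seen,patch_available
web-01,external,Outdated TLS library,7.5,2015-10-02,yes
web-01,external,Self-signed certificate,4.3,2015-11-20,no
fileserver,internal,SMB signing not required,5.3,2015-09-01,no
hr-pc-17,internal,Unpatched document viewer,9.8,2015-11-25,yes
printer-3,internal,Default admin credentials,8.8,2015-06-14,no
"""

REVIEW_DATE = date(2015, 12, 1)          # constructed date of the monthly review
LAST_PLUGIN_UPDATE = date(2015, 11, 1)   # constructed date of the scanner's last feed update

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
# Remediation deadlines in days per severity band (assumed policy values).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    host: str
    scan_type: str          # "external" or "internal"
    title: str
    cvss: float
    first_seen: date
    patch_available: bool


def parse_export(text: str) -> list:
    """Parse the CSV export into Finding objects, skipping malformed rows."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            findings.append(Finding(
                host=row["host"].strip(),
                scan_type=row["scan_type"].strip().lower(),
                title=row["title"].strip(),
                cvss=float(row["cvss"]),
                first_seen=date.fromisoformat(row["first_seen"].strip()),
                patch_available=row["patch_available"].strip().lower() == "yes",
            ))
        except (KeyError, ValueError):
            continue  # one bad row should not abort the monthly review
    return findings


def severity_band(cvss: float) -> str:
    """Map a CVSS base score onto the usual four bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def effective_severity(f: Finding) -> str:
    """Raise the band one step for findings reachable from outside the perimeter."""
    band = severity_band(f.cvss)
    if f.scan_type == "external" and band != "critical":
        band = SEVERITY_ORDER[SEVERITY_ORDER.index(band) + 1]
    return band


def age_days(f: Finding, today: date) -> int:
    """Days the finding has been open, counted from when the scanner first saw it."""
    return (today - f.first_seen).days


def is_overdue(f: Finding, today: date) -> bool:
    """True once a finding has been open longer than its band's remediation SLA."""
    return age_days(f, today) > SLA_DAYS[effective_severity(f)]


def scanner_feed_is_stale(last_plugin_update: date, today: date, max_age_days: int = 7) -> bool:
    """Maintenance check: an unmaintained scanner silently misses newly published vulnerabilities."""
    return (today - last_plugin_update).days > max_age_days


def triage(export_text: str, today: date) -> dict:
    """Return the ordered remediation queue, the overdue list, and per-band counts."""
    findings = parse_export(export_text)
    # Most severe first; within a band, fix patchable items first, then the oldest.
    queue = sorted(
        findings,
        key=lambda f: (SEVERITY_ORDER.index(effective_severity(f)),
                       f.patch_available, age_days(f, today)),
        reverse=True,
    )
    counts = {band: 0 for band in SEVERITY_ORDER}
    for f in findings:
        counts[effective_severity(f)] += 1
    return {
        "queue": [(f.host, f.title, effective_severity(f)) for f in queue],
        "overdue": [(f.host, f.title, age_days(f, today)) for f in findings if is_overdue(f, today)],
        "counts": counts,
    }


if __name__ == "__main__":
    report = triage(SCAN_EXPORT_CSV, REVIEW_DATE)
    for host, title, band in report["queue"]:
        print(f"{band:8} {host:12} {title}")
    print("overdue:", report["overdue"])
    print("scanner feed stale:", scanner_feed_is_stale(LAST_PLUGIN_UPDATE, REVIEW_DATE))
```

The overdue list is the part a reviewer should act on first: a finding that has outlived its deadline is either a remediation failure or a scanner that keeps reporting something nobody owns, and both need a named employee to resolve, whoever runs the scans.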
A sophisticated Vulnerability Management program will incorporate internal and external vulnerability scans, monitoring, maintenance, and adherence to policies and procedures.
Penetration Testing vs Vulnerability Scans: The Final Score is Always a Tie