Vulnerability Management- Thinking Beyond Patching and Software Vulnerabilities

I also recommend taking advantage of the lightweight agents that can be utilized on remote worker systems such as laptops that infrequently connect to your network. Use automation and APIs to add CMDB data and identity to your assets through tags. Knowing the department or job title associated with an asset can provide valuable insight. For example, an asset named ABC1234 means nothing to someone, but knowing that it is issued to the CEO, provides significance and urgency to your efforts. Choose the scan frequency that works for your organization, but do ensure that you are performing authenticated scans. Otherwise, your assessment will be incomplete. This goes without saying, but don’t focus solely on software vulnerabilities, patching, and vulnerabilities in code. Attackers are not going to drop through the ceiling and deliver a 0-day exploit; instead, they will take advantage of misconfigurations and exploit the potential shortcuts made by system administrators.

Does your solution scan for misconfigurations and provide a risk score? Taking time to perform more frequent Vulnerability Assessments whether on your own or having a paid engagement performed will help you build a more effective threat map and test the effectiveness of your controls. Most solutions will allow you to add weight multipliers to their risk score by looking at these often-missed dangerous configurations, some of which include:

• A server running services or scheduled tasks configured to run under a Domain Admin account or some other privileged account.

• Does the system have any unsanctioned or unattended remote access software installed? (e.g. TeamViewer, GoToMyPC, LogMeIn, etc.)

• A built-in local admin account password, which is the same on every asset and has not been changed in a long period.

• A system not running EDR or some next-gen AV.

• Systems that have owners with an ongoing policy exception for local admin rights should be highly scrutinized and scanned more frequently.

• Does the system allow unsigned PowerShell scripts to run?

How Do I Prioritize and Effect Change?

There are numerous useful publications on prioritization on this site, so I will keep it high level. You are not going to be able to complete an enterprise-wide scan overnight nor patch everything overnight. Look for a solution that generates automated reports and delivers them to stakeholders on a reoccurring basis that emphasizes risk and provides clear actionable information. Executive-level reporting is beneficial to see trending, a breakdown by criticality, and age. Additional “Top 10” or “Top 20” reports broken down by vulnerability are helpful to give to remediation teams. It allows them to reduce a large chunk of risks on a large population of assets. Significant consideration should be taken into determining a risk score that works for you. CVSS 1-10 provides a simple to understand system, but enterprises with a backlog may find it challenging to prioritize due to the number of vulnerabilities that match the high and critical levels. Solutions that provide a broader risk score will allow you to sort by the absolute largest risk score and work your way down. Do maintain a healthy relationship with your remediation teams and do your homework. Spend time to weed out false positives and figure out what are the most critical systems and vulnerabilities and then ideally deliver it to them using an ITSM tool in groups that are realistic to complete in the time allotted. Do not overwhelm them and provide a reasonable timeframe to complete, but if it is truly urgent provide a clear explanation of the threat vector as opposed to “because I said so”. Think of how you can gamify the process with props or visuals, set monthly or quarterly risk reduction targets, and reward your teams when they hit them.

In summary, you will get out of it what you put into it. Ensure you incorporate as many vulnerability Assessment risks as you can into your VM program. It cannot be a “set it and forget it” or check the box type of program; it takes constant review, adaptation, and honestly a bit of stubbornness to be successful.