Critical Security Controls: Control 4 - Continuous Vulnerability Assessment and Remediation

Today's post is all about Control 4 of the CSIS 20 Critical Security Controls – Continuous Vulnerability Assessment and Remediation (the last post pertained to Control 3; a list of Controls covered to date is provided near the bottom of the post). It's different in that it seems more focused on time. For example, this Control wants you to measure how quickly you're applying available patches, and does not care how many you've applied. This Control, in other words, is all about the process.

Somewhat less obvious, but no less important, are integration opportunities with LDAP for user roles and the relationship of vulnerability management with configuration management. These points of interoperability are not always explicitly mentioned, but they are critically important to the security automation story we would like to tell in the future.

Coverage

At more than one point, the requirements explicitly state that integration with the asset inventory system is important. As you're looking for scanning tools, be sure to have a list of all software asset classes covered, taken straight out of your asset inventory system. This will help you in your evaluation to ensure that you have adequate coverage of your enterprise.

Potential Areas Of Improvement

Provide more explanation. Consider what it must be like, from the organizational, non-security perspective, to read some of these requirements. You want to track or trend a particular metric because it provides some insight to you, but you don't really know what that insight is. This Control, as with others in the framework, would do well to provide further explanation in such cases. If the reason for doing work is not clearly articulated, that work will not be supported by the organization.

Categorize requirements more appropriately. This may simply be an oversight, but it's still something that could be corrected. If I'm moving quickly, or if I'm only interested in the prescribed metrics for a given control, I would miss those that are inappropriately categorized.

General housekeeping. Some of the requirements should probably be reworded (one in particular talks about patches when I think it would be far better to talk about vulnerabilities), and others can be safely omitted.

Requirement Listing

Description

Not because SCAP isn't any good – it is good – but because it has fallen short in terms of available content. The point here is that using SCAP-validated scanners should enable you to take vulnerability scanning content from multiple sources as it is released. That means you can react faster. That means you shrink the adversary's window of opportunity. That's a good thing.

Description
The fact of the matter is that a daily scan is probably good enough, but for critical systems, having real-time vulnerability detection enabled is just that much better. Look for tools that have this capability.

Description

Fixing vulnerabilities, especially in the face of a CCB (change control board), is not likely to be fully automatic, but it may be automated with specific human touch points. Look for tools that are capable of integrating easily (or even out of the box) with your ticketing and change management systems, and that are then able to automate the fix.

Description

First, personnel should verify that the activity of the regular vulnerability scanning tools themselves is logged. Second, personnel should be able to correlate attack detection events with earlier vulnerability scanning results to determine whether the given exploit was used against a target known to be vulnerable. It's not unreasonable, but it is yet another indication of the different ways these controls interact – it can be complicated.

Description

If you use the dedicated account it'll be easier to 1) lock it down and 2) correlate on what is actually doing the vulnerability scanning. Again, this seems to be something that touches a system or process described in another control.

Description

I'm sure there are other things you can do to lock down the account, and this is where a good benchmark comes into play – take a look at Center for Internet Security or DISA sources for recommendations.

Description

It's one that explicitly recognizes that the tools used to enforce technical security controls are, themselves, subject to security controls. This is not always the case in other control frameworks, or even in other controls here – there, the fact is always alluded to or left to be inferred by the reader. That said, recognize that you need to keep a list of authorized users for your vulnerability management system, and that list should be role-based. Here's another point of interoperability that would be nice to see – LDAP integration might work here.

Description

But your vendor is not the only source of vulnerability information, and you should not necessarily rely on them exclusively. Depending upon your specific enterprise needs, it may be advantageous to source vulnerabilities from several locations to ensure maximum vulnerability coverage. A simple Google search for "vulnerability intelligence sources" or "vulnerability intelligence service" turns up plenty of options. The challenge, of course, is in ensuring that the vulnerability descriptions you receive are both human and machine readable, and that the machine readable format is something your particular tool understands.

Description

The tricky part that I see right away is in-house and/or custom applications and integrations. How are your patches for these types of systems going to be automated? I understand that the requirement is worded in a way that allows for some non-automated patching, but it seems that, over time, we (as an industry) ought to be striving to standardize patch management to the point where in-house and/or custom applications can be included in automation.

Description

This "logic," of course, ignores the potential for inside jobs, or even the use of insiders as an unknowing vector.

Description

In my mind, this is a requirement better left to another control – the one concerned with audit logging.

Description

It would be enough to simply state that both authenticated and unauthenticated vulnerability scanners should be leveraged by an enterprise. How that scanner gets the job done is not something that belongs in any control framework. This requirement is simply recognizing that some vulnerabilities will go undetected without authentication to the system.

Description

The vulnerability scans themselves will not understand that you've compensated for the control in some way (at least, not to my knowledge). You're going to need to track this outside of your vulnerability management tool by way of exception, waiver, risk acceptance or compensating control. Additionally, and perhaps more problematic, is the reliance on "risk." This takes some level of assessment and a good understanding of how a particular software vulnerability may impact one or more business processes. Do you have that kind of granularity in your security program? Are you able to review a list of vulnerabilities on a given system and say, "yes, if this vulnerability is successfully exploited, then I'm going to be down for up to x number of days, which will cost the company y dollars in revenue and z dollars for recovery"?

Description

There is no guidance provided with respect to the periodicity in this requirement. It seems to me that once per patch cycle is adequate, if possible.

Description

Yes, we want to detect when unauthorized software is listening on an open port. But, where we seem to have been confined to the context of software vulnerabilities, we are now expanding the context to include something that should be covered by configuration monitoring. That said, I don't see much wrong with the idea of covering this particularly important base with more than one technical control.

Description

This, too, seems like a gray area, where the requirement is a blend of configuration, change, and vulnerability management relying heavily on asset management. This particular requirement exemplifies where additional explanation would go a long way – how would this information be used? What does it characterize? Why is that characterization important? It's almost as if control frameworks are written more for security professionals than business professionals, which I can understand, but with which I do not fully agree.

Description

What benchmarks has your organization chosen? Sometimes these will be forced upon you, à la PCI, and other times you'll just pick something to use, like CIS Metrics. Either way, you need to have some standard in place – the benchmark – and procedures to follow, and this particular metric (this really ought to be in the metrics section).

Description

Alternative countermeasures should be considered. This is, in effect, a non-requirement. If a patch for a given vulnerability is not available, then the risk presented by that vulnerability ought to be addressed in one of the standard ways – in fact, this has already been alluded to by requiring a vulnerability tracking process. If you're tracking, then you're considering countermeasures. I would remove this requirement.

Description

This is fairly straightforward. Note that this does not mean you can't have an unpatched environment; it just means that where you're going to be performing patching on critical systems, you'd be better off testing the patch beforehand.

Description

This control is prescribing risk treatment by specifying "mitigating controls" to "block exploitation." While this may be true in practice – who wouldn't want to mitigate a vulnerability on a critical system? – what does "damaging" mean in this context?

Description

In fact, it should be something that can be largely automated.

Description

I believe what it's trying to convey is: be sure to assess each vulnerability in the context of your organization before prioritizing your assets.
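The logging requirement discussed above asks that attack detection events be correlated with earlier scan results, and the Control as a whole is about measuring how quickly findings get fixed. The following is an added example (mine, not code from the original post or from any scanner product) that does both over constructed scan and IDS records; the host names, CVE ids and field names are assumed placeholders, not any product's schema.

```python
"""Added example, not from the original post: correlate attack-detection events with
earlier scan results (the requirement quoted above) and compute time-to-remediate.
All records are constructed sample data; field names and CVE ids are placeholders."""
from datetime import datetime

# Constructed scan history; "present" is False once a scan no longer finds the issue.
SCAN_RESULTS = [
    {"host": "web01", "cve": "CVE-0000-0001", "scanned_at": "2016-12-01T02:00", "present": True},
    {"host": "web01", "cve": "CVE-0000-0001", "scanned_at": "2016-12-03T02:00", "present": False},
    {"host": "db01", "cve": "CVE-0000-0002", "scanned_at": "2016-12-02T02:00", "present": True},
]
# Constructed IDS events, each tagged with the CVE the signature targets.
ALERTS = [
    {"host": "web01", "cve": "CVE-0000-0001", "seen_at": "2016-12-02T14:30"},  # hit while vulnerable
    {"host": "web01", "cve": "CVE-0000-0001", "seen_at": "2016-12-04T09:15"},  # hit after remediation
    {"host": "db01", "cve": "CVE-0000-0002", "seen_at": "2016-12-02T22:00"},
    {"host": "app01", "cve": "CVE-0000-0003", "seen_at": "2016-12-02T23:00"},  # no scan data at all
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def _history(host, cve, scan_results):
    """Scan rows for one host/CVE pair, oldest first."""
    return sorted((r for r in scan_results if r["host"] == host and r["cve"] == cve),
                  key=lambda r: _ts(r["scanned_at"]))

def classify_alert(alert, scan_results):
    """Relate the alert to the most recent scan that preceded it: 'known_vulnerable',
    'remediated_before_alert' or 'no_prior_scan_data'."""
    prior = [r for r in _history(alert["host"], alert["cve"], scan_results)
             if _ts(r["scanned_at"]) <= _ts(alert["seen_at"])]
    if not prior:
        return "no_prior_scan_data"
    return "known_vulnerable" if prior[-1]["present"] else "remediated_before_alert"

def days_to_remediate(host, cve, scan_results):
    """Days between the first scan reporting the finding and the first later scan that
    no longer does; None while it is still present. This is the timing Control 4 measures."""
    rows = _history(host, cve, scan_results)
    first_seen = next((r for r in rows if r["present"]), None)
    if first_seen is None:
        return None
    fixed = next((r for r in rows if not r["present"]
                  and _ts(r["scanned_at"]) > _ts(first_seen["scanned_at"])), None)
    return None if fixed is None else (_ts(fixed["scanned_at"]) - _ts(first_seen["scanned_at"])).days

if __name__ == "__main__":
    for a in ALERTS:
        print(a["host"], a["cve"], classify_alert(a, SCAN_RESULTS))
```

Alerts classified as "known_vulnerable" are the ones worth escalating first, since the scanner had already reported the target exposed before the attack was seen.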