Vulnerability Management – Assessment and Patching
An effective Vulnerability Assessment (VA) approach
Organisations are most likely to fall victim to automated, indiscriminate attacks which use known vulnerabilities to compromise an environment. Patching, remediating and mitigating the right vulnerabilities at the right time is critical to an organisation’s overall security strategy.
However, with the number of patches required throughout an environment it becomes almost impossible to know what to patch and when without an effective vulnerability prioritisation program. Further, addressing vulnerabilities requires a precise, automated and systematic approach to ensure continuous coverage within an organisation.
Ideally an organisation should be able to address critical vulnerabilities within 24 hours. Although in the real world this is sometimes a stretch for organisations, it should be noted that organisational risk reaches moderate levels when a vulnerability remains in an environment for one week and becomes high when it remains within a critical system for a month or longer.
Policy and Setup – considerations
When considering the Vulnerability Assessment business case a number of items need to be considered.
- What systems are critical to keep your business running?
- How do you rank and prioritise your systems (for patching purposes)?
- How will a patching cycle impact your Change Management process?
- Is there an Approved Software Listing within your organisation that the patching policy should adhere to?
General VA and Patching Sequencing
Regardless of the underlying technology used within the environment, an effective VA and Patch Management solution combine to address two items within the organisation, “Patch Applications” and “Patch Operating Systems”, both of which are mitigation strategies in the ASD Essential Eight.
Essentially the Vulnerability Assessment determines which systems are vulnerable and the Patch Management cycle remediates these vulnerabilities.
Automated Scanning – The cornerstone of good Vulnerability Assessment
Critical to any Vulnerability Assessment is knowing what systems are running on your network. Good VA tools and regimes use a combination of both active and passive scanning of assets across a client’s organisation and should include subnet scanning, Windows network scanning and Active Directory scanning.
- Regularly scanning your devices for vulnerabilities is critical and should be completed on a regularly scheduled basis. Separate schedules can be set up based upon your Asset Grouping (for example around the risk rating of assets). The following table enables different scanning schedules based upon different groupings.
- Consideration should be given to both scheduled and emergency patching policies. Clients should review policies, procedures and change management implications around regular patching vs emergency patching options. An emergency patching situation may require an immediate patch to systems (at either the OS or Application level) to counter a recent attack against a previously unknown vulnerability.
- Automated Patching can be completed on a scheduled basis. Again, tasks (and in turn schedules) can be created for differing Asset Groups. Asset Groups should have been defined in prior requirements gathering activities.
Patching of vulnerabilities can be completed based upon the severity level. For instance, all vulnerabilities with a severity level of High and above can be patched, meaning all High and Critical vulnerabilities could be patched regardless of whether they are approved or not.
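As an added illustration (not code from the original article), the prioritisation rules described above expressed as a small patch-queue builder: findings of severity High and above are in scope regardless of approval status, exposure risk becomes moderate after a week and high after a month on a critical system, and Critical findings past the 24-hour target are flagged. The asset group labels, host names and dates are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date

# Severity ordering used by the "High and above" patching rule.
SEVERITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "Critical": 3}

@dataclass
class Finding:
    host: str
    asset_group: str       # constructed grouping label: "critical-systems" or "standard"
    severity: str          # scanner severity: Low, Medium, High or Critical
    first_seen: date       # date the scanner first reported the vulnerability
    approved: bool = True  # whether the fix is on the Approved Software Listing

def exposure_risk(finding: Finding, today: date) -> str:
    """Risk from time exposed: moderate after a week anywhere,
    high after a month on a critical system."""
    days = (today - finding.first_seen).days
    if finding.asset_group == "critical-systems" and days >= 30:
        return "high"
    if days >= 7:
        return "moderate"
    return "low"

def in_patch_scope(finding: Finding, min_severity: str = "High") -> bool:
    """Policy: patch everything at min_severity or above, approved or not."""
    return SEVERITY_RANK[finding.severity] >= SEVERITY_RANK[min_severity]

def past_critical_target(finding: Finding, today: date) -> bool:
    """Critical vulnerabilities are ideally addressed within 24 hours."""
    return finding.severity == "Critical" and (today - finding.first_seen).days > 1

def build_patch_queue(findings, today, min_severity="High"):
    """In-scope findings, most urgent first: exposure risk, severity, overdue flag."""
    risk_order = {"high": 2, "moderate": 1, "low": 0}
    queue = [f for f in findings if in_patch_scope(f, min_severity)]
    queue.sort(key=lambda f: (risk_order[exposure_risk(f, today)],
                              SEVERITY_RANK[f.severity],
                              past_critical_target(f, today)), reverse=True)
    return [(f.host, exposure_risk(f, today), past_critical_target(f, today)) for f in queue]

# Constructed sample scan output; hosts and dates are illustrative only.
TODAY = date(2024, 3, 1)
SAMPLE = [
    Finding("db01", "critical-systems", "High", date(2024, 1, 20)),            # 41 days on a critical system
    Finding("web02", "standard", "Critical", date(2024, 2, 27)),               # 3 days, past the 24h target
    Finding("ws17", "standard", "Medium", date(2024, 1, 1)),                   # out of scope under "High and above"
    Finding("app03", "standard", "High", date(2024, 2, 20), approved=False),   # 10 days, unapproved but in scope
    Finding("fs01", "critical-systems", "Critical", date(2024, 2, 29)),        # 1 day, within target
]

if __name__ == "__main__":
    for row in build_patch_queue(SAMPLE, TODAY):
        print(row)
```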