Rationale for a VM Program | Vulnerability Management



So, why do we undertake a VM program? There are several good reasons, which are either technical or just make good business sense. Choose what best fits your situation.

Overexposed Network

In the context of IT security, businesses have two kinds of objectives: mission and compulsory. A mission objective is directly related to producing revenue or enhancing profits. Compulsory objectives are those that must be achieved as a matter of prudence or regulation. Insurance is an example of a compulsory objective. Companies purchase liability insurance to reduce their exposure to loss. Many organizations place a high priority on meeting mission objectives and not compulsory ones. Network security is another example of a compulsory business objective. In this scenario, network-based defenses are inadequate to stop a well-designed attack. Naturally, some companies may choose to perform a risk analysis and will subsequently determine how much to spend on network security. Sometimes the size and complexity of the network make cost-effective defenses impractical to meet the risk. In other cases, the company simply chooses to accept the risk.
If your company has strong network defenses, then perhaps there is a lot of focus on detecting and preventing an attack. However, blocking in the network or on the perimeter is not enough. It is unlikely that the defenses are completely reliable and foolproof, and address all of the potential attacks from every vector. Any security professional knows that the insider threat is as great as the external one. Most defenses are not directed towards insider threats. At present, it is not financially practical to put intrusion protection, anti-virus, content filtering, traffic analysis, and application behavior analysis on every single port on a network of 50,000 nodes. Even if one could achieve this in a financially sound way, additional, redundant layers of defense will be needed because some of those network-based defenses will have weaknesses that are exploited and may even be used against the organization. For example, there are several well-known methods for evading intrusion detection systems. Encryption is a simple method for obfuscating an attack. Applications that use encryption are very helpful in concealing attacks.
The only way to address these weaknesses is a basic defense-in-depth strategy that removes single points of failure. Most network security strategies rely on perimeter and/or bolt-on defenses, which, if they fail, will leave a vulnerable host wide open to exploitation. This is overexposure at its worst. There is a perception of security but no real security without adding additional layers, one of which must be a host hardened against attacks by taking away the vulnerability.

No Standard for Secure Systems Configuration

Large companies typically develop one or more standard configurations for systems connected to a network. This includes standards for desktop and server operating systems, network devices, and even printer configurations. These standards often have security practices built in. When these standards are absent, more vulnerabilities are likely to exist than when the standards do not exist. The mere fact that a standard exists suggests that some care and thought is being given to the state of a device.
However, even if there are standards, configurations can age. Once a standard is established, it is difficult to change and bring all hosts into compliance. Even if there is a patch management system in place, those configurations cannot be fully addressed by patches. In most cases, patch management systems will not find everything requiring remediation. It is no substitute for VM.
The negative side of standardization is the ubiquity of vulnerabilities. If a standard configuration is deployed globally and has a vulnerability, then the vulnerability is everywhere. If not detected and remediated quickly, it can lead to serious security problems.

Risk of Major Financial Loss

When the risk of a breach is high, concerns of management naturally turn towards the impact of realizing the risk; that is, with increasing regulation from government and an aggressive tort system, the potential for financial loss greatly increases. These losses can come from litigation and/or civil penalties. Imagine losing a client’s confidential data due to failure to remediate a critical, published vulnerability. I can see the tort lawyers circling!
California Civil Code § 1798.84 specifies considerable penalties for companies doing business with California residents when those companies fail to notify the victims of a security breach within a certain period of time. The damage from such disclosure could be large but so could the civil penalties. The legislation is only one example of a growing trend towards punishing companies responsible for data breaches regardless of their physical location because they do business with local residents.

Loss of Revenue

A more direct loss, that of revenue or potential revenue, is of major concern in any business. When a client is lost, the business suffers not only the loss of revenue but also the damage to reputation. It is ten times harder to recover from this than any other kind of loss. Customer confidence must be re-earned to the extent that it overcomes the bad taste of the past. And this applies to future customers as well. It is generally much more difficult and expensive to win new customers against the headwind of a highly publicized security incident.
Oddly, it is beginning to appear that consumers are easier to appease than corporate customers. For some reason, consumers tend to forget or ignore security breaches for a specific company more frequently than do business customers. However, consumers gradually become more weary of conducting transactions with any company that ultimately lead to more expensive government regulation. Businesses can do everyone a favor by being more diligent in managing vulnerabilities.

Lost Productivity

When systems are compromised, they often become unusable for a period of time. If these are critical systems, significant productivity is lost from employees who cannot perform their jobs. Less measurable than employees just sitting around are the cases where employees can continue working but take much longer to complete a task. This workaround environment can sometimes be difficult to start and equally difficult to stop once the affected systems are returned to service. Even if current records are available at the conclusion of an incident, the data must be resynchronized with the now-operational system.
It is also often the case that many time-consuming activities must take place before a system is returned to service. It must be analyzed for the cause of the failure, rebuilt, patched, additional security considered, and closely monitored for a secondary attack. To add to this, IT employees who must clean up the mess are taken away from other activities that could be more directly focused on producing more income, reducing costs, and enhancing productivity in other areas. The latter point further extends into the opportunity cost of not meeting a market need in a timely manner. After all, there are no IT cleanup guys just sitting around waiting for something to happen. Existing resources must be redirected to put out fires.

0 comments:

Popular Posts