Understanding Vulnerability
By David E. Stern, CISSP

This is part 3 of a 3 part series about truly understanding vulnerabilities and taking this knowledge to make a difference in the way you practice information security.

How do we protect ourselves?

By now, we should have cleared a lot of the FUD (fear, uncertainty, and doubt) that surrounds vulnerability. At this point, we can begin to discuss the basics of self defense. Information security professionals will give it many colorful names and acronyms, but good self defense boils down to proactive vulnerability management.  To break down this multi-syllable phrase, we will reach into my firefighting background.

Firefighting is a dangerous and complicated profession. Modern firefighters must understand the science of fire, strategy and tactics, and dozens of other skills. However, in the thick of the fight, it all comes down to the basics of locate, confine, and extinguish. These three action words encompass the entire cycle of the fight: find the fire, use various means to keep it from spreading, and finally put it out.  This relates directly to information security self defense.

Locating vulnerabilities in systems is probably the simplest part of the cycle. Your family physician spends most of his time diagnosing and treating common ailments with industry proven tools and techniques. The information security resources available to the industry today are plentiful and system owners are certainly not lacking in access to them.  Standards groups, common criteria, open source and commercial tools, or professional services are all available for the taking. A solid information security practitioner, whether he be an in-house employee or outside consultant, can look at the blueprints to any system architecture, and find commonly known vulnerabilities as well as offer industry recognized solutions. IT departments have dozens of commercial and open source tools to choose from that can scan for and locate vulnerabilities in operating systems and network devices. Finally, application developers have some of the best online resources in the IT industry in terms of recognized secure programming methods.

Confining vulnerability requires technical, business, and interpersonal skills on the part of the information security team. Once a vulnerability has been identified, an IT department has to decide on a plan of action, whether it entails patching, configuration changes, or installation of additional systems. These things take time, and in the interim, compensating controls must be available since adversaries don’t wait long to launch attacks on newly discovered vulnerabilities. An IT organization might increase logging on anti-virus systems, tighten firewalls rules, disable certain functionality, or even establish a “fire watch” to keep a close eye on vulnerable systems. No matter the action, the idea of confining the problem is the key to keeping safe.

The most common method of extinguishing vulnerability involves applying vendor supplied patches. Patches are modules that are installed into a vulnerable system to replace the problematic sections. The process of patching can be extremely involved and time consuming – but we will leave that to another lesson. Sometimes closing out an open vulnerability involves doing nothing at all. In many organizations vulnerabilities exist on systems that cannot be changed due to age, criticality, or required functionality. In those cases, compensating controls are put in place as a permanent confining measure.

Conclusion
This first lesson should have laid down the basics of vulnerability. There is much more to learn and lots of topics to dive deeper into. Understanding the fundamental topics that we surveyed today should better prepare you to make important decisions. In the next session, we will learn how to evaluate vulnerability’s true effect on your environment. In the following session, we will take a peek under the covers at the technical underpinnings of vulnerability. In the final, installment of this inaugural program on vulnerability, we will look more closely at the tools of the trade and how to make them most effective for your organization.

Keep the discussion going in the catalyst community or the comments here!

About the Author Guest Blogger

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Don't know where to start?

Check out Security Catalyst Office Hours to meet your peers and celebrate the good, help each other, and figure out your best next step. We meet each Friday… and it’s free to attend.