How to hone an effective vulnerability management program
A comprehensive collection of articles, videos and more, hand-picked by our editors
This tip is part of SearchSecurity.com's Intrusion Defense Security School lesson, Data breach prevention strategies....
For more learning resources, visit the lesson page or the Security School Course Catalog page.
What do an auto parts manufacturer, a university hospital and an Internet technology startup have in common? Despite being very different organizations, all would likely be devastated by a significant data breach. Yet for each organization, its sensitive data, risk factors and defensive methods may be radically different.
In this tip, we'll offer a blueprint to help even the most unique organizations assess themselves to determine where their "soft spots" may be, how to quantify that risk, and how to use that metric to prioritize data breach prevention efforts.
Data security best practices: Assess "soft spots"
Every organization is unique in its own way, but since many use the same systems, services and processes, they will have many similarities. Some of the same general techniques can be used to identify the “soft spots” in networks and defenses. An organization can use risk assessments, vulnerability scanning and penetration testing to identify these soft spots.
While it's impossible to prevent all data breaches, it is possible to reduce the likelihood of a serious data breach with a pragmatic, methodical approach that assesses, quantifies and addresses risk.
During the processing of performing a risk assessment, you can identify a soft spot or potential problem that could lead to a data breach by identifying if there are any missing security controls and critically evaluating if a security control truly implements the intended security control. Let's take the example of an auto parts manufacturer. Not only must it protect its intellectual property such as designs and research, but also the processes it uses to produce its products. Plus, if some parts are used for military vehicles, there may be even more stringent data security requirements for some data. So a risk assessment should include an inventory of sensitive data -- where it travels (in motion) and where it resides (at rest) -- and the volume of data that exists, as well as an evaluation of how employees and partners interact with that data. If a large number of related controls are missing or insufficient, you might have identified a systematic issue that could set the stage for a breach.
As a part of a risk assessment or an ongoing process, you could also perform vulnerability scanning to identify systems that have missing patches, insecure configurations, or other missing security controls. The vulnerability scan could scan operating systems, applications, databases, Web applications or other system components. Applying this technique to the university hospital example, clearly the most sensitive asset would be its repository of patient data, including personal information and health care records. A vulnerability scan for this environment would likely focus on the applications used to interact with that data, examining whether an attacker without proper authorization could use malicious techniques to gain access to the data, as well as whether access controls ensure proper permissions for various user groups and that proper controls prevent data from being mishandled. The scan could also identify systems that are behind on patches or that have other potential security mis-configurations, such allowing insecure SSL usage.
On any mission-critical system, vulnerability scans should be carefully monitored and tested to ensure there are minimal issues resulting from performing the scan. For example, take a Web application vulnerable to SQL injection: Using a Web application security scanner to identify Web security vulnerabilities such as in-depth testing for SQL injection might unintentionally insert bad data into a production database.
As in the risk assessment, if a certain type of server, application or system configuration is identified as "high risk" by the vulnerability scan, this would identify an area that needs additional security controls. A vulnerability scan could classify a system as high risk based on manual classification of an asset based on the data or criticality of the system, or based on the vulnerabilities identified by the vulnerability scan. The vulnerability scan may not identify all of the security controls in place or missing, so you may need to manually configure the scans to verify the custom security controls in place. Penetration testing can also be used to identify more focused “soft spots” in more detail than a risk assessment or a vulnerability scan can, as well as identify “soft spots” a risk assessment or vulnerability scan would miss. A penetration test can identify vulnerabilities that can be exploited to gain access to a system. For example, a penetration test can confirm a detected potential SQL injection vulnerability in a Web application is actually exploitable to eventually gain complete control of a server.
Data security best practices: Quantify risk
One of the most important aspects of a risk assessment is to define the risk assessment scope and the resources available to manage the risk to an acceptable level for the organization. Each organization is different in terms of what risks are acceptable, and what resources are necessary to manage the unacceptable risks.
For instance, during a risk assessment for an Internet technology startup operating with limited funds, a risk assessment might identify gaps that are large and small. The organization likely won't have the resources in manpower or budget to close every gap sufficiently, so it would need to prioritize these gaps for remediation.
One of the easiest ways to communicate and potentially support the level of risk present in a system is to quantify the risk. Some risk assessment methodologies include metrics and prioritizing risks identified along with estimating the resources to manage the risk. The Octave paradigm has a risk score, FAIR has risk factor measurement, and other methodologies have similar quantification. The Society of Information Risk Analysts has additional resources on risk management. Plan to include these types of metrics and prioritization in your risk assessments.
Data security best practices: Prioritize prevention efforts
Based on the metrics and prioritization analysis from your risk assessment, you can focus specifically on recommendations that will reduce the risk of a serious data breach. Some problems will be easier to fix than others, but by using this method, an organization can determine whether it should start by addressing a medium-level risk that would take three days to fix, or a high-level risk that could be addressed in three weeks. You can also estimate the costs of implementing and operating the security controls over time to identify the most cost-effective security controls for reducing risk to an acceptable level for the organization. A tactic that can be helpful for many types of specialized organizations is to focus on implementing security controls for all systems with certain types of data to ensure the systems are consistently protected. A similar method is to use asset value to prioritize the remediation efforts.
While each organization is different, with unique infrastructure and unique risks, many of the same techniques can be used to identify the soft spots that can lead to a data breach. While it's impossible to prevent all data breaches, it is possible to reduce the likelihood of a serious data breach with a pragmatic, methodical approach that assesses, quantifies and addresses risk.
About the author:
Nick Lewis, CISSP, is an information security architect at Saint Louis University. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining Saint Louis University in 2011, Nick worked at the University of Michigan and previously at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University.