Vulnerability management is part of every organization’s IT security program in one form or another. For many industries, it’s part of the minimal operating state.
For this reason, many organizations may have a vulnerability program that isn’t well defined or matured. In refining minimal vulnerability management programs, a few pitfalls could actually reduce the effectiveness or maturity of a strong program.
Following are three challenges to consider that could negatively impact your vulnerability management program and impede actionable results for mitigating risk in your organization.
- Utilizing vulnerability management tools as asset management tools
- Relying on uncredentialed scans
- Incomplete vulnerability exposure visibility
Utilizing Vulnerability Management Tools as Asset Management Tools
Asset management usually ranks as a high-priority item in most cybersecurity frameworks, including those from the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), Service Organizational Control (SOC), and Computer Information Systems (CIS). However, robust asset management isn’t usually a primary focus for many organizations.
Often, asset management is an afterthought, and many system administrators are incapable of giving a confident and complete picture of all assets controlled within the environment.
Far too many organizations treat the output of a network scanning application, a list of IP addresses (IPs) that responded to a ping, a transmission control protocol (TCP) handshake, or a route trace, as their asset list. That is insufficient.
Asset lists should be static, maintained, reviewed, audited, and detailed. The organization should have a single record of authority, not something split between a network scanning tool and a sparsely updated spreadsheet tucked away on a cloud sharing service.
This record shouldn’t be your vulnerability scanner. Your asset list should inform your vulnerability scanner, not the other way around. Assets appear in, move within, and disappear from the vulnerability scanner as they’re turned off and on, change IPs, or get reimaged.
Asset Reconciliation
There are vulnerability management programs that end each cycle with an asset reconciliation exercise to discover which assets were missed during the scan, no longer exist, or were duplicated.
While biannual or quarterly asset reconciliation can be important, weekly or even monthly reconciliation can be excessive, and it risks propagating error-filled asset lists across multiple systems. This can weaken confidence in reported vulnerability results.
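One way to run the reconciliation step described above, as an added example that is not from the article: the asset inventory is treated as the record of authority and the scanner's export is checked against it to surface assets the scan missed (or that no longer exist), hosts the scanner found that the inventory doesn't know about, and hosts reported more than once. The inventory, scan rows and field names are constructed for the example.

```python
# Added example: reconcile a scanner's discovered-host export against the
# record-of-authority asset inventory. The inventory decides what *should*
# exist; the scanner only reports what it happened to see.
from collections import Counter

# Constructed record of authority, keyed by a stable asset identifier.
INVENTORY = {
    "srv-web-01": {"ip": "10.0.1.10", "owner": "platform"},
    "srv-db-01":  {"ip": "10.0.1.20", "owner": "data"},
    "ws-0042":    {"ip": "10.0.5.42", "owner": "helpdesk"},
    "srv-old-07": {"ip": "10.0.1.70", "owner": "platform"},  # decommissioned, never removed
}

# Constructed scanner export: one row per discovered host. The hostname may be
# empty for an uncredentialed hit, and one box can appear twice after an IP change.
SCAN_RESULTS = [
    {"hostname": "srv-web-01", "ip": "10.0.1.10"},
    {"hostname": "srv-db-01",  "ip": "10.0.1.20"},
    {"hostname": "srv-db-01",  "ip": "10.0.1.21"},   # same asset, new IP: duplicate
    {"hostname": "",           "ip": "10.0.9.99"},   # not in the inventory at all
]

def reconcile(inventory, scan_results):
    """Return the three discrepancy classes the reconciliation exercise looks for.

    missed:     in the inventory but absent from the scan (scan gap, or the asset
                no longer exists and the inventory is stale; a human decides which)
    unknown:    reported by the scanner but not in the inventory
    duplicated: one inventory asset reported more than once
    """
    ip_to_name = {a["ip"]: name for name, a in inventory.items()}
    seen = Counter()
    unknown = []
    for row in scan_results:
        # Prefer the reported hostname; fall back to matching the IP.
        name = row["hostname"] or ip_to_name.get(row["ip"])
        if name in inventory:
            seen[name] += 1
        else:
            unknown.append(row["ip"])
    missed = sorted(n for n in inventory if n not in seen)
    duplicated = sorted(n for n, count in seen.items() if count > 1)
    return {"missed": missed, "unknown": sorted(unknown), "duplicated": duplicated}

if __name__ == "__main__":
    for category, names in reconcile(INVENTORY, SCAN_RESULTS).items():
        print(f"{category:10s} {names}")
```

Each list is a follow-up item for the asset owner, not an automatic change to the inventory; the inventory stays the record of authority.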
Software Management
Many vulnerability scanners have handy features that allow you to determine which assets run which operating system version or application. They can certainly be helpful for analysis and research, but they’re too dynamic to fit the definition of a confident and complete record of authority.
Reconsider the next time you’re tempted to use your vulnerability scanner as an asset management tool. Find an asset management product that better fits your needs, and let that product inform your vulnerability scanner on which assets should be present in the environment.
Relying on Uncredentialed Scans
Often, vulnerability scanners are deployed with default configurations and pointed at a subset of high-value assets in the environment, a set-it-and-forget-it mentality. This default scan is typically an uncredentialed assessment against known ports.
With these settings, an IT security analyst should assume the results contain only best guesses for vulnerabilities, inferred from the perceived operating systems, the headers received and other network-level communications, and the applications implied by the open ports.
Such results offer little confidence, yet many organizations use them as the basis for their vulnerability management processes.
To generate truly worthwhile vulnerability reports, scans should be configured to use credentials or agents for collecting device-level information. These scans allow for local authentication on the device, which returns a confident understanding of what operating systems, applications, and services are active.
With assurance of what’s operating on the device, the vulnerability scanner can return more valuable vulnerability data.
However, while credentials and agent-based scans can produce high confidence results, there are a few risks that also need to be managed:
- Performance degradation on assets
- Increased management of credentialed scans
- Compliance concerns
Performance Degradation on Assets
Credentialed and agent-based scans can be process heavy on endpoint devices. If you run agents on all compatible devices, you may experience performance degradation on those assets.
Many system administrators have reported unresolved performance issues on assets running agents. Performing a proof-of-concept on some test endpoints before deploying agents or running credentialed scans is thus important, especially if you’re scanning Operational Technology (OT) and Internet-of-Things (IoT) devices.
Increased Management of Credentialed Scans
With credentialed scans, system administrators may need to manage a new set of credentials for the vulnerability scanner to use against all assets.
This could be either one set of shared credentials, or a separate set of credentials for each device, which could be a headache to maintain.
Shared credentials can introduce serious risk to an organization. Depending on how they’re managed and how many people have access to them, establishing an audit trail for shared credential usage can prove difficult.
Additionally, shared credentials are often forgotten and left unmanaged. A shared credential with access to devices throughout the information system introduces a single point of entry for numerous assets.
Consider taking the following steps to secure credentials:
- Use strong and long passwords
- Cycle passwords quarterly or annually
- Limit the number of devices a shared credential can access
- Enable access control lists (ACLs) so the shared credential can only be used by the internet protocol (IP) address belonging to the vulnerability scanner
- Monitor usage of the credential outside the regular scanning windows
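A small check for the last two items in that list, as an added example that is not from the article: logon events for the shared scanning account are reviewed, and any use from an address other than the scanner's, or outside the scheduled scan window, is flagged. The log line format, the account name, the scanner IP and the window are all constructed assumptions for the example, not a specific vendor's format.

```python
# Added example: audit use of the shared vulnerability-scanner credential against
# two controls: only the scanner's IP may use it, and only inside the scan window.
import re
from datetime import datetime, time

SCANNER_IP = "10.0.0.5"            # assumption: the scanner's fixed address
SCAN_ACCOUNT = "svc-vulnscan"      # assumption: the shared scan credential
WINDOW = (time(1, 0), time(5, 0))  # assumption: scans are scheduled 01:00-05:00

# Constructed sample lines: "<ISO timestamp> LOGON user=<u> src=<ip> host=<h>"
SAMPLE_LOG = """\
2024-05-01T02:15:07 LOGON user=svc-vulnscan src=10.0.0.5 host=srv-web-01
2024-05-01T02:16:12 LOGON user=svc-vulnscan src=10.0.0.5 host=srv-db-01
2024-05-01T14:03:44 LOGON user=svc-vulnscan src=10.0.0.5 host=srv-db-01
2024-05-01T02:20:01 LOGON user=svc-vulnscan src=10.0.7.23 host=ws-0042
2024-05-01T09:00:00 LOGON user=jsmith src=10.0.7.23 host=ws-0042
"""

LINE_RE = re.compile(r"^(\S+) LOGON user=(\S+) src=(\S+) host=(\S+)$")

def in_window(ts, window=WINDOW):
    """True if the timestamp's time of day falls in the window (may cross midnight)."""
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t < end
    return t >= start or t < end

def audit_scan_credential(log_text, account=SCAN_ACCOUNT, scanner_ip=SCANNER_IP):
    """Return (timestamp, host, reason) tuples for suspicious uses of the account."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that don't fit the format
        ts_str, user, src, host = m.groups()
        if user != account:
            continue                       # only the shared scan credential matters here
        ts = datetime.fromisoformat(ts_str)
        if src != scanner_ip:
            findings.append((ts_str, host, f"source {src} is not the scanner"))
        if not in_window(ts):
            findings.append((ts_str, host, "outside scan window"))
    return findings

if __name__ == "__main__":
    for finding in audit_scan_credential(SAMPLE_LOG):
        print(*finding)
```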
There are options to help relieve some of the burden of managing multiple credentials, such as some privileged account management solutions on the market. However, these solutions can be hard to integrate and are prone to credential failures during scanning.
Compliance Concerns
Note that using credentialed scans can have significant implications for IT compliance or regulatory needs. Many regulatory bodies want organizations to:
- Perform vulnerability scans
- Prove they’re working to remediate discovered vulnerabilities
This can be easier to do when performing uncredentialed scans, which return far fewer results than a credentialed scan.
Note that some regulatory bodies require credentialed scans. For example, the Payment Card Industry Data Security Standard (PCI-DSS) version 4.0 will require credentialed scans in 2025.
Overall Benefits Outweigh the Costs
A credentialed or agent-based scan will always return data that’s orders of magnitude better than an uncredentialed scan. Each organization should weigh the risks and requirements of implementing either option or a combination of the two. Better data flowing into the vulnerability management program will produce better results on the back end.
Incomplete Vulnerability Exposure Visibility
Vulnerability management programs often only monitor a sub-population of their environment. Vulnerability scanners are frequently pointed at the following critical systems:
- Web servers
- Application servers
- Databases
- File storage
Commonly Forgotten System Components
- Networking devices
- Workstations
- Virtual machines
- Cloud environments
- Containers
- Application programming interfaces (APIs)
- Mobile devices
Vulnerability management programs previously relied on several different scanning solutions to cover a whole population of utilized technologies. However, more scanning products now come combined with additional features to scan for vulnerabilities across diverse populations of technologies, albeit for a price.
Determine Needs Based on Current Technology
Determining your organization’s needs based on current technologies will help you understand what you need to scan to get a complete picture of your vulnerability exposure.
When shopping for a new scanning solution, check for options to scan the emerging technologies relevant to your system.
Don’t Skip Vulnerability Management
Verizon’s 2021 Data Breach Investigations Report reveals the impact that unremediated vulnerabilities can have on an organization’s ability to stay secure.
The report reinforces the idea that newer vulnerabilities are typically not the route that attacks take when trying to exploit a system. Rather, attempts are made on older, more researched, and exploitable vulnerabilities.
Vulnerability management programs and processes should be developed to:
- Understand exposure
- Drive decision making
- Focus on risk
- Gain assurance via a feedback loop
Also, vulnerability management programs shouldn’t drift out of their lane into functioning as asset trackers. With these pitfalls avoided, the organization can begin to see true impacts on its risk exposure.
We’re Here to Help
Find more information about penetration testing and security assessments at our Cybersecurity practice. If you have any further questions about vulnerability management, reach out to your Moss Adams professional.
Special thanks to Trevor Lapointe, Manager, IT Compliance Services, for their contributions to this article.