Small and Medium Business Security Strategies Part 4: CSC 3 – Vulnerability Management

Jordan Drysdale//

tl;dr

Vulnerability management is a part of doing business and operating on the public internet these days. Include training as part of this Critical Control. Users should be aware that attacks will continue to evolve and clicking links isn’t the only way to get infected these days. Hire a managed services provider worth their salt and let them manage these things for you.

Critical Controls – “The Easy Five” just became the “Easy Six”

The “easy” six review:

  1. Hardware Inventory
  2. Software Inventory
  3. Vulnerability Management
  4. Controlled Admin Privileges
  5. Secure Configurations for Domain Systems
  6. Logging Controls

So, are we there yet?

Kinda. We're actually almost halfway. So, what is vulnerability management? It depends… According to SecureWorks, vulnerability management is a drain on your security team.

What we're talking about here is a bit more nuanced than that. I'll define a vulnerability (in this context) as an identified or published flaw that can be tested and validated using the various software toolkits generally available. Now, let's be clear: not all vulnerabilities can be identified with current "scanner tools." Take OWA as an example. If your company exposes Outlook Web Access to the public internet, that is a vulnerability. To pentesters, OWA is a gold mine of potential. LinkedIn profiles, Twitter, Facebook… if your employees are there, that is also a vulnerability of sorts.

So, with that out of the way, how does a small business assess its vulnerabilities and manage them? Owning and maintaining licenses for Nexpose, Nessus, Qualys, et al. is basically out of the question. This point harks back to the use of managed service providers.

Bullet points for vetting a third-party service provider:

  • If you don’t know, you can ask someone who does
  • Stamp of approval of some kind (SSAE-16, SOC) to operate securely
  • Reasonable cost – quarterly scans and directed guidance against your few IP addresses should be in the range of five thousand bucks a year (or less, in my opinion)

Let's take a step back here and ask whether a managed service provider makes sense to coordinate all IT efforts at our organization. The ROI of adding a managed service provider for 30 systems, servers, network gear, vulnerability scans, and a managed help desk of some kind at around $2000 – $2500 should make sense. It is rare these days that a single human resource (employee) can come into an organization and manage the complexities of even a small network. Those individuals also come with the benefits and salary price tag that make the ROI of paying an MSSP much more reasonable.

Now your organization is ready to mobilize and actually run some vulnerability scans. Companies running their first vulnerability scans, whether inside or outside their networks, are often surprised to hear their networks are an absolute mess. Like this:

Under contracted efforts, BHIS would gently urge customers to review the policies and procedures surrounding systems management, patching, and updates most specifically. If you were previously under the protection of a managed IT provider, it is time to pull the plug. If this output is the result of their first contact with your network, give their efforts another quarter.
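Whoever runs the scans, the output only becomes "management" once someone tracks each finding against a remediation deadline and notices what is slipping. The script below is an added example, not code from the original post or from BHIS: it reads a small scanner-style CSV export (constructed here, with assumed column names and assumed SLA windows) and produces a worst-first remediation list plus a per-severity count of what is already overdue, which is the kind of summary a small business should expect back from a provider each quarter.

```python
"""Triage a vulnerability-scanner CSV export by severity and age.

Added example (not from the original post or from BHIS). The CSV
layout, the column names and the SLA windows are assumptions chosen
for illustration; they do not reflect any particular product's format.
"""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export: three hosts, a mix of severities, with
# first-seen dates chosen so some findings are already past their SLA.
SAMPLE_CSV = """host,name,cvss,first_seen
10.0.0.5,Missing OS security updates,9.8,2017-01-03
10.0.0.5,SMBv1 enabled,7.5,2017-02-14
10.0.0.7,Outdated Java runtime,7.2,2017-03-20
10.0.0.7,Self-signed certificate,4.3,2016-11-01
10.0.0.9,Missing OS security updates,9.8,2017-03-28
"""

# Assumed remediation windows, in days, per severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def severity(cvss):
    """Map a CVSS v3 base score to a severity band (the standard NVD bands)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def load_findings(text):
    """Parse the CSV export into a list of dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "host": row["host"],
            "name": row["name"],
            "cvss": float(row["cvss"]),
            "first_seen": date.fromisoformat(row["first_seen"]),
        })
    return rows


def triage(findings, today):
    """Annotate each finding with its band, age in days and SLA status,
    then order the list: overdue first, then by score, then by age."""
    out = []
    for f in findings:
        band = severity(f["cvss"])
        age = (today - f["first_seen"]).days
        out.append({**f, "severity": band, "age_days": age,
                    "overdue": age > SLA_DAYS[band]})
    out.sort(key=lambda f: (not f["overdue"], -f["cvss"], -f["age_days"]))
    return out


def summarize(triaged):
    """Count findings per severity band and how many of each are overdue."""
    counts = defaultdict(lambda: {"total": 0, "overdue": 0})
    for f in triaged:
        counts[f["severity"]]["total"] += 1
        if f["overdue"]:
            counts[f["severity"]]["overdue"] += 1
    return dict(counts)


def report(text=SAMPLE_CSV, today_iso="2017-04-01"):
    """Run the whole pipeline and return the ordered list and the summary."""
    triaged = triage(load_findings(text), date.fromisoformat(today_iso))
    return triaged, summarize(triaged)


if __name__ == "__main__":
    triaged, summary = report()
    for f in triaged:
        flag = "OVERDUE" if f["overdue"] else "ok"
        print(f"{f['host']:<10} {f['severity']:<8} {f['cvss']:>4} "
              f"{f['age_days']:>4}d {flag:<8} {f['name']}")
    print(summary)
```

Point the script at a real export by swapping `SAMPLE_CSV` for the file contents and adjusting the column names; the ordering rule (overdue first, then score, then age) is deliberately simple so that the top of the list is always the thing to patch next.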

Thanks for reading this far, cheers!

For Parts 1-3:

Small and Medium Business Security Strategies, Part 1: Introduction

Small and Medium Business Security Strategies, Part 2: Inventory

Small and Medium Business Security Strategies Part 3 – Inventory Part 2, Software


External Links

Ref: https://www.cisecurity.org/controls/

Ref: http://www.onlinetech.com/resources/references/data-center-standards-cheat-sheet-from-hipaa-to-soc-2