With my upcoming CompTIA Cybersecurity Analyst certification exam and a few fun upcoming projects, I thought it would be good to go over a few things I learned about starting a new vulnerability management program.
Update: I passed the CompTIA CySA+ no problem 🙂
Getting Started With Vulnerability Management
Don't scan through:
- Load balancers
- Credentialed in the inside
- Non-credentialed on the outside
- Chase the read
- Web scanning
- Discovery scanning
- Full network scanning
Using RSA Keys for Running Credentialed Scans
Using a 2048-bit RSA key can grant network vulnerability scanners SSH access to your servers with a specified user. This helps credentialed scans without having to share credentials through another service.
Why Do Credentialed Scans?
Network vulnerability scanners work their magic by identifying the type and version of network services. Vulnerability databases are used to compare against the scanned data for each service.
There are challenges with accurately identifying service versions. So you may a get false-positives when trying to see what patches are missing from a simple connection.
Penetration testing would give you more accurate information but as we all know, there are significant risks to running pen tests.
Providing credentials for a vulnerability scan allows for a more accurate scan by securely connecting in order to actually identify running services and see the patches installed.
Some scans also check configuration files for common issues. Very useful stuff.
Way of Tackling the Vulnerabilities
I had an interesting discussion from a former CISO about how he directed his IT crew to patch the vulnerabilities bit by bit. His way of reducing their organization's overall risk was by keeping focus of completing 10 vulnerabilities a week.
Naturally, starting a vulnerability management program is no small feat. Especially since operations always take precedence over security projects.
So how did his crew find the time? Well, for one the task came directly from leadership, so it's important for you leaders to understand that cybersecurity is important.
Next, he knew with the backlog of vulnerabilities and new ones potentially rising weekly, they were never going to get to 0. So he made the task of getting 10 of the highest criticality vulnerabilities every week to consistently grind it down. With a new habit, this security task turns into an operations task that can be done with other projects.
It's simple, but requires patience and consistency. I'm sure at times it was a pain. At least there are KPIs to be drawn from this. Brilliant!
Complementary Products For Shoring Up Your Network
1. Web and Network Scanning
My tests with Tenable.io were favorable. However, it's worth noting that Tenable have multiple products to choose from. Therefore, you'll see their link again below in the sample solutions.
1.1 Sample Solutions
- OpenVAS, open source vulnerability scanner
- Tenable, the OGs
- Nmap, needs no introduction, use to help verify
2. Deploy Decoys
Use a honeypot, honeynet, or even active hunting technology.
2.1 Sample Solutions
Active hunting tech with Attivo:
- Map network
- Deploy decoys
- Look for bad guys
3. Packet Capture
For a few select machines or entire network.