Five steps to managing risk

Experts recommend going on the offensive to deal with vulnerabilities.

For government technology managers, keeping pace with software patches and system configuration changes to thwart hackers has become an increasingly difficult job in the past few years. The challenge is causing a radical change in the way many of them manage information technology security.

Instead of waiting until attacks occur and hoping tools such as firewalls and intrusion-detection systems catch them before they inflict serious damage, many agencies have taken the offensive by hunting vulnerabilities before they are exploited.

The catchall phrase for those efforts is vulnerability management. Agencies that are successful at it know that vulnerability management entails the right mix of security tools, policies and procedures, experts say.

Although some agencies are slow to embrace vulnerability management, a number of regulations require them to be more assertive in handling security. In particular, according to the Federal Information Security Management Act (FISMA) of 2002, agencies must develop and enforce policies and procedures to ensure that their systems comply with specific security configurations.

Those requirements are only going to get tougher. The National Institute of Standards and Technology will soon publish a draft of a new document that will mandate a set of no fewer than 17 controls that each agency will have to apply to each of its major applications and general support systems. Agencies must also tailor those controls based on how critical different systems are to their mission.

Compliance with security requirements means a lot of work to accurately assess and then effectively manage vulnerabilities. Those who do it well can reap rewards. In 2003, for example, the U.S. Agency for International Development scored a C-minus on its FISMA score card. For 2004, the first full year it had a vulnerability management program in place, it posted a score of A-plus, the highest of any government agency.

"In our case, vulnerability management was a big help in our FISMA compliance," said Bill Geimer, USAID's program manager for information security.

But what is vulnerability management?

Although several vendors offer what they call vulnerability management solutions, a vulnerability management program often includes a collection of technologies and procedures that form a management process. Program components vary according to specific agency needs. But experts say the core approach usually follows a common path and includes the following steps.

1. Compare priorities to current security policies

Those responsible for implementing a vulnerability management program — usually an agency's IT department — should first talk to all senior executives and managers in an agency to identify which systems they think are critical to maintain minimally acceptable operations and what concerns they have about those systems.

Once that's done, determine what policies and procedures are already in place in terms of handling those systems and data. Do IT employees already run vulnerability scans? How do they respond to vulnerabilities? Do those existing procedures meet executives' expectations?

If they don't, change is necessary.

Don't skimp on this step, experts advise, because it will probably be the most important one.

"If all of this can be done effectively, then the rest [of the process] is more or less mechanical," said Stuart McClure, senior vice president of risk management product development at McAfee, a security vendor.

2. Inventory technical assets

Track down and identify every device and system on the network. Also, to keep track of constantly changing networks, make sure the network topology is fully described. Determine ownership of all assets to set accountability. Then prioritize them in terms of which assets are most vital to the agency.

"The most important component of vulnerability management is probably that ability to prioritize, to work out where the biggest exposure is for the organization," said Gerhard Eschelbeck, chief technology officer and vice president of engineering at Qualys, a security vendor.

3. Evaluate the risks

Using a commercial or open-source software tool, scan devices and systems for vulnerabilities. Possible problems include incorrect settings and configurations and unpatched software and operating systems.

Don't forget the network itself, said David Arbeitel, senior vice president of strategic development at network solutions vendor Lumeta. Agencies need to know how exposed the network is to outside influences.

Next, correlate the vulnerabilities to the asset inventory. The intent is not to cover every vulnerability, only those that pose the greatest risk to the most important systems.

"Vulnerability management is a matter of risk assessment as well as the ability to take a slice across an entire organization," said Mitchell Ashley, chief technology officer of StillSecure, a Latis Networks company.

4. Develop an action plan

Once vulnerabilities have been discovered and the risks assessed, you have to decide what action you can take and when. Can the most vulnerable systems be fixed immediately, for example, or does the agency's workflow prevent that?

If that is the case, what else can be done to mitigate the risks or block an attack against the asset? Would that require writing a new rule or policy, or perhaps physically changing a back-end system or inserting an intrusion-detection device so any attack could be seen in real time?

5. Evaluate effectiveness and prepare to do it all again

Whatever remediation program is applied, managers should audit the process to gauge how successfully it identified and reduced vulnerabilities and how closely the results comply with the organization's policies.

In most cases a review of the first pass will show that more work is necessary, experts say. The vulnerability identification and mitigation steps will need to be repeated.

Indeed, it's important that officials realize that vulnerability management is a repetitious process, not a one-time or occasional activity, said Roy Stephan, director of cybersecurity at systems integrator Intelligent Decisions. The goal is to get as close as possible to continuously monitoring vulnerabilities.

"Any software will consistently have holes in it, so no organization will be secure after three months or even six," he said.

Agencies should expect a lot of replication as they implement vulnerability management, at least in the beginning, said Kimber Spradlin, senior compliance architect at NetIQ. But eventually managers should reach a point when they don't need to apply as many fixes.

"What you hope to design, through this vulnerability management process, are policies that will act as a baseline and that will be fairly stable over time," Spradlin said.
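The five steps above, as an added example that is not part of the article or of any vendor's product: a small Python model that joins scan findings to an asset inventory carrying owners and criticality ratings (steps 2 and 3), ranks them, drafts a step 4 action plan that covers only findings above a risk threshold and distinguishes immediate fixes from compensating controls, and returns a step 5 number to compare between passes. The hosts, issues, scores and the risk formula (severity times criticality) are all constructed assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Asset:                 # step 2: inventory entry with owner and priority
    host: str
    owner: str               # "" = nobody accountable yet
    criticality: int         # 1 (low) .. 5 (mission critical), agreed with executives

@dataclass(frozen=True)
class Finding:               # step 3: one scanner result
    host: str
    issue: str
    severity: int            # 1..5 as reported by the scanner
    fixable_now: bool        # False when agency workflow blocks an immediate fix

# Constructed sample data, for illustration only.
INVENTORY = [Asset("payroll-db", "finance", 5), Asset("intranet-web", "comms", 3),
             Asset("kiosk-01", "", 1)]
FINDINGS = [Finding("payroll-db", "unpatched database service", 4, False),
            Finding("intranet-web", "default admin password", 5, True),
            Finding("kiosk-01", "outdated browser", 3, True),
            Finding("printer-07", "telnet enabled", 2, True)]

def risk_score(f, a):
    """Assumed formula: scanner severity weighted by how vital the asset is."""
    return f.severity * a.criticality

def correlate(inventory, findings):
    """Step 3: join findings to the inventory and rank by risk. Findings on
    hosts the inventory lacks come back separately: the scan exposed a step 2 gap."""
    by_host = {a.host: a for a in inventory}
    ranked, unknown = [], []
    for f in findings:
        a = by_host.get(f.host)
        if a is None:
            unknown.append(f)
        else:
            ranked.append((risk_score(f, a), f, a))
    ranked.sort(key=lambda r: r[0], reverse=True)
    return ranked, unknown

def action_plan(ranked, threshold):
    """Step 4: act only on findings at or above the threshold; the rest wait.
    An asset with no owner is flagged so accountability gets assigned first."""
    plan = []
    for score, f, a in ranked:
        if score >= threshold:
            action = "patch now" if f.fixable_now else "compensating control, schedule fix"
            plan.append((a.host, f.issue, score, a.owner or "UNASSIGNED", action))
    return plan

def residual_risk(ranked, threshold):   # step 5 metric, compared from pass to pass
    return sum(score for score, _, _ in ranked if score >= threshold)
```

Re-running `correlate` and `residual_risk` after each remediation pass gives the audit number step 5 asks for; a non-empty `unknown` list means the inventory itself needs another pass.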

New tools reduce the labor required

A few years ago, vulnerability management meant scanning the network with stand-alone instruments maybe once every six months, going through fairly cryptic reports to determine which systems might be at risk, and then manually loading software patches or resetting misconfigured systems.

The latest trend among vendors is to combine many of the elements needed for vulnerability management into a single, centralized solution that automates many of the processes involved. Here are some examples:

  • StillSecure's VAM platform scans for vulnerabilities according to a schedule or on demand, manages remediation activities and then produces a range of reports tailored to auditors, executives or operational information technology staff.
  • NetIQ's Vulnerability Manager likewise offers a central console that in many cases allows users to fix systems directly from the console in response to policy violations or discovered vulnerabilities.
  • Citadel Security Software's Hercules goes one step further by allowing users to do their own remediation or enabling automated remediation according to a built-in knowledge base of procedures needed for a wide range of platforms.

At some point, "a good 90 percent of the procedures involved with vulnerability management will be automated," said Stuart McClure, senior vice president of risk management product development at McAfee. He said the figure is closer to 40 percent now.

One way or another, however, the convergence of vulnerability and IT security management is inevitable. Industry watchers such as Gartner believe security management vendors who don't have seamless integration with vulnerability management processes will be reduced to a niche status as early as 2006.

— Brian Robinson

Getting bosses on board is essential

A crucial ingredient for successful vulnerability management is having the support of executive managers, because responsibility and accountability for security compliance runs across the organization and the process involves all departments.

However, vulnerability management can be a hard sell, said Tim Keanini, chief technology officer at nCircle Network Security. That's because it's in a different category from more familiar reactive technologies, such as firewalls and intrusion detection, which work on the premise of plugging a hole once an attack has been discovered.

"But vulnerability management is about finding holes in something that hasn't been attacked yet," he said. "That's what makes it hard."

Once that issue is overcome, high-level backing makes the process much easier.

At the California Department of Insurance, for example, the vulnerability management process was seamless, said Archie Alimagno, the department's information security officer. Network managers were willing to work with information technology security staff. People even seemed grateful when the management process found vulnerabilities.

"But you need upper-level management support and open communications with the chief information officer for that to happen," he said. "If you don't have that in place, it's very difficult."

— Brian Robinson