Full Report
Jordan Drysdale // tl;dr Vulnerability management is a part of doing business and operating on the public internet these days. Include training as part of this Critical Control. Users should be […] The post Small and Medium Business Security Strategies: Part 4 appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Vulnerability Management (Aligned with CSC 3)
## Overview
These practices focus on establishing a disciplined approach to identifying, analyzing, and remediating security weaknesses (vulnerabilities) within an organization's IT environment, treated here as a necessary and continuous part of business operations, especially for small to medium organizations.
## Key Recommendations
### Immediate Actions
1. **Identify Public-Facing Risks:** Immediately identify and document all publicly exposed services (e.g., Outlook Web Access/OWA, public web servers) as these represent high-value, easily testable vulnerabilities for attackers.
2. **Review Current IT Service Provider:** If currently using a Managed IT Provider (MSP), schedule a review of their established policies and procedures regarding systems management, patching, and updates.
3. **Initiate Security Awareness Training:** Begin educating users that attacks are evolving beyond simple link clicking, emphasizing that infection vectors are diverse.
### Short-term Improvements (1-3 months)
1. **Establish Vulnerability Scanning Baseline:** Execute initial vulnerability scans (internal or external) to gauge the current state of the network environment and document the findings, understanding that initial results may be severe.
2. **Formalize Patch Management Review:** Urgently review and potentially overhaul current policies and procedures surrounding system patching and software updates based on initial scan results.
3. **Define "Vulnerability" Contextually:** Officially define what constitutes a "vulnerability" within the organization, including both technology flaws (e.g., unpatched software) and configuration oversights (e.g., overly permissive public services like OWA).
### Long-term Strategy (3+ months)
1. **Formalize Vulnerability Management Program:** Integrate vulnerability management as a formal, ongoing business process, recognizing it as a required control (per CSC 3).
2. **Mandate Credentialed Scanning:** Transition vulnerability scanning practices to use authenticated/credentialed scans where possible to gain a more accurate assessment of internal security posture.
3. **Develop Risk-Based Remediation Prioritization:** Establish workflows to prioritize remediation based on the severity of the vulnerability and its exposure level (e.g., public-facing vs. internal-only).
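As an added illustration (not code from the original post), the severity-by-exposure prioritization above can be expressed as a small scoring routine: scanner severity is weighted by exposure, and exposed services the organization has flagged as risky (OWA here) are floored high even when the scanner rates them low. Hosts, weights and the risky-service list are constructed assumptions.

```python
"""Risk-based remediation prioritization over a constructed scan result set.

Severity comes from the scanner; exposure and the list of risky public
services come from the organization's own inventory (CSC 1/2). Public-facing
findings are weighted up, and exposed services such as OWA are surfaced even
when the scanner scores them low, since that is a configuration oversight the
scanner will not rate for you.
"""
from dataclasses import dataclass

# Exposure multipliers (assumed): public-facing assets rise to the top of the queue
EXPOSURE_WEIGHT = {"public": 2.0, "internal": 1.0}

# Services treated as risky whenever they are public, regardless of scanner
# score (constructed list; tune to your environment)
RISKY_PUBLIC_SERVICES = {"owa", "rdp", "smb"}

@dataclass
class Finding:
    host: str
    service: str
    cvss: float          # scanner severity, 0-10
    exposure: str        # "public" or "internal"
    credentialed: bool   # was the scan authenticated?

def risk_score(f: Finding) -> float:
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure]
    if f.exposure == "public" and f.service.lower() in RISKY_PUBLIC_SERVICES:
        score = max(score, 15.0)  # floor for exposed risky services
    if not f.credentialed:
        score += 1.0  # an unauthenticated view usually understates the true state
    return round(score, 1)

def prioritize(findings):
    # Highest risk first; ties broken by hostname for a stable list
    return sorted(findings, key=lambda f: (-risk_score(f), f.host))

# Constructed sample findings (not real hosts)
SAMPLE = [
    Finding("mail.example.test", "owa", 2.6, "public", False),
    Finding("fileserver01", "smb", 9.8, "internal", True),
    Finding("www.example.test", "http", 6.5, "public", False),
    Finding("hr-pc-12", "office", 7.8, "internal", True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.exposure:8}  {f.host:20} {f.service}")
```

Note how the OWA finding, scored 2.6 by the scanner, lands at the top of the remediation queue once exposure is taken into account.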
## Implementation Guidance
### For Small Organizations
- **Leverage Managed Service Providers (MSSPs):** Due to limited internal resources and the high cost of security licensing (Nessus, Qualys, Nexpose), strongly consider hiring a reputable MSSP to manage vulnerability scanning, interpretation, and remediation guidance.
- **Budget for External Services:** Aim for an annual budget of approximately \$5,000 or less for an MSSP to perform quarterly scanning and provide directed remediation guidance for a few public IP addresses.
- **Focus on the "Easy Six":** Strictly adhere to the controls the series calls the "Easy Five" (now six), including establishing a Hardware Inventory and Software Inventory and implementing Vulnerability Management.
### For Medium Organizations
- **Evaluate MSSP vs. In-House Licensing:** Analyze the Return on Investment (ROI) between purchasing expensive scanning licenses and employing dedicated internal staff versus engaging an MSSP for comprehensive IT/security coordination (estimated MSSP costs around \$2000 - \$2500 for basic services for ~30 systems).
- **Review Existing Contracts:** If existing IT support yields poor scanning results, prepare to terminate those contracts and replace them with providers capable of delivering robust vulnerability management.
### For Large Enterprises
- **Establish Full Program Maturity:** Ensure vulnerability management is fully integrated with existing governance, risk, and compliance (GRC) structures, moving beyond basic scanning to threat intelligence-driven prioritization.
- **Address Manual/Configuration Flaws:** Dedicate resources to manually identify vulnerabilities that scanner tools cannot detect, such as improperly exposed services (like OWA) or weak social engineering/employee exposure points (e.g., poor management of professional social media profiles).
## Configuration Examples
*No specific technical configuration commands were provided in the text. Implementations rely on selecting and configuring third-party scanning tools or MSSP service packages.*
## Compliance Alignment
- **Center for Internet Security Critical Security Controls (CSC):** These practices directly implement **Control 3: Vulnerability Management**.
- **Related CSC Controls Mentioned:**
  - CSC 1: Hardware Inventory
  - CSC 2: Software Inventory
  - CSC 4: Controlled Admin Privileges
  - CSC 5: Secure Configurations for Domain Systems
  - CSC 6: Logging Controls
## Common Pitfalls to Avoid
- **Believing Scanners Find Everything:** Do not assume that automated tools (Nessus, Nexpose) will identify all threats; manual review for logic flaws and exposed external services (like OWA) is crucial.
- **Treating Vulnerability Management as Optional:** View vulnerability management as a mandatory, continuous aspect of doing business on the public internet.
- **Ignoring Low-Tech Vectors:** Failing to recognize that employee presence on platforms like LinkedIn or Facebook can constitute an organizational vulnerability path.
- **Hiring a Poorly Vetted MSP:** Do not rely solely on the promises of a service provider; verify their credentials (e.g., SSAE-16, SOC certifications) before contracting them to manage critical security functions.
## Resources
- **Vetting Documentation:** Ask potential third-party security service providers for evidence of operational security posture (e.g., SSAE-16, SOC stamp of approval).
- **Framework Reference:** CIS Critical Security Controls (CSC).