Why is Vulnerability Management so important? The answer is simple and, at the same time, deep. Vulnerability is one of the pillars of Risk Management! You must know and understand all the vulnerabilities of your environment to make the right decisions about information security.

First, vulnerabilities are not only about infrastructure, but about everything! I prefer a layered approach.

For each layer we will conduct one specific vulnerability assessment approach. At the end, we will consolidate all vulnerabilities into one simple view (with weights and impacts). Working with vulnerabilities distributed across layers like these is easy and simple, and the result is a deep picture that points in the right direction.
Second, with this approach we will use security frameworks, standards and best practices to improve information security efficiently and at low cost. The following lines describe what you have to do in each layer.

Infrastructure – This is the first and most common step in information security. What are the main vulnerabilities of the infrastructure? Anyone who tries to improve information security will begin with the network. The network is the base of everything; it is an old theme (almost a commodity), but there is always something to improve. You must look for vulnerabilities in the infrastructure architecture, operating system weaknesses, weak firewall rules, IDS/IPS rules and conflicting rules. You must do a Pen Test. The final report must be a comprehensive review of the infrastructure, detailing all vulnerabilities and their risks.

Business Applications – This layer is very sensitive and has many vulnerabilities. New vulnerabilities are discovered every minute, because there is no single strong development framework. Too many people have developed applications for business (mainly cloud and mobile solutions). In this layer there are vulnerabilities in web application security, cryptography, databases, browser plugins, overload, etc. Here it is very important to do a specific Pen Test (brute force, back doors, SQL injection, man-in-the-middle scenarios). Another robust report will be generated (it may be the biggest one).

Access Management – This high-level layer is the subject of IT audit every day, and organizations still leave it uncovered: rogue accounts, incomplete approval workflows, fake approvals, misuse of privileged accounts and conflicts of duty. Reviewing access profiles is one of the most important tasks here. At the end, you will have an overview of your users, their behavior, weak processes and failures. This report supports, and at the same time is supported by, the IT audit report.

Working with these three layers will give you a big picture of IT Vulnerability Management and will support (with many reasons) IT Risk Management. Therefore, it is very important to maintain an updated database of the vulnerabilities that need to be fixed. Adopt a process that supports Vulnerability Management. Remember that there are at least three levels of vulnerabilities. Nowadays it is a strong tool to fight the cyberwar.
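As an added example (not part of the original post), the following Python sketch shows the consolidated view and the database of open vulnerabilities described above: findings from the three layer reports are kept in one list, each layer gets a weight, and open findings are ranked by weighted impact. The layer weights, the 1–5 scales and the sample findings are constructed assumptions, not values from the post.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed layer weights (hypothetical; the post names the layers but not weights).
LAYER_WEIGHTS = {
    "infrastructure": 1.0,
    "business_applications": 1.5,
    "access_management": 1.2,
}


@dataclass
class Finding:
    layer: str
    title: str
    impact: int        # 1 (low) .. 5 (critical), as assessed in the layer report
    likelihood: int    # 1 (rare) .. 5 (almost certain)
    fixed: bool = False

    def risk(self) -> float:
        """Weighted risk: impact x likelihood, scaled by the layer's weight."""
        return self.impact * self.likelihood * LAYER_WEIGHTS[self.layer]


# Constructed sample findings standing in for the three layer reports.
FINDINGS = [
    Finding("infrastructure", "permissive firewall rule allows any->any", 4, 3),
    Finding("infrastructure", "unsupported OS version on file server", 3, 4, fixed=True),
    Finding("business_applications", "SQL injection in order search", 5, 4),
    Finding("business_applications", "session cookie without Secure flag", 2, 3),
    Finding("access_management", "rogue account with admin rights", 5, 2),
    Finding("access_management", "approval workflow skipped for contractors", 3, 3),
]


def consolidate(findings):
    """Return (open weighted risk per layer, open findings ranked by risk)."""
    open_findings = [f for f in findings if not f.fixed]
    per_layer = defaultdict(float)
    for f in open_findings:
        per_layer[f.layer] += f.risk()
    ranked = sorted(open_findings, key=lambda f: f.risk(), reverse=True)
    return dict(per_layer), ranked


if __name__ == "__main__":
    totals, ranked = consolidate(FINDINGS)
    for layer, total in sorted(totals.items(), key=lambda kv: -kv[1]):
        print(f"{layer:24s} open weighted risk = {total:.1f}")
    for f in ranked:
        print(f"  {f.risk():5.1f}  [{f.layer}] {f.title}")
```

Fixed findings stay in the list as history but drop out of the totals, so the same data set serves both as the "what remains to fix" database and as the consolidated risk view.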