Overcoming Vulnerability Management Challenges
Any change to your environment could introduce a new vulnerability -- and new threats are constantly emerging. Network equipment, server and workstation operating systems, printers and any type of software as well as mobile, virtual and cloud environments have and will continue to have vulnerabilities. Couple that with continuing concerns about data breaches and regulatory compliance, and the need for vulnerability management capabilities becomes obvious.
Unfortunately, healthcare organizations face a variety of challenges in pursuing this effort. These can include decentralized or inexperienced resources supporting the process, the lack of an accurate IT asset inventory, and the difficulty of determining and documenting whether a fix was applied or an exception was granted.
Another challenge with vulnerability management is that the scope of the problem typically exceeds the span of control for the information security team. For any comprehensive vulnerability mitigation and ongoing maintenance to occur, information security teams almost completely depend on the cooperation of other teams, such as desktop and server support, systems administration and network operations, to make the necessary remediation changes. These groups know that each change can potentially be time consuming and possibly require reboots or scheduled downtimes. Consequently, these groups usually have different timelines and sets of priorities compared to the information security teams that want to address the identified vulnerabilities as quickly as possible before they become unintended problems of their own.
Regrettably, you can't just go out and buy vulnerability management. It can only be established, administered and matured.
And healthcare organizations need to do more than just scan for known problems and provide a huge vulnerability report to system and network administrators for remediation.
In a nutshell, vulnerability management is a set of processes and technologies that establishes and maintains a security configuration baseline and discovers, prioritizes and mitigates exposures. To reduce information risk, effectively managing vulnerabilities is really about patching, updating software, hardening configurations and implementing technical policies on IT assets. There are hundreds of system settings that should be managed to achieve a secure environment. Technical security configuration policies based on industry-recognized practices provide implementation details for hardening and specify the recommendations of organizations such as the Center for Internet Security (www.cisecurity.org), the SANS Institute (www.sans.org) and vendor-specific guidelines.
Healthcare organizations that reference policies based on industry-recognized practices also demonstrate due diligence during audits or regulatory compliance investigations. For example, the Payment Card Industry Data Security Standard (PCI DSS) mandates vulnerability scanning, reporting and even specific remediation time frames. Some vendors provide templates they declare to comply with regulations like HIPAA. However, these templates can't directly map regulatory requirements to the various technical settings because the regulations aren't typically specific enough in this area.
Where to start? Healthcare organizations should begin a vulnerability management program by:
- Documenting the current state of the environment
- Inventorying systems and applications
- Documenting the security infrastructure and external access to corporate systems and support processes
- Establishing a security configuration baseline or desired state for each component of the IT infrastructure, based on industry-recognized practices
- Conducting internal vulnerability scanning across the entire network at least annually
- Conducting external network perimeter scanning at least quarterly
- Identifying the patch and configuration issues responsible for the most numerous and serious vulnerabilities
- Creating a vulnerability remediation plan of action
- Prioritizing remediation actions based on potential business impacts and the likelihood or probability that a vulnerability will be exploited
Vulnerability management requires an automated or manual workflow in which the vulnerability assessment reports are passed to network, system and application administrators and then verified by an auditing and feedback process. Once corrective action is taken to remediate the vulnerability, the IT asset should be re-examined for compliance. The more automated the process, the more efficiently your organization can correct known vulnerability exposures through patching and configuration changes.
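One way to automate the re-examination step and the prioritization described above, as an added example that is not part of the original article: it reconciles an initial scan against a rescan, the fixes administrators reported and the exceptions granted, then ranks what still needs work. The asset and check names, the 1 to 5 scales and the impact times likelihood score are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str        # name of the IT asset in the inventory (hypothetical)
    check: str        # scanner check or baseline setting that failed
    impact: int       # potential business impact, 1 (low) to 5 (high)
    likelihood: int   # likelihood of exploitation, 1 (low) to 5 (high)

def reconcile(initial, rescan, claimed_fixed, exceptions):
    """Classify every initial finding; the last three args are sets of (asset, check)."""
    status = {}
    for f in initial:
        key = (f.asset, f.check)
        if key in exceptions:
            status[key] = "exception"        # documented, accepted risk
        elif key in rescan:
            # Still detected: the reported fix did not take, or nobody worked on it.
            status[key] = "failed-fix" if key in claimed_fixed else "open"
        elif key in claimed_fixed:
            status[key] = "verified"         # fix confirmed by the rescan
        else:
            status[key] = "unexplained"      # gone, but no fix or exception on record
    return status

def remediation_queue(initial, status):
    """Findings that still need work, highest score first."""
    todo = [f for f in initial if status[(f.asset, f.check)] in ("open", "failed-fix")]
    # Assumed scoring: impact x likelihood; ties broken by asset and check name.
    return sorted(todo, key=lambda f: (-f.impact * f.likelihood, f.asset, f.check))

# Constructed sample data, not taken from any real scan.
INITIAL = [
    Finding("ehr-db-01", "missing-os-patch", 5, 4),
    Finding("print-srv-02", "default-admin-password", 2, 5),
    Finding("vpn-gw-01", "weak-tls-config", 4, 3),
    Finding("lab-ws-17", "unsupported-browser", 3, 2),
    Finding("pacs-01", "legacy-smb-enabled", 5, 2),
]
RESCAN = {("ehr-db-01", "missing-os-patch"), ("pacs-01", "legacy-smb-enabled"),
          ("print-srv-02", "default-admin-password")}
CLAIMED_FIXED = {("ehr-db-01", "missing-os-patch"), ("vpn-gw-01", "weak-tls-config")}
EXCEPTIONS = {("pacs-01", "legacy-smb-enabled")}

if __name__ == "__main__":
    result = reconcile(INITIAL, RESCAN, CLAIMED_FIXED, EXCEPTIONS)
    for f in remediation_queue(INITIAL, result):
        print(f.asset, f.check, result[(f.asset, f.check)], f.impact * f.likelihood)
```

The "failed-fix" and "unexplained" states are the ones an audit and feedback process exists to catch: a fix that was reported but not confirmed, and a finding that disappeared without a documented fix or exception.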
It is essential to recognize that resolving the vulnerability for good, by remediating it, depends on the IT asset, as well as its role. The following can be considered remediation measures:
- Patching the vulnerability
- Disabling vulnerable functionality
- Uninstalling vulnerable components
- Changing the system configuration to reliably prevent exploitation
The need to find and fix vulnerabilities will persist for the foreseeable future. As a result, healthcare organizations should implement a vulnerability management program that begins with a security configuration baseline and references best-practice policies. Strong leadership can promote top-to-bottom commitment to the vulnerability management process. A layered approach to vulnerability management that combines strong perimeter protection and other forms of blocking with general system hardening should be fundamental to adequately secure any healthcare environment from external and internal threats.
Vulnerability management, therefore, should be a foundational element to every information security program.