Vulnerability Management: How Can the Infosec Team Reach an Agreement With the IT Department?

Information security means counteracting malicious activity. Information technology means functional security, that is, creating a stable system that will not fall apart after infrastructure changes.

Unfortunately, it is common for the IS and IT teams of the same company to compete for resources. At the same time, both IT and information security are necessary for the business to work and develop. The IT department ensures the availability and operability of services. The information security department complicates the life of an attacker and prevents them from triggering events that the company has defined as unacceptable.

How can companies achieve a balance between security and operational efficiency? What should be the agreements between IT, information security, and business units? Why does the process of security analysis need to be built in advance before designing automated systems? I decided to collect the answers to these questions in one article.

Integrating security at the start of the project

The work of an information security specialist should not begin with tracking vulnerabilities in an already running automated system, but much earlier. For everything to work, you need to bring an information security specialist in at the start of the project. They must make sure that information security requirements are taken into account at the system design stage, including change windows for regular updates (planned downtime) and the possibility of deep scanning, which puts additional load on networks and nodes. There should also be a standard plan for the IT and information security departments to respond to the emergence of new dangerous vulnerabilities.

At the stage of development or trial operation, information security specialists check the system for vulnerabilities. If the security analysis results are poor, then the system cannot be put into commercial operation. If everything is fine, you can launch it and maintain the necessary level of security.

Building vulnerability management processes

The finished system needs a Vulnerability Management (VM) plan and procedures. To work effectively, VM needs synergy between IT, information security, and business. You need to act together and in a particular sequence.

Step 1. Define a list of events that are unacceptable for a particular company.

Step 2. Compile a risk rating of assets and define which of them can be the final target of an attacker and which assets can be used to reach the target.

Step 3. Draw up VM regulations and procedures for each type of asset.

Again, each step should be discussed and agreed on by all parties – business, IT, and IS.

Unit roles in a VM process

Each division is a “cog” in the vulnerability management process. Let us take a closer look at what the role of each of the departments is.

  1. Business. Role – ensuring business processes. Business leaders know the company’s top priorities and can generate a list of unacceptable events. The business unit helps determine which services need to be protected first and how much downtime the company can handle. In an ideal world, you need to protect all systems equally. In reality, companies rarely have enough resources for this. Therefore, you need to prioritize protection. The risk-based approach allows you to do it right.
  2. Department of information security. Role – system protection. Security specialists know which way an attacker may go to trigger a particular unacceptable event. Information security specialists prepare possible cyberattack scenarios in advance and, based on the ranking of systems obtained from the business unit, assign a high level of significance to those systems that hackers can use during their attacks. It is necessary to work with vulnerabilities in such systems in the first place.

Information security specialists need to sort the assets, assign them importance levels, and prioritize processing depending on which group they belong to.

    1. Target assets – the endpoint where the hacker aims. It can be:
      • DBMS server with personal data of the organization’s clients
      • Server with financial reports and plans for the development of the organization
      • Automated banking system

    2. Entry points – assets accessible from external networks. These are the starting points of cyber crooks on the way to implementing the attack. Attackers will use them in any case. How quickly criminals can advance to critical objects depends entirely on the level of information security of the company. Possible penetration/entry points:
      • Servers with external network interfaces
      • Web applications along the network perimeter
      • Workstations with Internet access
      • Systems connected to wireless and virtual private networks

    3. Key assets – those that attackers use to develop an attack. These are intermediate targets. Examples:
      • Domain controller
      • Exchange servers
      • Virtualization management system
      • Workstations of users of target systems
      • Workstations of administrators serving target systems

  3. IT department. Role – system architecture and support. IT specialists are responsible for the health of all systems. In most cases, IT personnel eliminate vulnerabilities through regular updates. The task of the IT department is to ensure that updates are installed according to the schedule for each type of asset and within the agreed timeframes.

How to determine the timing of system updates?

Postulate #1: You cannot control what you cannot see.

Until you know what is included in the infrastructure of the company, you will not be able to ensure its security. You need to constantly monitor and understand how the infrastructure is changing and where the assets that are important from the point of view of information security are located. Inventorying assets and keeping asset information up to date are necessary in order to know the possible penetration points and which vulnerabilities hackers can exploit for a sequential attack from the perimeter to the target.


Postulate #2: Security cannot be considered in isolation from business.

Information security risks should be considered as risks that hinder the business. At the same time, security professionals should not spend resources on protecting every asset but should focus on preventing unacceptable events.

In large companies, infrastructure represents a large set of automated systems. Each of them includes servers, workstations, and network equipment. These systems can overlap. It is normal when several services belonging to different systems run on the same server. It is clear that the network equipment will be common for them, at least the core network of the enterprise.


How to form the risk rating of assets?

The company may not have enough resources to keep absolutely all systems up to date. So, you need to determine their importance. Again, important systems are those that will help an attacker implement an event that is unacceptable for business. To understand which components of the system are most important for business processes and to form a risk rating of assets, you need to contact its owner and operator in each department.

Target systems can only be named by the business leaders, but assets that are likely to be key systems will be shown by the vulnerability management system. Some VM solutions help with assessing the significance of specific assets. They highlight important infrastructure parts. For example, it would be bad if someone could hack into a domain controller. This is clearly a highly valuable asset in all systems except the test environment.


How to set time frames for patching and updating?

Technology (change) windows are required for scanning and updating software. This is the time when systems can be rebooted. The functionality or performance of services may be limited during these periods.

Be sure to take care of the duplication of systems. If the service cannot be interrupted, you need to figure out how to update it in parts. It is necessary to strike a balance between load, availability of services, and security.

And here is the paradox – it often happens that critical systems are rarely updated because they cannot be stopped. This is a big problem. Therefore, as I stressed at the very beginning, information security specialists should participate in the design and development of the automated system. Security specialists should put forward separate requirements for the various types of updates – regular updates and emergency updates (when a dangerous vulnerability is discovered that needs to be fixed urgently).

Examples of parameters that help determine the SLA:

  • Risk rating of assets
  • Change windows
  • Requirements for the availability of assets
  • Versioning requirements


Is it necessary to revise the terms of updates?

For each group of assets, you need to determine how often IT professionals can update something. In the case of Windows, everything is simple: Microsoft provides updates once a month if nothing critical comes out. IT departments may need a week to test critical systems or two weeks to test and roll out to office machines. So, this period may be fixed: within 14 days all versions must be updated. If later, in the process of operation, you see that it is not possible to meet these deadlines, then you need to change the initial agreements and set new terms so that there are no delays.

It is impossible to set uniform update procedures for all systems. For example, ATMs use Windows IoT (formerly Windows Embedded) and you cannot get away from it. But not all organizations work with ATMs, so it is difficult to give uniform recommendations. The main thing is to check on a quarterly basis how well the existing policies and procedures are followed. If deviations occur regularly, you need to understand why. Some VM solutions offer built-in reports that allow you to evaluate the effectiveness of current update practices and check for deviations.
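As an added illustration (not from the article) of the SLA check this section describes: a small Python script that assigns a patching deadline per asset group and flags the findings that missed it, producing the per-group compliance figures a quarterly review would look at. The asset groups follow the article; the SLA day values, asset names and finding dates are constructed examples.

```python
"""Added example: SLA deadline tracking per asset group (constructed data)."""
from datetime import date, timedelta

# Constructed SLA policy: days allowed from discovery to patch, per asset group.
# The 14-day figure for office machines is the article's; the rest are assumed
# values illustrating that entry points, targets and key assets get shorter SLAs.
SLA_DAYS = {"entry": 7, "target": 10, "key": 10, "other": 14}

# Constructed findings: (asset, group, discovered, patched or None if still open)
FINDINGS = [
    ("web-proxy-01", "entry", date(2024, 3, 1), date(2024, 3, 5)),
    ("dc-01", "key", date(2024, 3, 1), None),
    ("crm-db-01", "target", date(2024, 3, 2), date(2024, 3, 20)),
    ("ws-admin-07", "key", date(2024, 3, 3), date(2024, 3, 10)),
    ("ws-office-42", "other", date(2024, 3, 3), date(2024, 3, 16)),
]


def deadline(discovered, group):
    """Agreed patch deadline for a finding on an asset of the given group."""
    return discovered + timedelta(days=SLA_DAYS[group])


def is_overdue(finding, today):
    """True if the finding is open past its deadline or was fixed after it."""
    _asset, group, discovered, patched = finding
    due = deadline(discovered, group)
    if patched is None:
        return today > due      # still open and the deadline has passed
    return patched > due        # fixed, but later than agreed (a deviation)


def overdue_assets(findings, today):
    """Assets whose findings violated the SLA, in inventory order."""
    return [f[0] for f in findings if is_overdue(f, today)]


def compliance_by_group(findings, today):
    """Share of findings per group that met the SLA (what a quarterly review reports)."""
    totals, met = {}, {}
    for f in findings:
        group = f[1]
        totals[group] = totals.get(group, 0) + 1
        if not is_overdue(f, today):
            met[group] = met.get(group, 0) + 1
    return {g: round(met.get(g, 0) / n, 2) for g, n in totals.items()}


if __name__ == "__main__":
    review_date = date(2024, 3, 25)
    print("overdue:", overdue_assets(FINDINGS, review_date))
    print("compliance:", compliance_by_group(FINDINGS, review_date))
```

A group whose compliance stays low across reviews is the signal the article describes for renegotiating that group's SLA rather than letting deadlines slip silently.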

 

How to reach an agreement with the IT department

Postulate #3: You need to patch everything.

It is difficult to force IT professionals to keep track of software updates that are not directly related to their goals. Often, the IT department waits for the information security department to ask for it. The situation needs to change, because if most vulnerabilities are not eliminated through regular patching and version updates, systems will drown in vulnerabilities.

An additional benefit of tracking updates is the speed of response. When something dangerous is discovered, and your company uses, for example, a big “zoo” of DBMS versions, then you will never have time to quickly update all of them. Therefore, it is necessary to have the minimum possible number of working versions that can be constantly and synchronously updated by IT personnel.

Information security specialists should not hand IT specialists a long and detailed list of vulnerabilities. You need to talk to them in their language. Take a list of endpoints and software and agree on an update schedule. Then make sure that patches are installed on time, and follow up with reminders and questions if something suddenly goes wrong.


Conclusion

To run a quality vulnerability management process, it is important to:

  • Know what kind of infrastructure you have and what assets are significant.
  • Understand how often to update each group of assets.
  • Apply an individual approach for each specific system.
  • Monitor and identify violations of established deadlines (SLA) for the elimination of vulnerabilities.