_gaq.push(['_setAccount', 'UA-35754314-2']); _gaq.push(['_setDomainName', 'securityeverafter.com']); _gaq.push(['_trackPageview']); Security Ever After: Control 10: Continuous Vulnerability Assessment and Remediation var _gaq = _gaq || []; (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })();

Tuesday, August 9, 2011

Control 10: Continuous Vulnerability Assessment and Remediation

Is it possible to have a vulnerability assessment program that truly can be considered continuous? I believe the answer is a resounding yes you can.

Configure a network scanner to perform daily discovery scans on the internal and external networks. Review the output for new hosts and unexpected services. Make certain that these scans are detected by your security controls, such as Network Intrusion Detection (NIDS) and file monitoring tools. This technique is very valuable and will help assess the maturity of the continuous monitoring program.

The free Microsoft Windows Server Update Services (WSUS) provides automated patching of Microsoft products. The administrator can schedule categories of patches and schedule their installation. Also included is a reporting capability. WSUS can send daily reports via email to administrators notifying them of new patch releases and the status of their installation.

Ensure that after patches are applied that you verify outside the patching tool that the patch has actually been applied. Look for clues such as registry values, installed programs and the last system reboot to help measure this control.

Even if in a simple spreadsheet format, track all open vulnerabilities across each system type. If you get to the point where you do not know what task to work on next, this will serve as an excellent guide to direct your attention.  This will help move your security program to a more mature state.

No comments:

Post a Comment