We always look forward to the vulnerability assessment group because there is usually something new. This year was no exception, and certainly no disappointment. SC Lab Manager Mike Stephenson took the lead on this month's reviews, but I got the opportunity to have a look as well.
The big, new trend is the move toward vulnerability management as opposed to simple vulnerability assessment. Vulnerability management includes several functions beyond scanning for vulnerabilities. These functions provide the means to analyze and remediate, as well as assess the vulnerabilities in the enterprise.
There are few pure-play vulnerability assessment tools left in the market, and those are the old, reliable mainstays of the genre. What is much more difficult to automate, though, is penetration testing, and we did not see pen testing tools participating in the trend toward vulnerability management.
The question often arises as to why one would select a pen testing tool over a vulnerability assessment tool. Now we can add in the vulnerability management tools. The fact is that one would not make that choice. Pen testing is a separate function from vulnerability assessment or management. In vulnerability assessment - and by extension, vulnerability management - we are interested in identifying all possible flaws in the enterprise. Of course, at any particular time, we cannot do that. We can only find those that have been defined up to the time we conduct our tests - so that, as we would expect, is a moving target.
Pen testing has a similar limitation, but it's how we do pen testing that differs from how we do vulnerability assessment. Once we have completed a vulnerability assessment, we are faced with hundreds of vulnerabilities of varying severity.
And, please, vendors, stop referring to vulnerabilities as risks. They are not. A risk requires a threat plus a vulnerability, together. Without one or the other, we have no risk. In fact, if the threat is not capable of exploiting the vulnerability, there is no risk. This is Information Security 101, and we need to look at the big picture. We can limit risk by managing threats, vulnerabilities or both.
Once we have discovered the vulnerabilities in the enterprise, we need to supply the threats to see if these vulnerabilities are exploitable. That is exactly what penetration testing is doing: supplying the threats. There are lots of reasons that a vulnerability does not pose a risk. One is exploitability. For example, the SQL Slammer worm cannot exploit a Linux box because it exploits Microsoft SQL Server, which does not run on Linux.
Another limitation is reachability. If the threat cannot reach the vulnerability, due to a firewall or other impediment, the risk is eliminated, or at least greatly reduced. Thus, pen testing should be used with vulnerability assessment to enhance vulnerability management.
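The exploitability and reachability tests described above can be applied mechanically to scanner output. The following is an added example, not code from the original article or from any product reviewed here. The host names, the firewall policy, the function names and the use of UDP port 1434 for Slammer are assumptions that do not appear in the article.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:                 # one scanner result
    host: str
    software: str
    proto: str
    port: int

@dataclass(frozen=True)
class Threat:                  # what the threat needs in order to work
    name: str
    software: str
    proto: str
    port: int
    origin: str                # network zone the threat comes from

# Constructed sample data (hypothetical hosts and firewall policy).
FINDINGS = [
    Finding("lin-01", "MySQL on Linux", "tcp", 3306),
    Finding("win-db-01", "Microsoft SQL Server", "udp", 1434),
    Finding("win-db-02", "Microsoft SQL Server", "udp", 1434),
]
THREATS = [Threat("SQL Slammer", "Microsoft SQL Server", "udp", 1434, "internet")]
# (origin zone, host) -> inbound (proto, port) pairs the firewall lets through
ALLOWED = {
    ("internet", "win-db-01"): {("tcp", 443)},
    ("internet", "win-db-02"): {("tcp", 443), ("udp", 1434)},
}

def triage(finding, threats=THREATS, allowed=ALLOWED):
    """Classify one finding as 'no-capable-threat', 'not-reachable' or 'risk'."""
    capable = [t for t in threats
               if (t.software, t.proto, t.port)
               == (finding.software, finding.proto, finding.port)]
    if not capable:
        return "no-capable-threat"      # exploitability test fails
    for t in capable:
        if (t.proto, t.port) in allowed.get((t.origin, finding.host), set()):
            return "risk"               # threat, vulnerability and a path to it
    return "not-reachable"              # firewall or other impediment

def triage_all(findings=FINDINGS):
    """Map each host to its verdict so remediation can start with 'risk'."""
    return {f.host: triage(f) for f in findings}

if __name__ == "__main__":
    for host, verdict in triage_all().items():
        print(f"{host:10} {verdict}")
```

A host with no firewall entry for the threat's origin zone is treated as not reachable, which only holds under a default-deny policy.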
Once one has decided what vulnerabilities actually need to be addressed - due to the existence of the vulnerability and the existence of a threat that can exploit it - one needs to decide how to address it. The usual way is to apply some identifiable form of remediation.
That, it turns out, is pretty straightforward. The usual form of remediation is patching, and just about all major operating systems and application suites offer patching recommendations. These range from the Patch Tuesday mandates of Microsoft to far less formal schemes. Many of our products this month have twigged to this in a big way. They provide direct connectivity to patching sites and they perform automatic updates.
Be careful of these, though. Make certain they are not introducing patches that break something in a particular enterprise. This is a real problem and it poses a real challenge. Can one afford to test every patch in a sandbox? Probably not. That means one pays good money and takes a chance. Again, that is what this month is all about. Have a look and see what makes sense in your enterprise. The tools are here, and we are getting close to maturity in this product space.