The Need for Continuous Vulnerability Management - National Information Solutions Cooperative (NISC)

The Need for Continuous Vulnerability Management

Let’s face it, vulnerabilities happen. Vendors and researchers keep finding bugs in software, and most of those bugs need to be fixed. We refer to the process of updating software to fix these vulnerabilities as “software patching.”

Applying updates to software, whether it lives on workstations or servers, is never a fun process, but it is a necessary evil. An unapplied patch leaves a known, publicly documented hole open for malware and attackers to walk through. Not every vulnerability that exists in a product or technology will affect you; however, any software you use is a potential source of vulnerabilities that could lead to a compromise of the system or of the accounts that use it. The more widely a program is used, the bigger a target it is for criminals, and the more likely any vulnerability in it will be exploited.

You will need to identify all software in your environment and create a software inventory list. With this list, you will know what to patch; anything missing from the list is something you will never patch. There are a lot of software management tools out there to help facilitate this task. Microsoft’s WSUS service has come a long way and does a nice job updating Windows-based servers and workstations, but it only covers Microsoft products. To keep non-Microsoft applications up to date, we have found SolarWinds Patch Manager to be one of the better tools available.

Once you have this patch management solution in place, you need to scan the systems for vulnerabilities. Traditionally this has come in the form of annual (or less frequent) security assessments or vulnerability scans run against your environment. The trend that I have been seeing calls for continuous vulnerability management. What this means is scanning our systems far more often than yearly, ideally after every patch cycle, to check up on the patch management process and close the gap between when we deploy a patch and when we would otherwise discover that it never landed. Far too often, we rely on the patch management software’s own report and simply trust that the update completed; a patch that failed to install, a system that was powered off during the maintenance window, or a product the tool does not cover will not show up until something independent of that tool goes looking for it.
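As an added example (this is not NISC’s code and not a description of its scanning service), the PowerShell script below performs the two local checks the preceding paragraphs call for on a single Windows host: it builds a software inventory from the registry uninstall keys, records the hotfixes the client believes are installed, and then asks the Windows Update Agent which applicable updates are still missing. It exits non-zero when Critical or Important updates are outstanding, so a scheduled task or monitoring system can flag the host between vulnerability scans. The output directory, the severity threshold and the file names are assumptions; the script must run as a local administrator.

```powershell
# Added example, not NISC's code. Local patch-process validation for one Windows host.
# Assumptions: run as local administrator; host can reach its WSUS server or
# Windows Update; $OutDir and the Critical/Important threshold are placeholders.
param(
    [string]$OutDir = "$env:ProgramData\PatchCheck"   # assumed output location
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Software inventory from both the 64-bit and 32-bit uninstall hives, so
#    third-party products (the ones WSUS does not patch) appear on the list.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$inventory = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique)
$inventory | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "inventory-$stamp.csv")

# 2. What the client itself reports as installed (this is what a patch tool's
#    console usually repeats back to you).
Get-HotFix | Select-Object HotFixID, Description, InstalledOn |
    Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "hotfixes-$stamp.csv")

# 3. Ask the Windows Update Agent which updates are applicable but not installed.
#    With the default ServerSelection a WSUS-managed client only sees updates its
#    WSUS server has approved; set ServerSelection = 2 (Windows Update) on a host
#    with internet access to compare against Microsoft's full catalog instead.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# $searcher.ServerSelection = 2    # uncomment to bypass WSUS for the check
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

$missing = @(foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title       = $u.Title
        Severity    = $u.MsrcSeverity
        KB          = (@($u.KBArticleIDs) | ForEach-Object { "KB$_" }) -join ';'
        ReleaseDate = $u.LastDeploymentChangeTime
    }
})
$missing | Export-Csv -NoTypeInformation -Path (Join-Path $OutDir "missing-$stamp.csv")

# 4. One-line summary for the scheduler or monitoring system. A non-zero exit
#    code means the patch process has left a gap on this host.
$critical = @($missing | Where-Object { $_.Severity -in 'Critical', 'Important' })
Write-Output ("{0}: {1} installed products, {2} missing updates ({3} Critical/Important)" -f $env:COMPUTERNAME, $inventory.Count, $missing.Count, $critical.Count)

if ($critical.Count -gt 0) { exit 1 } else { exit 0 }
```

Run it from a scheduled task on each host after the patch window and collect the CSVs centrally; a host that keeps reporting Critical or Important updates as missing is a patch-process failure, not a scanning question. Because the script still relies on the host’s own Windows Update Agent, it narrows the gap the paragraph describes but does not replace an external vulnerability scan, which is the only check that does not trust anything running on the target.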

Validating your patch management software and making sure that your systems are actually being updated is not an overnight or cheap process. Vulnerability scanning solutions do exist, but they can cost a fair amount and can be cumbersome to run in an automated fashion. We are actively working on a distributed scanning solution that will help facilitate this for you, allowing us to run scans against your environments to verify that your patch management process is performing effectively. In the coming months, we will send out information about this cost-effective and simple-to-use service. If you are interested, please contact me. I would love to know what kind of response this generates.

If you would like to discuss further or have questions, don’t hesitate to contact the NISC Information Security Team at infosec@nisc.coop.