Building effective defenses for your assets is a dark art. Mark my words; it
is so much more than any regulation, standard, or policy. After 20 years
in the information technology and security industry, it is easy to say
implement a vulnerability management program. It is easy to say patch
your operating systems and applications. Compliancy standards from
PCI, HIPAA, ASD, and others all say do it. They tell you how you should
measure risk and when you must comply with getting systems patched.
In reality, it is difficult as hell to do. No one technology works, and no one
vendor has a solution to cover the enterprise and all of the platforms and
applications installed. It’s a difficult task when you consider you need
to build an effective strategy to protect assets, applications, and data.
Vulnerability management is more than just running a scan, too. It is a
fundamental concept in building your strategy and the regulations tell you,
you must do it, but not how you can actually get it done. What problems,
pitfalls, and political pushback you may encounter stymies most teams.
Yes, there are team members that will actually resist doing the right thing
from vulnerability assessment scanning to deploying patches. We have
seen it many times, all over the world. It is a cyber security issue and it is
not naivety either. It is a simple fear of what you might discover, what it
will take to fix it, what will break if you do, and the resistance to change. All
human traits.
Protecting your assets is fundamental security hygiene. In a modern
enterprise, everything connected to the network from router, to printer,
and camera is a target. This is above and beyond traditional servers,
desktops, and applications. If it communicates on a LAN, WAN, or even
PAN, it can be targeted. If it’s wired or wireless, a threat actor does not care
xxii
either; it can be leveraged. Knowing if it’s brand new versus end of life and
no longer receiving patches helps evaluate the risk surface, but not even
knowing what’s on your network makes it near impossible to prioritize
and take effective action. This is completely outside of modern threats that
are still your responsibility in the cloud and on mobile devices including
BYOD.
While I have painted a picture of doom and gloom, the reality is that
you are still responsible for protecting these resources. Being on the front
page of the newspaper is not an option. The regulations, contracts, and
security best practices clearly highlight the need to do it.
This book is dedicated to this dark art. How do you actually create an
asset protection strategy through vulnerability management (and a lesser
degree patch management) and accomplish these goals? We will explore
years of experience, mistakes, threat analysis, risk measurement, and the
regulations themselves to build an effective vulnerability management
program that actually works. In addition, we will cover guidance on how
to create a vulnerability management policy that has real-world service-
level agreements that a business can actually implement. The primary goal
is to rise above the threats and make something actually work, and work
well, that team members can live with. Vulnerability management needs
to be more than a check box for compliance. It should be a foundation
block for cyber security within your organization. Together, we can figure
out how to get there and how to improve even what you are doing today.
After all, without self-improvement in cyber security, we will be doomed
to another breach. Threat actors will always target the lowest hanging fruit.
An unpatched resource is an easy target. Our goal is to make it as difficult
as possible for an intruder to hack into our environment. If somebody has
to be on the front page of the newspaper due to a breach, we would rather
it be someone else’s name and business, not ours.
—Morey J. Haber