You don’t have to look hard to find organizations using only a small fraction of the capabilities of their vulnerability management tool. Often that’s because the focus is on meeting a compliance obligation. For example, PCI DSS 3.2.1 requirement 11.2.1 says, “Perform quarterly internal vulnerability scans.” It’s difficult to learn what a tool can do when it runs only four times a year.
At the same time, the importance of an effective vulnerability management program is made clear by the weight placed upon it by the CIS Controls (and virtually every other security framework). CIS Control 3.1 calls out the best practice of running a vulnerability scanning tool to automatically scan all systems on the network on a weekly or more frequent basis to identify all potential vulnerabilities on the organization’s systems. More detail is available in version 7 of the CIS Controls.
Recent disclosures remind us how important it is to have a top-notch vulnerability management strategy in place. For example, libssh (CVE-2018-10933) has an authentication bypass in its server-side code: a client that sends an SSH2_MSG_USERAUTH_SUCCESS message in place of an authentication request is treated as already authenticated, so a remote attacker can log in without any credentials. The bug was introduced in version 0.6, released in 2014, and survived until October 16th, 2018, when it was fixed in versions 0.8.4 and 0.7.6. Note that it affects only applications that embed libssh as an SSH server; OpenSSH and libssh’s client code are not affected. The bug was discovered by Peter Winter-Smith of NCC Group (@peterwintrsmith). Tripwire IP360 can remotely detect this vulnerability, and Tripwire VERT placed it at the top of its Patch Priority Index for October.
Here are three ideas that may help you get more from your vulnerability management tool.
- Create an incentive plan for system owners based on the vulnerability score of the assets they manage. Let’s face it, people are often motivated by carrots, and there is nothing like presenting an award to an (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Jamieson. Read the original post at: https://www.tripwire.com/state-of-security/vulnerability-management/vulnerability-management-strategy/

