Just as you would map a hike or climb by creating waypoints you plan to hit each day, you must plan your vulnerability management process by creating similar goals. We call these goals Maturity Levels, from ML0 to ML5, as we defined them in the last blog.

You have your asset inventory from an open-source tool, an asset tracking database or maybe your preferred vulnerability assessment tool. Now it is time to climb to the first waypoint, ML0.

ML0 may be the hardest waypoint to hit because to get here you are starting from pretty much nothing and doing a lot of manual work. As climbers progress up a mountain, they get used to the environment and the rigor, thereby becoming faster and stronger. The same is true when climbing the Vulnerability Mountain; speed and strength will come in the form of automation, integration and well-defined processes.

Look at the asset inventory. How do you decide which systems to focus on first? Is it the DMZ, the code repositories or even the CEO’s laptop? The urge here is to try to assess everything, but if you are using a vulnerability assessment tool or a pentesting team, you will likely get far too much information to be actionable, and the cost of pentesting such a large scope can be quite high.

Pick your targets wisely, thinking of:

  • Company value
  • Ease of remediation
  • Staffing and owners
  • Change control windows
  • Can the asset be restored from a backup if compromised?
  • Is the asset under a maintenance contract so that I can get patches?
  • Are there any mitigations in place (IPS, network/host configurations, etc.)?

This is a balance of business and security goals. For instance, if the next change control window for servers in the DMZ is three months away, it is probably not ...