How to run an incident management process

The primary purpose of an incident management process in the IT operations or security fields is to quickly restore normal service operations to minimize the impact on normal business operations. Here is a rundown of a typical incident response situation:

1. An operations, business-critical, or security-related incident is reported to the help desk by an end user or automated monitoring system. It is important for the help desk to get detailed information about the exact nature of the problem, including a detailed problem statement of what is not working. The help desk should document the specifics in the problem log for documentation purposes.

2. Help desk reviews the issue and the support scripts, determines the business impact of the issue, and decides whether the issue should be escalated as a high priority item.

3. Help desk follows the documented escalation process and begins to form a system restoration team (as detailed by the application/system support script).

4. System restoration team assembles on a designated global phone bridge with intent of getting all people necessary for system restoration.

5. For a high priority application type problem without a clearly defined cause, it is typical to get the end to end support team on the line. Typical system restoration participants are:

  • Application support team member
  • Server support team member
  • Database support team member
  • Network/Firewall team member
  • Someone who can test functionality/items as needed (often a business user)
  • Facilitator of the incident response call

6. Facts surrounding the event are discussed with the combined team so everyone is aligned on the problem that needs to be solved. The incident response facilitator should be the primary voice of the system response team and keep the team on track with the primary goal of restoring normal business operations.

7. Depending on the severity of the problem, it is important to keep relevant stakeholders updated on the progress and expected duration of the problem (if known). Communicating effectively is one of the most important things that needs to be done during an incident to set proper expectations and keep those affected informed. Effective communication is one of the key things that can be done to help minimize the likelihood of unneeded political escalation of the event.

8. It is best practice to keep the phone bridge open until the problem is resolved to maintain problem solving momentum. If the problem is expected to run too long to make that practical it is good to define the needed update times and schedule the sessions as needed.

9. It is important to validate that the service has been restored to normal prior to disbanding the system restoration team. This is best done by validating with an end user on the bridge.

10. Before terminating the call the team should make sure the incident diary is updated with information about what was done to resolve the problem. In addition, any information needed for the RCCA should be assembled while the incident is still fresh in everyone’s mind.

Important points about the Incident Management process

  • There is sometimes a tradeoff between quicker restoration and collecting system logs and other information in order to find a root cause of the problem. This conflict should be managed appropriately depending on the likelihood of finding a true root cause (which is very desirable to prevent future problems) vs. faster restoration of the affected service.
  • It is important that the system restoration team facilitator be in charge of leading the assembled resources to maintain an orderly process. Too many chefs in the kitchen will not help restore service in a more timely manner.
  • Documenting the problem ticket regularly through the process is important for tracking status, communicating updates, and as a source of data for the future root cause analysis.
  • Opening a group chat room for the system restoration team is a good way to share technical information without sidetracking the phone bridge directing resolution of the problem. It also serves as a nice log for the problem diary and a potential source of information for the root cause analysis.

How to update PHP to support WordPress version 3.2.1

When a new WordPress version comes out I always like to wait 3-4 weeks to allow for sufficient burn in with the assumption that any major bugs will be corrected by the time I upgrade. One of my cardinal rules of upgrades is to have a working backup and to make sure I have sufficient time to troubleshoot and quickly correct if something goes wrong. I delayed upgrading to the latest version of WordPress longer than my typical 3-4 week burn in time because it required me to be operating at a higher level of PHP configuration vs. what I was currently operating at and I thought it would be a bigger deal to change.

Since this site is dedicated to security I did not want to get more than one version behind the WordPress current version level (got to keep practicing what I preach here). I logged into my hosting account and was pleasantly surprised to learn that upgrading my PHP version was a point and click painless upgrade.

To upgrade my PHP I performed the following:

1. Logged into my hosting account

2. Go to cpanel

3. Software/Services

4. PHP Configuration

5. Changed from PHP 4 to PHP 5 and clicked Update

I then checked back in my WordPress site and was now able to upgrade to WordPress version 3.2.1, whereas previously a "not compatible with your version of PHP" message was displayed. I was then easily able to auto update to the latest version like all previous updates.

 

How to perform a root cause analysis?

The purpose of a root cause analysis in either the IT operations or information security fields is to gain insight into the source(s) of a problem with the goal of preventing recurrence. A root cause analysis should be performed after an incident has been responded to and not during. During the incident individuals should not be distracted and the primary focus of all involved should be on the restoration of service and the elimination of business impact. Once business operations have returned to normal the next steps should be to collect any relevant information and do a debrief in preparation for a formal root cause analysis.

Organizations often make use of the 5 Why method to determine how an incident occurred. Asking the question why several times helps to effectively drill down to what caused a problem vs. simply stating the problem itself.

Example of the 5 Why’s Method:

The company file and print server was infected with a worm <- Why?

The server was not patched with the latest Microsoft patches <- Why?

The automated server to deploy the patches has been broken for a month and is not operational <- Why?

The change to upgrade it 5 weeks ago was unsuccessful and no additional action was performed to correct it <- Why?

The change to the server was not properly planned or documented and the engineers were unaware that the upgrade activity had occurred <- Why?

Proper change control processes were not followed

The only time you are likely to hear more whys is in a car with several small children who you are trying to explain something to.

Tips for conducting an effective root cause analysis

  • A root cause analysis should be performed as soon after an incident as is practical to allow for the needed prework and attendees to be scheduled. Extended delays increase the likelihood that the incident will not be well remembered and that the momentum to correct it will be lost.
  • Conduct sufficient prework to document the incident and actions taken during the event. Review the documentation with those involved for factual accuracy.
  • Schedule the root cause analysis so that key individuals are available to attend.
  • A standardized form should be utilized when conducting a root cause analysis. Ideally this information will be stored in an application or database so that metrics are easily generated to allow for long term improvement tracking.

Common errors that occur in the root cause analysis process

  • Failing to properly document the facts around the incident in a timely manner
  • Failing to understand the difference between correlated facts and causation
  • Not driving to a deep enough level and simply recording what happened vs. why it happened and how it can be prevented.
  • Not tracking improvement tasks to make sure they have been completed as expected
  • Not auditing the root cause analysis process for quality

Tips if root cause cannot be determined

  • Determine what additional information should be collected next time and develop a process for collecting the needed information in case the event reoccurs.
  • Do not assign a root cause that is not correct just for a false sense of completeness. Recognize that not all incidents can be attributed to a root cause on the first pass, and make a plan to be effective if the issue recurs.

Sample Root Cause Analysis Form

Statement of issue: Describe the problem that occurred

Chronology of events: Detail events that occurred with specific timelines and actions taken during the incident

Business Impact: Define and quantify the problem from a business perspective

Participants: Document individuals that participated in the root cause analysis

Corrective Actions, with the name of the individual responsible for completing each and the date completed:

Lessons Learned: Document to enable future improvements

Other areas with similar exposure: Document so same incident does not have to be experienced multiple times in different operating areas

Contributing Causes: Items may not be root cause but were contributing factors that need correction

Was the incident a repeat event?

Final thoughts on root cause analysis

If you are capturing your root cause analysis in a database it may be useful to track many other items for reporting and improvement metrics. Some of these items might include:

  • Incident # (to link back to your problem management system)
  • Incident Status
  • Incident Start and End Time
  • Location/Country/Region of incident
  • Incident category (application/server/etc.)
  • Service affected
  • Organization owner of incident
  • Type of problem

Effectively performing a root cause analysis is one of the most important things you can do to improve operations and drive a continuous operations improvement mindset.

iPad, iPad 2 and iPhone screen privacy – Options to protect your screen and keep busybodies at bay

photo by: http://www.flickr.com/photos/adamjackson/

Are you tired of constantly repositioning the angle of your iPad, iPad 2 or iPhone to prevent busybodies from seeing what you are doing? Traveling in tight quarters like a car or airplane and don’t want casual snoops eyeing your activities? If you answered yes to either of these questions you are in the market for screen privacy protection options.

Factors to consider when purchasing screen privacy protection

  • Privacy films help reduce unwanted glare on your device
  • Privacy films/screens will make your screen appear darker. If you prefer a very bright screen your options are more limited and you will have to sacrifice some of the privacy benefits as a result
  • If you read a lot of books you may need to turn your device brightness levels up to compensate for using the privacy screen
  • The thickness and quality of the film used in the product will be a major factor in how private your device will be to those around you.
  • 4-way protection is preferred over 2-way protection because it covers the various possible viewing angles. 4-way protection will typically be more expensive to reflect this additional privacy protection.

Note for all the products listed below, I have read through various product reviews and only included products that were noted to be of high quality and free from excessive negative reviews.

Screen privacy options for the iPad 2

GumDrop Drop Series Cases – These top rated cases are well loved and well rated by a large number of consumers. They provide protection against breakage as well as screen protection, so they are a nice all in one solution and the top choice to stylishly protect your device. Available in a lot of cool styles including:

KHOMO Privacy 4 Way Screen Protector – Purchasers of this protective film noted the ease of installation and the thickness of the film as overall benefits to the product.

3M Privacy Screen Protector for iPad 2 – This device is new so it does not yet have any reviews, but 3M is a trusted brand known for making high quality products, which makes this a top option.

Privacy Screen Cover for iPad 2 (Brookstone) – Is new so does not yet have reviews but I have always been happy with any Brookstone purchases so have no remorse in including this option on the list.

Screen privacy options for the iPad

3M Privacy Screen Protector – This device is new so it does not yet have any reviews, but 3M is a trusted brand known for making high quality products, which makes this a top option.

Splash 3 pack screen protector films – This 3 pack is at the very low end of the price spectrum but is well rated and is designed to be a more replaceable version of screen protection.

Screen privacy options for the iPhone

GumDrop Drop Series Cases – These top rated cases are available for the iPhone as well and come in a variety of cool styles.

Phone Devil Screen Protector – Nice well rated option that I believe is a small cut below the GumDrop line.

I will continue to keep this list up to date to reflect user experience on the newer products. I am especially eager to see how the 3M products are received since they are quite new and a leading authority in the space.

10 Information Security Lessons Everyone Should Know

Information security is an afterthought to most people left to the domain of nerds and professionals. This is a big mistake that could have major ramifications for your financial, social or emotional well being. Identity theft, financial loss, time wasted, and social/reputation stress are just a few of the potential problems awaiting if you fail to take information security seriously. Without any further buildup (as if any were possible) here are the Top 10 Information Security Lessons Everyone Should Know.

1. You are a potential victim – It isn’t just the rich and famous who are targeted for information security attacks. Everyone is a potential victim and must take adequate precautions to protect their systems and information. If you do not take the risk seriously you are more likely to become a victim.

2. Email and internet browsing are the two riskiest activities you do every day – If you click on every email, open every attachment, and click on web sites of unknown quality, you are at an increased risk of being compromised with malware or viruses. Once your machine has been compromised it may become unusable or, worse, it may be silently harvesting your important usernames and passwords.

3. Anyone you let use your system or device can put you at risk

Anyone you let use your system can spoil all of the careful planning you have done and create problems for you later. If you allow others to use your device be sure they have good judgement and set some ground rules around email and internet usage.

4. Do not reuse username/passwords especially for important accounts

Most people reuse username and passwords for their activities even for important accounts like email and online banking. This is a big mistake and it makes you susceptible to widespread problems if only one of the sites you frequent has a security incident. It is better to use unique strong passwords for all sites and use a free password manager such as LastPass to help keep track of your passwords in a secure manner.

5. Do not go without security protection for your pc, tablet or mobile device.

Going without some type of antivirus, personal firewall software, and security updates is just asking for problems. These are your last line of defense if you make a mistake and click on an infected attachment or website. If you do not want to pay for this there are high quality free security tools available to help.

6. It is easy to impersonate you

Anyone can create a Facebook, LinkedIn (insert any other social media site here), or email account pretending to be you. It is easy to find an image for most people using Google or a variety of other sources to make the account look authentic. If you get reports from friends about any accounts that do not sound familiar, do not dismiss them; take action immediately.

7. Backup your important information

Always have a backup plan to restore documents, photos or other items you cannot stand losing. If you do not have a backup you're putting too much faith in never losing your device or having it become inoperable. Use a DVD, a backup system, or online storage, but use something.

8. Protect your mobile devices while out and about

Electronic equipment is most vulnerable to loss or theft when you are on the go. Take it with you but always keep an eye on it and make sure not to leave it unattended and visible or you may regret it later. Assume if you like it someone else might too.

9. Secure your wireless access point

Using WEP encryption is better than nothing but not totally sufficient since it is easily crackable with online tools. You should be using WPA encryption to make sure others cannot cause trouble with your connection. Read this horror story of what normal people went through with their neighbor from hell if you are not convinced.

10. Anything you do electronically is forever

Many people post things in the spur of the moment thinking they can go back and delete it later. This is usually not the case since nearly everything is indexed, archived, and kept for posterity. Think twice before posting something (pictures, emails, social media posts) because it will endure and might be used against you in unexpected ways later on.

Some of these recommendations may sound a bit alarmist but awareness is most of the battle. Compute safely, my friends.

The Most Interesting Security Man in the World

Free Security Software – 5 free must use security tools

Need security for your computers but on a budget of $0? Free security software is available to assist with your dilemma. A few years ago acquiring free security software often carried a risk of picking up unwanted malware or an annoying every other second registered version offering. Luckily for you, the quality of free security software has risen dramatically and it no longer carries the stigma of being inferior products.

Top 5 Free Security Software Tools

1. Avast Free Antivirus – Previously, I was always skeptical of free anti-virus products and considered them a novelty. My Norton subscription for my new pc recently expired and I decided to give this software a legitimate chance since I had heard good things. I am very glad that I did; this is a first rate freely available software package with signature updates that rival its subscription based rivals. If you are not already getting AV via your broadband provider be bold and save $30-50 a year per machine by using Avast.

2. LastPass – Despite well publicized security events that happened awhile ago, LastPass is a first rate company that makes a high quality freely available password manager that should be in your free security tool arsenal. LastPass is a life saver for managing the essential process of creating unique user ids and passwords across the web to help minimize the risk of reusing accounts or passwords. LastPass also helps me save my brain cells and avoid wasted time of resetting forgotten passwords which is bound to happen to anyone creating unique passwords for each site. LastPass is more secure than using either browser saved credentials or managing your credentials via another unencrypted document like Word or Excel. To help minimize your risk of a LastPass credential compromise I recommend changing your master password every 90 days or if you receive a notice from the company about potential security issues (which hopefully was a one time occurrence).

3. TrueCrypt – Freely available encryption software for your computer or USB related drives that works on multiple OS’s including Windows, Mac, and various Linux distributions. Disk encryption is an essential security control to prevent your data from falling into the wrong hands if your pc or portable storage device is lost or stolen. I have just recently started using this software but like what I see so far.

4. Qualys BrowserCheck – Your internet browser is one of the most attractive targets for attackers to infect your system so keeping your browser and installed browser plugins up to date is mandatory to maintain optimum system health. Qualys has developed a useful browser plugin that helps validate you are operating at a fully patched and protected level. Qualys is a trusted high end security company and they have made a valuable contribution to your free security tool bench.

5. Microsoft Security Essentials – Security vendors often advise not to run multiple malware/anti-virus packages at the same time due to incompatibilities. I have had no problems running MSE with either Norton (previously) or Avast so I will continue using the Microsoft Security Essentials package. I was uncomfortable relying on it as my sole protection but it is an excellent secondary control for the Avast package I am using as the primary. If you are looking for personal firewall protection I recommend the Microsoft supplied option as well.

I am actively using or have in the past used all of these free products so feel free to ask a question if you are having problems or provide other recommendations if you have other free security tools that are working well for you.

How to secure your iPad/iPad 2 at a conference or trade show

ipad security for trade shows and conferences

Photo credit: http://www.flickr.com/photos/schargis/

Are you responsible for delivering an important conference or trade show for your company? If so, I know you have a thousand things going through your mind to prepare for the big event but please remember to make information security part of the plan. Failing to account for security could be the difference between a successful event and a disaster. Remember to physically secure your iPads, portable electronic devices, and tv/display units because some attendees think more than the pens and stress reducing squeezy balls are fair game as giveaways.

General Information Security tips for trade shows and conferences

  • Mount/lock all electronic assets down to prevent loss or theft. Choosing one of the attractive options below will allow you to have security and an attractive setup.
  • Be careful with the equipment while it is in transit in your car or van. If you stop to eat or rest make sure someone has their eyes on the equipment at all times. If you are stopping for the night I advise unloading it into your hotel room.
  • Have a trusted person watch your electronic equipment while it is being moved from your car to the trade show (and vice versa). The equipment is most exposed while in transit.
  • If you are capturing attendees’ contact information make sure you are treating the collected information as confidential and ensure the appropriate controls are in place. If you are capturing leads with electronic methods, the physical security controls recommended below should be used. If you are using business cards or other ways to capture leads, also secure the box or container that you are using to collect the information.
  • Inquire with the organizers of the event about the security of the location to help ensure the equipment will be secure when you cannot have your eyes on it. (Likely thieves would target those without the security controls mentioned below so you will be a less attractive target overall.)
  • Do not use USB/storage devices of unknown origin on your electronic devices you bring with you. This is a common way an attacker may seek to infect your systems.

iPad Physical Security Options for Trade Shows/Industrial Users

iPads are beautiful devices to show off your products and company’s electronic presence at a conference or trade show. Prospective customers love the latest technology and gravitate to displays that feature high tech displays. iPads and other portable devices should be attractively mounted as part of your display to prevent theft while at the same time retaining the beauty and usefulness of your showcase.

RAM Mounting System for iPad/iPad2 – Mounting device looks a lot like your typical tv bracket and is a top choice for securing an iPad/iPad2 in a semi-permanent fashion when the device needs to be featured securely in your display. This high security mount/lock will give you the confidence that your device will not be lost or stolen during your next trade show or conference.

Arktis iPad Security Mount Lock – Another option for you to securely feature your iPad or iPad2 device for signature events. The Arktis is a bit more minimalistic than the RAM system listed above but another good option for security on the go.

General Laptop/Desktop Cable locks

Kensington is the most trusted name around for laptop/notebook/desktop cables so I recommend sticking with one of their basic offerings. Two options are either the combination or key lock depending on your preference.

Kensington Key Lock


Kensington Notebook Combination Lock

Other Trade Show/Conference Security Items

Mobile security mount for TVs/Displays – Top rated mobile security cart should be assembled prior to attending the trade show or conference. You can then roll it in easily and mount your tv unit once you arrive simplifying the process. This mount works for tvs/displays between 32-60 inches.

Rolling Trade show tv security mount

Security mount for TVs/Displays – If you are looking for a way to secure your tv screens/monitors for your exhibits this stand is a good choice for models between 23-42 inches.

Follow these tips to ensure your next conference or trade show is pulled off without an information security hitch.

Be sure to check out our iPad and iPad 2 screen privacy recommendations

WordPress Plugin Security – Your Site's Worst Security Nightmare?

The WordPress security team recently announced some serious WordPress plugin security vulnerabilities with three popular plugins: WPtouch, AddThis, and W3 Total Cache. If you are one of the WordPress site owners using the mentioned plugins who updates plugins as soon as they are available you need to take prompt action to avoid potential information security problems with your site. If you have updated within the last few days you need to quickly update again to avoid problems from potentially malicious WordPress plugins.

Bad versions of each plugin:

WPtouch: versions 1.9.27 or 1.9.28

AddThis: version 2.1.3

W3 Total Cache: Unclear; latest version is recommended

Good versions of each plugin:

WPtouch: 1.9.26 or older or the latest version 1.9.29

AddThis: 2.1.2 or older or the latest version 2.2.0

W3 Total Cache: version 0.9.2.3
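One way to check an installation against the two version lists above, as an added example that is not part of the original post: it reads the `Version:` header from each plugin's main PHP file and classifies it. The directory slugs (`wptouch`, `addthis`, `w3-total-cache`), the file names and the sample plugin tree are assumptions constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Version lists transcribed from the post. The directory slugs used as keys
# are assumptions about how each plugin folder is named on disk.
ADVISORY = {
    "wptouch": {"bad": ["1.9.27", "1.9.28"], "older_ok": "1.9.26", "fixed": "1.9.29"},
    "addthis": {"bad": ["2.1.3"], "older_ok": "2.1.2", "fixed": "2.2.0"},
    # The post says the bad W3 Total Cache versions are unclear, so anything
    # other than the recommended version is flagged for manual review.
    "w3-total-cache": {"bad": [], "older_ok": None, "fixed": "0.9.2.3"},
}

# Plugin metadata lives in a comment header near the top of the main file.
HEADER_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.MULTILINE | re.IGNORECASE)


def header_version(text):
    """Return the Version header value from the first 8 KB of a plugin file."""
    match = HEADER_RE.search(text[:8192])
    return match.group(1) if match else None


def as_tuple(version):
    """'1.9.27' -> (1, 9, 27) so versions compare numerically, not as text."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def classify(slug, version):
    entry = ADVISORY.get(slug)
    if entry is None:
        return "not-in-advisory"
    parsed = as_tuple(version) if version else ()
    if not parsed:
        return "unknown-version"
    if parsed in [as_tuple(bad) for bad in entry["bad"]]:
        return "bad"
    if parsed == as_tuple(entry["fixed"]):
        return "ok"
    if entry["older_ok"] and parsed <= as_tuple(entry["older_ok"]):
        return "ok"
    # Neither listed as bad nor as good in the post: a human should look.
    return "review"


def scan_plugins(plugins_dir):
    """Map each advisory plugin found under plugins_dir to (version, status)."""
    results = {}
    for slug in ADVISORY:
        folder = Path(plugins_dir) / slug
        if not folder.is_dir():
            continue
        version = None
        for php_file in sorted(folder.glob("*.php")):
            version = header_version(php_file.read_text(encoding="utf-8", errors="replace"))
            if version:
                break
        results[slug] = (version, classify(slug, version))
    return results


def demo():
    """Build a constructed plugin tree in a temp directory and scan it."""
    sample = {
        "wptouch/wptouch.php": "<?php\n/*\nPlugin Name: WPtouch\nVersion: 1.9.28\n*/\n",
        "addthis/addthis_social_widget.php": "<?php\n/**\n * Plugin Name: AddThis\n * Version: 2.2.0\n */\n",
        "w3-total-cache/w3-total-cache.php": "<?php\n/*\nPlugin Name: W3 Total Cache\nVersion: 0.9.2.2\n*/\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for relative, body in sample.items():
            path = Path(root) / relative
            path.parent.mkdir(parents=True)
            path.write_text(body, encoding="utf-8")
        return scan_plugins(root)


if __name__ == "__main__":
    for slug, (version, status) in demo().items():
        print(f"{slug:16} {version:10} {status}")
```

Point `scan_plugins` at a site's `wp-content/plugins` directory to run it against a real installation; a `bad` or `review` result means the plugin should be updated before anything else is changed.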

WordPress security lessons learned/validated

  • WordPress plugins are of unknown security levels and must be treated as such by sites requiring a high level of security
  • WordPress updates and plugin updates should be given a 2-3 week burn in process before applying to avoid defects and issues such as this. This would have helped prevent exposure to the situation described by WordPress and the only caveat would be if failing to update exposes your site to known exploits that are circulating in the wild.
  • Disable or preferably delete any WordPress plugins that you are no longer utilizing for your site.
  • Make sure your WordPress site administrator is staying in the loop with WordPress security updates; awareness is half the battle.
  • Keep multiple copies of your site's backups so you have your choice of restore points if the worst
  • Security issues can happen even with trusted plugins. WPtouch is probably the most widely used plugin to assist with mobile device compatibility and if it can happen to them it can happen to anyone.

Be sure to understand the risk of installing WordPress plugins prior to doing so and be sure to stay on top of WordPress plugin security news to help your site stay secure.

 

Penetration Test – Does your business need one?

A penetration test is a method of evaluating the robustness of your IT security level by simulating an actual attack on your own systems. Penetration testing can be a very valuable tool to help identify the path of least resistance into your company’s critical systems and is often an eye opening experience for management. If your company has not yet embraced the need for effective information security controls, a penetration test might be just what the doctor ordered to raise awareness and build support.

Is your business ready for a penetration test?

The answer to this question depends a lot on the maturity of your information security program. If your business is still developing your information security program a skilled penetration tester may quickly gain access to all of your systems without much effort and you might only learn that you are highly vulnerable to attack and little else. My recommendation is to ensure you have conducted internal vulnerability assessments prior to conducting a penetration test unless you are using the exercise as a means to communicate your company’s exposure to attack. Unfortunately, sometimes information security is not taken seriously until there is a smoking gun and a targeted pen test can provide that.

Important items to keep in mind before signing up for a penetration test

  • Choose the company/individual that will perform the penetration test wisely. A lot of sensitive company data will be exposed so it is important to only deal with reputable people.
  • Make a confidentiality agreement part of the contract.
  • Scope the penetration test as desired to achieve your intended results. Possible penetration test scope includes: Full review, External Review Only, Internal Review Only.
  • The cost of a penetration test can be quite high so make sure your organization is ready to benefit from the results otherwise a full security audit may be a better choice.
  • Define objectives for the penetration testers to aim for. These objectives should be targeted at the highest risk business processes, especially if you are performing the pen test to build support for expanding your information security program.
  • Make sure senior management has signed off on the penetration test. Things can go wrong during a penetration test even under controlled conditions so it is an important CYA step to ensure your career does not go down the tubes.

Other Frequently Asked Questions about penetration tests

Should the penetration test be announced to your technical staff?

Usually it is a good idea to announce the impending penetration test to your technical staff so they will know it is occurring, be on hand to support if there are problems, and not escalate detected items to a higher level. A counter case of not notifying the technical staff can be made if you desire to assess the effectiveness of monitoring controls and wish to avoid having the staff on red alert.

How much information should be provided to the penetration testing team?

Penetration tests differ on how much information is provided to the testing teams. Some penetration tests are basically a blank slate where the technical team must discover everything without any inside information (black box testing) vs. other tests where significant network and system information may be provided (white box testing). Hybrid approaches are also possible where some generalized information is provided but the pen test team must figure out the rest. For external assessments I recommend providing in scope external IP addresses and phone numbers (if analog lines are being assessed) to avoid the problems that could come if the wrong targets are identified.

Can the penetration test have an adverse effect on my systems?

The answer is most definitely yes if the pen testing team does not take steps to minimize the risks to your operations. There is an inherent risk that comes with performing an activity like this, but choosing experienced testers and setting solid engagement rules can help minimize your exposure.

Are there any established frameworks for conducting a penetration test?

The Open Source Security Testing Methodology Manual (OSSTMM) is the best current framework to help guide a penetration test (including helping a client define the scope of engagement).

Should I have a member of my team witness the penetration test as a member of the technical team?

If you can negotiate this into the contract terms and plan to build your own internal capability to some extent this would be a great way to acquire on the job training at the same time the pen test is delivered.

Now that you have more information about penetration testing you can determine if your business is a good candidate to consider one vs. a standard information security audit.

10 Commandments of Vulnerability Scanning – Tips for conducting an effective vulnerability scan

Vulnerability scanning is a critical business security control for identifying system vulnerabilities that put information at risk. Vulnerabilities can exist at the network, operating system, database, and application levels, so it is important that your vulnerability scanning tool(s) check as many of these layers as possible.

Ten Vulnerability Scanning Commandments

#1 – You shall not assume an accurate system inventory

Maintaining an accurate system inventory is a challenge even for disciplined IT shops. During the introductory phases of implementing vulnerability scans into your environment you should perform a scan of all of your internal, external, and RFC 1918 private addresses. By scanning all of your possible ranges you minimize your chances of missing systems that have not been recorded in your asset inventory or systems that have been added without authorization.
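The check behind commandment #1, as an added example that is not part of the original article: it reports which RFC 1918 space your scan ranges never touched and which live hosts are missing from the asset inventory. The function names and all sample addresses are constructed for illustration.

```python
import ipaddress

# The three RFC 1918 private ranges referred to in commandment #1.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def uncovered_rfc1918(scanned_ranges):
    """Return the RFC 1918 space that no scanned range covers."""
    remaining = list(RFC1918)
    for scanned in map(ipaddress.ip_network, scanned_ranges):
        still_open = []
        for net in remaining:
            if not net.overlaps(scanned):
                still_open.append(net)      # untouched by this scan range
            elif net.subnet_of(scanned):
                continue                    # fully covered, nothing left
            else:
                # The scan range sits inside net: keep the parts around it.
                still_open.extend(net.address_exclude(scanned))
        remaining = still_open
    return [str(n) for n in sorted(ipaddress.collapse_addresses(remaining))]

def reconcile(discovered, inventory):
    """Compare hosts that answered the scan with the asset inventory."""
    found = {ipaddress.ip_address(a) for a in discovered}
    known = {ipaddress.ip_address(a) for a in inventory}
    return {
        # Live on the network but never recorded (possibly unauthorized).
        "unrecorded": [str(a) for a in sorted(found - known)],
        # Recorded but silent: retired, powered off, or filtered.
        "not_seen": [str(a) for a in sorted(known - found)],
    }

# Constructed sample data (192.0.2.0/24 is a documentation range).
SCANNED = ["10.0.0.0/8", "192.168.0.0/17", "192.0.2.0/24"]
DISCOVERED = ["10.1.2.3", "10.1.2.4", "192.0.2.10"]
INVENTORY = ["10.1.2.3", "10.9.9.9", "192.0.2.10"]

if __name__ == "__main__":
    print("RFC 1918 space never scanned:", uncovered_rfc1918(SCANNED))
    print(reconcile(DISCOVERED, INVENTORY))
```
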

#2 – Remember the change control procedures

Vulnerability scanning is important but so is proper change control. It is important to follow disciplined change control processes for every scan so that the activity is properly documented and approved. Following proper change control procedures also helps narrow any negative impact related to a vulnerability scan to a more precise time frame. For the person running the scan, not following established change control procedures could be a legitimate reason for termination.

#3 – You shall attempt to do no harm to thy own network

Performing a vulnerability scan is an inherently risky process. Until you have performed baseline scans and determined how stable your systems are under scanning, a cautious approach should be taken. This involves scaling up the level of the scans gradually while monitoring the systems being scanned for negative impact. Systems experiencing negative impact likely need to be upgraded or added to a scanning exclude list.

#4 – You shall configure your vulnerability scans with proper system credentials

The vulnerability scanning tool must be configured to have adequate system credentials to get the full benefit of the scan. Consult the scan setup documentation provided by your vendor to get help on the needed permissions configuration. If you fail to set up your scans with proper credentials you will get a false sense of security and only be scratching the surface of your potential vulnerabilities.

#5 – Remember thy scan frequency and make it at least monthly

New vulnerabilities are discovered on a daily basis so it is essential to schedule your scans on a recurring basis. It is good practice to define a consistent time period to perform your weekly/monthly scans to simplify change control and troubleshooting if problems occur. Regular scans are also required to validate that needed improvements have been put in place to lower the number of system vulnerabilities.

#6 – You shall not be careless with vulnerability scan information

Reports produced from vulnerability scans should be classified as high risk and access to them should be granted on a need to know basis. These reports contain the detailed information that would-be attackers would love to have to compromise your systems. Do not make their job any easier.

#7 – Do not falsely accuse your system administrators

System administrators need to be partners in the vulnerability remediation process and are essential for validating potential false positives. Stay on friendly terms with them and do not assume the vulnerability scan detail is 100% accurate.

#8 – You shall document your vulnerability scan exclusion list

When a system experiences negative impact from a vulnerability scan you will often need to add the IP address to a scan exclusion list. The decision to exclude a system from the regular scan process should not be taken lightly and should be made visible so management understands the potential risk. Creating an exception process to document these situations and keeping it up to date is a best practice.

#9 – You shall decide what vulnerability severity level to focus and report on

Many of the items detected by vulnerability scanners are more informational in nature and may not require remediation. Decide ahead of time which level of vulnerabilities you will focus and report on. I recommend starting with severe/high level vulnerabilities only and moving down only once those riskier items are under control.
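Commandments #8 and #9 applied to scan output, as an added example that is not part of the original article: one function audits the exclusion register for entries management could not defend, the other cuts findings down to the agreed severity floor. The severity scale, the record fields and all sample data are assumptions constructed for illustration, not any scanner's export format.

```python
from datetime import date

# Assumed severity scale, lowest to highest; map your scanner's levels onto it.
SEVERITY_ORDER = ["info", "low", "medium", "high", "severe"]

def reportable(findings, min_severity="high"):
    """Keep findings at or above the agreed floor, worst first."""
    floor = SEVERITY_ORDER.index(min_severity)
    rank = lambda f: SEVERITY_ORDER.index(f["severity"])
    keep = [f for f in findings if rank(f) >= floor]
    return sorted(keep, key=lambda f: (-rank(f), f["host"]))

def audit_exclusions(exclusions, today):
    """Return {ip: [issues]} for exclusion entries that are not documented."""
    problems = {}
    for entry in exclusions:
        issues = []
        if not entry.get("reason"):
            issues.append("no documented reason")
        if not entry.get("approved_by"):
            issues.append("no management approval")
        review = entry.get("review_by")
        if review is None:
            issues.append("no review date")
        elif review < today:
            issues.append("review overdue")
        if issues:
            problems[entry["ip"]] = issues
    return problems

# Constructed sample data.
FINDINGS = [
    {"host": "10.1.2.3", "severity": "severe", "title": "Unsupported OS"},
    {"host": "10.1.2.4", "severity": "info", "title": "Service banner"},
    {"host": "10.1.2.5", "severity": "high", "title": "Missing patch"},
    {"host": "10.1.2.3", "severity": "medium", "title": "Weak cipher"},
]
EXCLUSIONS = [
    {"ip": "10.1.7.20", "reason": "Legacy controller hangs when scanned",
     "approved_by": "IT director", "review_by": date(2024, 9, 1)},
    {"ip": "10.1.7.21", "reason": "", "approved_by": None,
     "review_by": date(2024, 1, 15)},
]

if __name__ == "__main__":
    for f in reportable(FINDINGS):
        print(f["severity"], f["host"], f["title"])
    print(audit_exclusions(EXCLUSIONS, date(2024, 6, 1)))
```
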

#10 – Do not get frustrated at lack of progress

Implementing a strong vulnerability management process takes time. Do not get discouraged if improvement results are slow to come in the beginning. Stay focused on running a disciplined vulnerability management program and build the needed connections in the IT organization to make the process sustainable.

Have you started your vulnerability management program?