| Tech Talk |
Exposing the Roles: How the Vulnerability Lifecycle Impacts You
Vulnerabilities can affect an organization in numerous ways throughout their lifecycle. An IT department can be touched from top to bottom by a vulnerability, affecting all levels of responsibility in different ways.
Your IT organization can benefit in all of its core efforts by better understanding how a vulnerability emerges, which systems a vulnerability can affect, and what steps are necessary to remediate each type of vulnerability. Knowing which vulnerabilities put your organization most at risk, and how they impact your efforts to remediate them, can inform your planning, budgeting, architecting, and even help desk operations.
To further examine how the vulnerability lifecycle affects various roles in an IT infrastructure, below is a description of various positions and their relationship to the vulnerability lifecycle.
CIO/CSO/Director of IT
As the top position in an IT department, persons in this role are in charge of vision and direction. They coordinate planning and budgeting, and are the ones the entire organization looks to for information on how IT affects business processes.
Over the past few years, vulnerabilities have become an increasingly important topic in relation to business operations. Business continuity planning, remediation management, and vulnerability risk management have all become high priority IT projects of late, and the vulnerability lifecycle affects all of them. Determining overall costs of implementing a proactive security plan in relation to the cost of being caught without a plan is a common priority.
For the CIO or IT director, the actual technical details of a vulnerability will usually take second chair to the process of risk management. Finding out as soon as possible when new vulnerabilities surface gives a director more time to plan a targeted remediation. Knowing which systems are affected, and which are the most exposed, allows him to prioritize resources to remediate the most important business assets first, reducing the overall risk exposure.
Network and Systems Architects
The person in this position designs the systems and networks a company uses to do business. Knowledge of the vulnerability lifecycle can help an architect plan redundancies and provision systems and networks to be more resilient in the face of an attack.
Proactively designing a network that can be segmented in the event of a vulnerability outbreak, or configuring a server that can defend itself against attacks, can greatly reduce the effect of an attack on any network. Incorporating security into all system architecture tasks prevents having to play catch-up when threats are at their worst.
Technical details mean much more at this level of responsibility, as these are the engineers designated to create the plans for remediation and keep upper management advised of security developments. Obtaining relevant technical information significantly helps in the remediation planning phase. The higher the quality of information received, about both the current state of the organization's systems and the overall exposure risk, the more effective a plan can be. Whether an architect is updating an IDS system, or working with a remediation management suite, accurate technical details at this level are of the utmost importance.
Network and Server Administrators
Persons in this role maintain the day-to-day operations of an organization’s network and core business servers. They deal with monitoring capacity, backups, and normal operations of the servers. These are the employees called when something goes down, and they have a Swiss Army knife of skills and tools to help get things done efficiently.
The vulnerability lifecycle affects this position perhaps most of all. Administrators are the ones who will be called if a server goes down due to a vulnerability, or if a network gets very slow due to a worm attack. They are in a position to gather actual details from servers and networks, and to feed that information up the chain. Often, because they are so close to the networks and systems, they are the first to know when something goes awry.
Although network administrators may not be the ones making the plans, it typically falls on them to implement them. Clear, concise information and effective tools are vital to their success.
As you can see, the person in each role in an IT infrastructure should understand their part in vulnerability management, and how it affects the organization's business. Knowledge about an organization's IT infrastructure, and information about how vulnerabilities can affect, and sometimes are affecting, its networks is critical for approving, designing, and implementing a plan for securing the enterprise. Tools that provide accurate information, and that play an integral role in a well-planned vulnerability management process, help maintain overall security.
Next month, we will examine some technologies that can help an organization manage risk across the lifecycle of vulnerabilities. |
| News & Articles |
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.
Westwood Press: Why Do Hackers Hack?
"Suppose for a moment that a complete stranger walks up to you, stares you right in the eye, and says, 'I'm taking your name and everything you have;' then turns and walks away without another word. What would you do? The person has gone. The threat has been made. It couldn't have been serious. Maybe you just imagined it. Maybe you didn't."
Network World: IPS Gaining Ground Over IDS
"IT security managers say the dangers posed by computer worms and hacker attacks have compelled them to shift defenses from passively monitoring their networks to actively blocking attacks, even though legitimate traffic sometimes gets blocked."
News.com: Payroll Firm Pulls Web Services, Citing Data Leak
"Service provider PayMaxx shuttered additional parts of its online payroll site this week, after a Web programmer continued to find holes in the system." |
| Reader Q&A |
Q: What is "promiscuous mode" and what does it mean to security?
A: When a network interface card (NIC) reads all network traffic, rather than just the traffic destined for its machine, the NIC is said to be in promiscuous mode. Most network cards will never need to be in promiscuous mode; however, some tools do require it. A network sniffer uses this mode on the NIC so that it can see and capture all network traffic going through. Often, network security related tools use this feature as well.
Non-promiscuous mode, in contrast, means that the network card will not read any network traffic that does not concern itself. This is the normal mode of operation for most NICs. This also means that a sniffer will not be able to capture network traffic in its entirety.
This affects security, as hosts in promiscuous mode could be used to gather information destined for other machines on the network. This includes passwords and other sensitive data.
To reduce your risk, your network should be designed to be "switched", which limits the traffic sent to each machine to only the traffic it is supposed to have. In addition, your network switches should support MAC layer security, to prevent common attacks against switches. Finally, you may want to try a tool such as Antisniff, which uses detection methods to attempt to locate unauthorized sniffers on your network.
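The local side of the sniffer hunt described above can be checked per host. The sketch below is an added example, not part of the original newsletter or any eEye tool: it assumes a Linux host, where each interface's flags are exposed as a hex value in /sys/class/net/<iface>/flags and bit 0x100 is IFF_PROMISC. The function names, the `mon0` sensor interface and the sample values are hypothetical.

```python
import os

IFF_PROMISC = 0x100  # Linux IFF_PROMISC bit from <linux/if.h>


def read_sysfs_flags(root="/sys/class/net"):
    """Return {interface: raw flags string} from a Linux sysfs tree."""
    flags = {}
    if not os.path.isdir(root):
        return flags  # not a Linux host, or sysfs not mounted
    for iface in sorted(os.listdir(root)):
        try:
            with open(os.path.join(root, iface, "flags")) as fh:
                flags[iface] = fh.read().strip()
        except OSError:
            continue  # entry without a readable flags file
    return flags


def audit_promisc(flags_by_iface, authorized=()):
    """Classify interfaces: normal, authorized, unauthorized, unparseable."""
    report = {}
    for iface, raw in flags_by_iface.items():
        try:
            value = int(raw, 16)
        except ValueError:
            report[iface] = "unparseable"
            continue
        if not value & IFF_PROMISC:
            report[iface] = "normal"
        elif iface in authorized:
            report[iface] = "authorized"    # e.g. a sanctioned IDS sensor port
        else:
            report[iface] = "unauthorized"  # promiscuous with no approval on file
    return report


# Constructed sample values, not captured from a real host.
SAMPLE = {"lo": "0x9", "eth0": "0x1103", "eth1": "0x1003", "mon0": "0x1103"}

if __name__ == "__main__":
    live = read_sysfs_flags() or SAMPLE  # fall back to the sample off-Linux
    for iface, status in audit_promisc(live, authorized={"mon0"}).items():
        print(f"{iface}: {status}")
```

This only reports on the host it runs on, so it complements rather than replaces network-wide detection and a switched design.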
Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter. |
| Announcements |
eEye Alerts Enterprises of Microsoft NT 4.0 Vulnerability
eEye alerted its customers and security administrators worldwide of a vulnerability within Microsoft's NT 4.0 Operating System (OS).
eEye Announces Retina 5.2 with Advanced Audits for Linux, UNIX and More
eEye announced the latest version of its industry-leading Retina Network Security Scanner – Retina 5.2. Available as a standalone solution or as part of the Retina Enterprise Suite, Retina 5.2 is one of the first in the industry to provide security and IT professionals with a more in-depth view of the Linux, UNIX and other non-Windows devices on their network.
eEye Announces Availability of Free Vulnerability Scanner Following Discovery of Exploit Code for Critical CA Vulnerabilities
This free vulnerability scanner, which is based on eEye's industry-leading Retina Network Security Scanner, is designed to identify machines vulnerable to attack due to the critical security flaws discovered within Computer Associates' (NYSE:CA) License Management software Wednesday, March 2, 2005. Since that announcement, verified exploit code has been discovered, providing a point of entry for any worm and/or virus designed to take advantage of CA's vulnerabilities.
Core Security Technologies and eEye Work Together to Eliminate Security Threats
Core Security Technologies, provider of CORE IMPACT, the first-to-market penetration testing product for assessing specific information security risks, and eEye today announced the integration of their products, CORE IMPACT and Retina® Network Security Scanner. This effort will help customers better secure their networks by enabling them to seamlessly integrate their vulnerability scanning and penetration testing activities. |
| Etcetera |
Washington Post: Creaky Operating Systems Show Their Age
A program can't ever really die, but it can get old. Very old. This is a paradox millions of computer users are living with.
Associated Press: Auditors Find IRS Workers Prone to Hackers
More than one-third of Internal Revenue Service employees and managers who were contacted by Treasury Department inspectors posing as computer technicians provided their computer login and changed their password. |