Vulnerability Management – Risks, Horror Stories, and How To Avoid Them

Criterion Cybersecurity Event | Las Vegas



Bob Heckman, CIO of Criterion Systems, spoke on a panel at the Nevada IT Symposium in April. The panel's topic was “Vulnerability Management – Risks, Horror Stories, and How to Avoid Them.” According to the National Vulnerability Database, there are more than 7,000 known high-severity vulnerabilities. Realistically, no organization will ever be invulnerable, but there are steps you can take to reduce your exposure to risk.

The panel session participants included a diverse group of IT Security professionals covering multiple areas, each with their own worst-case scenarios, success stories, and lessons learned. The session provided a unique twist in that panelists didn’t discuss what worked or what they are doing, but rather what happened when their vulnerability management strategy DIDN’T work and how they handled it.

What Happens When the Plan Doesn’t Work?

The session began with each panelist recounting a horror story in which, despite the best of planning, they missed a risk they didn't see coming, and how they handled that problem while it was in flight. Participants then discussed the risks of not having a good vulnerability management strategy, how they revisited the threat model behind their “previously well-thought-out plan” and changed their methods to accommodate what they had missed, and the tools and techniques they now use to avoid a repeat.

Currently, the sheer volume and constant evolution of cyber-attacks are daunting for even the most security-conscious IT teams. Defending against them requires an in-depth understanding of organizational risks and vulnerabilities, as well as current threats and the most effective policies and technologies for addressing them. Only by understanding their risks can organizations target limited security dollars to the technologies and strategies that matter most.

A Layered Approach to Vulnerability Management

Part of avoiding risk is knowing what to expect from the business, but not every potential problem is going to be solved by a “direct tech solution.” Panel participants discussed how they deploy vulnerability management in a layered approach to provide defense-in-depth; for example, a centralized vulnerability management function has to work collaboratively with centralized patching and configuration management, since a finding is not closed until the patch is deployed and the baseline updated. Heckman noted that most organizations aren't structured so that every part of a successful vulnerability management program falls within one team's area of operation or control. He went on to describe how many cyberattacks still take advantage of basic, often unnoticed weaknesses, such as poor patch management procedures and weak passwords.

Attendees heard several lessons learned and recommendations from the panel, including:

  • Develop and maintain standard desktop and server configurations
  • Frequently scan and audit the infrastructure
  • Test network devices as part of your vulnerability management program

A successful vulnerability management program is a team effort. Panelists stressed that getting it done requires buy-in and commitment from operations, visibility into what is being found and fixed, and regular meetings between the security and operations teams.

Link Business Strategy to Vulnerability Assessment

The session concluded with panelists describing the key features they expect to enhance their vulnerability management plans in the next six to twelve months. Heckman argued that improving vulnerability management capability has very little to do with technology. Vulnerability scanners typically identify thousands of granular vulnerabilities and rate them by technical severity alone, without taking into account the affected business and its mission-critical processes. They also report the same underlying weakness several times, for example once per affected port or service, each time recommending a separate patch or upgrade, when in reality a single fix would address all of them.

“Ideally, a sound security strategy should tie business impact and an organization’s overall security strategy to the results of a vulnerability assessment, enabling an understanding not only of where true business risks lie, but also of which vulnerabilities should be addressed first and how to address them effectively,” said Heckman. “Getting maximum benefit from a vulnerability scanning infrastructure requires an understanding of your organization’s mission-critical processes and underlying infrastructure and applying that understanding to the results.”

How to Implement a Successful Vulnerability Management Program

The panel left participants with the following recommendations regarding how to implement a successful vulnerability management program:

  • Take an active role
  • Identify and understand your business processes
  • Pinpoint the applications and data that underlie business processes
  • Find hidden data sources
  • Determine what hardware underlies applications and data
  • Map the network infrastructure that connects the hardware
  • Identify which controls are already in place
  • Run vulnerability scans
  • Apply business and technology context to scanner results
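The last step above, and the two scanner shortcomings Heckman described (severity-only ranking, and the same weakness reported several times with a separate fix each time), can be shown concretely. The script below is an added illustration written for this article; it is not code from the panel, the symposium, or Criterion Systems. The scanner findings, the asset inventory, the criticality weights and the control adjustments are all constructed sample data chosen to make the point, not real scan output or a recommended scale.

```python
"""Re-rank raw scanner findings with business and technology context.

Added example for this article (not code from the panel or Criterion Systems).
All data below is constructed: the findings imitate a scanner's per-port
output, the asset table is the "business process -> application -> host"
mapping the panel recommends building, and the weights are hypothetical.
"""
from collections import defaultdict

# Constructed scanner output. Note db01: one outdated library, three findings,
# one fix. Plugin names are made up and are not real vulnerability IDs.
FINDINGS = [
    {"host": "db01",        "plugin": "ssl-lib-outdated-1", "cvss": 7.5, "port": 443,  "fix": "upgrade ssl library"},
    {"host": "db01",        "plugin": "ssl-lib-outdated-1", "cvss": 7.5, "port": 8443, "fix": "upgrade ssl library"},
    {"host": "db01",        "plugin": "ssl-lib-outdated-2", "cvss": 5.3, "port": 443,  "fix": "upgrade ssl library"},
    {"host": "kiosk07",     "plugin": "smb1-enabled",       "cvss": 9.8, "port": 445,  "fix": "disable smbv1"},
    {"host": "web01",       "plugin": "tls-weak-cipher",    "cvss": 4.3, "port": 443,  "fix": "harden tls config"},
    {"host": "srv-unknown", "plugin": "ftp-anon-login",     "cvss": 6.0, "port": 21,   "fix": "disable anonymous ftp"},
]

# Constructed asset inventory: which business process each host supports, how
# critical that process is (1-5), whether the host is internet-exposed, and
# which compensating controls are already in place. srv-unknown is deliberately
# absent: a host the scanner sees but the business mapping does not know.
ASSETS = {
    "db01":    {"process": "order fulfilment",   "criticality": 5, "exposed": False, "controls": []},
    "kiosk07": {"process": "lobby signage",      "criticality": 1, "exposed": False, "controls": ["network-isolated"]},
    "web01":   {"process": "customer checkout",  "criticality": 5, "exposed": True,  "controls": ["waf"]},
}

# Hypothetical weights; an organization would set these from its own risk model.
CRITICALITY_WEIGHT = {1: 1.0, 2: 1.5, 3: 2.0, 4: 3.0, 5: 4.0}
EXPOSED_FACTOR = 1.5                                   # reachable from the internet
CONTROL_FACTOR = {"network-isolated": 0.5, "waf": 0.7}  # existing mitigations
UNMAPPED_ASSET = {"process": "UNMAPPED", "criticality": 3, "exposed": False, "controls": []}


def raw_order(findings):
    """Host order a scanner's severity column alone would give (highest CVSS first)."""
    worst = {}
    for f in findings:
        worst[f["host"]] = max(worst.get(f["host"], 0.0), f["cvss"])
    return sorted(worst, key=worst.get, reverse=True)


def group_by_remediation(findings):
    """Collapse findings that share one host and one fix into a single work item."""
    groups = defaultdict(list)
    for f in findings:
        groups[(f["host"], f["fix"])].append(f)
    items = []
    for (host, fix), rows in groups.items():
        items.append({
            "host": host,
            "fix": fix,
            "max_cvss": max(r["cvss"] for r in rows),
            "finding_count": len(rows),
            "plugins": sorted({r["plugin"] for r in rows}),
        })
    return items


def contextual_score(item, assets):
    """Weight the worst CVSS in the work item by business criticality,
    exposure and compensating controls. Unknown hosts get a default
    weight and are flagged so someone goes and finds out what they are."""
    asset = assets.get(item["host"])
    item["unmapped"] = asset is None
    if asset is None:
        asset = UNMAPPED_ASSET
    score = item["max_cvss"] * CRITICALITY_WEIGHT[asset["criticality"]]
    if asset["exposed"]:
        score *= EXPOSED_FACTOR
    for control in asset["controls"]:
        score *= CONTROL_FACTOR.get(control, 1.0)
    item["process"] = asset["process"]
    return round(score, 2)


def prioritise(findings, assets):
    """Return remediation work items, highest contextual score first."""
    items = group_by_remediation(findings)
    for item in items:
        item["score"] = contextual_score(item, assets)
    return sorted(items, key=lambda it: it["score"], reverse=True)


if __name__ == "__main__":
    print("scanner severity order:", raw_order(FINDINGS))
    for item in prioritise(FINDINGS, ASSETS):
        flag = " (asset not in inventory!)" if item["unmapped"] else ""
        print(f"{item['score']:6.2f}  {item['host']:12} {item['process']:18} "
              f"{item['fix']:22} covers {item['finding_count']} finding(s){flag}")
```

With the sample data, the scanner's own severity column puts the isolated lobby kiosk first because of its 9.8, while the contextual ranking puts the order-fulfilment database first (its three findings collapse into one upgrade), moves the internet-facing checkout server ahead of the kiosk despite its 4.3, and surfaces the host nobody had mapped to a business process. The weights themselves matter less than the fact that the inventory and control data exist to apply them; that inventory is what the preceding steps of the list produce.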