Mike Berard - eSecurityOnline
A Vulnerability Management Maturity Mode
Apr 17, 2002
AbstractThe Vulnerability Management Maturity Model (VM3) reviews security knowledge, deployment and accountability, and the fact that vulnerabilities are not just technical in nature. Vulnerabilities also include people and process failures. While most security professionals understand technical vulnerabilities (i.e., operating systems exposures, Trojan horses, etc.) and develop a security strategy and methods to address them. This is just the first step to a mature security. The people and process aspect of vulnerabilities is just as important.
This first stage of the Vulnerability Management Maturity Model deals with how effectively companies can obtain the security information they need. In most cases, security knowledge is obtained from very diverse sources. Hacker alerts, in particular, are a common part of many publicly and commercially available Internet list services. Knowledge that is available for general distribution is not in a form that can be deployed in an enterprise environment. In addition to technical vulnerability information, proper configuration standards need to be addressed and developed. Most companies have adequate technical resources to manage their protecting systems (i.e., firewalls, IDs, etc.), but how do you extend that knowledge to the serving systems (mail servers, Web servers, etc.) with multiple operating systems and complex architectures that support business critical applications?
Good knowledge is a great starting point for managing risks exposed by misconfiguration of systems, the existence of inappropriate code or absence of policies that govern people and their behavior. However, without a responsive, repeatable deployment process, getting adequate coverage by having good knowledge becomes infeasible. The VM3 contends that good knowledge without execution is only slightly better than no knowledge at all.
The ability to track what changes have been made to computer systems and determine if an employee has read and acknowledged a policy is step one in the accountability stage. The extension of governance to include an entire critical infrastructure, made possible by the feasibility of an automated engine, is step two. The final step involves measuring compliance to the process by conducting reviews of actual systems to ensure a correlation of the results of discovery process with the actual system inventory.