Review of Vulnerability Management
By Aby Rao, CISSP, CISA, ITIL, Security+, ISO/IEC 20000
Imagine this: you are a security engineer at a medium-sized company and you are invited into your boss's office for an important one-on-one meeting. Your boss breaks the news that you have been entrusted with starting a company-wide Vulnerability Management program. You start sweating bullets; this is exactly the time to pick up a copy of Vulnerability Management by Park Foreman, published by CRC Press. This book is a well-balanced union of management, technology, people and process. Other than Vulnerability Management for Dummies, there is no other book that provides insight into this domain of security management.
The book starts off with an introductory chapter on Vulnerability Management (VM), its role and its origins. Like any other IT function, VM can have flaws, and these are highlighted in the opening chapter. Usually after an introductory chapter, technical books dive right into the topic, but this book takes a different approach. The second chapter, Vulnerability Experience, is an excellent addition. It presents two well-developed case studies of failed VM programs. Every organization is different and has its own set of challenges, but these two case studies present highly plausible situations that security professionals often encounter. I would love to see more books include "experience" stories, which make the topic much more relatable. The strength of any VM program lies in the ability of its operational and contributing team members to understand business needs and then apply policies to safeguard their infrastructure and assets. Chapter 3 briefly discusses how VM can be a combination of science and art.
There is no doubt that a major and critical component of effective VM is a firm understanding of the technology and of the choices you make. Chapter 4 starts off with the architectural knowledge one needs before making those decisions. People who have been in the information security field for some time may find this discussion too familiar, but it never hurts to have a quick re-read. For the most part, the author has kept the book independent of any vendor or product endorsements, except for his discussion of Nessus. Nessus is a widely deployed vulnerability scanner used by big and small organizations alike (it began as an open-source project but has been a proprietary product since version 3). There is always a risk in discussing a specific product in a book, but the author took the bold step of presenting the product and its benefits. I would have liked to see a table of several products and technologies, each with a quick introduction followed by a URL for future reference.

Managers will appreciate Chapter 5 because it deals with decision-making. Occasionally, the book will also impress mathematically savvy professionals. I see this book as more of a practitioner's guide, so I did not care much to follow the mathematical explanation behind scoring the Adjusted Impact value (Chapter 4) or Risk (Chapter 5). I will leave that to the risk assessment professionals to savor. As the author reminds us in Chapter 6, VM is a process, not a technology. Many professionals get this wrong, so the reminder is valuable. Although Chapter 7 is titled Process, it is really about process and risk assessment. The first half of the chapter covers standard processes already practiced in the industry, such as ITIL and IAVA. I was surprised not to see any mention of ISO standards, such as ISO/IEC 20000 or the ISO 27000 series. More detail on risk evaluation approaches, such as OCTAVE or CRAMM, would also have strengthened this section of the chapter. Chapter 7 then acquaints us with the various types of vulnerability reports.
These reports enable management and other personnel not only to make decisions, but also to plan their strategy for a stronger and more secure environment. The last two chapters are excellent primers on planning and strategy management. Strategic VM enables risk management in an ever-changing environment, and executive management will take it seriously only if its connection to the financial health of the organization is shown.
Chapter 8 brings to attention the various aspects of planning and the clear communication expected from team members. Since the chapter is all about planning, I felt its placement was questionable: it should have come earlier in the book, before we get into the nitty-gritty of the VM process. The last chapter, entitled Summary, discusses VM as a discipline and its positioning within the organization. In section 10.2, the author debates whether VM should be a subset of Compliance Management, Risk Management or perhaps Configuration Management. He then returns to the question in section 10.3.2 and adds that Patch Management is the best home for VM. Section 10.3.2 could easily have been merged into 10.2. In my opinion, a summary as a chapter in itself is not really justified; its content could have been broken into smaller pieces and merged with the other chapters.
The value of VM is hard to measure until a major breach takes place and leaves the organization in a compromised state. A strong VM program needs a tremendous amount of foresight, planning, management and collaboration between the groups within an organization. The next time anyone debates or questions the need for a VM program, just give them a copy of this book as a gift.