Security and vulnerability assessment: 4 common mistakes

Uncovering problems and fixing gaps can go awry with these blunders. Here are examples of where vulnerability assessments go wrong.

If you're running a robust security program, you're regularly conducting security and vulnerability assessments of both your network and physical environments. But in the quest to uncover security gaps and vulnerabilities, slip-ups are often made that blunt the impact of those efforts.

At this month's CSO40 Security Confab and Awards event in Atlanta, attendees heard from two expert security veterans about best practices for vulnerability assessment.

Roger Johnston is the leader of the Vulnerability Assessment Team at Argonne National Laboratory. He and his team are often charged with finding vulnerabilities in physical security systems. Jerry Walters is Director of Information Security with OhioHealth, a regional not-for-profit hospital network headquartered in Columbus, OH. Walters and his team are responsible for the organization's overall information security program, including risk management, vulnerability management, incident response, governance and compliance.

Johnston and Walters approach vulnerability assessment from different angles, but between them they outline these four common mistakes that security teams make in the assessment process.

Lack of vision

When a team sets out to create a plan for vulnerability testing, no idea, even the most far-fetched, should be off the table, said Johnston.

"I think a big mistake people make is shutting down ideas too early," he said.

That means that during brainstorming and planning sessions, even the wildest, most far-fetched scenarios should be considered.


Johnston said he's observed that creativity is often stifled by the presence of a manager in the room, and by the perception that security is too serious a subject to float wild ideas for testing.

That's a mistake.

"The best ideas come late," said Johnston. "You're doing yourself a disservice if you shut down ideas too early."

Johnston also encourages all security practitioners to "think like the bad guys" if they want to really get at the most serious problems.

Letting compliance get in the way

As a security manager in the health care industry, Walters' work is necessarily tied closely to HIPAA.

"HIPAA is very non-prescriptive. With HIPAA the intent is 'go and do good.' It's left open to interpretation."

As a result, Walters said, there is a lot of speculation in the healthcare industry about what HIPAA requires, as well as ongoing attempts to put more definition around how to apply it.

Johnston noted that compliance laws often wreak more havoc and damage than good. He believes security teams need to push back a certain amount to be effective in vulnerability assessments. At least 30 percent of compliance requirements are bad news, he said.

"For example, there are requirements that guards have to go to their stations at set times during the day -- therefore making it completely predictable when they will be there."

This is the kind of requirement Johnston thinks a team should push back on, because it sets the organization up for more vulnerability rather than less: an adversary who can read the schedule knows exactly when a post is occupied and when it is not.

"As a security professional you have two jobs: compliance and security," said Johnston. "Sometimes they overlap. You have to do what you can to make the overlap. A compliance auditor might be suspicious. If they are, push back. On the other hand, some parts of compliance are worthwhile. Take what you can from the good parts of compliance and run with it. Go above and beyond in the parts you agree with."

Bad reporting

Walters said after many assessments, he's had outside consultancies simply "drop off a three-ring binder full of problems and leave."

This is a perfect example of bad, ineffective reporting.

"We want people to shake the trees," said Walters. "But if the reporting just focuses on the problems, they are not providing answers."

Johnston thinks reporting goes wrong when teams are too harsh about the mistakes they find during an assessment.

"You may well find a lot of mistakes being made. That's OK. Security is hard. But you don't have to fire anyone. Instead of finding people to blame, focus on fixing the mistakes. Also, keep in mind that all risk management is ultimately subjective -- even when you're using numbers. I'm not opposed to assigning numbers, but don't go overboard with assigning them."


Failing to bring what you've learned into the corporate culture

You know what vulnerabilities the assessment uncovered, but do the employees in your organization?

Of course, there may be many findings you can't disclose to them. But what can you share that brings security to the forefront for everyone? How can you invest them in being part of the solution?

"Most regular employees see security as a compliance thing," said Johnston. "They don't see it as something relevant to them. We need to motivate regular employees and answer the question of 'What's in it for me?'"

Johnston suggests a conversation that includes not only lessons learned from the vulnerability assessments, but also examples of headline-making security incidents at other organizations.

"You're trying to build a culture, not a department," he said. "Security is everybody's job. It sounds cliché, but I don't think that resonates in many organizations."

Stories by Joan Goodchild