One of the greatest challenges in security is getting the right information so that educated decisions can be made. It happens across many facets of security such as network monitoring, incident response, and user training. However, there's one (big) exception: security assessments. Assuming you're using the proper tools and reasonable methodologies to uncover your network security weaknesses, you have everything you need at your disposal. You have the vulnerabilities, the attack vectors, the systems affected, and even what's required to resolve the issues.
Yet, still, time after time we hear of vulnerabilities that go unresolved. It's discouraging to me, as a consultant, to see this. You know the ones: the vulnerabilities that were in last quarter's – or last year's – assessment and are showing up again today. I see this issue all the time. Unless management is willing to defend why known vulnerabilities remain unresolved, you have to have a plan of action after each assessment. Second only to actually mitigating the flaws, developing a specific plan should be a top priority.
Everyone's approach and needs are unique, but there are certain aspects to getting things done that apply across the board including:
- What has been uncovered?
- How does each finding affect the business?
- Where do we truly need to focus our efforts? (tip: it should be on the most urgent flaws on your most important systems)
- Are there certain findings that we can take off the table completely?
- Who can resolve each issue in the short term?
- Who – or what – else needs to be involved to help prevent this issue from reoccurring?
Once you have this information, ask yourself: What's next? What's after that? And, what do we need to do now? Keep repeating this over and over until you get done what needs to be done.
Well-respected business executive Jack Welch of GE once said, "An organization's ability to learn, and translate that learning into action rapidly, is the ultimate competitive business advantage." You can't un-acknowledge security vulnerabilities. They're there. They've called attention to themselves. You know what needs to be done.
Don't try to solve the security issues you uncover at a mere technical level, on your own. Go up a few steps and look at security management, business operations, and related issues that are the root causes. Then vow to do what it takes to make changes. Many people will try to wish such security issues away. Others will find every excuse in the book as to why it's not possible to fix them. Don't take those paths. We've seen where they end up. Let discipline and common sense lead the way instead.