I hope everyone who had a chance to read my part one blog enjoyed it and picked up a little extra knowledge. As I mentioned, part two is going to focus on the difference between projects and programs, and the two I want to use to illustrate it are Vulnerability Management and Penetration Testing. I know a lot of people blend the two terms together, but there is a real difference: a program is a long-term commitment with recurring milestones that never really ends, while a project has milestones too but a defined start and finish and tends to be much shorter.
The first thing you need to evaluate is your staff. You need to understand the skills everyone on your security team (if you have a security team) has and how you can put that set of skills to use. Once you know the extent of everyone's capabilities, you should agree on the direction the organization is going to move in to start building its security posture. I know there is a hierarchy and that is how decisions get made, but I am a huge supporter of making decisions based on the team's opinion. You are only going to keep moving forward if everyone is on the same page.
A perfect example of a project is a penetration test. I want to start with this one, basically to get it out of the way, because it seems to be the biggest attraction for a lot of the companies I speak with. I get it, you want to see what information could be stolen from you if you experienced a breach. That is a scary thought, huh? You want to see what your business stands to lose, in a controlled environment. A lot of people have zero desire to know that information because they already know it is going to be a disaster. If you have no security practices in your organization, it will absolutely be a disaster. You are asking a vendor to break into your house and you do not even have a back door on your house. I am going to say this one time: IT IS OK TO GET PWNED DURING A TESTING PROJECT. Your whole goal is to make yourself more secure, right? Well, the only way you are going to do that is by taking some punches. With that said, I suggest the pentest goes a little lower on your to-do list until you have other layers of defense inside your environment; a test against an environment with no basic hygiene mostly confirms what you already know.
Cue the program! Are you doing patching? If you said no, you need to make this a top priority on your list right now. Those open holes are the unlocked doors and windows, and your patching program is how you put locks on them. But Jasper, doesn't Patch Tuesday take care of all that for me? It does not take care of everything for you. Patch Tuesday covers Microsoft products; it does nothing for your third-party applications, browsers, network gear, firmware or the misconfigurations a scanner will flag. A Vulnerability Management program is a comprehensive approach to developing a system of practices and processes designed to identify, analyze and address flaws in hardware or software that could serve as attack vectors. There are multiple tools that can help you; a couple of those tools are Qualys and Tenable. I am not going to get into the differences between them, but they are both great options. For starters, you need to understand the tool's functionality and whether your team can properly identify the critical vulnerabilities it reports.
Circling back to the second paragraph, where I mentioned knowing your team's skill set: it is not unusual for your team to struggle with identifying which patches to go after first. Everyone struggles with this task because you are going to have a HUGE report once the scan is done, and sorting it by severity alone does not tell you what an attacker would actually reach first. Bringing in an expert team is recommended. I do not mean hire a handful of people directly, unless you have that capability, in which case do it! Bring in an MSSP that has experience in that specific practice and can work side by side with your current team. The knowledge and value you are going to gain by working with a team that does VM all day is going to grow your internal team's experience level significantly.
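One way to cut that HUGE report down to a short "patch now" list, as an added example that is not from the original post and is not Qualys or Tenable code. The export columns, the sample findings (placeholder IDs F-001 through F-006) and the weighting are all constructed for illustration; the point is that actively exploited and internet-reachable findings on important assets outrank a higher raw CVSS score on an internal printer, and that findings with no patch available get routed to a mitigation list instead of clogging the patch queue.

```python
"""Triage a vulnerability-scan export by risk rather than by raw CVSS.

Added example, not code from the original post or from Qualys/Tenable.
The CSV columns, the sample findings and the weights are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample export shaped like a generic scanner CSV.
# Real exports have many more columns; only the fields the ranking needs
# are modelled here. Finding IDs are placeholders, not real advisories.
SAMPLE_EXPORT = """\
host,asset_tier,internet_facing,finding_id,cvss,known_exploited,patch_available
web01,1,yes,F-001,7.5,yes,yes
web01,1,yes,F-002,9.8,no,yes
db01,1,no,F-003,9.8,no,yes
hr-print,3,no,F-004,9.1,no,yes
hr-print,3,no,F-005,5.3,no,no
jump01,2,yes,F-006,6.5,yes,no
"""


@dataclass(frozen=True)
class Finding:
    host: str
    asset_tier: int          # assumed scale: 1 = crown jewels, 3 = low value
    internet_facing: bool
    finding_id: str
    cvss: float
    known_exploited: bool    # e.g. listed in a known-exploited catalogue
    patch_available: bool


def parse_export(text: str) -> list[Finding]:
    """Read the CSV export into Finding records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Finding(
            host=r["host"],
            asset_tier=int(r["asset_tier"]),
            internet_facing=r["internet_facing"] == "yes",
            finding_id=r["finding_id"],
            cvss=float(r["cvss"]),
            known_exploited=r["known_exploited"] == "yes",
            patch_available=r["patch_available"] == "yes",
        )
        for r in rows
    ]


def risk_score(f: Finding) -> float:
    """CVSS plus context. The weights are assumptions, tune them per org."""
    score = f.cvss
    if f.known_exploited:
        score += 4.0   # something attackers are using today beats theory
    if f.internet_facing:
        score += 3.0   # reachable by anyone is the realistic attack path
    score += {1: 2.0, 2: 1.0}.get(f.asset_tier, 0.0)  # asset importance
    return score


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Highest risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def patch_now(findings: list[Finding], limit: int = 3) -> tuple[list[Finding], list[Finding]]:
    """Split the ranked list into the first `limit` patchable items and
    the findings that need a mitigation (no vendor fix yet)."""
    ranked = prioritize(findings)
    fixable = [f for f in ranked if f.patch_available]
    mitigate = [f for f in ranked if not f.patch_available]
    return fixable[:limit], mitigate


if __name__ == "__main__":
    findings = parse_export(SAMPLE_EXPORT)
    for f in prioritize(findings):
        print(f"{risk_score(f):5.1f}  {f.finding_id}  {f.host}  cvss={f.cvss}")
    top, mit = patch_now(findings)
    print("patch now:", [f.finding_id for f in top])
    print("mitigate: ", [f.finding_id for f in mit])
```

Sorting the same export by CVSS alone would put F-002 and F-003 (both 9.8) at the top and the 7.5 on web01 fourth; with exploitation and exposure weighed in, that 7.5 on an internet-facing tier-1 host becomes the first thing to fix. The weights here are deliberately simple; the MSSP you bring in will have its own scoring, and the value is in agreeing on the factors, not in the exact numbers.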
As budgets get tighter and tighter for organizations, I know you are seeing dollar signs right now, because neither of these two additions is going to be free. Saving money is important, but I think about the scene in Tommy Boy where he is smashing the cars together and the new guy is in the corner puking his guts out, all because the customer wanted to save a couple of bucks on brake pads. I cannot stress this enough: bring in the professionals. Your vendor knows it may not be a lifelong relationship. If your team can do the job on its own after two or three years, then your vendor did the job they should be doing: educating their clients, helping the organization grow and helping secure your critical assets.