For the first part of this multi-part series on vulnerability management we’re going to take a trip down memory lane. There was a time when I worked retail, and was somewhat decent at it. The one part I hated more than anything was managing the inventory, and the monthly checklists of going through the stock to discover there was an item that was a whopping 95 cents that I had to adjust for. At that point in my life, I knew that retail job was going to be a stepping stone into computers, and I was able to escape.
What the hell?!? The first thing they wanted me to do when I got onto the help desk was to take an inventory of all systems and compare the serial numbers and locations to what we had on site. I thought I was escaping this life, but here I am again with a checklist working a swing shift trying to account for the inventory and making sure no one had walked off with it, or it wasn’t replaced with a different system not accounted for.
Now for the fun fact for the people out there like me that hate doing inventory tasks. It’s really really super duper important when managing enterprise vulnerabilities. If it’s not accurate, the group in charge of managing vulnerabilities is going to have a ton of difficulties, and nothing is ever going to get accomplished in a reasonable amount of time. After having built vulnerability management programs, I have come to respect that inventory management process.
Vulnerability management is a passion of mine, and something that will be a constant topic on this site moving forward. Without properly managing vulnerabilities on the network, Infosec and IT teams (where Infosec is not readily available) end up running in circles, and often have difficulties getting the buy-in necessary to build security functions into their daily operations. They can also end up being seen as crying wolf every time a new major vulnerability drops, and they need to stop everything to run out to get it patched with no metrics on impact and success rates. We’ll get to the tracking part later; we gotta start small…
The upcoming part one of vulnerability management will look at ways to use some scripts and network tools to fingerprint the devices on your networks when you need to, even if you can’t get to the physical location where the equipment is stored. Once we know what we have, we can start looking for ways to keep tabs on them.