Question

The Executive Board approved your Security Program Charter.
Based on your research for Unit 2:
Draft the CISO’s threat and vulnerability control plan.
To set the stage for the document and provide the reader an understanding of its purpose, begin with an introduction that describes a recent major computer security incident.
Explain the various control strategies such as detection and prevention and explain how each will be used.
Provide insight into some of the methods and tools that will be used to address threats and reduce vulnerabilities to PCS information system assets.

Answer 1

In the information security space, a vulnerability is a weakness in which it allows an attacker to reduce a systems information assurance. It is the intersection of three elements – a system susceptibility or flow, attacker access to the flow, and attacker capability to exploit the flow. In order to exploit a vulnerability, an attacker can use various tools or techniques to connect to a system weakness and it’s also known as attack surface. A threat is a communicated intent to inflict harm or loss to the information system and it is considered an act of coercion.
Most recent attacks exploit known vulnerabilities for which a patch or mitigating control was available. This makes vulnerability management a strategic component of any advanced threat defense strategy, providing benefits at multiple layers of a defense-in-depth security architecture.
Attacks launched at the beginning of this year against organizations in North America involved a zero-day privilege escalation vulnerability affecting windows. Researchers found the attackers first compromised the targeted system and achieved remote code execution via the malicious documents attached to spear-phishing emails, and then they used the CVE-2016-0167 exploit to run the code with system privileges.
ALSO ON CSO How to respond to ransomware threats
Verizon Data Breach Q1 2016 Report shows that the threat actors exploited an easily identified vulnerability in the payment application, leading to the compromise of customer PII and payment information. Hackers are consistently looking for vulnerabilities that they can exploit to gain access to corporate networks and systems, financial data and more.
Organizations acquire capital funds and purchase the latest and greatest threat and vulnerability mitigation strategy by investing thousands of dollars; unfortunately, a strategic plan to move forward and maintain the new technology are often overlooked. This results in new technology providing a false sense of security as operating budgets do not take into account the time to support, maintain and operate the new technology – thus it becomes ineffective and leaves platform with open holes. Threat actors have the upper hand when technology is not maintained and they develop ways to circumvent how it works and its weaknesses. Cloud, mobile and IoT require an innovative and different approach to assess vulnerabilities than the traditional windows and Linux servers and workstations required.
Today, most IT managers try to find the answer to the question “We have found 500 vulnerabilities and can fix 300 of them quickly. So how to prioritize which one to fix first and then next?” Threat and vulnerability management is a tedious and time consuming manual process that most of the enterprises use, and require business context in order to implement the remediation plan. Enterprises need to design a solution to support vulnerability life cycle management providing automated workflow, reporting and collaboration capabilities.
At the same time required coordination and planning with business owners is necessary in order to minimize the impact to the service availability and downtime. Security engineering teams at times spend lot of time planning, deploying and testing the vulnerability patching in non-production environment before applying the patches to the production environment because businesses don’t want any service interruption that would impact revenue.
Threat and vulnerability management is a process of identifying, analyzing, modeling, simulating the potential impact and risk thereby planning to remediate security threats and weaknesses. The program could covered:

• Asset inventory management
• Vulnerability scanning
• Vulnerability assessment and analysis
• Vulnerability remediation and mitigation planning
• Risk and threat modeling and impact analysis
• Penetration testing

Threat and vulnerability management program managers need to deliver effective vulnerability management for traditional and emerging technologies in growing, perimeter-less IT environments including mobility, cloud and IoT. To ensure a successful vulnerability management program, security leaders need to verify the effectiveness of their threat and vulnerability management efforts and align these with business context and objectives. Assessing the impact of potential threats to evaluate their risk will become a primary tool in managing the large volume of vulnerabilities that enterprises need to detect and remediate on an ongoing basis in order to prevent the cyber advisories and data breaches.
Vulnerability management is critical within any organization to identify, classify, re-mediate, and mitigate any vulnerabilities. Organizations that set up effective vulnerability management programs take a proactive and preemptive approach for the safety of their applications, software and networks and are significantly safer from data breaches and theft.
Technical blind spots certainly present major information security challenges to CISOs and their teams, as the complexities of monitoring encrypted traffic and updating SAP software and other legacy applications can be daunting tasks. But there are other cybersecurity blind spots that involve more amorphous and less technical concepts such as enterprise risks. Several cybersecurity experts and CISOs offered insight into some of the hidden risks and vulnerabilities they've discovered, as well as some of the more persistent and growing threats to enterprise security.
For CISOs now wondering what they might be missing, experts suggest focusing on the fact that the CEO and board of directors will want to know where and how the company is positioned in comparison to leading standards, such as NIST or ISO, and what the company's level of security maturity is. They will also want to see that CISOs have developed a roadmap to address any security gaps uncovered.
In order for the above objectives to be met by the Vulnerability Management Program, a CISO needs to ensure that it meets the following Top 10 requirements:
1. Maintain an Updated IT Assets Inventory and Categorize it by Business Risks
Most companies lack sufficient insight into the number of information assets that are critical to running their business. It is imperative that an organization’s IT assets are enrolled into the Vulnerability Management Program. IT assets can include in-house managed assets, third-party assets used for business processes, and assets on the private/public cloud used to conduct businesses. Business owners, along with their security team, should assign risk to these IT assets depending on the critical areas they support in the business value chain. The risk value can be determined on the basis of business value, sensitive information or the transactions that are supported or handled by the IT asset.
2. Prioritize Security Assessments on the Basis of Risk
Once IT assets have been enrolled and assigned risk values, it becomes easier to prioritize security assessments. Make effective use of automated and manual assessments on your IT assets depending on the risk value assigned to them. For example, for a high risk asset, a more detailed assessment with manual expert security testing can be designated, whereas for a low risk asset, a general vulnerability scan for compliance can be carried out. This type of approach towards security assessments can help while collaborating with business owners to schedule security assessments. Critical assets can undergo continuous assessments on a weekly or monthly basis, whereas others can follow a less periodic schedule of assessments.
3. Engage IT Teams in a Continuous Security Assessment Plan
IT teams need to be sensitized about the need for integrating security assessments to their build–deploy cycles. Once the schedule of assessments is decided, the engaging IT teams have to ensure that all of the necessary assets are ready and configured for assessments. This is a key requirement for the success of a vulnerability management program.
4. Maintain Updated Security Baselines
In order to improve the overall IT security posture, the vulnerability management program should be guided by secure baselines/standards against which assessments should be carried out. These baselines should be created for different asset types and can be further categorized into mandatory, important and optional standards.
5. Map Baselines with Compliance Requirements
Ensure that baselines map to compliance requirements of the business, for example, PCI for payment card data handling. This will help ensure that adhering to security baselines or standards automatically helps in compliance with global standards.
6. Empower IT Teams with Security Training
Once the vulnerabilities have been identified, the IT team needs to mitigate the risks on the IT assets. Training IT teams in secure baselines and secure-coding guidelines goes a long way in ensuring that vulnerabilities are mitigated faster.
7. Adopt a Risk-Based Mitigation Strategy
The derived risk values of the IT assets will help in determining the controls that have to be applied for mitigating the risks on the IT assets. Do you use advanced two-factor authentication systems or complex passwords? This will be determined by the type of asset that has to be protected.
8. Integrate Mitigation Tracking into the VM Program
Maintain a system, such as an MIS system, to track the mitigation of vulnerability classes and asset types. This system can help you determine the progress of mitigations, how classes of vulnerabilities are being mitigated and how soon. Assigning mitigation tasks to specific teams or IT owners and integrating them with bug-tracking systems is also something that proves beneficial to the success of a vulnerability management program.
9. Define, Measure and Review the Metrics for the VM Program
Determine whether the program is on track to assess all the enrolled IT assets. Determine whether your vulnerabilities are being addressed or risks are being mitigated with the progress of time. Measure the time taken to acquire new assets or asset components. Measure the time taken to go live for critical business applications. These metrics would give you better visibility of the security issues affecting your IT assets. Intelligence gained can be used to further fine-tune your vulnerability management program, drive specific trainings, and develop better IT security standards.
10. Centralized Visibility of the Entire Vulnerability Management Program
Finally, all stakeholders of the vulnerability management program should have a unified view of the current status of the vulnerability management program. A centralized dashboard can serve this purpose by providing views of the assessment schedule across all assets, the most critical vulnerabilities that need immediate attention, and the departments with the highest/lowest number of vulnerable assets.

Technical blind spots certainly present major information security challenges to CISOs and their teams, as the complexities of monitoring encrypted traffic and updating SAP software and other legacy applications can be daunting tasks. But there are other cybersecurity blind spots that involve more amorphous and less technical concepts such as enterprise risks. Several cybersecurity experts and CISOs offered insight into some of the hidden risks and vulnerabilities they've discovered, as well as some of the more persistent and growing threats to enterprise security.
For CISOs now wondering what they might be missing, experts suggest focusing on the fact that the CEO and board of directors will want to know where and how the company is positioned in comparison to leading standards, such as NIST or ISO, and what the company's level of security maturity is. They will also want to see that CISOs have developed a roadmap to address any security gaps uncovered.