These principles and checklist are intended to be used as a high-level self-assessment to determine the capability and maturity of a vulnerability management (including patching) function for organisations connected to the WA SOC. Note that this excludes the Governance, Risk and Compliance (GRC) roles and focuses primarily on the operational Identify and Protect capabilities under the WA Cyber Security Policy (and takes into consideration the oversight capabilities available to entities in scope of the WA SOC).
The UK NCSC's excellent Vulnerability management guidance lays out five principles intended to help organisations establish an effective vulnerability management process:
- Put in place a policy to update by default: Apply updates as soon as possible, and ideally automatically, in line with our best-practice timescales.
- Identify your assets: Understanding what systems and software you have on your technical estate, who is responsible for what, and which vulnerabilities are present.
- Carry out assessments by triaging and prioritising: If updating to the latest version of the affected software doesn’t fix the reported vulnerability or misconfiguration, or there isn’t an update to address the issue yet, you will need a process to triage and prioritise.
- The organisation must own the risks of not updating: There may sometimes be legitimate reasons not to update. The decision not to is a senior-level risk decision, and should be considered in the wider context of organisational risk management policy and practice.
- Verify and regularly review your vulnerability management process: Your vulnerability management process should always be evolving to keep pace with changes in your organisation’s estate, new threats or new vulnerabilities.
The links embedded in the checklist below are to recommended approaches that can be used for implementation; however, any equivalent capability is suitable as long as the organisation is able to maintain an up-to-date asset database with a full inventory of devices, resources (compute, storage, network), software and code repositories in use.
<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/PzX8NLPaxNk?si=rNT0sT5Hj4E_3cJS" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

- Automate asset discovery
  - Validate internet-facing asset ownership and daily discovery with the WA SOC.
  - Implement fortnightly asset fingerprinting and discovery across all network-connected devices. Use an approach like fragile device scans for scanning Operational Technology (OT) or across fragile networks.
    - IVRE (GPL-3.0 license, self-hosted) and runZero (commercial) are high-performance asset discovery and fingerprinting platforms that can scan the full IPv4 address space on a weekly basis.
    - The WA Government Vulnerability Scanning Platform has Discovery Scans available; however, these need scoping to subnets for performance.
    - IT Asset Management tools like LANsweeper, Virima, and Device42 are capable of automating regular discovery actions, though they have limitations when inventorying unmanaged devices.
- Implement daily active Web & Basic Network Scans across internet-facing assets.
- Implement Cloud Security Posture Management (CSPM) to inventory and assess all public cloud resources.
- Implement weekly active Basic Network Scans and Basic Agent Scans towards all assets on enterprise IT networks.
- Ensure all excluded devices and networks have effective compensating controls as per ACSC's Guidance for Managing the Risks of Legacy ICT.
- Assign all discovered assets to Maintenance Groups as outlined in NIST Special Publication 800-40r4 (Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology).
- Implement Patch Management following Assessing Security Vulnerabilities and Applying Patches:
  - internet-facing services: within two weeks, or within 48 hours if an exploit exists
  - workstations, servers, network devices and other network-connected devices: within one month
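As an added example that is not part of this checklist or of any WA SOC tooling, the following Python script applies three of the checks above to constructed sample data: it flags discovered devices that have no asset inventory record (and therefore no owner), inventory entries that have not been re-discovered within the fortnightly cadence, and findings that are past the patch timeframes (two weeks for internet-facing services, 48 hours if an exploit exists, one month for everything else). The inventory, discovery export and findings are constructed inline; the CVE identifiers are placeholders; "one month" is taken as 30 days; and an asset with a finding but no inventory record is assumed internet-facing so that the strictest timeframe applies until someone claims it. All of these are assumptions made for the example, not rules from the page.

```python
from datetime import datetime, timedelta

# Constructed sample data, not real WA SOC or organisational records.
# Asset inventory: what the organisation believes it owns. "internet_facing"
# selects which patch timeframe applies; "last_discovered" feeds the cadence check.
INVENTORY = {
    "web-01": {"owner": "Digital Services", "internet_facing": True,  "last_discovered": "2024-05-01"},
    "db-01":  {"owner": "Platforms",        "internet_facing": False, "last_discovered": "2024-04-10"},
    "hr-app": {"owner": "Corporate",        "internet_facing": True,  "last_discovered": "2024-05-02"},
}

# Constructed discovery-scan output, e.g. an export from an asset discovery tool.
DISCOVERED = ["web-01", "db-01", "hr-app", "printer-7"]

# Constructed vulnerability findings. The "cve" values are placeholders, not real advisories.
FINDINGS = [
    {"asset": "web-01",    "cve": "CVE-PLACEHOLDER-1", "exploit_available": True,  "detected": "2024-04-28"},
    {"asset": "hr-app",    "cve": "CVE-PLACEHOLDER-2", "exploit_available": False, "detected": "2024-04-20"},
    {"asset": "db-01",     "cve": "CVE-PLACEHOLDER-3", "exploit_available": True,  "detected": "2024-03-25"},
    {"asset": "db-01",     "cve": "CVE-PLACEHOLDER-4", "exploit_available": False, "detected": "2024-04-25"},
    {"asset": "printer-7", "cve": "CVE-PLACEHOLDER-5", "exploit_available": False, "detected": "2024-04-30"},
]

# Checklist cadence: fortnightly fingerprinting and discovery of every network-connected device.
DISCOVERY_CADENCE = timedelta(days=14)
# "Within one month" is treated as 30 days here (an assumption; the checklist gives no day count).
ONE_MONTH = timedelta(days=30)


def parse(day):
    """Parse an ISO date string into a datetime at midnight."""
    return datetime.strptime(day, "%Y-%m-%d")


def patch_deadline(detected, internet_facing, exploit_available):
    """Remediation deadline under the checklist timeframes: internet-facing services get
    two weeks, or 48 hours if an exploit exists; everything else gets one month."""
    if internet_facing:
        return detected + (timedelta(hours=48) if exploit_available else timedelta(weeks=2))
    return detected + ONE_MONTH


def unknown_assets(discovered, inventory):
    """Discovered devices with no inventory record: nobody owns them, so nobody patches them."""
    return sorted(a for a in discovered if a not in inventory)


def stale_assets(inventory, today):
    """Inventory entries not re-discovered within the fortnightly cadence."""
    return sorted(name for name, rec in inventory.items()
                  if today - parse(rec["last_discovered"]) > DISCOVERY_CADENCE)


def overdue_findings(findings, inventory, today):
    """Findings past their deadline, as (asset, cve, days_overdue), worst first.
    An asset missing from the inventory is assumed internet-facing so that the
    strictest timeframe applies until someone claims it."""
    overdue = []
    for f in findings:
        rec = inventory.get(f["asset"])
        facing = rec["internet_facing"] if rec else True
        deadline = patch_deadline(parse(f["detected"]), facing, f["exploit_available"])
        late = (today - deadline).days
        if late > 0:
            overdue.append((f["asset"], f["cve"], late))
    return sorted(overdue, key=lambda row: -row[2])


if __name__ == "__main__":
    today = parse("2024-05-03")  # fixed "today" so the constructed data gives stable results
    print("unknown assets:", unknown_assets(DISCOVERED, INVENTORY))
    print("stale discovery:", stale_assets(INVENTORY, today))
    for asset, cve, late in overdue_findings(FINDINGS, INVENTORY, today):
        print(f"OVERDUE {asset} {cve}: {late} day(s) past deadline")
```

Note that the internal database host's finding with a public exploit still gets the one-month timeframe, because the 48-hour rule in the checklist applies only to internet-facing services; an organisation that wants a tighter internal timeframe for exploited vulnerabilities would change `patch_deadline`, not the data. Replacing the three constructed tables with exports from the organisation's inventory, discovery and scanning tools turns this into a daily report.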
The WA SOC makes available a Tenable-based vulnerability scanning platform as a straightforward way to implement ongoing posture scanning and maintenance in a coordinated manner. Usage of this platform also improves the threat monitoring and remediation assistance available to the sector.