“So You Like Pain and Vulnerability Management?”

Executive Summary:

You will never catch up when you try to do security through patch management. The unknown vulnerabilities are, by their nature, unknown. And the zero-day vulnerabilities will always be irritatingly one day ahead of your malware detection.

Instead, understand and implement proper operational controls.

See the full article at
http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/

Discussion:

Substantial changes usually have to happen in the context of paradigm shifts. That’s just a fancy way of saying that we do things differently when we change the way we think about them.

Consider, for instance, the SANS list of Critical Security Controls. Find it at
https://www.sans.org/critical-security-controls/

It’s a long list of directly applicable areas of operation. They’re talking about controlling things like boundaries, and data protection, and inventories of systems and software. Okay, but this is the starting point of hamster-wheel madness. You will never patch your way to security, for one example. You will ALWAYS be a day behind the zero-day vulnerabilities.

Consider, in contrast, the OSSTMM controls. There’s a good outline at
http://midnightresearch.com/wiki/index.php?title=OSSTMM&redirect=no

This is a very different list of controls: Authentication, Indemnification, Subjugation… Hey, wait, this is totally different stuff!

Exactly. The OSSTMM, which is described in some good detail at the link above, is about a whole different way of thinking. There is a good example of its application at
http://www.infosecisland.com/blogview/17011-Broken-Trust-Part-2-Applying-the-Approach-to-Dropbox.html

The gist is that you cannot patch Dropbox to security; and if you apply the right analytics to it, it may not look attractive for doing much more than sharing recipes. But that’s another story.

Let me simply suggest to my friends and security practitioners that it’s going to be worth your while to study this in more depth. Because the OSSTMM is about an entirely different vision of security, one that costs less, works better and doesn’t put you in the hamster wheel. Those are good things.

* * *