The article I read was title Vulnerability Management Technique: Managing Asset Exclusion to Avoid Blind Spots. The article can be viewed at:
The author opens the article by discussing recent advances in the maturity of vulnerability management programs, but suggests that one area that needs further development is avoiding asset risk blind spots. One way to do this is to manage excluded assets better. Some assets are excluded from vulnerability scan for various reasons (an example being, the asset has a known vulnerability and vulnerability scanning will cause damage to the system) and as a result, organizations neglect to manage the risks associated with these assets. In fact, many times organizations will put an asset on an exclusion list and practice ‘set it and forget it.’ However, vulnerability management is meant to be a cyclical process. In order to eliminate the blind spot associated with forgotten excluded assets, the author suggests a four step process:
1. Assessment – identify assets to be excluded
2. Reporting – run periodic reports on excluded assets
3. Remediation/mitigation – Try to find a solution to the problem that prompted an asset to be excluded.
4. Verification – Reassess assets to determine if they still need to be excluded
I found this article interesting as it explores an important niche of vulnerability scanning. While programs/sites that need to be excluded from vulnerability scanning are the minority, it is still important to have a means of managing those assets rather than taking the set it and forget it approach. Moreover, the cyclical process the author suggests doesn’t just accept that an asset has to be excluded from vulnerability scanning, but rather attempts to find a solution to the root problem necessitating the exclusion. Even if a solution can’t be found, the author’s process will revisit the asset in case new technology or a new approach can lead to a solution. This article takes a valuable approach to vulnerability scanning by advocating the development of the process to be adaptive and as inclusive as possible.
The way I’ve seen this handled is by creating a “finding” or “issue” in whatever system the organization uses to track open deficiencies and keeping it open until the issue is resolved. They rapidly become the oldest issues on the management report which gets them the needed attention.
Wade