Initial Stage - Lack of Formalized Vulnerability Management:
In its early years, CW&L had a minimal focus on vulnerability management. Security tasks were performed reactively rather than proactively. There was no regular schedule for performing vulnerability scans or patch management. When a security incident occurred, they would resolve the specific issue without considering the broader implications for their security infrastructure. This approach left their systems open to exploitation and eventually led to the devastating data breach in 2018.
Post-Breach - Acknowledging the Importance of Vulnerability Management:
The data breach acted as a catalyst for change. CW&L’s new CISO recognized the importance of a proactive approach to security and initiated the development of a comprehensive vulnerability management program. The program aimed to identify, classify, remediate, and mitigate vulnerabilities.
Development Stage - Building the Program:
The first step in developing the vulnerability management program was to take an inventory of all systems within CW&L’s network. Understanding what was on the network was crucial to identifying potential vulnerabilities. Once the inventory was complete, they introduced regular vulnerability scans across all the systems.
These scans were scheduled on a bi-weekly basis, and any high-risk vulnerabilities identified were prioritized for immediate remediation. Low- to medium-risk vulnerabilities were tracked and remediated based on their severity and the potential impact on the business.
In addition to scanning, they established a formal patch management process. Patches were evaluated and tested in a controlled environment before being deployed to production systems. The patch deployment schedule was determined by the severity of the vulnerabilities each patch addressed: critical patches were applied immediately, while less critical patches were scheduled for deployment during maintenance windows.
Continual Improvement - Enhancing the Program:
To further strengthen their vulnerability management program, CW&L started conducting penetration tests annually and after any significant changes to their network or applications. These tests simulated an attack on their systems and helped them understand potentially exploitable vulnerabilities from an attacker’s perspective.
Moreover, they implemented a security awareness training program. Employees were trained on the importance of security, common threats, and best practices to prevent security incidents. The training included sections on reporting potential security issues, making everyone at CW&L a part of the vulnerability management program.
Current Status - A Robust Vulnerability Management Program:
Today, CW&L’s vulnerability management program is an integral part of their overall security strategy. Regular vulnerability scans, systematic patch management, penetration testing, and continuous security awareness training have created a proactive security culture within the organization. The journey was not easy, but it was crucial in transforming their approach to security and achieving PCI DSS v4.0 compliance.