Provincie Groningen - Introduction
Information is one of the most important assets that any organization possesses. Without information, or with information that is unreliable or of poor quality, an organization cannot function to its potential.
Nowadays, most organizations store their information in digital systems. This allows users to access information anywhere, anytime - but brings with it a unique set of challenges.
Vulnerabilities
Digital information systems consist of various hard- and software components, each with its own builtin security systems, such as username/password, time-out, etc. In addition, there are several dedicated security systems installed to insure the quality and continuity of information within the ICT environment.
Nevertheless there are serious vulnerabilities in digital information systems that can be exploited by viruses, spy ware, bots and other threats. Adequate measures to mitigate these vulnerabilities are an absolute necessity. Unfortunately, many organisations do not have the information they need to take the required action.
A complete picture regarding these vulnerabilities was not available within Provincie Groningen. As is the case with most organizations, Provincie Groningen does receive information from vendors regarding security patches but information about un-patched vulnerabilities is not always available.
"Secunia Security Manager"
To gain the necessary insight into its vulnerabilities Provincie Groningen began surveying the market in 2006 for a possible solution to this problem. After some initial discussion with Secunia a pilot was initiated, using their product "Secunia Security Manager". The pilot demonstrated that, at least from a technical view, "Secunia Security Manager" could provide Provincie Groningen with the necessary information. It can be configured to meet Provincie Groningen's own unique requirements, and it supports SMS and e-mail messaging. So, technically speaking, it is a good product but ….!
A "Secunia Security Manager" license is only worthwhile when implemented within a sensible internal process that manages the information the product delivers. Without a process, follow- up is not guaranteed and the benefits are limited.
Security Management & Problem Management
IT management processes at Provincie Groningen are based on ITIL. It is thus crucial for security management to insure that information is managed within existing ITIL service support processes.
After internal consultation, the security manager suggested that all information from "Secunia Security Manager" be handled within the problem management process. The reasons for this choice are as follows:
- Information from "Secunia Security Manager" has no immediate impact on the service level;
- Not all information will cause a change in the ICT environment;
- For evaluation each follow-up must be registered.
Nowadays problem management receives and uses information from "Secunia Security Manager" to identify and address vulnerabilities in the ICT environment. Measures to address possible vulnerabilities vary in scope and complexity, depending on the probability and impact of the threat.
Process Provincie Groningen
1. "Secunia Security Manager" sends information via e-mail to security management & problem management;
2. Problem management registers the information as a call in the Provincie Groningen support tool database;
3. Operations examines the call, registers possible actions in the call and, if necessary starts a change to implement a patch;
4. Problem management reports from the Provincie Groningen support tool database to security management. Included in these reports is a list of IT components. Provincie Groningen wants to receive information about these IT components from "Secunia Security manager";
5. Through a web interface, Security management effects changes in the configuration of "Secunia Security Manager".
Lelystad
Vulnerability management today is evolving from an occasional search on the Internet and general vulnerability reporting to the development of security infrastructures containing continuous scanning and reporting of IT security operations.
Not too long ago the municipality of Lelystad was facing the same problem. Lelystad is a municipality located at the northern part of Holland, serving 70,000 inhabitants and currently employing 1,000 people.
”In the beginning I subscribed to the free Secunia notifications,” says Lelystad's system administrator. ”In that case I received all the messages on vulnerabilities. But not only did I receive the information from Secunia, I also searched the Internet and subscribed to other suppliers. To go through all this information caused a lot of extra work.
With the Secunia Security Manager solution I no longer need to search the Internet to find out if our products are vulnerable. I only receive a mail when a vulnerability is detected in our systems.
The Secunia solution offers multiple options. We have registered several products, so besides the software being monitored by Secunia, the hardware is being monitored as well. When a vulnerability is detected for instance in our switches, we are notified instantly by Secunia about impact and risk, so that we can take action immediately.
The Secunia solution gave me a single point of input for vulnerabilities and now I can generate reports about the status of our infrastructure in a minute. Having the solution certainly increased the awareness on security issues. And in the end developing the vulnerability management in Lelystad by enabling us to easily inform our management and take action faster”.
About the Secunia Security Manager solution
The Security Manager is the most effective solution when it comes to vulnerability management. The solution allows you to define a setup according to your specific IT infrastructure thereby providing you with a complete and customized overview of possible vulnerabilities in your systems.
About Secunia
Secunia assists companies in their vulnerability management process, including vulnerability assessment and security configuration baseline. Mitigation activities are prioritised based on the severity of the vulnerability, the current threat environment, and the business use of the vulnerable asset. We assist companies protecting and shielding vulnerable assets until a permanent solution is completed as well as identify the root cause for the vulnerability, enabling the company to eliminate the threat through changes in the network, server, and pc configuration policies.
Innova
Innova is part of a group of companies that belongs to Reus' municipality. Its main objective is to keep economic control and strategic alignment among the different companies that belong to the municipality of Reus. 19 different companies are part of Innova Group, all together having a turnover of €116 million. The city of Reus has 100,000 inhabitants and is located in the province of Tarragona, between Barcelona and Valencia. Innova, having a linking role between all the other companies that work for the municipality, has a small infrastructure since most of its services have been outsourced.
The Head of IT in Innova coordinates with 10 other people that, through outsourcing, work in different IT areas, such as SAP, Oracle, networks, firewall, and helpdesk. His basic clients are 15 users that work with Innova's network, plus more than a 100 users working with the infrastructure in the rest of the company group.
”As any IT department, tight budgets and lack of available IT personnel is an everyday thing” the Head of IT says. ”This situation results in an ignorance of projects that are important for business continuity.
Our main challenge is that our IT department manages various systems and platforms, for instance Windows, Linux, Oracle, SAP R/3, NetScreen firewalls, and Cisco routers and this makes it difficult to track vulnerabilities in each and every one of the platforms, mostly because each system has its own web distribution list with different formats and criticality criteria which makes it very difficult to gather all the information and process it”.
Consequently Innova had a need for vulnerability management and so three months ago Innova started using the Secunia solution. ”The implementation process was quite fast since we were able to quickly separate potential incidents according to the system for instance SAP with Windows, Sendmail with Linux and the like.
The Secunia Solution provides us with a standard interface in which we receive, analyse and apply security patches to our entire IT infrastructure. Thanks to this system, we can establish an incident management process with the certainty that we can immediately identify critical issues within our infrastructure and be able to prioritise the patching process.
As an advanced management method, we are currently coordinating the Secunia Solution with our incident management system for the purpose of automatically having our staff addressing each of Secunia's vulnerability alerts.
Previously, we used to work differently depending on the vendor” says the Head of IT. ”For Microsoft patches for instance, we used to roll them over to the clients once every couple of months, picking the ones that were considered critical. Regarding the servers, we were reluctant to patch, for instance were the ones for SAP applied once a year, while other systems such as databases never were patched. Concerning the rest of the network, we used to update the applications every couple of months, but that usually coincided with new acquisitions or real security breaches that forced us to prioritise our efforts in repairing already exploited flaws”.
The benefits according to the Head of IT are that ”Secunia offers a very standard service for those IT departments that do not have someone in charge of IT security. Secunia's service facilitates to a great extent the system's maintenance up to an acceptable security level.
IT security is important for any IT project, just as its maintenance is, but it is also a never-ending task. There are so many systems, both hardware and software, within a company that it is impossible to be up to date on each and every one of them. Thanks to Secunia we now know where we are in terms of IT security. We know what steps to take in order to keep ourselves at a comfortable level between security and time-spent.
The main benefit of Secunia's service, for us, is the tranquility. Now we know where we are and we have the comfort of knowing that our systems are as we want them to be in terms of IT security. Investing minimum time, we now have the certainty of knowing that we are covered”.
About Secunia
Secunia assists companies in their vulnerability management process, including vulnerability assessment and security configuration baseline. Mitigation activities are prioritised based on the severity of the vulnerability, the current threat environment, and the business use of the vulnerable asset. We assist companies protecting and shielding vulnerable assets until a permanent solution is completed as well as identify the root cause for the vulnerability, enabling the company to eliminate the threat through changes in the network, server, and pc configuration policies.
