Vulnerability Management

Are you still looking for articles to learn more about Vulnerability Management? Have you thought about how complex could it be to run a Vulnerability Management program for an organization? What are the challenges? Can we fix them? Do we need to accept the complexity and learn to live with it? If these questions have come across your mind then you are at the right place, I hope this series of posts will help you to learn from my experience and help you to learn and strengthen/improve the Vulnerability Management program.

I understand, there are multiple articles available on the internet that can answer your queries, but this is just another try to share my experience and I am sure, there will be definitely something new for everyone. My idea is to start with the fundamental posts where we will discuss the theoretical aspects and then slowly we will move to other topics which involve strategizing, documentation, troubleshooting, and automation use cases.

Let’s start this series!

Before we dive into technical aspects, I would like to define a few technical terms which will be frequently referred to in this series. The remaining will be explained as we make progress.

• The asset has been defined by NIST: An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation)
• The vulnerability has been defined by NIST: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
• The risk has been defined by NIST: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
• The threat has been defined by NIST: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability.

NIST explains Vulnerability Management as An ISCM capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network. This may sound straightforward to implement but becomes a complex process as the size of the organization increases.

Is Vulnerability Management really important? Absolutely necessary to have for an organization to defend against threats. NIST CSF talks about the Vulnerability Management program. ISO 27001 also mentions controls to be implemented to avoid technological vulnerabilities from being exploited. PCI-DSS also mandates vulnerability scans. Other Industry standard frameworks like SOC, HITRUST, HIPAA, etc. mention about Vulnerability Management.

Do you get confused between Vulnerability Assessment and Penetration Testing? If yes, then let’s discuss this quickly. Vulnerability Assessment is a process of discovering the vulnerability. In the majority of the Vulnerability Assessment scenarios, our focus is not on the exploitation phase. Once a vulnerability has been identified, the report is shared with details of the vulnerabilities and remediation steps. In Penetration testing, we move to the exploitation phase. Once a vulnerability has been identified, we try to exploit and compromise one or multiple pillars of the CIA triad. The motive is to understand what is the real exposure post-exploitation. Is there any path to locally/laterally escalate the privilege to own the sensitive account/data? This whole process of compromising and moving across the accounts/assets/networks is captured and presented in the report. Penetration testing mimics the attacker’s mindset and processes and hence helps to prioritize the remediation.

To ensure the program is properly implemented and maintained, the whole process of managing the vulnerabilities is split into multiple phases. The multiple phases could be represented in multiple ways, and the one depicted below is one of them.