Vulnerability Management

Are you still looking for articles to learn more about Vulnerability Management? Have you thought about how complex it could be to run a Vulnerability Management program for an organization? What are the challenges? Can we fix them? Do we need to accept the complexity and learn to live with it? If these questions have crossed your mind, then you are at the right place. I hope this series of posts will help you learn from my experience and help you strengthen and improve your Vulnerability Management program.

I understand that there are multiple articles available on the internet that can answer your queries, but this is just another attempt to share my experience, and I am sure there will definitely be something new for everyone. My idea is to start with the fundamental posts, where we will discuss the theoretical aspects, and then slowly move to other topics which involve strategizing, documentation, troubleshooting, and automation use cases.

Let’s start this series!

Before we dive into technical aspects, I would like to define a few technical terms which will be referred to frequently in this series. The remaining terms will be explained as we make progress.

  • Asset, as defined by NIST: "An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation)."
  • Vulnerability, as defined by NIST: "Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source."
  • Risk, as defined by NIST: "A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence."
  • Threat, as defined by NIST: "Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service. Also, the potential for a threat-source to successfully exploit a particular information system vulnerability."

NIST defines Vulnerability Management as "an ISCM capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network." This may sound straightforward to implement, but it becomes a complex process as the size of the organization increases.

Is Vulnerability Management really important? It is absolutely necessary for an organization that wants to defend against threats. NIST CSF talks about the Vulnerability Management program. ISO 27001 also specifies controls to be implemented to prevent technological vulnerabilities from being exploited. PCI-DSS mandates vulnerability scans. Other industry-standard frameworks like SOC, HITRUST, HIPAA, etc. also mention Vulnerability Management.

Do you get confused between Vulnerability Assessment and Penetration Testing? If yes, then let’s discuss this quickly. Vulnerability Assessment is the process of discovering vulnerabilities. In the majority of Vulnerability Assessment scenarios, our focus is not on the exploitation phase. Once a vulnerability has been identified, a report is shared with details of the vulnerabilities and remediation steps. In Penetration Testing, we move to the exploitation phase. Once a vulnerability has been identified, we try to exploit it and compromise one or more pillars of the CIA triad. The motive is to understand what the real exposure is post-exploitation. Is there any path to locally or laterally escalate privileges and take over a sensitive account or sensitive data? This whole process of compromising and moving across accounts, assets, and networks is captured and presented in the report. Penetration Testing mimics the attacker’s mindset and processes and hence helps to prioritize remediation.

To ensure the program is properly implemented and maintained, the whole process of managing vulnerabilities is split into multiple phases. These phases can be represented in several ways, and the one depicted below is one of them.

Vulnerability Management Lifecycle

Identify is the very first phase, where effort is put into inventorying the assets. The focus is not only on preparing the list of assets but also on classifying the assets based on the data they hold or process and their placement in the network. We will be talking about the attributes that should, at a minimum, be tagged to each asset.

Scanning is the second phase, after inventorying the assets. Once we have identified what is to be tested for vulnerabilities, we proceed to perform the vulnerability tests. Performing efficient scans involves brainstorming with different stakeholders to arrive at the scan methodology. This phase will be discussed in depth in subsequent posts.

Reporting is the third phase, which comes after the scanning phase. Once the scans have been performed, the report is made available to the asset owners or the stakeholders responsible for fixing the vulnerabilities.

Remediation is the fourth phase, which focuses on prioritizing based on the score assigned to the vulnerabilities. In this phase, the patching team either patches the vulnerabilities or implements workarounds. If the patching team finds that a reported vulnerability does not apply to the asset, they can approach the scanning team to perform false positive validation. If a vulnerability cannot be patched or compensated for with any controls, the team needs to look for alternatives or accept the risk associated with running a vulnerable system. The challenges faced in this phase will be discussed in subsequent posts.

Continuous Improvement is the last phase, where the team tries to improve the Vulnerability Management program by measuring success against declared metrics. We will talk in depth about which metrics the team can adopt to measure success and how to improve the overall program.
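As an added illustration of how the phases above hand data to one another (example code, not from the original post), the following Python sketches the records a program carries between them: asset attributes tagged in the Identify phase, scanner findings from the Scanning phase, a remediation queue that weights the scanner score by asset classification and network placement while dropping validated false positives and accepted risks, and one metric for the Continuous Improvement phase. The weights, status names, and the sample assets and findings are all constructed assumptions, not values from any standard or scanner.

```python
from dataclasses import dataclass

# Constructed sample records. The attribute names and weights are assumptions
# made for this example; a real program would derive them from its own policy.
@dataclass
class Asset:
    name: str
    classification: str   # data classification: public / internal / confidential / restricted
    placement: str        # network placement: internal / dmz / internet

@dataclass
class Finding:
    asset: str
    vuln_id: str
    base_score: float     # scanner-assigned 0-10 severity score
    status: str = "open"  # open / false_positive / risk_accepted / fixed

CLASS_WEIGHT = {"public": 0.6, "internal": 0.8, "confidential": 1.0, "restricted": 1.2}
PLACE_WEIGHT = {"internal": 0.7, "dmz": 1.0, "internet": 1.3}

def priority(finding: Finding, asset: Asset) -> float:
    """Remediation priority: scanner score weighted by the asset's tags, capped at 10."""
    score = finding.base_score * CLASS_WEIGHT[asset.classification] * PLACE_WEIGHT[asset.placement]
    return round(min(score, 10.0), 1)

def remediation_queue(findings, assets):
    """Only open findings are queued; false positives and accepted risks drop out.
    Returns (priority, asset, vuln_id) tuples, highest priority first."""
    by_name = {a.name: a for a in assets}
    queue = [(priority(f, by_name[f.asset]), f.asset, f.vuln_id)
             for f in findings if f.status == "open"]
    return sorted(queue, reverse=True)

def remediation_rate(findings) -> float:
    """Continuous Improvement metric: share of actionable findings that are fixed."""
    actionable = [f for f in findings if f.status in ("open", "fixed")]
    if not actionable:
        return 0.0
    return round(sum(f.status == "fixed" for f in actionable) / len(actionable), 2)

# Constructed inventory and scan output for the demo run.
ASSETS = [Asset("web01", "internal", "internet"), Asset("db01", "restricted", "internal"),
          Asset("kiosk", "public", "internal")]
FINDINGS = [Finding("web01", "VULN-A", 7.5), Finding("db01", "VULN-B", 9.8),
            Finding("kiosk", "VULN-C", 9.0), Finding("web01", "VULN-D", 5.0, "false_positive"),
            Finding("db01", "VULN-E", 6.0, "fixed"), Finding("kiosk", "VULN-F", 8.0, "risk_accepted")]

if __name__ == "__main__":
    for prio, asset, vuln in remediation_queue(FINDINGS, ASSETS):
        print(f"{prio:>5}  {asset:<6} {vuln}")
    print("remediation rate:", remediation_rate(FINDINGS))
```

Note that the same 9.0 score lands near the bottom of the queue on the public kiosk and a lower 7.5 lands near the top on the internet-facing web server, which is the effect the asset attributes from the Identify phase are meant to have.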

Let’s stop for now and continue in the next post, where we will discuss the very first phase of Vulnerability Management, i.e. Identification.
