Vulnerability Management 

What is Vulnerability Management?  

Vulnerability management can be defined as a continual process of identifying, evaluating, and remediating vulnerabilities. Put simply, it is an approach that eliminates vulnerabilities before they lead to a security breach. With the development of automated tools and guidelines, vulnerability management has become easier, but a proper understanding is still needed to implement a vulnerability management program. This article covers how your organization can run an effective vulnerability management program.

Why Vulnerability Management? 

Vulnerabilities are weaknesses that can be exploited by a threat actor. They come in different types: system vulnerabilities, network vulnerabilities, application vulnerabilities, software vulnerabilities and configuration errors.

Day by day new exploits are found and new technologies are introduced, and with this rapid growth we also see an increase in cybersecurity incidents in organizations. Most of the time a vulnerability opens an opportunity to attack your system, and attackers use it to their advantage. This highlights the importance of vulnerability management when an organization develops its security strategy.

A vulnerability management program helps you search thoroughly and continuously, rather than scanning once and then overlooking or ignoring the vulnerabilities found. Even after a vulnerability is identified the cycle does not end; it ends only after the appropriate remediation has been applied and the system has been re-scanned to confirm the fix.

  • Makes sure the attack surface is patched properly and that all openings available to an attacker have been eliminated.
  • Helps you evaluate and secure your network.
  • Ensures that vulnerabilities do not remain in your system.

 

 

Vulnerability Management Program 

The most common question is what the phases of a vulnerability management program are. There are four phases, namely Identify, Examine, Prioritize and Remediation.

This process flow is referred to as the vulnerability management lifecycle, because it is a continuous cycle. The lifecycle starts with identifying the vulnerabilities, and a cycle ends when they have been re-scanned and validated.

 

These phases may differ according to the needs of your organization and its scope.

  1. Identify  

The whole world is now connected through the internet, and as the internet grows every day, vulnerabilities keep growing with it. The first step in protecting your network or system is to check for vulnerabilities. Rather than checking once and deciding, a continuous approach should be followed when scanning for vulnerabilities. This helps identify new vulnerabilities that were not there before.

Now comes the question: how can we conduct these scans to identify vulnerabilities? Vulnerability scanning tools have made this process easier. There are many tools and technologies that can be used, but before using them we should have a clear understanding of the scope of the scan being conducted and whether it will impact systems or cause downtime. It is recommended to perform these scans outside of work hours to avoid any downtime.

2. Examine  

At this stage we have already identified the vulnerabilities in the system; this is where the risk is examined. The scan report may show hundreds of detected vulnerabilities, and you may be confused about what should be fixed first.

First, the outliers should be removed. These include applications that are no longer used but still show vulnerabilities. Then a list should be made addressing each vulnerability: the name of the vulnerability, the system on which it was detected, the due date, the person responsible and so forth. This can be done using an automated vulnerability management program or a spreadsheet such as Excel.

Second, you must score the risk; for that you can use the Common Vulnerability Scoring System (CVSS) scoring formula.

 

3. Prioritize  

Now you have a risk score for each vulnerability. The next step is to prioritize, starting with the highest risk. You should prepare a vulnerability prioritization strategy in which the highest risks on critical assets are addressed first.

 

Sometimes all the operating systems share a common problem, such as not having been updated to the latest version; in such a case you can patch them using an auto-update mechanism.

 

 4. Remediation 

In this phase the vulnerabilities are fixed. What remains is to make sure they are all gone. We sometimes think that once a vulnerability is fixed the work is done, but without confirming our remediation it is never finished. Some vulnerabilities will not vanish even when patched, and some need more than one patch to resolve.

Many standards bodies have also suggested frameworks that can be used when implementing a vulnerability management program.

  1. OWASP – The OWASP Vulnerability Management Guide introduces three cycles, and in each cycle there are four main processes.
  2. NIST – NIST Software Security Vulnerability Management; this guide helps in implementing a software security vulnerability management program.
  3. US-CERT – According to the CRR Supplemental Resource Guide, vulnerability management is introduced in four phases.
  4. Gartner – Gartner Vulnerability Management Guidance Framework.

 

Types of Vulnerability management approaches  

Risk based vulnerability management  

Risk-based vulnerability management is the process in which the continuously discovered vulnerabilities are prioritized based on their criticality level, responding first to those that can cause a high impact to the organization.

Need for risk-based Vulnerability management  

A single scan finds a whole lot of vulnerabilities. Every day a new vulnerability is found, and attackers find methods to exploit it. The problem is that with this huge number of vulnerabilities it is hard to address all of them.

The most common example is that when Windows releases a patch update, it is unrealistic to update all the Windows machines at once. It may take some time depending on a number of factors, and it should be done without causing any disruption or downtime to business operations. The point is that not all vulnerabilities pose the same risk. Threat actors know which vulnerabilities they should exploit, and they focus on that small subset. Therefore, we should also focus on the vulnerabilities that carry the highest risk. This is what risk-based vulnerability management does: it prioritizes the most critical risks.

 

Risk based Approach Vs Traditional Approach 

  • Scan selection: the risk-based approach scans for the vulnerabilities with a higher probability of being exploited; the traditional approach scans only the vulnerabilities fed into the scanning tool.
  • Asset focus: the risk-based approach gives priority to the most critical assets; the traditional approach does not single out the assets most critical to the business and just scans all available assets.
  • Asset coverage: the risk-based approach scans all assets, including cloud, BYOD, IoT and third-party assets; the traditional approach pays little attention to such assets.
  • Frequency: the risk-based approach scans continuously; the traditional approach scans only once or when needed.

 

 

 Vulnerability Management tools 

Technologies used 

When conducting a vulnerability scan there are different types of technologies that can be used:

  • Host-based scanners
  • Application scanners
  • Wireless scanners
  • Database scanners
  • Network-based scanners

 

Open-Source Tools 

Offensive Security's Kali Linux provides many open-source vulnerability scanning tools that we can use in vulnerability management. Here are some of the tools we can use:

  • Metasploit 
  • Burp Suite Free Edition 
  • OWASP ZAP (Zed Attack Proxy) 

 

Industry-used Vulnerability Scanning tools

  • Qualys Vulnerability Management 
  • Tenable Nessus 
  • Rapid7

 

How to select a vulnerability scanning tool

When selecting a vulnerability scanning tool, certain things should be looked into:

  1. The dashboard should clearly present the risk score and help in prioritizing risks.
  2. It should be able to scan the most critical systems in your network.

 

Vulnerability management strategy for an organization  

Here are some vulnerability management best practices that help in organizing the vulnerability management work.

  • Determine the scope and the assets of vulnerability management.
  • Determine the proper tools and strategy.
  • Prioritize mission-critical assets and risks.
  • Remediate promptly and identify new risks.
  • Define proper metrics.

 

Vulnerability Management Checklist

Identify:

  • Is the scope defined properly?
  • Is a proper plan in place?
  • Are policies and procedures in place?
  • Are the roles and responsibilities defined properly?
  • Are the proper vulnerability assessment tools selected?

Examine:

  • Are all the critical assets covered in the scope?
  • Is a risk valuation method in place?
  • Are the risks assigned properly?

Prioritize:

  • Are the assets prioritized based on their criticality?
  • Are the risks prioritized based on their criticality?

Remediation:

  • Have the remediation and mitigation actions been conducted?
  • Has everything been re-scanned and validated properly?

 

Vulnerability prioritization matrix 

Common Vulnerabilities and Exposures (CVE) is a list of records that identify and classify vulnerabilities. CVE entries are scored with CVSS to evaluate the threat level, and that score is used to prioritize vulnerabilities.

The Common Vulnerability Scoring System is a scoring method that captures the key characteristics of a vulnerability and produces its severity level. It is composed of three metric groups, namely Base, Temporal and Environmental.

Use the CVSS Calculator to compute the score.

Risk      CVSS Score
None      0.0
Low       0.1 – 3.9
Medium    4.0 – 6.9
High      7.0 – 8.9
Critical  9.0 – 10.0
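As an added example (not from the original article), the following Python script ties the Examine and Prioritize steps described earlier to the CVSS rating table above: it reads a constructed scan export, drops outliers (software no longer in use), maps each CVSS score to its severity band, boosts findings on business-critical assets, and assigns a due date and owner. The CSV format, the asset-criticality weights and the SLA days are assumptions for illustration, not values from any scanner or standard.

```python
import csv
import io
from datetime import date, timedelta

# Constructed scan export (not any real scanner's format), one finding per
# row; in_use = "no" marks an application that is no longer used.
SCAN_CSV = """finding,host,cvss,asset_criticality,owner,in_use
FINDING-1,db-prod-01,9.8,critical,dba-team,yes
FINDING-2,web-prod-02,7.5,high,web-team,yes
FINDING-3,legacy-app-09,9.1,low,nobody,no
FINDING-4,kiosk-14,5.3,low,desktop-team,yes
FINDING-5,web-prod-02,3.1,high,web-team,yes
"""

# Assumed remediation deadlines in days per severity; adjust to your policy.
SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}
# Assumed boost added to the CVSS score for business-critical assets.
ASSET_WEIGHT = {"critical": 3.0, "high": 2.0, "medium": 1.0, "low": 0.0}

def cvss_severity(score: float) -> str:
    """Map a CVSS score to the qualitative rating in the table above."""
    if score == 0.0:
        return "None"
    if score <= 3.9:
        return "Low"
    if score <= 6.9:
        return "Medium"
    if score <= 8.9:
        return "High"
    return "Critical"

def prioritize(scan_csv: str, today: str) -> list:
    """Examine and Prioritize: drop outliers, score, rank the findings."""
    start = date.fromisoformat(today)
    ranked = []
    for r in csv.DictReader(io.StringIO(scan_csv)):
        if r["in_use"] != "yes":   # outlier: software no longer in use
            continue
        score = float(r["cvss"])
        sev = cvss_severity(score)
        if sev == "None":          # nothing to remediate
            continue
        # Highest risks on the most critical assets sort to the top.
        priority = round(score + ASSET_WEIGHT[r["asset_criticality"]], 1)
        due = (start + timedelta(days=SLA_DAYS[sev])).isoformat()
        ranked.append({"finding": r["finding"], "host": r["host"],
                       "severity": sev, "owner": r["owner"],
                       "priority": priority, "due": due})
    return sorted(ranked, key=lambda f: f["priority"], reverse=True)
```

Calling prioritize(SCAN_CSV, "2024-01-01") ranks the Critical finding on the production database first and silently drops the high-scoring finding on the decommissioned legacy application, which is exactly the outlier removal the Examine step calls for.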

Risk Matrix