Introduction to Vulnerability Management

If we’re honest, we love a good challenge. If you have an emergency or a straight-up disaster on your hands, of course we are happy that you call us. But there are two sides to this cyber-security coin: on one side, the passion for the adrenaline of an all-windows-barred, high-security war room where we help right a ship in the middle of a storm. On the other, the hope to see things fixed before they become a problem.

Today, we are talking about one of the aspects of that second side of the coin: Vulnerability Management.

01.1    What is Vulnerability Management?

Vulnerability Management is one of the many iterations of “detect early, remediate early.” In a field as fast-paced as ours, this can be a genuine challenge – there is always something new to secure in any given IT landscape, a new vulnerability to address, new risks to consider and so on. If these developments go ignored, they might leave one vulnerable to unexpected cyber-attacks. And who wants that, without first deciding that this is a risk worth taking? Nobody, that is who.

The goal of a Vulnerability Management Program is to discover unaddressed vulnerabilities. It consists of several phases: uncovering system vulnerabilities through a vulnerability scan, evaluation, reporting and remediation, in order to reduce and manage the risk that unaddressed, maybe even undiscovered, vulnerabilities pose to an organization.

Figure: a cycle with five segments – 01. Prepare, 02. Scan Vulnerabilities, 03. Evaluate Vulnerabilities, 04. Implement Remediation, 05. Report.

Is Vulnerability Management the same as Risk Management? Not quite. Vulnerability Management is more narrowly focused on uncovering and addressing technical vulnerabilities within IT systems, as a continuous program to strengthen an organization’s security posture. As such, it can be a valuable part of a broader Risk Management program.

01.2    How to run a Vulnerability Management Program

Luckily, Vulnerability Management is pretty straightforward. The SANS Institute published an introductory whitepaper about the topic that we think is a good place to dip your toes into the waters of what Vulnerability Management can look like in practice.

Here are our 5 phases of a successful Vulnerability Management Program:

01.2.1     Prepare

If this is your first time scanning for vulnerabilities, or you have acquired new tooling to support your vulnerability management process, this is the phase where you implement and configure your tool. This is also the time to decide on the scope of your scan. Our recommendation is to think big but start small – especially if you have many servers. As a rule of thumb, aim to cover your business-critical infrastructure first, then expand your scans and remediation efforts from there.

01.2.2    Vulnerability Scan

Once your scanning tool is set up and configured for your scope, it is time to scan! What can be scanned? That depends on your scanning solution, but as an example, InsightVM from our partners at Rapid7 scans internal and external IP addresses and can scan web applications as well.

If you want to read more on how Rapid7 tools scan for vulnerabilities, give us a call. If you prefer to dig into it on your own first, we recommend Rapid7’s article on Vulnerability Management and Scanning.

01.2.3    Vulnerability Analysis

After the scan is concluded, it is time to evaluate the discovered vulnerabilities. Many tools include a vulnerability score in their reporting, often based on the Common Vulnerability Scoring System (CVSS) that rates vulnerabilities by severity, or provide risk metrics to help organizations prioritize the findings.

This is the phase where you handle false positives, analyze the scan results and prepare to report the findings and the necessary remediation steps to your service owners. If you want or need to go the extra mile for a critical system, this is also when you would validate key vulnerabilities with penetration-testing tools.

By the end of this phase, you want to have a list of vulnerabilities grouped by how you will respond to them: by remediating, mitigating or accepting each vulnerability. If you have a good team of cyber professionals on your side, they will help by giving remediation and eradication recommendations for your prioritized findings and support you in addressing these vulnerabilities.

01.2.4    Vulnerability Report

It is time to show them what you found – ‘them’ being the service owners, usually. After scanning, interpreting the results and prioritizing them for compliance and security, it is time to involve the right stakeholders.

We recommend being in dialogue with your service owners about your Vulnerability Management Program, especially when you are just starting up. Getting them on board and helping them allocate the resources needed to address the vulnerabilities found will strengthen your program for years to come.

01.2.5    Vulnerability Fix / Support

Next up is addressing your vulnerabilities. Often, this will be in the hands of the service owners, but you can support them by providing whatever relevant information from your findings they need, along with your reasoning and analysis if required. Listen to their feedback – they are bound to know their system and its use in more depth, and will be able to give you more context for your future analysis.

With frequent, consistent scanning, you will start to see common threads between vulnerabilities, and gain a better understanding of the full system.
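To make the Analysis and Report phases concrete, here is an added example (written for this post, not code from Rapid7, InsightVM or the SANS whitepaper) that takes a set of scan findings, drops the ones confirmed as false positives, rates each by its CVSS v3 base score, groups them into remediate / mitigate / accept, builds a per-service-owner report, and lists the vulnerabilities that recur across hosts (the “common threads” mentioned above). The hosts, owners, vulnerability identifiers such as `VULN-001`, scores and the triage policy itself are all constructed assumptions for illustration; only the CVSS severity bands (None, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0) are the real CVSS v3 qualitative ratings.

```python
"""Triage constructed vulnerability-scan findings (added example).

Everything below is illustrative: the findings, hosts, service owners,
vulnerability ids and the remediate/mitigate/accept policy are constructed,
not taken from any real scanner output or vulnerability database.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str                # scanned asset (constructed name)
    owner: str               # service owner who receives the report
    vuln_id: str             # placeholder id, not a real CVE number
    cvss: float              # CVSS v3 base score, 0.0 to 10.0
    internet_exposed: bool   # found by the external scan scope
    business_critical: bool  # asset classification from the Prepare phase
    false_positive: bool = False  # confirmed during analysis


def cvss_severity(score: float) -> str:
    """Qualitative CVSS v3.x severity rating for a base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def disposition(f: Finding) -> str:
    """Assign remediate / mitigate / accept using a constructed policy.

    The policy is an assumption for this example, not a standard: High and
    Critical findings are remediated; Medium findings are remediated when the
    host is internet-exposed or business-critical and mitigated otherwise;
    Low and None findings are accepted (and tracked).
    """
    sev = cvss_severity(f.cvss)
    if sev in ("High", "Critical"):
        return "remediate"
    if sev == "Medium":
        return "remediate" if (f.internet_exposed or f.business_critical) else "mitigate"
    return "accept"


def triage(findings):
    """Drop false positives, group the rest by disposition, highest CVSS first."""
    groups = defaultdict(list)
    for f in findings:
        if f.false_positive:
            continue
        groups[disposition(f)].append(f)
    for lst in groups.values():
        lst.sort(key=lambda f: (-f.cvss, f.host))
    return dict(groups)


def report_by_owner(findings):
    """Per-owner rows of (host, vuln_id, severity, disposition) for the Report phase."""
    rows = defaultdict(list)
    for f in findings:
        if f.false_positive:
            continue
        rows[f.owner].append((f.host, f.vuln_id, cvss_severity(f.cvss), disposition(f)))
    return {owner: sorted(r) for owner, r in rows.items()}


def recurring_vulns(findings, min_hosts=2):
    """Vulnerabilities present on several hosts: the 'common threads' in the data."""
    hosts = defaultdict(set)
    for f in findings:
        if not f.false_positive:
            hosts[f.vuln_id].add(f.host)
    return {v: sorted(h) for v, h in hosts.items() if len(h) >= min_hosts}


# Constructed sample scan output (six findings across four hosts).
SAMPLE_FINDINGS = [
    Finding("web-01", "web-team", "VULN-001", 9.8, True, True),
    Finding("web-02", "web-team", "VULN-001", 9.8, True, False),
    Finding("db-01", "data-team", "VULN-002", 5.3, False, True),
    Finding("dev-01", "dev-team", "VULN-002", 5.3, False, False),
    Finding("dev-01", "dev-team", "VULN-003", 2.1, False, False),
    Finding("web-01", "web-team", "VULN-004", 7.5, True, True, false_positive=True),
]

if __name__ == "__main__":
    for group, items in triage(SAMPLE_FINDINGS).items():
        print(group, [(f.host, f.vuln_id, f.cvss) for f in items])
    print("recurring:", recurring_vulns(SAMPLE_FINDINGS))
    for owner, rows in report_by_owner(SAMPLE_FINDINGS).items():
        print(owner, rows)
```

Running it puts the two Critical web findings and the Medium finding on the business-critical database host in the remediate group, the same Medium finding on the non-critical dev host in the mitigate group, and the Low finding in the accept group, while the confirmed false positive is left out of every report. The recurring-vulnerability view shows `VULN-001` and `VULN-002` each appearing on two hosts, which is the kind of pattern that points at a shared image, package or configuration rather than a one-off.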

Rapid7, Vulnerabilities, Exploits, and Threats

But why do all that when you have been (mostly) fine so far? You could just close your eyes to the dangers of your potential exposure and never think about your internal and external vulnerabilities ever again.

Well, unfortunately, for systems that are exposed to the internet, unaddressed vulnerabilities can open the door to automated attacks that are as easily executed as sending out a mass e-mail. If you have reason to believe that your organization could be on the receiving end of a targeted attack, vulnerability management should be at the top of your list of priorities. Internal systems are just as critical – once an adversary has compromised a user account, or worse, an insider is looking for some leverage, you will be glad that you are in control of managing your vulnerabilities.

Read more about Vulnerability Management in our sources:

Tool: Common Vulnerability Scoring System Calculator – NIST
Whitepaper: Implementing a Vulnerability Management Process – Tom Palmaers, SANS™ Institute
Article: Vulnerability Management Process – Rapid7
Fundamentals: Vulnerabilities, Exploits, and Threats – Rapid7

Partnership announcement

We are excited to announce that we have partnered with Rapid7 to bring the best of vulnerability scanning and Vulnerability Management to you! Together, we offer Vulnerability Management as-a-Service to organizations across Denmark and the Nordics, and no-strings-attached demos and Proof-of-Concepts – as always just one email away.
