The Essentials Of Vulnerability Management
Vulnerability management is the “cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities”, especially in software and firmware. Vulnerability management is integral to computer security and network security. [Source definition from Wikipedia]
Vulnerabilities are weaknesses or flaws in software code or system configuration that may allow an attacker to compromise your network or systems.
Mistakes made while programming often result in unintended vulnerabilities that attackers can take advantage of.
Other vulnerabilities are not caused by software bugs at all but by incorrect configuration, such as failing to close unneeded ports on a firewall.
Attackers constantly look for the doors and windows left open: every vulnerability in software and system configuration that can be exploited to gain access and bypass protection and security controls.
Vulnerabilities come in many forms. Open ports and unnecessary protocols, for instance, can expose key parts of a system to unintended access.
Memory management bugs open further avenues for an attacker to exploit and take control of your systems.
Because the many devices in a modern business are networked together, an attacker who gains control of one system can often move on to additional systems and resources within your network.
Once a vulnerability has been discovered and disclosed, the software vendor usually releases a fix or patch that addresses it. Patches themselves can contain errors, however, and may have unintended effects on other parts of your systems, especially if you have extensive customization. Thorough review and testing of patches before deploying them on production systems is therefore recommended.
Identifying which systems are affected by which vulnerabilities requires regular tracking and monitoring of those systems.
Instead of keeping track of the latest patches that can be applied to each system, it is usually easier to run automated assessments against known vulnerabilities to determine whether a given vulnerability is present on a particular system on your network.
Vulnerability scans automate the work of examining which systems are subject to which vulnerabilities.
By examining open ports and protocols as well as installed software and operating system versions, a scan of your network produces a list of systems and the vulnerabilities each one carries. These can then be prioritized by risk level and remediation plans put into action.
Vulnerability management is not a one-time scan but the process of managing such scans, and the remediation of the vulnerabilities they identify, in a systematic way.
Managing vulnerabilities can be a time-consuming and complicated task, particularly for mid-sized organizations that do not always have the time and staff available to carry out the investigation.
Because software flaws and misconfigurations can give attackers access to your IT systems, these vulnerabilities need to be detected and remediated quickly, before they can be exploited [Refer Figure 1].
Enterprises that attempt to deploy vulnerability management on their own, without the support of a services organization, often run into challenges including:
➢ Scanning technology that takes too much time and effort to deploy and manage
➢ IT staff who lack the bandwidth to scan frequently and analyze the results
➢ The time and effort needed to prioritize and follow up on vulnerability remediation
If you are responsible for your organization's information security program, you will find that managing security flaws in your operating systems, network devices, and applications is both time-consuming and complex.
It is difficult to keep up with the ever-growing number of flaws exploited by attackers, for example Shellshock (Bash on UNIX-like systems), Heartbleed (OpenSSL), and POODLE (SSL 3.0), alongside attack techniques such as SYN floods (DDoS).
Almost every day there seems to be another update to install. Prioritizing the essential patches and testing them before rollout can be a daunting task, especially for smaller organizations.
According to one survey, more than 7,000 vulnerabilities were added to the National Vulnerability Database in 2014 alone.
An approach to vulnerability management needs to research and prioritize vulnerabilities based on the following factors:
✓ The business value of the IT asset
✓ The criticality of the IT asset within the network security design
✓ The availability of exploits targeting the vulnerability
✓ The exposure time of the system
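The following Python is an added example, not code from the original page. It shows, in miniature, the two steps described above: the automated assessment that matches installed software versions against a list of known vulnerabilities, and the prioritization of the resulting findings by the four factors just listed. The vulnerability feed, the asset inventory, the placeholder identifiers (EX-0001 and so on, not real advisory IDs) and the scoring weights are all constructed for illustration and are assumptions of this example.

```python
# Added example (not from the original page): a minimal version-matching scan
# followed by risk-based prioritization.  All data and weights are constructed.
from dataclasses import dataclass, field


def parse_version(version: str) -> tuple:
    """Split '2.4.49' into (2, 4, 49) so comparisons are numeric (2.4.9 < 2.4.49),
    not lexical.  Only dotted-integer versions are handled here."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class KnownVuln:
    vuln_id: str          # placeholder identifier, not a real CVE
    product: str
    first_affected: str   # earliest affected version (inclusive)
    fixed_in: str         # first version carrying the patch (exclusive)
    cvss: float           # base severity 0.0 - 10.0
    exploit_public: bool  # is a working exploit circulating?


@dataclass
class Asset:
    hostname: str
    business_value: int   # 1 (low) .. 5 (high)
    criticality: int      # 1 (isolated) .. 5 (central to the network design)
    exposure_days: int    # how long the asset has been reachable in this state
    installed: dict = field(default_factory=dict)  # product -> version


# Constructed "known vulnerabilities" feed (placeholder IDs, made-up versions).
VULN_DB = [
    KnownVuln("EX-0001", "webserver", "2.4.0", "2.4.50", 9.8, True),
    KnownVuln("EX-0002", "webserver", "2.4.0", "2.4.52", 5.3, False),
    KnownVuln("EX-0003", "dbserver", "5.7.0", "5.7.40", 7.5, False),
    KnownVuln("EX-0004", "sshd", "8.0", "8.5", 6.5, True),
]

# Constructed inventory, as a scan would reconstruct it from banners and package lists.
ASSETS = [
    Asset("pay-web-01", business_value=5, criticality=4, exposure_days=45,
          installed={"webserver": "2.4.49", "sshd": "8.9"}),
    Asset("hr-db-01", business_value=4, criticality=5, exposure_days=10,
          installed={"dbserver": "5.7.35", "sshd": "8.2"}),
    Asset("lab-box-07", business_value=1, criticality=1, exposure_days=120,
          installed={"webserver": "2.4.49"}),
]


def is_affected(vuln: KnownVuln, version: str) -> bool:
    """True when first_affected <= version < fixed_in."""
    v = parse_version(version)
    return parse_version(vuln.first_affected) <= v < parse_version(vuln.fixed_in)


def scan(assets, vuln_db):
    """Return (asset, vuln) pairs for every installed version inside an affected range."""
    findings = []
    for asset in assets:
        for product, version in asset.installed.items():
            for vuln in vuln_db:
                if vuln.product == product and is_affected(vuln, version):
                    findings.append((asset, vuln))
    return findings


def risk_score(asset: Asset, vuln: KnownVuln) -> float:
    """Illustrative weighting of the four factors (an assumption, not a standard
    formula): severity scaled by business value and criticality, doubled when a
    public exploit exists, and growing with exposure time up to a 90-day cap."""
    exploit_factor = 2.0 if vuln.exploit_public else 1.0
    exposure_factor = 1.0 + min(asset.exposure_days, 90) / 90.0
    return round(vuln.cvss * asset.business_value * asset.criticality
                 * exploit_factor * exposure_factor, 1)


def prioritize(findings):
    """Highest risk first; returns (score, hostname, vuln_id) rows."""
    rows = [(risk_score(a, v), a.hostname, v.vuln_id) for a, v in findings]
    return sorted(rows, reverse=True)


if __name__ == "__main__":
    for score, host, vuln_id in prioritize(scan(ASSETS, VULN_DB)):
        print(f"{score:7.1f}  {host:<12} {vuln_id}")
```

Two things in the resulting ranking are worth noticing. The medium-severity EX-0004 on hr-db-01 outranks the higher-CVSS EX-0003 on the same host because a public exploit exists, and the same critical EX-0001 that tops the list on pay-web-01 lands near the bottom for lab-box-07, whose business value and criticality are low. Severity alone, in other words, is not a remediation order; the asset and exploit context has to be part of the calculation.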
Figure 1: The vulnerability management life cycle is a continuously repeating loop that re-evaluates the organization's security posture.