VULNERABILITY MANAGEMENT:

PRETTY MUCH EVERYTHING YOU NEED TO KNOW

Proactively manage your assets and security vulnerabilities.

Vulnerabilities are often used by attackers to gain unauthorized access to critical systems. In fact, 60% of businesses suffered data breaches due to unpatched vulnerabilities in the past few years.

Vulnerability management dictates the strategies used to proactively mitigate and/or prevent the exploitation of IT vulnerabilities within an organization's network or systems.

It also helps keep track of all assets (networking, applications, servers, systems, etc.) within the ambit of an organization. The reported breach at NordVPN occurred due to attackers targeting a forgotten network asset. This incident could have been avoided if all assets were tracked diligently throughout their lifecycle. After all, it's almost impossible to protect something that you didn't even know existed. 

Careful review of all your organization’s assets and systems is really at the heart of vulnerability management.

DEFINING VULNERABILITY MANAGEMENT

Before diving into Vulnerability Management, we’ll cover a few terms.

Vulnerability Management

Vulnerability discovery has become quite prevalent in IT. Unfortunately, patching vulnerabilities before an attack happens is still a problem.

Vulnerability management helps organizations track and manage vulnerabilities until they are fixed. It has to be an integral part of any effective cybersecurity plan. Moreover, vulnerability management also involves keeping track of all IT and Network assets within an organization.

Vulnerability Management can be defined as "identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities" on a recurring basis.

Risk Exposure

Digitally speaking, risk comes in many shapes and forms, ranging from the threat of exposing sensitive information to the theft of user data. Risk Exposure defines the amount of risk that an organization is exposed to – a measure of potential future loss resulting from an activity such as a cyberattack.

Risk Tolerance

Although a term more commonly used in the world of finance and investments, risk tolerance or risk appetite in cybersecurity defines the amount of risk that an organization is willing to bear. The risk tolerance can take many forms, from delaying a security patch to delaying implementing security protocols or safeguards.

Cyber Threats

A cyber threat is any act that could lead to damaging data, someone stealing data, or even disrupting digital life in some way. These threats remain 'potential' threats only as long as the vulnerabilities allowing them remain unfixed. Vulnerability management helps prioritize threats to ensure that systems aren't compromised because of a delay in patching. 

The US Government defines a threat as “persons who attempt unauthorized access to a control system device and/or network using a data communications pathway.”

Types Of Vulnerabilities

Vulnerabilities come in many shapes and forms. In fact, in addition to severity, there are many other factors that cybersecurity experts use to classify vulnerabilities into different types – aiding the process of managing them.

We can categorize vulnerabilities into three broad categories...

Category 1: Network Security

Any vulnerability that could compromise the security of a network is classified as a Network Security Vulnerability. Although there are many types of such potential threats, we’ll cover the five most common ones that plague organizations around the world.
  • Missed Security Patches: Missing/skipping security patches can be quite disastrous when it comes to network security, allowing a relatively easy entry point into your network.
  • Weak or Default Passwords: Using insecure or default passwords on networks is among the most common network vulnerabilities, sometimes cropping up even on corporate networks.
  • Incorrectly Configured Firewall Rules: Firewall rules are often overlooked. However, a firewall is only as good as the rule configuration that it is set to work with. A not-so-ideal setting will usually give organizations an illusion of security until an attacker manages to successfully gain access to core systems and networks.  
  • Unknown Mobile Devices: Employees, customers, and other third-party contractors might use several different devices to access your network. Even the most stringent security procedures are no match for an employee inadvertently logging in from an unsafe, public Wi-Fi spot.
  • Flash Drives: The damage that a seemingly-benign USB flash drive can do will surprise most people. Its portability makes it one of the most convenient devices to use as well as the most dangerous. Frequently plugging it into different systems, especially unknown ones, can be a recipe for disaster when it comes to network security. The threat here is really security-unaware employees.

Category 2: Application Security

Information security teams regularly scan for vulnerabilities in their organization’s web applications to better prevent an attack. Here are the most common types of application security vulnerabilities.
  • SQL Injection: Allows alteration of backend SQL statements by manipulating user-supplied data. A login form is the usual entry point.
  • Cross-Site Scripting (XSS): An attack that enables attackers to execute scripts on a trusted (victim’s) browser.
  • Broken Authentication and Session Management: Attackers can hijack an ongoing session (using a vulnerability like XSS above) and gain unauthorized access to a system.
  • Insecure Direct Object References: Exposing a pivotal reference to an internal object can result in attackers using that information to gain access to other internal objects.
  • Cross-Site Request Forgery (CSRF): A malicious website/email/program causes the victim’s browser to perform an unwanted action on a trusted site.
  • Security Misconfiguration: Simple security misconfigurations can result in attackers quickly gaining access to your systems and even taking control of them in extreme cases.
  • Insecure Cryptographic Storage: Not storing sensitive data securely (hashed, encrypted) makes it extremely valuable to attackers and equally damaging to the organization responsible for such a misstep.

Category 3: Zero Day

Although zero-day vulnerabilities and attacks have become a hot term in the world of cybersecurity, experts note that they aren’t as prevalent as they seem. Why? Because the vulnerabilities themselves aren’t the issue: patching them is.

Without an organized and efficient vulnerability management policy, critical zero-day vulnerabilities might remain unpatched until teams finish whatever task they were handling before the discovery. However, even a small delay is enough for competent attackers to penetrate an organization’s defenses with ease.

How To Manage Vulnerabilities: Open Source Tools

Managing vulnerabilities should be systematic, and there are several open-source as well as premium tools, in addition to cloud-based services, out there to help.

There’s nothing like absolutely free and open-source software. Maintained by volunteers around the globe, some of these tools can now go toe-to-toe with their paid counterparts.

OpenVAS (Open Vulnerability Assessment Scanner) - This full-featured vulnerability scanner is a framework of services and tools that offers both vulnerability scanning and vulnerability management.

OWASP ZAP (Open Web Application Security Project Zed Attack Proxy) - Maintained by an army of hundreds of volunteers, ZAP is one of the world’s most popular suites of free security tools. The tools are continuously updated and are counted among the very best for experienced pen testers to use for manual security testing.

OWASP DefectDojo - This open-source vulnerability management tool streamlines the testing process by granting templating, reporting, metric assimilation, and baseline self-service capabilities to developers and testers.

How To Manage Vulnerabilities: Premium Tools

In addition to the open-source tools and frameworks detailed above, there are paid/premium options as well. Of course, some developers and information security teams have strong preferences on what tool best suits their purposes and requirements. However, each of them has something great to offer and is an invaluable asset for efficient vulnerability management.

Recorded Future - Recorded Future helps provide the information that security teams need in order to amplify the power of their cybersecurity efforts. Recorded Future automatically organizes open web, dark web, and technical sources for analysis so information security teams can stay a step ahead of threats.

Tenable Nessus - Tenable has been around for over three decades and has been helping information security teams find and manage vulnerabilities since the early days of the industry. It is easy to use and manages vulnerabilities by scanning and highlighting those vulnerabilities that need immediate attention.

Burp Suite Professional - This Java-based web penetration testing framework has gradually become the industry-standard suite of tools for some teams. It not only helps identify vulnerabilities but also manages the attack vectors that affect web applications.

Qualys - Qualys is a cloud-based vulnerability management software that tracks all your IT assets and relays the effect certain vulnerabilities may have on those assets – giving you an insight into your assets like never before.

HP WebInspect - In addition to automated dynamic application security testing that mimics real-world attacks, HP WebInspect provides comprehensive analyses of web applications to expose, track, and manage exploits and vulnerabilities.

Core Impact - This penetration testing tool enables security teams to manage vulnerabilities by granting access to functions such as immediate validation of remediation effectiveness and replication of attacks.

HOW TO APPROACH VULNERABILITIES

Vulnerability Management helps you understand all your assets as well as all vulnerabilities that may have repercussions on them. However, effective execution requires access to a lot of information – including the risk tolerance of your organization, relevant threat models, and much more. Having access to all this data helps to approach your vulnerabilities appropriately.

Risk

Approaching every vulnerability according to the risk it poses and weighing that risk against an organization’s risk tolerance is one of the most efficient ways to go about vulnerability management.

Because a vulnerability is only as dangerous as the threat’s potential impact on the organization once it’s exploited, information security experts find a risk-based approach to vulnerabilities an excellent tool to combat threats.

Threat and Vulnerability Management Tools make this task relatively straightforward.

Asset

As we’ve stated above, an unaccounted asset is a blind spot for an organization. When an asset is ‘forgotten,’ both digitally and mentally, it poses a severe risk to even the most comprehensive cybersecurity plans. It sounds a bit obvious, but to protect an asset, you must know of its existence in the first place. It’s impossible to secure an asset that no one knows or remembers exists. This is especially pertinent in the case of legacy apps.

Furthermore, assets aren’t necessarily equal when weighing threats and risks. An attacker with access to an unused, empty server, with no connections to anything else in an organization’s network, poses far less risk than someone gaining access to a central database or receiving elevated permissions within an active server.

Asset management helps track and organize all IT assets housed within an organization as well as their off-site assets. These assets can range from software and applications to networks and networking devices.

Discovered vulnerabilities are then mapped to the assets they affect, allowing organizations to prioritize patches accordingly and systematically. This way, delaying a patch for a critical vulnerability on a crucial asset rarely happens.

Threat Intel

While asset management helps us track all IT assets belonging to and used by an organization, threat intel helps find threats faster.

Scanning for vulnerabilities without a clear objective does work. However, for larger organizations, it’s best to have access to threat intel feeds that can help guide the direction of some vulnerability scans.

Threat intel gives information security teams access to real-time information about vulnerabilities based on real-world exploitability – assisting with the process of vulnerability management.

Prioritization

One of the chief aims of vulnerability management is ensuring that a critical vulnerability isn’t left unpatched for too long, especially not at the cost of patching a less-risky vulnerability.

Not all vulnerabilities, threats, and assets are equal. Therefore, any tool’s prioritization queue has to take into account all three factors to avoid leaving any gaping holes in an otherwise-airtight cybersecurity plan.
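As an added example (not code from the original article), the following Python sketches such a three-factor queue: scanner severity, asset criticality from the inventory, and an exploited-in-the-wild flag from threat intel, checked against a risk tolerance threshold. It also flags hosts that appear in scan results but not in the inventory, the "forgotten asset" blind spot discussed above. The 1 to 5 criticality scale, the 1.5x intel boost, the tolerance value, the host names and the vulnerability ids are all constructed assumptions.

```python
"""Added example: risk-based triage of scan findings against an asset inventory."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int         # assumed scale: 1 = isolated lab box ... 5 = central database
    owner: str

@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str             # constructed placeholder ids, not real CVE numbers
    cvss: float              # scanner-reported base severity, 0.0 .. 10.0
    exploited_in_wild: bool  # flag as it would come from a threat-intel feed

# Constructed sample data. "vpn-old" is deliberately absent from the inventory.
INVENTORY = [Asset("db01", 5, "data-team"), Asset("web01", 4, "web-team"),
             Asset("lab07", 1, "rnd")]
FINDINGS = [Finding("db01", "CVE-0000-0001", 7.5, False),
            Finding("web01", "CVE-0000-0002", 6.5, True),
            Finding("lab07", "CVE-0000-0003", 9.8, False),
            Finding("vpn-old", "CVE-0000-0004", 9.1, True)]

def risk_score(f: Finding, a: Asset) -> float:
    """Severity scaled by how much the asset matters, boosted when intel reports
    active exploitation. The result stays on the familiar 0..10 scale."""
    score = f.cvss * a.criticality / 5.0
    if f.exploited_in_wild:
        score = min(10.0, score * 1.5)   # assumed boost factor
    return round(score, 2)

def triage(inventory, findings, tolerance):
    """Split findings into: hosts nobody tracks (blind spots), a work queue of
    risks above the organisation's tolerance (highest first), and accepted risk."""
    by_host = {a.host: a for a in inventory}
    unknown = sorted({f.host for f in findings} - set(by_host))
    scored = [(risk_score(f, by_host[f.host]), f) for f in findings if f.host in by_host]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return {"unknown_assets": unknown,
            "queue": [p for p in scored if p[0] >= tolerance],
            "within_tolerance": [p for p in scored if p[0] < tolerance]}

if __name__ == "__main__":
    result = triage(INVENTORY, FINDINGS, tolerance=4.0)
    print("untracked hosts (investigate first):", result["unknown_assets"])
    for score, f in result["queue"]:
        print(f"{score:5.2f}  {f.host:8} {f.vuln_id}")
```

Note that the highest raw CVSS (9.8 on the isolated lab box) lands in the accepted-risk bucket, while the actively exploited 6.5 on the web server jumps ahead of the 7.5 on the database, which is the page's point that severity alone is a poor queue.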

Policy

Do you really need a vulnerability management policy? The short answer is yes. Without a proper vulnerability management policy, organizations can waste valuable development time trying to fix vulnerabilities that aren’t as threatening while leaving much more serious vulnerabilities, assets, or threats unattended.

The absence of decent vulnerability management is in itself a risky situation, because it is bound to result in an attack eventually. Attackers are always on the lookout for targets that haven’t safeguarded certain assets or patched vulnerabilities that they should have. Given enough time, attackers could gain access and wreak havoc with both your systems and your reputation.

Many tools out there have made the process of vulnerability management quite straightforward – leaving no excuse for organizations not to plan and implement an airtight policy on the matter.

Reach out to see what vulnerability management tool is best for your organization or to begin writing your vulnerability management policy.