Di Cyber Security
Vulnerability Management

What is a Vulnerability Management Program?

 

The Equifax breach was caused by a vulnerability. The WannaCry virus exploited a vulnerability. The stories don’t seem to end, yet it seems like no one is talking about how to solve this problem, which is to start a vulnerability management program.

“Manage the vulnerabilities in my network? Sounds easy.” Well, not so much, but it is not so difficult that you shouldn’t be spending time and resources on it.

This month, we are dedicating this weekly blog to the concept, planning and setup of vulnerability management programs, starting with this:

What is Vulnerability Management? 

Vulnerability Management is widely described as the practice of identifying, classifying, remediating and mitigating vulnerabilities. It is also described as the discovery, reporting, prioritization, and response to vulnerabilities in your network.

Vulnerability management is no longer optional for organizations; in fact, it is becoming a requirement of multiple compliance, audit and risk management frameworks. SANS Security Controls lists continuous vulnerability assessment and remediation as number four in its most recent framework, citing the need to “Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, and to remediate and minimize the window of opportunity for attackers”.

You can’t stop what you can’t see. That’s why vulnerability management should be the foundation of your security program: you have to know what is on your network in order to monitor and protect it. A good vulnerability management program can help you proactively understand the risks to every asset in order to keep it safe.

Four Stages of VM 

1. Discovery

Build a list of every computing asset you have on your network and then build a database that vulnerability management solutions can use. This list will change constantly, so it needs to be refreshed constantly. Make sure all assets are found, categorized and assessed.

2. Reporting

This will include all data from your network assets in their current state. Typically, this is done with a vulnerability scanner, which will produce a report of all known vulnerabilities on any assets in your network.

3. Prioritization

Depending on the size of your organization or the age of your assets, the list of known vulnerabilities can be pages long. In this step, the vulnerabilities will be ranked from highest to lowest risk depending on multiple factors. Your vulnerability management solution should prioritize these by the MITRE Common Vulnerabilities and Exposures (CVE) Score and by the unique risk they pose to your organization.

4. Response

The goal of discovering, reporting and prioritizing your vulnerabilities is so that your team can focus its remediation on the largest risks in your network. Once you remediate or patch these vulnerabilities, you should conduct a penetration test to ensure that the patch is valid and that you no longer have an issue before moving on to the next vulnerability.
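The four stages above, sketched as an added Python example (not code from this page or from any particular product): scanner findings are joined to the asset inventory, ranked by severity weighted with asset context, and re-checked after patching. The inventory, findings, vulnerability IDs, weighting formula and the use of a rescan as the verification step are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Stage 1 (Discovery): constructed inventory; criticality 1-5 is set by the org.
INVENTORY = {
    "web-01": {"criticality": 5, "internet_facing": True},
    "db-01": {"criticality": 5, "internet_facing": False},
    "print-01": {"criticality": 1, "internet_facing": False},
}
# Stage 2 (Reporting): constructed scanner export; IDs are placeholders.
FINDINGS = [
    {"asset": "print-01", "vuln": "VULN-A", "score": 9.8},
    {"asset": "web-01", "vuln": "VULN-B", "score": 7.5},
    {"asset": "db-01", "vuln": "VULN-C", "score": 8.1},
    {"asset": "lab-07", "vuln": "VULN-D", "score": 6.0},  # not in inventory
]

@dataclass
class Ranked:
    asset: str
    vuln: str
    risk: float

def prioritize(findings, inventory):
    """Stage 3: rank findings by severity score weighted with asset context.
    Findings on hosts missing from the inventory are returned as a gap list."""
    ranked, unknown = [], set()
    for f in findings:
        meta = inventory.get(f["asset"])
        if meta is None:  # discovery gap: scanner saw a host we do not track
            unknown.add(f["asset"])
            continue
        exposure = 1.5 if meta["internet_facing"] else 1.0  # assumed weight
        risk = round(f["score"] * (meta["criticality"] / 5) * exposure, 2)
        ranked.append(Ranked(f["asset"], f["vuln"], risk))
    ranked.sort(key=lambda r: r.risk, reverse=True)
    return ranked, sorted(unknown)

def still_open(ranked, rescan_findings):
    """Stage 4: after patching, keep only items a follow-up scan still reports."""
    seen = {(f["asset"], f["vuln"]) for f in rescan_findings}
    return [r for r in ranked if (r.asset, r.vuln) in seen]

if __name__ == "__main__":
    ranked, unknown = prioritize(FINDINGS, INVENTORY)
    print(ranked)
    print("not in inventory:", unknown)
```

The highest raw score (9.8 on a low-criticality printer) ends up last, while a 7.5 on an internet-facing web server ranks first, which is the point of weighting severity by organizational risk.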

How can you benefit from a vulnerability management program?

There are thousands of known vulnerabilities in the wild, most of them with patches. However, not all vulnerabilities are equal, which is why you need to manage them. Using a vulnerability management program you can:

  • Intelligently Manage Vulnerabilities: Not all vulnerabilities carry the same risks. With a vulnerability management program, your organization can more intelligently prioritize remediation, apply security patches and allocate security resources more effectively.
  • Meet regulatory requirements and avoid fines: A vulnerability management program not only helps keep your organization compliant across industry regulations, it can also produce detailed reports that help you avoid significant fines for non-compliance and demonstrate ongoing due diligence during an audit.

Who needs a vulnerability management program? 

Anyone who has assets connected to the internet needs a vulnerability management program. Many industries are requiring one in order to be compliant with regulations. Attacks resulting in data loss are often caused by breaches using known, unpatched vulnerabilities. If you have any asset on your network that is not patched regularly, a vulnerability management program is for you.

Does this sound like you? You’re not alone! There are millions of people trying to keep up and stay ahead of the newest exploit and stop the next breach. Let us help.



Copyright © 2018 - 2020 Di Cyber Security  - All Rights Reserved. 
