Vulnerability Management - What every CISO needs to know
Understanding what your organisation’s vulnerabilities are is a topic that every CISO needs to know, and what every board member would rather not want to learn about as it covers off so many things such as assessing your host, network, and application vulnerabilities and strategies to remediate them. Every year, thousands of new vulnerabilities are discovered meaning that organisations are trying to patch operating systems (OS) and applications and reconfigure security settings throughout the entirety of their network environment.
In this article we are going to understand in more detail what vulnerability management is, what is vulnerability, how to manage the process, how to make it a board priority and finally, how to find solutions to vulnerability management.
What is Vulnerability Management?
Firstly we must understand what vulnerability management is. As Wikipedia best describes the process as, ‘vulnerability management is the "cyclical practice of identifying, classifying, prioritising, remediating, and mitigating" software vulnerabilities. Vulnerability management is integral to computer security and network security, and must not be confused with vulnerability assessment.’
The most important aspect about vulnerability management is that it is an ongoing process, one used to continuously identify vulnerabilities that can be remediated through patching and configuration of security settings.
This kind of analysis can help organisations stay ahead of the common issues found in cybersecurity and make the necessary changes to ensure that they are protected for present and future requirements.
What is Vulnerability?
Vulnerability is the potential weaknesses that can be exploited by criminals. These can be things such as;
- Malware susceptibility - These include computer viruses, computer worms, Ransomware, Keyloggers, Trojan horses, spyware.
- Insecure system configurations - This is where a configuration is just plain wrong, either from the start or after changes were made that compromise the security of the application or system. This faulty configuration can then end up getting used everywhere in the company.
- Proxy attacks - This is where an attacker will install a proxy through which the user's network traffic will be passed. The attacker can gather confidential information from the traffic while retransmitting it back and forth between the victim and a remote website.
- Botnet attacks - Botnets are networks of hijacked computer devices used to carry out various scams and cyberattacks. The term “botnet” is formed from the word's “robot” and “network.” Assembly of a botnet is usually the infiltration stage of a multi-layer scheme.
Vulnerability Management Process
The vulnerability management process is a way to define a process so that organisations can identify and address vulnerabilities quickly and continually.
There are 4 stages to the vulnerability management process which include:
- First: Determine how critical assets are
- Second: Carry out discovery to create an inventory of assets.
- Third: Identify vulnerabilities
- Fourth: Remediate and report.
Once you have identified the 4 stages, the next element to focus on is the processes which make up vulnerability management - 6 in total - each with their own subprocesses and tasks.
- Discover: there is no way to secure what you’re unaware of. Firstly, you must take an inventory of all assets across the environment, identifying details including operating system, services, applications, and configurations to identify vulnerabilities. This can include both a network scan and an authenticated agent-based system scan. Discovery should be performed regularly on an automated schedule.
- Prioritise: You must then categorise into groups the discovered assets and assign a risk-based prioritisation based on criticality to the organisation.
- Assess: You must establish the risk baseline for your point of reference as vulnerabilities are remediated and risk is eliminated. Assessments provide an ongoing baseline over time.
- Remediate: Based on risk priorities, vulnerabilities should be fixed (whether via something like patching or reconfiguration). Controls should be in place so that any remediation is completed successfully and progress can be documented.
- Verify: Fifth, validation of remediation is accomplished through additional scans and/or IT reporting.
- Report: Finally, IT, executives, and the C-suite all have a need to understand the current state of risk around vulnerabilities. This will help onboard senior staff to the importance of the risks posed to the organisation as well as clearly document where potential attacks can occur.
Making Vulnerability Management a Board Priority
In order to engage senior management and the board with the progress that is being made in vulnerability management, you need to find a way to communicate not only what is being done but the opportunities as well as threats that the organisation faces by doing so. Of course as previously noted, the process contributes toward raising the board’s awareness of the need for effective vulnerability management.
- There is a clear benefit in having assessed the criticality of various assets and applications but this must be communicated to everyone.
- Determine the risk status to the organisation - related to key assets. Think of what can be the ultimate risk to the organisation and why it matters - time and money are great examples.
- Report metrics to the board - and do this frequently and simply:
- Provide a clear, understandable assessment of the current status
- Highlight what needs to change
- Describe how this will be accomplished and what’s needed.
- It can be beneficial to alert the board to what can happen if vulnerability isn’t managed effectively. Again, you must present this as something which relates to the organisation in a way that they can understand; this has cost us x amount of operating hours or it means that a new I.T system to manage new threats will cost you money.
How to Stay on Top of Vulnerabilities
One of the biggest challenges that CISOs face is communicating just how hard it is to stay up to date with developments in modern cybersecurity and privacy along with ever evolving vulnerabilities.
Cybercriminals are becoming smarter and using technologies which can have some major organisations struggling to keep up pace with. The average organisation will be exposed to thousands of vulnerabilities every year. Knowing which are the ones that can cause widespread damage to your organisation is essential - and getting prepared for it is even more important.
There are two sources that security practitioners and developers commonly consult
- the Common Vulnerability Enumeration (CVE) program, run by Mitre
- the National Institute of Standards and Technology's National Vulnerability Database (NVD).
However, there are many unreported vulnerabilities not included in these databases. So it is even more important that future strategies adopt a risk mitigation strategy for unreported vulnerabilities. For example;
- Asset management -
- Knowing the software titles / versions currently on the network
Vulnerability Management Solutions
There are two principle methods for vulnerability management solutions. These are manual vs modern vulnerability management.
A modern vulnerability management solution is a consistent, systematic approach to ongoing, discovered risk within the enterprise environment. It's a data-driven approach that helps companies align their security goals with the actions they can take. A manual vulnerability management solution is however based on something called, ‘Penetration testing’, which is a manual process relying on the knowledge and experience of a penetration tester to identify vulnerabilities within an organisation's systems.
Modern vulnerability solutions simplify and automate the process of vulnerability management. Some of these deal with specific elements in the process (such as scanning only) others provide a comprehensive toolkit. Others go beyond vulnerability management to provide additional cyber security functionality.
Keep Your Vulnerability Management Up to Date
Understanding what your organisation’s vulnerabilities are is a topic that every CISO needs to know. Vulnerability management is the "cyclical practice of identifying, classifying, prioritising, remediating, and mitigating" software vulnerabilities. By understanding how to prioritise the issues and bringing your organisation’s board for greater buy-in, vulnerability management is a process that can protect the present and future success of an organisation.