Risk mitigation is the centerpiece of the vulnerability management process. While remediation always remains a worthwhile goal, you can’t totally eliminate risk, no matter how fortified your system’s defenses appear to be. Moreover, the primary source of vulnerability in software apps comes from within, from the code itself.
In Code Complete, Steve McConnell says there are about 15 – 50 errors or bugs per 1000 lines of delivered code. McConnell, however, noted that NASA’s mission-critical application, its Space Shuttle Software, had zero code defects. But this mind-boggling feat was achieved at a cost of thousands of dollars per line of code!
Needless to say, this cost is simply too prohibitive for most businesses. Besides, most of them aren’t sending spaceships into orbit where astronauts’ lives are literally put on the line. Vulnerability management is therefore a more achievable objective for the common business.
As a process, vulnerability management entails identifying, assessing, and prioritizing security vulnerabilities across systems, workloads, and endpoints. After the vulnerabilities have been classified, the process typically delves into remediation, reporting, and resolving the uncovered threats satisfactorily.
In this article, I will explain the steps involved in vulnerability management and how it is used to manage, mitigate, and remediate cybersecurity risk.
The Five Stages Of The Vulnerability Management Process
As opposed to vulnerability assessment, which is a one-time event, vulnerability management is a continuous, ongoing process. These are the steps to follow in a vulnerability management lifecycle.
CVSS plays a more prominent role in stage two; what takes center stage at this point is vulnerability scanning, which is often carried out as part of a penetration testing exercise by a pentester or a team of penetration testers.
In this process, a vulnerability scanner is an automated tool used to search, identify, and report the known vulnerabilities present in a company’s IT infrastructure.
It creates an inventory of all the IT assets available in the system, especially those actively connected to the organization’s network. These typically include firewalls, servers, operating systems, containers, virtual machines, routers, printers, laptops, desktops, and switches.
Scanners also probe endpoints such as open ports, IoT devices, system configurations, installed software, third-party apps, and file system structures.
Since vulnerability scanners probe every host across an organization’s network, the potential to disrupt the system or its components is high. White hat hackers therefore fine-tune their methods to account for this during penetration testing: they might exclude systems prone to unstable or erratic behavior, or adapt their scans to be less disruptive. For instance, if network bandwidth is a concern, they can schedule network scans during off-peak business hours when bandwidth is less constrained.
Vulnerability management solutions are also adept at continuously collecting data from systems through endpoint agents. As these tools have matured they have become more nimble, scanning a new system or device as soon as it connects to the network.
But system scanning alone isn’t the primary objective of this stage.
Overall, an organization’s system and network security are enhanced with the road map of IT assets created in this stage. With this asset discovery, an organization can easily ascertain which devices are protected, which components aren’t, and how system endpoints can be potentially accessed.
This stage is crucial because it helps to determine the attack surface exposed or vulnerable to exploitation. Moreover, the information gathered by the vulnerability management solution is used to create reports and system metrics used in the next step of the vulnerability management process.
Step 2: Evaluating Vulnerabilities
After the vulnerabilities have been discovered, the next step is to evaluate the identified vulnerabilities for their degree of risk. In step 1, I briefly mentioned CVSS and how it is used as a ranking system for cybersecurity vulnerabilities.
CVSS (the Common Vulnerability Scoring System) is a free and open standard used to communicate the severity of vulnerabilities. It provides a score ranging from 0.0 to 10.0. To augment the vulnerability assessment, the National Vulnerability Database (NVD) assigns a qualitative severity rating to each range of CVSS scores, as shown in the table below.
CVSS score range: NVD severity rating
0.1 – 3.9: Low
4.0 – 6.9: Medium
7.0 – 8.9: High
9.0 – 10.0: Critical
These scores communicate to organizations the risk posed to their infrastructure by each vulnerability. Hence, organizations are able to prioritize the vulnerabilities and threats to focus on. This evaluation also informs the organization’s risk management strategy and remediation efforts.
While vulnerability scanners and CVSS scores are excellent tools, they might not always provide a comprehensive view of the risks faced by an organization.
These out-of-the-box scores don’t account for your business’s particular risk profile, so they don’t always give the best insight into the threats you actually face. Although smart vulnerability management tools can prioritize risk, they might not be nuanced enough to weigh the additional factors that matter to your organization.
Cybersecurity professionals can give a fuller, better-rounded picture of your risk exposure by combining scan results with the threat intelligence gathered. To arrive at a suitable risk assessment, they typically weigh factors such as the following:
Is this a true vulnerability or merely a false positive?
What is the degree of difficulty in exploiting the vulnerability?
Can this vulnerability be exploited remotely?
How easy is it to exploit this vulnerability?
Does this vulnerability have publicly published exploits?
How many devices are reported with this vulnerability?
Is this a new vulnerability (older vulnerabilities tend to pose a higher risk burden) and do you know how long it has existed in your network?
Are there security policies, protocols, and controls present in your infrastructure to mitigate the impact of the vulnerability in case it’s exploited?
What is the impact on the overall organization in the event of a successful exploit of the vulnerability?
Step 3: Remediating Vulnerabilities
This step focuses on treating and mitigating the discovered vulnerabilities. Several strategies are put in place to prioritize and eliminate vulnerabilities based on the level of risk they pose to the business.
Patching is often the low-hanging fruit that remediates a large portion of the vulnerabilities found in software. In fact, most cybersecurity breaches are a result of unpatched software. Therefore, a patch management system that ensures operating systems and third-party software are up-to-date is vital.
However, there might be occasions when a vendor hasn’t yet released a patch for a particular vulnerability. In this instance, the organization should switch to mitigation measures to lessen the impact of the vulnerability’s possible exploitation.
These measures might include limiting user permissions for the affected activities or, depending on the severity, cutting off or blacklisting the impacted devices from the network.
As threats and vulnerabilities are addressed, controls need to be established and progress demonstrated toward a stronger security posture within the organization.
Acceptance is a third, somewhat counterintuitive, strategy: taking no action on a discovered vulnerability. It makes sense for low-risk vulnerabilities that pose minimal threat to the business, and even more so when the cost of fixing the vulnerability exceeds the likely cost of its exploitation.
Even when there are only benign vulnerabilities to be fixed, organizations should still strive to optimize their reported vulnerability metrics. Hence, the more the vulnerability management system is geared to improving those metrics, the more it reduces the organization’s attack surface.
Moreover, this remediation process can set a baseline for risk management that the organization can constantly reset with new and more aggressive targets.
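To make the step 2 evaluation factors and the step 3 treatment options concrete, here is an added example (my own code, not taken from any vulnerability management product) that ranks constructed sample findings by a contextual risk score built on the CVSS base score and the NVD severity table, then recommends patch, mitigate or accept for each. The factor weights, the cost figures and the finding identifiers are assumptions.

```python
from dataclasses import dataclass
RATINGS = [(0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"), (10.0, "Critical")]  # NVD ratings

def nvd_severity(score: float) -> str:
    """Map a CVSS v3.x base score to the NVD qualitative rating from the table above."""
    return next(name for ceiling, name in RATINGS if score <= ceiling)

@dataclass
class Finding:
    ident: str                   # scanner's identifier; the sample values below are constructed
    cvss: float                  # CVSS base score as reported
    false_positive: bool = False
    public_exploit: bool = False
    remote: bool = False
    internet_facing: bool = False
    affected_hosts: int = 1
    compensating_control: bool = False
    patch_available: bool = True
    fix_cost: float = 0.0        # estimated cost to remediate
    expected_loss: float = 0.0   # estimated cost if the vulnerability is exploited

def risk_score(f: Finding) -> float:
    """Contextual priority: start from CVSS, then apply the step 2 factors (weights are assumptions)."""
    if f.false_positive:
        return 0.0
    score = f.cvss
    score += 1.5 if f.public_exploit else 0.0        # published exploit code exists
    score += 1.0 if f.remote else 0.0                # exploitable over the network
    score += 1.0 if f.internet_facing else 0.0       # asset reachable from outside
    score += min(f.affected_hosts, 50) / 50.0        # breadth of exposure, capped at +1.0
    score -= 2.0 if f.compensating_control else 0.0  # existing controls blunt the impact
    return round(max(score, 0.0), 1)

def treatment(f: Finding) -> str:
    """Step 3 decision: patch when one exists, mitigate when it does not, accept only low-risk findings."""
    if f.false_positive:
        return "close-false-positive"
    if nvd_severity(f.cvss) in ("None", "Low") and f.fix_cost > f.expected_loss:
        return "accept"
    return "patch" if f.patch_available else "mitigate"

def prioritize(findings: list) -> list:
    live = sorted((f for f in findings if not f.false_positive), key=risk_score, reverse=True)
    return [(f.ident, nvd_severity(f.cvss), risk_score(f), treatment(f)) for f in live]

SAMPLE = [  # constructed sample findings, not output from any real scanner
    Finding("FINDING-1", 9.8, public_exploit=True, remote=True, internet_facing=True, affected_hosts=3),
    Finding("FINDING-2", 7.5, remote=True, affected_hosts=40, compensating_control=True, patch_available=False),
    Finding("FINDING-3", 3.1, fix_cost=5000.0, expected_loss=200.0),
]
```

Calling prioritize(SAMPLE) returns the remediation queue as (identifier, NVD rating, contextual risk, treatment) tuples, highest risk first.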
Step 4: Verify Vulnerabilities
This step uses follow-up audits to confirm that the threats in the system have actually been eliminated. Penetration testing should also be used to verify the efficacy of the remediation measures taken, and to make sure no new vulnerabilities were inadvertently introduced during the process.
Step 5: Report Vulnerabilities
It is important to document not only the discovered vulnerabilities but also a security plan describing how known vulnerabilities are handled and how suspicious activity is monitored. These reports are vital because they leave records that help businesses improve their security responses in the future.
These reports are also important to share with top management and for compliance audits, because demonstrating and recording fixed vulnerabilities and issues displays accountability, and that accountability is often required to maintain compliance standards.
Fortunately, there are smart and sophisticated vulnerability management tools that can auto-generate these reports so you don’t have to do so manually.
The Importance Of Vulnerability Management
Vulnerability management processes are vital if you want to keep your network safe by minimizing the presence of threats and exploits.