The purpose of this document is to understand what a vulnerability management plan (VMP) is and how it is more than just a vulnerability assessment. This paper will also talk about how to set up an effective vulnerability management plan and the benefits that companies get by setting up the VMP with a SECOPs mindset.
A vulnerability assessment is the process of defining, identifying, classifying and prioritizing vulnerabilities in computer systems, applications and network infrastructures and providing the organization doing the assessment with the necessary knowledge, awareness and risk background to understand the threats to its environment and react appropriately.
A vulnerability assessment process intends to identify threats and the risks they pose. It typically involves the use of automated testing tools such as network security scanners, which provides results in form of a vulnerability assessment report.
Organizations of any size, or even individuals who face an increased risk of cyberattacks, can benefit from some form of vulnerability assessment, but large enterprises and other types of organizations that are subject to ongoing attacks will benefit most from vulnerability analysis.
Because security vulnerabilities can enable hackers to access IT systems and applications, it is essential for enterprises to identify and remediate weaknesses before they are exploited. A comprehensive vulnerability assessment along with a management program can help companies improve the security of their systems.
Importance of vulnerability assessments
A vulnerability assessment provides an organization with information on the security weaknesses in its environment and provides direction on how to assess the risks associated with those weaknesses and evolving threats. This process offers the organization a better understanding of its assets, security flaws and overall risk, reducing the likelihood that a cybercriminal will breach its systems and catch the business off guard.
Types of Vulnerability Assessments
Vulnerability assessments depend on discovering different types of system or network vulnerabilities, which means the assessment process includes using a variety of tools, scanners and methodologies to identify vulnerabilities, threats and risks.
- Some of the different types of vulnerability assessment scans include the following:
- Network-based scans identify possible network security attacks. This type of scan can also detect vulnerable systems on wired or wireless networks.
- Host-based scans locate and identify vulnerabilities in servers, workstations or other network hosts. This type of scan usually examines ports and services that may be visible to network-based scans, but it offers greater visibility into the configuration settings and patch history of scanned systems.
- Wireless network scans of an organization’s Wi-Fi networks usually focus on points of attack in the wireless network infrastructure. In addition to identifying rogue access points, a wireless network scan can also validate security posture of a company’s network.
- Application scans test websites in order to detect known software vulnerabilities and erroneous configurations in network or web applications.
- Database scans identify the weak points in a database to prevent malicious attacks, such as SQL injection attacks.
Penetration Testing (Pen Test)
Penetration testing, also called pen testing or ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing is either performed manually or automated with software applications. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in -- either virtually or for real -- and report the findings.
The main objective of penetration test is to identify security weaknesses. Penetration test is also used to test an organization’s security policy, its adherence to compliance requirements, its employees’ security awareness and the organization’s ability to identify and respond to security incidents.
Typically, the information about security weaknesses that are identified or exploited through pen testing is aggregated and provided to the organization’s IT and network system managers, enabling them to make strategic decisions and prioritize remediation efforts.
Penetration tests are also called white hat attacks because in a pen test, the good guys are attempting to break in.
Purpose of penetration testing
The primary goal of a pen test is to identify weak spots in an organization’s security posture, as well as measure the compliance of its security policy, test the staff’s awareness of security issues and determine whether -- and how -- the organization would be subject to security disasters.
A penetration test can also highlight weaknesses in a company’s security policies. For instance, although a security policy focuses on preventing and detecting an attack on an enterprise’s systems, that policy may not include a process to expel a hacker.
Penetration testing responsibilities vary for different mixes of cloud and on-premises systems.
The reports generated by a penetration test provide the feedback needed for an organization to prioritize the investments it plans to make in its security. These reports can also help application developers create more secure apps. If developers understand how hackers broke into the applications they helped develop, the intention is to motivate developers to enhance their education around security so they will not make the same or similar errors in the future.
Penetration testing tools
Pen testers often use automated tools to uncover standard application vulnerabilities. Penetration tools scan code in order to identity malicious code in applications that could result in a security breach. Pen testing tools examine data encryption techniques and can identify hard-coded values, such as usernames and passwords, to verify security vulnerabilities in the system.
Vulnerability assessment done. What now?
Vulnerability assessment establishes the current state of an organization’s cyber security, but to meet industry best practices, companies should go beyond that to achieve continuous improvement.
For modern companies, a small website outage or data breach can spell huge disaster to the organization’s profits and reputation. This is what makes the job of information technology security officers such a challenge – they are responsible for protecting all digital systems from external attacks, even though they can’t predict how, when or where they will occur.
That makes cyber security, as a practice, essentially impossible to perfect. Companies must accept the fact that vulnerabilities exist in their current infrastructure and software and are likely to continue to appear as they expand. However, that does not mean you can take a hands-off approach. The opposite is the case, because IT security officers must be as proactive as possible in locating and patching found vulnerabilities.
It is imperative for IT departments to become familiar with an activity known as a vulnerability assessment (VA), which helps to assess the current state of your organization’s cyber security efforts. However, to meet industry best practices, you should go beyond a simple VA and turn that activity into a continuous improvement strategy.
Vulnerability management is a pro-active approach to managing network security through reducing the likelihood those flaws in code or design compromise the security of an endpoint or network.
Vulnerability management processes include:
- Checking for vulnerabilities: This process should include regular network scanning, firewall logging, penetration testing or use of an automated tool like a vulnerability scanner.
- Identifying vulnerabilities: This involves analyzing network scans and pen test results, firewall logs or vulnerability scan results to find anomalies that suggest a malware attack or other malicious event has taken advantage of a security vulnerability, or could possibly do so.
- Verifying vulnerabilities: This process includes ascertaining whether we can use the identified vulnerabilities to exploit servers, applications, networks or other systems. This also includes classifying the severity of a vulnerability and the level of risk it presents to the organization.
- Mitigating vulnerabilities: This is the process of figuring out how to prevent vulnerabilities from being exploited before a patch is available, or in the event that there is no patch. It can involve taking the affected part of the system off-line (if it is non-critical) or various other workarounds.
- Patching vulnerabilities: This is the process of getting patches-usually from the vendors of the affected software or hardware-and applying them to all the affected areas in a timely way. This is sometimes an automated process, done with patch management tools. This step also includes patch testing.
What is a vulnerability management program?
After a VA scan is completed, the IT security team delivers a final report to all major stakeholders in the organization. This is an important start to meet the best practices of cybersecurity, but alone, it does not guarantee protection.
Proactive measures are the key to strong IT security and that is where the concept of a vulnerability management program (VMP) comes into play. A VMP treats the assessment as an input to a continuous approach to cybersecurity and system reliability. This is critical because as technology continues to change and evolve, so must the approach to safeguarding it.
The final report from a VA should indicate where potential security gaps exist. The next step in the VMP process is to verify the realistic risk of each one and then prioritize them based on severity. After that, the team running the VMP must determine a mitigation tactic for each identified vulnerability. The proper solution depends on whether it is a supplier product, in-house tool or a network-based issue.
Lastly, the VMP should dictate when patches (security updates) for supplier products are installed and automated.
The processes within the VMP must continue to loop. Once we have addressed all the system risks, a new VA should be performed to start the activities again. The team maintaining the VMP must constantly be accounting for new devices, networks and users who have entered the organization.
This is especially true with the movement towards the internet of things (IoT), where every type of machine, from light bulbs to coffee makers, comes with Wi-Fi connectivity installed. Because these types of device have historically had little built-in security, they are highly vulnerable to all sorts of damaging network-based hacks.
What is the tangible benefit of VAs and VMPs? These activities may require a significant amount of time and human resources, so an IT team should justify the effort. Fortunately, the right approach to vulnerability management has proven, in many case studies, to be a critical form of protection for organizations of all sizes. Yet a recent survey revealed that less than half of companies actively follow a VMP.
The worst-case scenario for a company is that a hacker manages to infiltrate its network and is unidentified, until a larger attack is executed. This includes exploits ranging from an old standby like ransomware to newer types, such as crypto jacking and everything in between.
Tools + Tactics = Good VMP
A successful VMP strategy involves the tactics discussed above, as well as a couple of tools. The first tool to deploy is a virtual private network (VPN) in conjunction with your regular ISP (internet service provider).
Although the technology is still evolving, VPNs not only anonymize your geographical location by routing traffic through the server of your choice, but also encrypt all session-related data, so even if a hacker managed to access your data (called “packets”), they would not know what it contained, and the information would remain secure. VPNs are a subset of proxy servers, which, as the name implies, are intermediary proxies between your computer and the rest of the internet.
In addition to using a proxy server to encrypt your network, your company should install a firewall to monitor incoming web traffic and block anything that looks suspicious. Firewalls are a great tool for managing cyber security, but it is important to pair it with a VPN and larger VMP effort to ensure that your network is regularly updated to handle new threats as they emerge.
Vulnerability management program is much more than just vulnerability assessment, Companies vulnerability management setup with SECOPs mindset will
- Step up their game with network scanning to include complete ecosystem visibility, simplified assessment, and automated remediation workflows.
- Effectively address web application vulnerabilities by analyzing complex applications and by adopting DevSecOps practices to keep up with applications that can change daily or hourly.
- Increase resilience to phishing and other social engineering and attacks through education and simulations, and mitigate user risks by linking incident detection and response capabilities with vulnerability management.
- Assess overall risk using customized risk scoring and pen testing to prioritize vulnerabilities based on their real risk to the specific enterprise. Evolving toward such a program requires thinking through the value of each area and finding opportunities to integrate the different areas.
The rewards are dramatic, giving security groups the ability to:
- Monitor today’s vastly expanded attack surface.
- Keep up with quickly changing infrastructure and applications.
- Work collaboratively with IT operations and application development groups to identify and remediate vulnerabilities of all kinds, faster.
- Reduce the ability of attackers to exploit the largest attack vector in most organizations: the users.
- Accurately determine which vulnerabilities pose the greatest risk to the enterprise, to make best use of remediate resources in the short term, and to focus on the most effective defenses in over the long term.