Understanding vulnerability management

Vulnerability management is the process of identifying, assessing, and treating cyber vulnerabilities across systems and software used in an organisation. It is an ongoing, cyclical process to manage the vulnerabilities and report on the status. Vulnerability management is an important part of an organisation’s security program and is integral to reducing the attack surface.

The technology space is transient with systems and networks undergoing changes. Also, cyber-attacks are becoming more vicious and use sophisticated technology. Thus, vulnerability management is a continuous process to monitor and treat vulnerabilities.

Vulnerability, Risk, and Threat

While all three terms denote a security concern, they differ in meaning and also in their treatment approach.

A vulnerability as defined in ISO 27002 is a weakness in an asset or a group of assets that can be exploited by threats.

A threat is something that can exploit the vulnerability in a system or software.

A risk is potential damage that can be caused when a threat exploits a vulnerability.

The Vulnerability Management Process

Vulnerability management is an ongoing process. The process can use different terminologies in different organisations or contexts, but the process remains more or less similar in all cases.

The vulnerability management process requires a precursor as defined by Gartner’s Vulnerability Management Guidance Framework. It outlines 5 steps before vulnerability management begins.

1. Determine the scope of the program
2. Define roles and responsibilities
3. Select vulnerability assessment tools
4. Create and refine policies and SLAs
5. Identify asset context sources

After this groundwork, you can begin the vulnerability management process.

The vulnerability management process can be broken down into 4 major steps.

1. Identifying vulnerabilities
2. Evaluating vulnerabilities
3. Vulnerability treatment
4. Reporting

Identifying vulnerabilities

This step is usually carried out using a Vulnerability Scanner, even though other methods are available, too. A vulnerability scanner is a tool that searches for known vulnerabilities in the IT infrastructure and reports them. It will perform the following tasks:

• Ping network-accessible systems or send TCP/UDP packets to systems to scan them
• On scanned systems, identify the services running and detect open ports
• Where possible, remotely login into systems to detect detailed system information
• Check system information against known vulnerabilities
• Report vulnerabilities identified in the system

If you are not using a vulnerability scanner, you can use other vulnerability management solutions that continuously gather data from systems without running scans. The end result should be the same though – i.e., the method should be able to identify vulnerabilities.

Evaluating vulnerabilities

Vulnerabilities need to be evaluated to ascertain their severity and also so that the vulnerability management process is aligned with risk management. Vulnerability management solutions evaluate vulnerabilities by assigning risk ratings and scores. A popular scoring system is the Common Vulnerability Scoring System (CVSS). Read more about how CVSS works in What is the Common Vulnerability Scoring System?

These scores help you prioritise vulnerabilities. Along with the CVSS scores, you should also consider the below factors to get a complete view of the risks associated with a vulnerability.

• How difficult is it to exploit the vulnerability?
• Can it be exploited from the internet?
• Can you verify that the vulnerability is not a false positive?
• Is there a known code that can exploit the vulnerability?
• What would be the consequences of the vulnerability being exploited?
• How long has the vulnerability resided in the system?
• Have you implemented any security controls to address the vulnerability?

Not all vulnerability scanners and other vulnerability management tools are always perfect. There is a chance of false positives while identifying vulnerabilities. Thus, all vulnerabilities need to be validated.

Penetration testing is a comprehensive method to validate vulnerabilities. There are other validation methods, too. Evaluation methods are important because they can help uncover vulnerabilities that you didn’t know existed in your system or didn’t know were severe enough to treat. Read more on how pen testing is relevant to cybersecurity and GRC in Cybersecurity, GRC, and the Role of Penetration Testing.

Vulnerability Treatment

A vulnerability once validated as a risk needs vulnerability treatment. Below are the options for vulnerability treatment.

• Remove vulnerability: Implement a fix for the vulnerability to remove it from the system. This is the ideal solution for any company. 

• Reduce vulnerability: If the vulnerability cannot be completely eliminated from the system, it needs to be mitigated. If a security patch or control that can remove the vulnerability isn’t available, measures should be taken to reduce the risk associated with the vulnerability. This is usually a temporary solution till such a point where the control or security patch can be implemented. 

• Monitor vulnerabilities: When vulnerabilities can neither be removed nor reduced, they need to be monitored to detect a threat or an attack. 

• Accept vulnerabilities: This is for vulnerabilities that can neither be removed nor reduced. These vulnerabilities need to be accepted. When the vulnerability is low-risk and low-impact, or when the cost of fixing the vulnerability is greater than the impact of the vulnerability, it is recommended that the vulnerability be accepted.

Vulnerability management solutions also recommend treatment options. However, the option provided might not always be the most optimal solution. So, any option must be evaluated by security experts, system owners, and system administrators.

When vulnerability fixes are implemented, it is recommended that you run the vulnerability scans again to confirm that the vulnerability has been resolved.

Reporting

Vulnerability management solutions come with different options for customising reports and a dashboard view to see how the vulnerability management program is performing. These reports help the security teams make decisions about the security controls and other techniques to be used to deal with each vulnerability.

Since vulnerability management is a regular and continuous process, it helps to have updated reports generated regularly so that vulnerabilities can be monitored.

Since vulnerability management is a cyclical process, the information from the reports needs to be used to improve the status of vulnerabilities and then repeat the above cycle right from identifying vulnerabilities.

What to look for in Vulnerability Management solutions?

At the core of vulnerability management is managing the exposure of your data and assets to known vulnerabilities. However, when you choose a vulnerability management solution, you should also consider the below factors.

• Performance

Many vulnerability management solutions provide endpoint agents to continuously gather vulnerability data. These agent-based solutions can sometimes be quite bulky, impacting the performance of the endpoint. Choose a lightweight solution that will not impact the performance.

• Timeliness

Vulnerability management solutions need to be fast. If they take too long to scan the networks and collect vulnerability data, chances are the data is already outdated by the time the tool reports it. This is a common problem with network-based vulnerability management solutions.

• Visibility

The vulnerabilities in the system should be instantly visible. A vulnerability management solution that shows a real-time dashboard can help you to see vulnerabilities in time and the further process to assess and treat them can be triggered.

Tackle changes with vulnerability management

There are a lot of organisational changes due to the demand for adding more systems and applications, rising adoption of cloud, hybrid work culture, etc. At the same time, the threat landscape is evolving, and the number of cyber attacks is increasing.

All these changes need a strong vulnerability management process. New changes such as onboarding a new partner, hiring, getting a cloud service, etc. are inevitable in a growing organisation. But it is also growing your attack surface. Protecting your organisation from these threats is critical and vulnerability management is an important part of this exercise. Read more in the blog Integrating Vulnerability Management into your ISMS.

To know more about how the 6clicks platform helps with vulnerability management and supports integration with vulnerability scanning platforms, get in touch with our team to take a free tour of the platform.