Fix It Before They Break It: The True Role of Vulnerability Management

Before we start let's understand a few keywords

1. Vulnerability: Vulnerability is always defined by the ISO 27002 and VM is a weakness of an asset or group of assets that can be exploited by 1 or more threats.

2. Assets: Anything that needs to be monitored and protected is known as assets , eg data, systems, Hardware, S/w or process.

3. Threat: The potential actor or event that can exploit the vulnerability eg. Malware, Hacker

4. Risk: The Potential damage or loss caused if the threat exploits the vulnerability eg. financial loss due to data breach.

Let's understand the those keywords with the realtime eg

A banking app with weak password policies (vulnerability) could be targeted by phishing attacks (threat), resulting in unauthorized access to customer accounts (risk)

Who categories & ranks Vulnerability?

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that provides a standardized way to access and communicate the severity and characteristics of s/w vulnerabilities.

The National Vulnerability Database (NVD) adds a severity rating for CVSS scores. NVD maintains an updated library of common vulnerabilities and exposures (CVEs) with rankings and related details like vendor and product information. Originating from the MITRE Corporation in 1999, this list is synced with NVD and offers basic insights into each vulnerability.

The CVSS Base Score ranges from 0.0 to 10.0

• 0.0: No impact (None)
• 0.1–3.9: Low severity
• 4.0–6.9: Medium severity
• 7.0–8.9: High severity
• 9.0–10.0: Critical severity

Let's understand with the real world eg

The 2021 Log4Shell vulnerability (CVSS score: 10.0) in the popular Log4j library posed critical risks to organizations globally, as attackers could remotely execute code on affected systems.

The Vulnerability Management Lifecycle

An effective vulnerability management program involves five key stages, each critical for ensuring a robust security posture:

1. Assess:

• Identify vulnerabilities across assets using tools like network scans or agent-based systems.
• Example: A company scans its servers with a vulnerability scanner to detect weak points like unpatched software.

1. Prioritize:

• Rank vulnerabilities based on their CVSS scores, threat exposure, and business impact.
• Example: A healthcare provider prioritizes vulnerabilities in its patient data system over an internal HR tool.

1. Act:

Apply one of the following actions:

• Accept: Acknowledge the risk but take no action for non-critical issues.
• Mitigate: Reduce risk through controls like firewalls.
• Remediate: Fix the vulnerability entirely, such as by applying patches.
• Example: Patching a critical operating system vulnerability in servers.

1. Reassess:

• Verify the effectiveness of remediation actions and ensure no new vulnerabilities have emerged.
• Example: After patching software, the IT team conducts another scan to confirm the issue is resolved.

1. Improve:

Use lessons learned to refine processes and tools for future vulnerabilities.

Example: Automating patch deployment to reduce manual errors and delays.

for mindmap
https://sivolko.github.io/mindmaps/