Vulnerability management plays an important role in keeping businesses online by ensuring systems are protected against vulnerabilities. In large businesses, dedicated teams exist to track, assess and remediate vulnerabilities. We previously blogged about what a vulnerability scan is, what a penetration test is, and the purpose of each with respect to organizational security. Understanding the two is an important step in identifying the security needs of your business, are often confused as the same thing, when that is far from the truth.
Vulnerability management is the processes for identifying vulnerabilities in IT assets, evaluating risk and taking appropriate action. Vulnerability scanners are commonly used in vulnerability management to identify weaknesses across systems and networks, and play an integral role in the process.
Processes of Vulnerability Management
Asset tracking is important for vulnerability management. If you are conducting vulnerability scans and not scanning all assets it could leave vulnerabilities undiscovered. Vulnerability scanners have forms of asset management built-in where the most popular methods are to discover hosts by conducting a light scan on a network to determine which hosts are active, and to input asset details such as an IP address, network range or domain name. Assets can be categorized by groups based on details such as operating systems, purpose of the machine, network, and physical location. These groups help manage and prioritize assets and becomes very useful in the remediation and scanning processes.
Vulnerability Scanning is the process of running a vulnerability scan to identify weaknesses. Scans can be tuned, configured, and scheduled to meet needs of the business and security requirements. A single group can be scanned for a single vulnerability or all your assets can be scanned for everything the scanner detects. Vulnerability scans provide a snapshot of security at a single point in time and for that reason it is recommended to conduct frequent scans of systems within the environment.
The longer duration between scans the greater the chance systems are left vulnerable. The frequency of scanning is dependent on several factors, in most organizations monthly scanning of assets is recommended. When new malware or new high-value exploits are discovered urgent, ad-hoc scans are conducted frequently in an environment to ensure risk is minimized. These scans may occur daily and are configured to scan for a low number of specific vulnerabilities. The scanning schedules and assets groups evolve with a business’s security maturity as vulnerability management is implemented, risks identified and evaluated appropriately.
Evaluating Risks involves interpreting the results from the scanner to determine what systems contain vulnerabilities to determine answers for the following questions:
- What is the impact (damage) if exploited?
- How likely is exploitation?
- Who are the threats, and how easy is it to discover the vulnerability?
- How difficult is the vulnerability to exploit?
It’s important to answer these questions to understand the associated risks of a vulnerability in order to take appropriate actions to remediate or mitigate the risk and defining a dead-line for the action. Timelines for remediation are usually in line with the risk of the vulnerability, the higher risk the quicker it needs to be addressed.
Taking Action on vulnerabilities identified ideally means remediating the issue either by applying relevant patches, modifying configurations, or code changes for applications within a defined time frame. Often times security patches or configuration changes might not be possible to directly resolve the issue so compensating controls that reduce the likelihood, impact or chance of exploitation are implemented. These controls might include firewall rules to restrict network access, configuration changes, privilege changes and other temporary changes. Complete remediation may not be possible due to a variety of reasons often coming down to business needs and requirements. Software on legacy systems may not support newer operating systems, patches may break specific functionality of a piece of software, or the required changes require significant review and redesign are a few examples. In these cases, the business owners need to accept and sign-off on the risk. The risk acceptance would require a clearly defined plan to eventually mitigate the risk.
After issues are addressed, rescanning is conducted to confirm the fix. Vulnerability management is an on-going cycle that is repeated continuously and cooperation from key stakeholders.
Why is Vulnerability Management Needed?
If patching and securely configuring systems is a top priority for keeping your business secure, patch management is essential. Attackers and researchers discover new vulnerabilities every day and vendors race to patch vulnerabilities or provide steps to harden systems against the vulnerabilities. The majority of attackers are financially motivated and are continuously adapting. Malware that exploits vulnerabilities is written and deploy fast in a race against patching. This is consistently observable over the past couple of years and continues today, a prime example is all the new ransomware variants.
Vulnerability management provides continuous pulse-checking of the security of your business to ensure patches are being applied and vulnerabilities remediated. Often times systems may report they are up to date, when in reality patches have not been applied.
Packetlabs has an experienced team of cyber security professionals with numerous advanced certifications. If you’re looking for penetration testing services or vulnerability management, we are available to help build and implement solutions that meet or exceed your requirements. Contact us today.