All software and hardware has vulnerabilities. So do the non-computing aspects of your organizational security, such as the physical security of your building or how susceptible your employees are to social engineering. Vulnerabilities are everywhere and are in everything. The key to good security is to know how to manage your vulnerabilities. What are they? Where are they? How can they be patched? How can they be mitigated? Which risks are you willing to take?
What is Vulnerability Management?
Vulnerability management is a continuous process of testing, reporting, response, and triage. Bruce Schneier is famous for saying, “Security is a process, not a product.” That very much applies to vulnerability management specifically, as well. You don’t just design systems, configure them, and deploy them. Every day at work you should discover and think about your vulnerabilities and consider how you’ll deal with them.
Two major aspects of your security work will change constantly, whether you like it or not. One is your network and computing infrastructure. New applications will be deployed and patched. New hardware will be introduced. New people will be hired. Policies will be changed. Sometimes regulations change as well. The second constantly changing aspect is the threat landscape. At least one point of your network will be connected to the public internet, and new malware and automated attack tools appear all the time. The way they attack and the ways they evade detection will also evolve. New malware can also be introduced to your network through removable media and bring-your-own devices. There are also social engineering and physical (often building-related) attack vectors.
All of those factors evolve and change, and that's the main reason why vulnerability management must be a continuous process. You will also learn something new every day. If not, you're doing something wrong.
The Vulnerability Management Process
The first phase of the vulnerability management process is asset discovery. You need to know what’s deployed on your network, which is increasingly difficult with BYOD and lines of business going off and “doing their own thing” outside of IT.
You will learn about vulnerabilities in your network through sources like the public CVE list (the catalog of Common Vulnerabilities and Exposures, which gives each known vulnerability a stable identifier), vulnerability scanning and penetration testing, vendor announcements, your logs and your SIEM, reports from your staff, and unfortunately sometimes in the wake of real cyber attacks.
Do make sure you record your vulnerability discoveries in as much detail as possible, and preferably in a way that’s only accessible to the people who need to know about them.
Reports should also be organized according to which aspects a vulnerability pertains to, such as an application your network uses, or a physical building vulnerability. Because vulnerabilities pertain to all the aspects and facets of your network, you should have lots of different categories.
Regulations and compliance standards, as well as company policy, must also be considered. Depending on your company, industry, and jurisdiction, there may be specific standards that your vulnerability management reporting must conform to.
Over time, you will inevitably discover and report a lot of vulnerabilities. A good prioritization process will help you triage your vulnerabilities so you can respond to them more effectively. One important and useful way to categorize your vulnerabilities is according to urgency. Obviously more urgent vulnerabilities should be dealt with first. What are the possible consequences of a particular vulnerability being exploited? How much money is at stake? Is there any possible harm to real people? How large is the attack surface corresponding to a vulnerability? How many of your machines, appliances, applications, or physical entities are at risk? Is the cost of protecting an asset less than the cost of it being attacked?
The next phase is your risk response. That will be closely related to your prioritization. You can categorize your risk responses according to which risks you can remediate, mitigate, or accept. Sometimes very difficult decisions have to be made. An asset that would cost more to secure than to lose may well correspond to a risk you decide to accept. Or you might decide that it's important enough for employees to be able to bring their own devices into your network that you accept the significant amount of risk that introduces. Patchable software vulnerabilities are remediable risks, but patching can also bring its own challenges. Note: in some cases the right response is to take a hardware device with too many vulnerabilities out of your network entirely and replace it with a device with fewer vulnerabilities.
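The phases above (asset discovery, a vulnerability feed, prioritization by urgency, and a remediate/mitigate/accept decision) fit together as a small pipeline. The following is an added illustration, not code from the original article: it correlates a constructed asset inventory against a constructed list of known-vulnerable versions, scores each finding by severity, exposure and asset value, and picks a response by comparing the cost of the fix with the value of the asset. The record formats, the weights in `urgency()`, the dollar figures and the `VULN-000N` placeholder identifiers are all assumptions made for the example; real version schemes are also messier than the dotted integers handled here.

```python
"""Minimal vulnerability-management triage over a constructed inventory.

Added example (not the article's own code).  All data below is constructed
for illustration: hosts, products, versions, costs and VULN-000N placeholder
IDs are assumptions, not real assets or real CVE identifiers.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    host: str
    software: dict      # product name -> installed version (assumed dotted integers)
    exposure: str       # "internet" or "internal"
    value: int          # assumed estimated loss (USD) if the asset is compromised


@dataclass
class KnownVuln:
    vuln_id: str        # constructed placeholder, not a real CVE ID
    product: str
    fixed_in: str       # first version that is NOT affected
    severity: float     # 0..10, on the same scale as a CVSS base score
    fix_cost: int       # assumed estimated cost (USD) to remediate
    patch_available: bool


def parse_version(version: str) -> tuple:
    """Turn '1.18.0' into (1, 18, 0) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, fixed_in: str) -> bool:
    """Installed version is vulnerable when it is strictly below the fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def find_exposures(assets, vulns):
    """Join discovery with the feed: every (asset, vuln) pair where the
    asset runs an affected version of the vulnerable product."""
    found = []
    for asset in assets:
        for vuln in vulns:
            installed = asset.software.get(vuln.product)
            if installed is not None and is_affected(installed, vuln.fixed_in):
                found.append((asset, vuln))
    return found


def urgency(asset: Asset, vuln: KnownVuln) -> float:
    """Higher means deal with it sooner.  Internet-facing assets are weighted
    double, and the score grows with the money at stake (assumed weights)."""
    exposure_weight = 2.0 if asset.exposure == "internet" else 1.0
    return vuln.severity * exposure_weight * (1 + asset.value / 100_000)


def response(asset: Asset, vuln: KnownVuln) -> str:
    """Accept when fixing costs more than losing the asset; remediate when a
    patch exists; otherwise mitigate (compensating controls or replacement)."""
    if vuln.fix_cost > asset.value:
        return "accept"
    if vuln.patch_available:
        return "remediate"
    return "mitigate"


def triage(assets, vulns):
    """Return (urgency, host, vuln_id, response) rows, most urgent first."""
    rows = [(urgency(a, v), a.host, v.vuln_id, response(a, v))
            for a, v in find_exposures(assets, vulns)]
    return sorted(rows, key=lambda row: -row[0])


# Constructed sample inventory and feed.
ASSETS = [
    Asset("web01", {"nginx": "1.18.0", "openssl": "1.1.1"}, "internet", 250_000),
    Asset("db01", {"postgres": "12.4"}, "internal", 500_000),
    Asset("kiosk01", {"legacy-agent": "2.0"}, "internal", 2_000),
]
VULNS = [
    KnownVuln("VULN-0001", "nginx", "1.20.1", 7.5, 500, True),
    KnownVuln("VULN-0002", "postgres", "12.5", 8.8, 8_000, True),
    KnownVuln("VULN-0003", "legacy-agent", "3.0", 9.0, 15_000, False),
    KnownVuln("VULN-0004", "openssl", "1.1.0", 5.0, 300, True),  # web01 is already past the fix
]

if __name__ == "__main__":
    for score, host, vuln_id, action in triage(ASSETS, VULNS):
        print(f"{score:6.1f}  {host:8}  {vuln_id}  {action}")
```

Two things the output makes visible that the prose alone does not: the internal database outranks the internet-facing web server once asset value is weighed in, and the cheap-but-unpatchable kiosk lands in "accept" because replacing it costs more than the asset is worth. Whether those are the right weights is exactly the judgment call the article is describing; the point is that the decision rule is written down and applied the same way to every finding.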
Vulnerability Management in a Nutshell
Proper and effective vulnerability management requires a certain mindset and attitude. You must understand that everything has vulnerabilities. Your network and the threat landscape will evolve over time, and you must keep on your toes. Difficult decisions will have to be made sometimes. There are multiple sources for vulnerability information and also multiple ways you can deal with them.