Vulnerability Management

• Identifying Vulnerabilities
  • Vulnerability Scanning
  • Penetration Testing
  • Security and Process Auditing
• Responsible Disclosure
  • Bug Bounty Programs
  • Benefits, Considerations, and Recommendations
• Analyzing Vulnerabilities
  • True Positive
  • False Positive
  • True Negative
  • False Negative
• Prioritize, Classify. and Assess
  • Prioritize
  • Classify
  • CVE
  • Assessing Impact
• Exposure Factor
• Risk Tolerance
• Response and Remediate
  • Patching
  • Purchasing Cybersecurity Insurance Policies
  • Network Segmentation
  • Implementing Compensating Controls
  • Granting Exemptions and Exceptions
• Validating Vulnerability Remediation
  • Rescans
  • Audit
  • Verifications
  • Best Practices
• Vulnerability Reporting
  • Internal Reporting
  • External Reporting
  • Responsible Disclosure Reporting
  • Confidentiality in Vulnerability Reports

Identifying Vulnerabilities

Vulnerability Scanning

Automated method of probing networks, systems, and applications to discover potential vulnerabilities.

• Many tools available, including Nessus and OpenVAS.
• These tools can analyze your system’s current state against known vulnerabilities.
• They can also generate a detailed report of vulnerabilities and criticality levels.
• Passive/non-invasive, compared to penetration tests.
• Should be ran periodically, either through manual or scheduled manner.

Types:

• Credentialed Scan, where host/device credentials is entered to scanning tool.
• Uncredentialed Scan, which mimics someone who doesn’t have access

As a cybersecurity professional, you need to:

• Prioritize
• Patch
• Mitigate

Penetration Testing

Used to simulate a real-world attack on a system to evaluate its security posture.

• Attackers are likely to use similar attack vectors and techniques.
• Mitigate the identified issues found in the report.
• To learn more, please see Penetration Testing.

Security and Process Auditing

Process that involves conducting a comprehensive review of the information systems, security policies, and procedures. This ensures the organization adheres to security best practices.

Four-Step Process:

1. Planning
   • Set clear goals for the audit, e.g. compliance, risk assessment, or performance evaluation.
   • Determine the systems, processes, and policies to be reviewed.
   • Allocate the necessary resources, including tools and personnel.
   • Establish a timeline for the audit process.
2. Testing
   • Conduct vulnerability assessments and penetration testing on test systems.
   • Evaluate current security policies, procedures, and controls.
   • Gather data through interviews, questionnaires, and reviewing documentation.
   • Analyze the collected data to identify weaknesses and areas for improvement.
3. Implementing
   • Provide actionable recommendations based on the findings from the testing phase.
   • Create a plan to address identified vulnerabilities and improve security measures.
   • Implement the recommended changes and improvements.
   • Awareness programs, ensuring that staffs understand new policies and procedures.
4. Auditing
   • Verify that the implemented changes have been made and are effective.
   • Ensure that all changes comply with relevant regulations and standards.
   • Establish ongoing monitoring processes to maintain security and compliance.
   • Document audit findings, actions taken, and future recommendations.

Responsible Disclosure

Describes the ethical practice where a security researcher discloses information about vulnerabilities in a software, hardware, or online service in confidential manner to the relevant stakeholders.

• Allow affected party with enough time to address the vulnerability before a public disclosure.
• Researchers contacts the owner/developer privately like sending an email.
• Both parties agrees on a certain timeframe before a disclosure can be made.
• This ensures the vulnerability is not exploited by a threat actor.

Bug Bounty Programs

Bug Bounty Programs encourage cybersecurity researchers to find and report vulnerabilities. Monetary rewards can be offered by organizations to incentivized researchers to participate in the organization’s disclosure program in a more controlled and ethical manner. It can done:

• Internally
• Externally through third-party platforms

These platform include:

• HackerOne
• Bugcrowd
• Synack

Benefits, Considerations, and Recommendations

Benefits of a Bug Bounty Program:

• Helps increase security of the organization.
• Fosters community collaboration.
• Cost-effective, only pay for the vulnerability found.

Considerations:

• Scope of the program
• Rules of Engagement
• Rewards
• Legal protection of researchers

Recommendations:

• Follow industry best practices.
• Have a clearly defined scope of the program.
• Clearly communicate permitted testing to researchers.
• Ensure full transparency inside of the bug bounty program.

Analyzing Vulnerabilities

True Positive

A true positive occurs when a security system correctly identifies a real threat.

• Accurate detection of a genuine vulnerability
• Ensures timely remediation
• Boosts confidence in the security system
• Reduces potential damage from attacks

False Positive

A false positive happens when a security system incorrectly flags a non-threatening situation as a threat.

• Wastes time and resources investigating non-issues
• Can lead to alert fatigue
• May cause unnecessary panic
• Undermines trust in the security system

True Negative

A true negative is when a security system correctly identifies that there is no threat present.

• Confirms the absence of vulnerabilities
• Reduces unnecessary alerts
• Supports the accuracy of the security system
• Helps maintain normal operations without interruptions

False Negative

A false negative occurs when a security system fails to detect a real threat.

• Leaves vulnerabilities unaddressed
• Increases risk of undetected attacks
• Undermines the security posture
• Potentially leads to significant damage and breaches

Prioritize, Classify. and Assess

Prioritize

Factors to consider when prioritizing vulnerabilities:

• Ease of exploitation
• Magnitude of potential damage
• Importance of affected system

Classify

Factors to consider when classifying vulnerabilities:

• Type of threat
• Potential impact to the organization
• Systems or data that may be affected

Sample categories:

• Software flaws
• Configuration errors
• Security policy gaps

Within each category, we can further sub-classify them, like:

• Buffer overflows
• Privilege Escalation
• Insecure default settings

CVE

Common Vulnerabilities and Exposures (CVE) is a standardized system for identifying and cataloging known security vulnerabilities in software and hardware.

• Helps in tracking and managing vulnerabilities
• Facilitates sharing and dissemination of information about vulnerabilities
• Referenced in security advisories and reports
• Integrated into vulnerability management and scanning tools
• Improves security assessment and patch management processes
• Assists in the prioritization of threat mitigation efforts

Structure:

• CVE IDs follow the format: CVE-YEAR-NUMBER (e.g., CVE-2024-12345)
• Each CVE entry includes a brief description of the vulnerability
• May contain references to further details, patches, or advisories

Link: cve.mitre.org

Assessing Impact

Vulnerabilities’ impact can be assessed in terms of:

• Confidentiality
• Integrity
• Availability

Impact can also be assessed based on the industy:

• Healthcare Vulnerabilities
  • Risks patient data and safety.
• Financial Institution Vulnerabilities
  • Lead to monetary losses and regulatory scrutiny.

Exposure Factor

Exposure Factor (EF) is a measure used in risk assessment to quantify the potential impact of a security breach on an organization.

• Represents the percentage of asset value lost due to a specific threat
• Used to estimate the financial impact of a security incident
• A key component in calculating the Single Loss Expectancy (SLE)

How to calculate:

• EF is expressed as a percentage (0% to 100%)

• Determined by evaluating the extent of damage a threat can cause

   EF = Risk of downtime (hours) / 24 hours
  

Example:

• If an asset worth 100,000 USD has an EF of 40%, the expected loss from a specific threat would be $40,000.

For more information, please see Quantitative Risk Assessment.

Risk Tolerance

Risk tolerance refers to the level of risk an organization or individual is willing to accept in pursuit of its objectives.

• The amount of uncertainty an organization is prepared to handle
• Balances potential benefits against possible adverse effects
• Influences decision-making and strategic planning
• Guides the development of risk management strategies
• Helps in setting appropriate risk thresholds and limits

Determinants:

• Organizational goals and objectives
• Industry standards and regulatory requirements
• Financial stability and resources
• Stakeholder expectations and risk perception

Example:

• A tech startup may have a higher risk tolerance, accepting the possibility of frequent changes and potential failures to innovate quickly.
• A financial institution, on the other hand, might have a low risk tolerance, prioritizing stability and regulatory compliance to protect client assets.

Response and Remediate

Vulnerability response and remediation refers to the strategies that identify, assess, and address vulnerabilities in a system or network to stengthen an organization’s security posture.

Importance:

• Ensures timely and effective response to vulnerabilities
• Reduces the risk of exploitation and potential damage
• Enhances overall security posture and resilience
• Supports compliance with regulatory and industry standards

Implementation:

• Regularly conduct vulnerability assessments and penetration testing
• Develop and maintain a comprehensive patch management policy
• Invest in cybersecurity insurance as part of risk management strategy
• Employ network segmentation to minimize the impact of breaches
• Use compensating controls and manage exceptions carefully

The process includes:

• Patching
• Purchasing Cybersecurity Insurance Policies
• Network Segmentation
• Implementing Compensating Controls
• Granting Exemptions and Exceptions

Patching

• Regularly updating software and systems to fix known vulnerabilities
• Ensures systems are protected against known exploits
• Requires thorough testing to avoid introducing new issues
• Essential for maintaining compliance with security standards

Purchasing Cybersecurity Insurance Policies

• Provides financial protection against losses from cyber incidents
• Assists in risk management and financial planning
• Covers costs related to data breaches, ransomware, and other cyber threats

Network Segmentation

• Dividing a network into smaller, isolated segments to limit spread of attacks
• Enhances control over data flow and access permissions
• Reduces the potential impact of a security breach
• Improves the ability to detect and respond to threats

Implementing Compensating Controls

• Using alternative measures when primary controls are infeasible or impractical
• Equal level of protection, plus additional layer of defense
• Can include monitoring, encryption, and access controls

Granting Exemptions and Exceptions

• Exception
  • Temporarily relaxez security controls for operational business needs.
  • Need to understand the associated risk of bypassing controls.
  • Ensures that exceptions are documented and reviewed regularly
• Exemption
  • Permanently waive control over specific reasons, like using legacy system.
  • Allowing processes to deviate from policies under certain conditions
  • Requires thorough risk assessment and justification

Validating Vulnerability Remediation

Validating vulnerability remediation ensures that identified vulnerabilities have been effectively addressed and mitigated. This process confirms that remediation efforts are successful and that systems are secure.

Key Methods:

• Rescans
• Audits
• Verifications

Rescans

• Conducting a new scan of the system after remediation efforts.
• Ensures identified vulnerabilities have been successfully patched or mitigated.
• Rescans can also identify new vulnerabilities that needs to be mitigated.
• Recommendations:
  • Use the same or updated comprehensive scanning tools.
  • Rescan under the same conditions as the initial scan.
  • Compare results with the initial scan to ensure no vulnerabilities remain.
  • Schedule regular and automatic rescans to maintain ongoing security.

Audit

• An independent review and assessment of remediation activities.
• Systematically reviewing logs, configurations, and patches.
• Provide an objective evaluation of the effectiveness of remediation efforts.
• Recommendations:
  • Conduct internal or external audits of security practices and controls.
  • Review remediation documentation and evidence of patch application.
  • Assess compliance with security policies and standards.
  • Identify any gaps or areas for improvement.
  • Leverage automated auditing tools and compliance checks.
  • Patch auditing, verifies proper patch application.
  • Configuration auditing, checks for misconfiguration.

Verifications

• Additional checks to confirm that vulnerabilities have been addressed.
• Ensure that remediation measures are properly implemented and effective.
• Recommendations:
  • Perform manual checks and validations by security professionals.
  • Utilize automated testing tools to verify the absence of vulnerabilities.
  • Review system logs and alerts for signs of successful mitigation.
  • Penetration testing, to simulate potential attacks and ensure defenses hold.
  • User verifications, to ensure applications are still functioning correctly.
  • Feedback Loops, to identify any remaining issue post-remediation.

Best Practices

• Schedule regular rescans and audits as part of the security maintenance routine.
• Use combination of automated tools and manual verifications for thorough validation.
• Document all validation activities and results for future reference and compliance.
• Continuously monitor systems for new vulnerabilities and ensure timely remediation.

Vulnerability Reporting

Vulnerability reporting is the process of documenting and communicating identified security weaknesses to relevant stakeholders, ensuring timely and effective remediation.

• Ensure vulnerabilities are managed discreetly
• Use clear, concise, and transparent language to ensure they are well understood.
• Communications and the reports need to remain confidential.

Internal Reporting

• Reporting vulnerabilities within an organization to the appropriate internal teams.
• Ensure prompt attention and action by internal security, IT, and management teams.
• Process:
  • Use standardized reporting formats to document vulnerabilities.
  • Communicate findings through channels like incident tracking systems or email.
  • Prioritize vulnerabilities based on severity and potential impact.
  • Follow up on remediation efforts and validate fixes.
• Importance:
  • Facilitates quick response and remediation.
  • Enhances coordination among internal teams.
  • Helps maintain internal security posture and compliance.

External Reporting

• Reporting vulnerabilities to external parties, e.g. vendors, partners.
• Alert external parties who can address vulnerabilities in their products.
• Process:
  • Identify the appropriate external contact or reporting mechanism.
  • Can include engaging with vendor support, security advisories, etc.
  • Provide detailed information, including steps to reproduce and potential impact.
  • Protect any sensitive systems and data details from disclosure.
  • Collaborate with external parties to track remediation progress.
  • Respect any protocols or guidelines set by the external entity.
• Importance:
  • Ensures vulnerabilities in third-party products are addressed.
  • Enhances overall ecosystem security.
  • Builds trust and collaboration with external stakeholders.

Responsible Disclosure Reporting

• Reporting vulnerabilities in a way that balances security with public safety.
• Give affected party reasonable time to fix the issue before it’s disclosed publicly.
• Process:
  • Work with the affected party to coordinate public disclosure if necessary.
  • Report the vulnerability directly to the affected organization or vendor.
  • Allow a specified period for remediation before making details public.
  • Follow established guidelines, such as those provided by the Organization for Internet Safety (OIS).
• Importance:
  • Encourages responsible behavior among security researchers.
  • Provides time for fixes, reducing the risk of exploitation.
  • Maintains a balance between transparency and security.

Confidentiality in Vulnerability Reports

• Ensures details of reported vulnerabilities are kept confidential until resolved.
• Prevent malicious actors from exploiting vulnerabilities before they are fixed.
• Process:
  • Limit access to vulnerability reports to authorized personnel only.
  • Use secure channels for communication and reporting.
  • Monitor and control the distribution of sensitive information.
  • Ensure reports are encrypted and use secure storage.
  • Apply non-disclosure agreements (NDAs) where appropriate.
• Importance:
  • Protects sensitive information from unauthorized access.
  • Reduces the risk of exploitation during the remediation period.
  • Preserves the integrity of the vulnerability management process.

---

Back to main page