Vulnerability Management
Environmental Variables
Environmental variables refer to unique characteristics of an organization’s setup that can affect how vulnerabilities are assessed and managed.
- Include infrastructure, business operations, and technical environment
- Influence how risks are prioritized and handled
- Help shape appropriate vulnerability management strategies
Exposure Factor
Exposure Factor (EF) is a measure used in risk assessment to quantify the potential impact of a security breach on an organization.
- Represents the percentage of asset value lost due to a specific threat
- Used to estimate the financial impact of a security incident
- A key component in calculating the Single Loss Expectancy (SLE)
How to calculate:
- EF is expressed as a percentage (0% to 100%) of the asset's value (AV).
- Determined by evaluating the extent of damage one occurrence of the threat would cause: EF = expected loss from a single occurrence / AV.
- Where the damage is downtime, convert it to money first (hours of outage × the asset's hourly cost or lost revenue) before dividing by AV.
- SLE = AV × EF.
Example:
- If an asset worth 100,000 USD has an EF of 40%, the expected loss from a specific threat is SLE = 100,000 × 0.40 = $40,000.
For more information, please see Quantitative Risk Assessment.
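The figures above carried through in code, as an added example that is not part of these notes. It goes one step beyond the page by also computing the Annualized Loss Expectancy (ALE = SLE × ARO) and using it to rank threats and to judge whether a control is worth its cost. The asset values, exposure factors, annual rates of occurrence and the EDR control cost are constructed for illustration.

```python
"""Quantitative risk figures built on the Exposure Factor (EF).

Added example; not part of the original notes. The asset values, exposure
factors and annual rates of occurrence below are constructed for
illustration, not measurements from any real organization.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float       # AV: value of the asset in USD
    exposure_factor: float   # EF: fraction of AV lost per occurrence, 0.0..1.0
    aro: float               # ARO: expected occurrences per year


def exposure_factor(loss_per_event: float, asset_value: float) -> float:
    """EF = loss from one occurrence / asset value, as a fraction in [0, 1]."""
    if asset_value <= 0:
        raise ValueError("asset value must be positive")
    return max(0.0, min(1.0, loss_per_event / asset_value))


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = AV x EF: expected loss from a single occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("EF must be between 0% and 100%")
    return asset_value * ef


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """ALE = SLE x ARO: expected loss per year from the threat."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return sle * aro


def control_value(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Net yearly benefit of a control: ALE reduction minus the control's cost.
    A negative result means the control costs more than the risk it removes."""
    return (ale_before - ale_after) - annual_cost


def rank_by_ale(threats):
    """Return (name, SLE, ALE) tuples, highest ALE first, for prioritization."""
    rows = []
    for t in threats:
        sle = single_loss_expectancy(t.asset_value, t.exposure_factor)
        rows.append((t.name, sle, annualized_loss_expectancy(sle, t.aro)))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed portfolio; the first row is the 100,000 USD / 40% case from the notes.
THREATS = [
    Threat("ransomware on file server", 100_000, 0.40, 0.5),
    Threat("web defacement", 50_000, 0.10, 2.0),
    Threat("lost unencrypted laptop", 3_000, 1.00, 4.0),
]


def edr_decision(annual_cost: float = 8_000, aro_after: float = 0.1) -> float:
    """Worked decision: an EDR control (constructed cost) assumed to cut the
    ransomware ARO from 0.5 to 0.1. Returns the net yearly value of buying it."""
    t = THREATS[0]
    sle = single_loss_expectancy(t.asset_value, t.exposure_factor)
    before = annualized_loss_expectancy(sle, t.aro)
    after = annualized_loss_expectancy(sle, aro_after)
    return control_value(before, after, annual_cost)


if __name__ == "__main__":
    for name, sle, ale in rank_by_ale(THREATS):
        print(f"{name:28s} SLE={sle:>10,.0f}  ALE={ale:>10,.0f}")
    print("EDR net value per year:", edr_decision())
```

Note that the lost laptop outranks the web defacement on ALE despite its tiny asset value: a 100% EF combined with a high ARO is what makes it expensive, which is the kind of result a per-incident SLE alone would hide.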
Risk Tolerance
Risk tolerance refers to the level of risk an organization or individual is willing to accept in pursuit of its objectives.
- The amount of uncertainty an organization is prepared to handle
- Balances potential benefits against possible adverse effects
- Influences decision-making and strategic planning
- Guides the development of risk management strategies
- Helps in setting appropriate risk thresholds and limits
Determinants:
- Organizational goals and objectives
- Industry standards and regulatory requirements
- Financial stability and resources
- Stakeholder expectations and risk perception
Example:
- A tech startup may have a higher risk tolerance, accepting the possibility of frequent changes and potential failures to innovate quickly.
- A financial institution, on the other hand, might have a low risk tolerance, prioritizing stability and regulatory compliance to protect client assets.
Identifying Vulnerabilities
Vulnerability Scanning
Automated method of probing networks, systems, and applications to discover potential vulnerabilities.
- Many tools available, including Nessus and OpenVAS.
- These tools can analyze your system's current state against known vulnerabilities.
- They can also generate a detailed report of vulnerabilities and criticality levels.
- Less intrusive than a penetration test: the scanner probes for known weaknesses but does not exploit them.
- Should be run periodically, either manually or on a schedule.
Types:
- Credentialed scan, where host/device credentials are supplied to the scanning tool so it can log in and inspect installed software, patch levels, and configuration.
- Uncredentialed scan, which mimics an attacker who has no access and sees only what is exposed over the network.
As a cybersecurity professional, you need to:
- Prioritize
- Patch
- Mitigate
For more information, please see Vulnerability Scans.
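A small triage routine for the prioritize/patch/mitigate step, as an added example that is not code from these notes, from Nessus or from OpenVAS. The findings are constructed to resemble a normalized report export rather than any vendor's real schema, and the scoring weights (CVSS as the base, plus internet exposure and exploit availability, minus a discount for results seen only by an uncredentialed scan) are an assumption chosen for this example.

```python
"""Triage of vulnerability scanner findings: prioritize, then patch or mitigate.

Added example; not code from the notes, from Nessus or from OpenVAS. The
findings below are constructed to resemble a normalized report export (one
record per host and check), not a vendor's real schema, and the scoring
weights are an assumption chosen for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss: float               # CVSS base score reported by the scanner, 0.0-10.0
    internet_facing: bool     # the host is reachable from the internet
    exploit_available: bool   # scanner flags a publicly available exploit
    credentialed: bool        # confirmed by a credentialed (authenticated) scan
    patch_available: bool     # a vendor fix exists


def priority_score(f: Finding) -> float:
    """Rank a finding by CVSS plus the environmental factors the scanner cannot
    know on its own. An uncredentialed-only result is usually a banner or
    version guess, so it is discounted until verified."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0
    if f.exploit_available:
        score += 1.5
    if not f.credentialed:
        score -= 1.0
    return max(0.0, score)


def recommended_action(f: Finding) -> str:
    """Patch when a fix exists; otherwise mitigate with a compensating control
    (isolate the host, disable the service, or block the vector at a WAF/IPS)."""
    return "patch" if f.patch_available else "mitigate"


def triage(findings):
    """Return findings as (host, title, score, action), highest priority first."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [(f.host, f.title, round(priority_score(f), 1), recommended_action(f))
            for f in ranked]


# Constructed sample report.
SAMPLE_FINDINGS = [
    Finding("web01", "Apache HTTP Server outdated (banner match)", 9.8, True, True, False, True),
    Finding("db01", "Unsupported operating system version", 10.0, False, True, True, False),
    Finding("hr-laptop-12", "Office client remote code execution", 7.8, False, True, True, True),
    Finding("printer-3f", "SNMP default community string", 5.3, False, False, False, False),
]


if __name__ == "__main__":
    for host, title, score, action in triage(SAMPLE_FINDINGS):
        print(f"{score:5.1f}  {action:8s}  {host:12s}  {title}")
```

The unsupported database OS lands near the top even though no patch exists, which is exactly the case where "mitigate" matters: the answer is isolation or decommissioning, not waiting for a fix that will never ship.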
Penetration Testing
Used to simulate a real-world attack on a system to evaluate its security posture.
- Attackers are likely to use similar attack vectors and techniques.
- Remediate the issues identified in the report.
For more information, please see Penetration Testing.
Security and Process Auditing
Process that involves conducting a comprehensive review of the information systems, security policies, and procedures. This ensures the organization adheres to security best practices.
Four-Step Process:
- Planning
  - Set clear goals for the audit, e.g. compliance, risk assessment, or performance evaluation.
  - Determine the systems, processes, and policies to be reviewed.
  - Allocate the necessary resources, including tools and personnel.
  - Establish a timeline for the audit process.
- Testing
  - Conduct vulnerability assessments and penetration testing on the systems under test.
  - Evaluate current security policies, procedures, and controls.
  - Gather data through interviews, questionnaires, and documentation review.
  - Analyze the collected data to identify weaknesses and areas for improvement.
- Implementing
  - Provide actionable recommendations based on the findings from the testing phase.
  - Create a plan to address identified vulnerabilities and improve security measures.
  - Implement the recommended changes and improvements.
  - Run awareness programs so that staff understand the new policies and procedures.
- Auditing
  - Verify that the implemented changes have been made and are effective.
  - Ensure that all changes comply with relevant regulations and standards.
  - Establish ongoing monitoring processes to maintain security and compliance.
  - Document audit findings, actions taken, and future recommendations.
Analyzing Vulnerabilities
True Positive
A true positive occurs when a security system correctly identifies a real threat.
- Accurate detection of a genuine vulnerability
- Ensures timely remediation
- Boosts confidence in the security system
- Reduces potential damage from attacks
False Positive
A false positive happens when a security system incorrectly flags a non-threatening situation as a threat.
- Wastes time and resources investigating non-issues
- Can lead to alert fatigue
- May cause unnecessary panic
- Undermines trust in the security system
Over time, if security teams receive too many false positives, they may start ignoring or tuning them out, potentially missing real threats that appear similar.
This phenomenon is known as alert fatigue, which is a common challenge in cybersecurity operations.
True Negative
A true negative is when a security system correctly identifies that there is no threat present.
- Confirms the absence of vulnerabilities
- Reduces unnecessary alerts
- Supports the accuracy of the security system
- Helps maintain normal operations without interruptions
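The four outcomes above put to work on a batch of verified alerts, as an added example that is not part of these notes. It classifies each alert as a true positive, false positive, true negative or false negative, measures precision (the share of raised alerts that were genuine, which is what drives alert fatigue), finds the checks responsible for most false positives, and shows that tuning a noisy check out changes its false positives into true negatives without touching the true positives. The alert records are constructed, with a "real" column standing in for the analyst's manual verification, and the half hour per investigated alert is an assumption.

```python
"""Classifying scanner/alert outcomes against verification results.

Added example; not from the notes. The alert records are constructed, with a
"real" column standing in for the analyst's manual verification of each one.
"""
from collections import Counter


def classify(flagged: bool, real: bool) -> str:
    """Map one (tool said / reality) pair to TP, FP, TN or FN."""
    if flagged:
        return "TP" if real else "FP"
    return "FN" if real else "TN"


def outcome_counts(records):
    """Tally outcomes over (alert id, check, flagged, real) records."""
    return Counter(classify(flagged, real) for _, _, flagged, real in records)


def precision(counts) -> float:
    """Share of raised alerts that were genuine; low precision drives alert fatigue."""
    raised = counts["TP"] + counts["FP"]
    return counts["TP"] / raised if raised else 0.0


def noisy_checks(records, min_false_positives: int = 2):
    """Checks that produced at least min_false_positives FPs: tuning candidates."""
    fps = Counter(check for _, check, flagged, real in records if flagged and not real)
    return sorted(c for c, n in fps.items() if n >= min_false_positives)


def suppress(records, check: str):
    """Tune out one check entirely. Safe only when its findings were verified as
    non-issues: suppressing a check that also produced TPs turns them into FNs."""
    return [(i, c, flagged and c != check, real) for i, c, flagged, real in records]


def tune(records):
    """Suppress every noisy check and return the tuned record set."""
    for check in noisy_checks(records):
        records = suppress(records, check)
    return records


def wasted_analyst_hours(counts, hours_per_alert: float = 0.5) -> float:
    """Time spent investigating non-issues (hours_per_alert is an assumption)."""
    return counts["FP"] * hours_per_alert


# Constructed sample: (alert id, check name, flagged by tool, verified real).
# The three ssl-weak-cipher hits were verified as non-issues by the analyst.
SAMPLE = [
    (1, "ssl-weak-cipher", True, False),
    (2, "ssl-weak-cipher", True, False),
    (3, "ssl-weak-cipher", True, False),
    (4, "rce-cve-plugin", True, True),
    (5, "rce-cve-plugin", True, True),
    (6, "smb-signing-disabled", True, True),
    (7, "outdated-kernel", False, True),   # missed by the tool: a false negative
    (8, "ssh-banner", False, False),
    (9, "ntp-version", False, False),
    (10, "http-trace", False, False),
]


if __name__ == "__main__":
    before, after = outcome_counts(SAMPLE), outcome_counts(tune(SAMPLE))
    print("before:", dict(before), f"precision={precision(before):.2f}",
          f"wasted hours={wasted_analyst_hours(before)}")
    print("noisy checks:", noisy_checks(SAMPLE))
    print("after: ", dict(after), f"precision={precision(after):.2f}")
```

The false negative at alert 7 survives the tuning unchanged: suppressing a check only ever trades false positives for true negatives, so it cannot recover a threat the tool never raised in the first place.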