
Vulnerability Management

Updated Jan 30, 2024

Exposure Factor

Exposure Factor (EF) is a measure used in risk assessment to quantify the potential impact of a security breach on an organization.

  • Represents the percentage of asset value lost due to a specific threat
  • Used to estimate the financial impact of a security incident
  • A key component in calculating the Single Loss Expectancy (SLE)

How to calculate:

  • EF is expressed as a percentage (0% to 100%)

  • Determined by evaluating the extent of damage a threat can cause

    EF = Risk of downtime (hours) / 24 hours

Example:

  • If an asset worth $100,000 has an EF of 40%, the expected loss (the SLE) from a specific threat would be $40,000.

For more information, please see Quantitative Risk Assessment.

Risk Tolerance

Risk tolerance refers to the level of risk an organization or individual is willing to accept in pursuit of its objectives.

  • The amount of uncertainty an organization is prepared to handle
  • Balances potential benefits against possible adverse effects
  • Influences decision-making and strategic planning
  • Guides the development of risk management strategies
  • Helps in setting appropriate risk thresholds and limits

Determinants:

  • Organizational goals and objectives
  • Industry standards and regulatory requirements
  • Financial stability and resources
  • Stakeholder expectations and risk perception

Example:

  • A tech startup may have a higher risk tolerance, accepting the possibility of frequent changes and potential failures to innovate quickly.
  • A financial institution, on the other hand, might have a low risk tolerance, prioritizing stability and regulatory compliance to protect client assets.

Identifying Vulnerabilities

Vulnerability Scanning

Automated method of probing networks, systems, and applications to discover potential vulnerabilities.

  • Many tools available, including Nessus and OpenVAS.
  • These tools can analyze your system's current state against known vulnerabilities.
  • They can also generate a detailed report of vulnerabilities and criticality levels.
  • Passive/non-invasive, compared to penetration tests.
  • Should be run periodically, either manually or on a schedule.

Types:

  • Credentialed Scan, where host/device credentials are entered into the scanning tool.
  • Uncredentialed Scan, which mimics someone who doesn't have access.

As a cybersecurity professional, you need to:

  • Prioritize
  • Patch
  • Mitigate

Penetration Testing

Used to simulate a real-world attack on a system to evaluate its security posture.

  • Attackers are likely to use similar attack vectors and techniques.
  • Mitigate the identified issues found in the report.
  • For more information, please see Penetration Testing.

Security and Process Auditing

Process that involves conducting a comprehensive review of the information systems, security policies, and procedures. This ensures the organization adheres to security best practices.

Four-Step Process:

  1. Planning

    • Set clear goals for the audit, e.g. compliance, risk assessment, or performance evaluation.
    • Determine the systems, processes, and policies to be reviewed.
    • Allocate the necessary resources, including tools and personnel.
    • Establish a timeline for the audit process.
  2. Testing

    • Conduct vulnerability assessments and penetration testing on test systems.
    • Evaluate current security policies, procedures, and controls.
    • Gather data through interviews, questionnaires, and reviewing documentation.
    • Analyze the collected data to identify weaknesses and areas for improvement.
  3. Implementing

    • Provide actionable recommendations based on the findings from the testing phase.
    • Create a plan to address identified vulnerabilities and improve security measures.
    • Implement the recommended changes and improvements.
    • Run awareness programs, ensuring that staff understand the new policies and procedures.
  4. Auditing

    • Verify that the implemented changes have been made and are effective.
    • Ensure that all changes comply with relevant regulations and standards.
    • Establish ongoing monitoring processes to maintain security and compliance.
    • Document audit findings, actions taken, and future recommendations.

Analyzing Vulnerabilities

True Positive

A true positive occurs when a security system correctly identifies a real threat.

  • Accurate detection of a genuine vulnerability
  • Ensures timely remediation
  • Boosts confidence in the security system
  • Reduces potential damage from attacks

False Positive

A false positive happens when a security system incorrectly flags a non-threatening situation as a threat.

  • Wastes time and resources investigating non-issues
  • Can lead to alert fatigue
  • May cause unnecessary panic
  • Undermines trust in the security system

True Negative

A true negative is when a security system correctly identifies that there is no threat present.

  • Confirms the absence of vulnerabilities
  • Reduces unnecessary alerts
  • Supports the accuracy of the security system
  • Helps maintain normal operations without interruptions

False Negative

A false negative occurs when a security system fails to detect a real threat.

  • Leaves vulnerabilities unaddressed
  • Increases risk of undetected attacks
  • Undermines the security posture
  • Potentially leads to significant damage and breaches
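The four outcomes above are easiest to see when scanner output is compared against findings that were later validated by hand. The code below is an added example, not part of the original page; the scan results and the validated ground truth are constructed sample data.

```python
# Constructed sample data (assumed, not real scan output): which (host, check)
# pairs the scanner flagged, and which of them manual validation confirmed.
SCANNER_FLAGGED = {
    ("web01", "outdated-openssl"): True,
    ("web01", "ssl-weak-cipher"): True,
    ("db01", "default-creds"): False,
    ("db01", "outdated-openssl"): False,
    ("app02", "dir-listing"): True,
    ("app02", "default-creds"): False,
}
VALIDATED_REAL = {
    ("web01", "outdated-openssl"): True,   # flagged and real      -> true positive
    ("web01", "ssl-weak-cipher"): False,   # flagged, not real     -> false positive
    ("db01", "default-creds"): True,       # real but not flagged  -> false negative
    ("db01", "outdated-openssl"): False,   # not real, not flagged -> true negative
    ("app02", "dir-listing"): True,
    ("app02", "default-creds"): False,
}


def classify(flagged, real):
    """Bucket every (host, check) pair into TP / FP / TN / FN."""
    buckets = {"TP": [], "FP": [], "TN": [], "FN": []}
    for key, was_flagged in flagged.items():
        is_real = real[key]
        if was_flagged and is_real:
            buckets["TP"].append(key)
        elif was_flagged and not is_real:
            buckets["FP"].append(key)
        elif not was_flagged and is_real:
            buckets["FN"].append(key)   # the dangerous bucket: unaddressed real issues
        else:
            buckets["TN"].append(key)
    return buckets


def precision(buckets):
    """Share of alerts that were real; low precision drives alert fatigue."""
    tp, fp = len(buckets["TP"]), len(buckets["FP"])
    return tp / (tp + fp) if tp + fp else 0.0


def recall(buckets):
    """Share of real issues the scanner caught; low recall means false negatives."""
    tp, fn = len(buckets["TP"]), len(buckets["FN"])
    return tp / (tp + fn) if tp + fn else 0.0


if __name__ == "__main__":
    b = classify(SCANNER_FLAGGED, VALIDATED_REAL)
    for name, keys in b.items():
        print(name, keys)
    print(f"precision={precision(b):.2f} recall={recall(b):.2f}")
```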

Prioritize, Classify, and Assess

Prioritize

Factors to consider when prioritizing vulnerabilities:

  • Ease of exploitation
  • Magnitude of potential damage
  • Importance of affected system

Classify

Factors to consider when classifying vulnerabilities:

  • Type of threat
  • Potential impact to the organization
  • Systems or data that may be affected

Sample categories:

  • Software flaws
  • Configuration errors
  • Security policy gaps

Within each category, we can further sub-classify them, like:

  • Buffer overflows
  • Privilege Escalation
  • Insecure default settings

CVE

Common Vulnerabilities and Exposures (CVE) is a standardized system for identifying and cataloging known security vulnerabilities in software and hardware.

  • Helps in tracking and managing vulnerabilities
  • Facilitates sharing and dissemination of information about vulnerabilities
  • Referenced in security advisories and reports
  • Integrated into vulnerability management and scanning tools
  • Improves security assessment and patch management processes
  • Assists in the prioritization of threat mitigation efforts

Structure:

  • CVE IDs follow the format: CVE-YEAR-NUMBER (e.g., CVE-2024-12345)
  • Each CVE entry includes a brief description of the vulnerability
  • May contain references to further details, patches, or advisories

Link: cve.mitre.org
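As an added example (not from the original page), the script below ties together the Exposure Factor formula, the three prioritization factors listed under Prioritize, and the CVE-YEAR-NUMBER format: it validates each finding's CVE ID, derives EF from expected downtime hours, computes the SLE as the damage magnitude, and ranks findings. The weights for ease of exploitation and asset importance, and the sample findings, are assumptions; the CVE IDs other than the page's CVE-2024-12345 are placeholders.

```python
import re

# CVE IDs take the form CVE-YEAR-NUMBER; the sequence part has four or more digits.
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed weights for the two qualitative prioritization factors (not from the page).
EASE_WEIGHT = {"easy": 3, "moderate": 2, "hard": 1}
IMPORTANCE_WEIGHT = {"critical": 3, "high": 2, "low": 1}


def valid_cve_id(cve_id: str) -> bool:
    return CVE_ID.match(cve_id) is not None


def exposure_factor(downtime_hours: float) -> float:
    """EF as the page defines it: expected downtime over a 24-hour day, capped at 100%."""
    return min(downtime_hours / 24.0, 1.0)


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = asset value x EF, used here as the 'magnitude of potential damage'."""
    return asset_value * ef


def priority_score(finding: dict) -> float:
    sle = single_loss_expectancy(finding["asset_value"],
                                 exposure_factor(finding["downtime_hours"]))
    return EASE_WEIGHT[finding["ease"]] * IMPORTANCE_WEIGHT[finding["importance"]] * sle


def prioritize(findings):
    """Return (ranked valid findings, rejected CVE IDs). Malformed IDs are set
    aside rather than scored so a typo in a report cannot silently drop a finding."""
    rejected = [f["cve"] for f in findings if not valid_cve_id(f["cve"])]
    valid = [f for f in findings if valid_cve_id(f["cve"])]
    return sorted(valid, key=priority_score, reverse=True), rejected


# Constructed sample findings (placeholder IDs except CVE-2024-12345 from the page).
FINDINGS = [
    {"cve": "CVE-2024-12345", "host": "db01", "asset_value": 100_000,
     "downtime_hours": 9.6, "ease": "easy", "importance": "critical"},
    {"cve": "CVE-2023-99999", "host": "web01", "asset_value": 50_000,
     "downtime_hours": 24, "ease": "hard", "importance": "high"},
    {"cve": "CVE-2022-88888", "host": "kiosk03", "asset_value": 5_000,
     "downtime_hours": 48, "ease": "easy", "importance": "low"},
    {"cve": "CVE-24-1", "host": "app02", "asset_value": 20_000,
     "downtime_hours": 2, "ease": "moderate", "importance": "high"},
]

if __name__ == "__main__":
    ranked, rejected = prioritize(FINDINGS)
    for f in ranked:
        print(f"{f['cve']:15} {f['host']:8} score={priority_score(f):,.0f}")
    print("rejected (malformed CVE IDs):", rejected)
```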

Assessing Impact

Vulnerabilities' impact can be assessed in terms of:

  • Confidentiality
  • Integrity
  • Availability

Impact can also be assessed based on the industry:

  • Healthcare Vulnerabilities
    • Risk patient data and safety.
  • Financial Institution Vulnerabilities
    • Lead to monetary losses and regulatory scrutiny.