Risk mitigation is the centerpiece of the vulnerability management process. While remediation always remains a worthwhile goal, you can’t totally eliminate risk, no matter how fortified your system’s defenses appear to be. Moreover, the primary source of vulnerability in software apps comes from within, from the code itself.
In this article, I will explain the steps involved in vulnerability management and how it is used to manage, mitigate, and remediate cybersecurity risks.
Why is the Vulnerability Management Process Important?
In Code Complete, Steve McConnell says there are about 15 - 50 errors or bugs per 1000 lines of delivered code. McConnell, however, noted that NASA’s mission-critical application, its Space Shuttle Software, had zero code defects. But this mind-boggling feat was achieved at a cost of thousands of dollars per line of code!
Needless to say, this cost is simply too prohibitive for most businesses. Besides, most of them aren’t sending spaceships into orbit where astronauts' lives are literally put on the line. Vulnerability management is, therefore a more achievable objective for the common business.
As a process, vulnerability management entails identifying, assessing, and prioritizing security vulnerabilities across systems, workloads, and endpoints. After the vulnerabilities have been classified, the process typically delves into remediation, reporting, and resolving the uncovered threats satisfactorily.
What’s The Difference Between a Vulnerability Management Program and a Process?
The terms "vulnerability management program" and "vulnerability management process" are related but represent different aspects of handling vulnerabilities in an organization's security practices.
A vulnerability management program is a comprehensive and strategic approach to managing vulnerabilities across an organization's IT infrastructure software and systems. It is a higher-level concept that involves various elements, including policies, procedures, tools, and resources, aimed at reducing the overall risk posed by vulnerabilities.
A vulnerability management program typically includes the following components:
- Vulnerability Assessments: Regularly scan systems, applications, and networks to identify potential vulnerabilities.
- Risk Prioritization: Evaluate and prioritize vulnerabilities based on their severity and potential impact on the organization.
- Patch Management: Develop processes for applying security patches and updates to mitigate identified vulnerabilities. (often made easier with security testing tools)
- Threat Intelligence: Integrate threat intelligence to understand the latest vulnerabilities and potential attack vectors.
- Reporting and Metrics: Generate reports and metrics to track the effectiveness of vulnerability management efforts.
- Responsibilities and Roles: Clearly define responsibilities and roles for personnel involved in the vulnerability management process.
The vulnerability management process is a more specific and operational part of the vulnerability management program. It refers to the step-by-step procedures and actions that are taken when dealing with a single vulnerability or a set of vulnerabilities. The process involves the execution of tasks and follows a structured approach to handling vulnerabilities effectively.
The vulnerability management process typically includes the following stages:
- Identification: This stage involves discovering and cataloging vulnerabilities through various methods, such as vulnerability scanning, manual assessments, or penetration testing.
- Evaluation: Once vulnerabilities are identified, they are assessed to determine their severity and potential impact on the organization's assets and operations.
- Remediation: In this phase, the organization takes action to address the identified vulnerabilities. This may involve applying security patches, configuration changes, or implementing workarounds.
- Verification: After the remediation steps have been taken, the organization verifies whether the vulnerabilities have been effectively addressed and mitigated.
- Reporting: Throughout the process, documentation and reporting are crucial for tracking progress, maintaining compliance, and communicating with stakeholders.
In summary, a vulnerability management program is a comprehensive strategy encompassing various elements to manage vulnerabilities in an organization effectively. On the other hand, the vulnerability management process is a specific set of steps and actions taken to identify, evaluate, and remediate individual vulnerabilities as part of the larger program. The process is an integral part of the program, contributing to its overall success.
The Five Stages of the Vulnerability Management Process
As opposed to vulnerability assessment, which is a one-time event, vulnerability management is a continuous, ongoing process. These are the steps to follow in a vulnerability management lifecycle.
Step 1: Identifying Vulnerabilities
This step revolves around identifying and classifying vulnerabilities. Vulnerabilities are typically ranked using the Common Vulnerability Scoring System (CVSS).
The role of the CVSS is more prominent in stage two; however, what takes center stage at this point is vulnerability scanning. Vulnerability scanning is often done as part of a penetration testing exercise by a pentester or a security team of penetration testers.
In this process, a vulnerability scanner is an automated tool used to search, identify, and report the known vulnerabilities present in a company’s IT infrastructure.
It creates an inventory of all the IT assets available in the system, especially those actively connected to the organization’s network. These typically include firewalls, servers, operating systems, containers, virtual machines, routers, printers, laptops, desktops, and switches.
They also probe endpoints like open ports, IoT devices, system configurations, installed software, third-party apps, and file system structures.
Since vulnerability scanners perform scans across an organization’s network to search for vulnerabilities, the potential to disrupt the system or its elements is high. Therefore, white hat hackers usually fine-tune their methods to account for this during penetration testing. As a result, they might exclude systems susceptible to unstable or erratic behavior, or adapt their methods to be less disruptive. For instance, if network bandwidth is an issue, they can decide to perform network scans during non-peak business hours when network bandwidth isn’t limited.
Vulnerability management solutions are also adept at continuously collecting data from systems using endpoint agents. As they have advanced, they have also become more nimble; so they scan a new system or device immediately after it connects to the network.
But system scanning alone isn’t the primary objective of this stage.
Overall, an organization’s system and network security are enhanced with the road map of IT assets created in this stage. With this asset discovery, an organization can easily ascertain which devices are protected, which components aren’t, and how system endpoints can be potentially accessed.
This stage is crucial because it helps to determine the attack surface exposed or vulnerable to exploitation. Moreover, the information gathered by the vulnerability management solution is used to create reports and system metrics used in the next step of the vulnerability management process.
Ensuring secure data storage is crucial in vulnerability management. One way to achieve this is by utilizing top-tier database management software.
Step 2: Evaluating Vulnerabilities
After the vulnerabilities have been discovered, the next step is to evaluate the identified vulnerabilities for their degree of risk. In step 1, I briefly mentioned CVSS and how it is used as a ranking system for cybersecurity vulnerabilities.
CVSS is a free and open standard used to communicate the severity of vulnerabilities. It provides a score ranging from 0.0 to 10.0. To augment the vulnerability assessment, the National Vulnerability Database (NVD) includes a severity rating for the CVSS scores, as indicated in the table below.
CVSS Score | Severity Rating |
0.0 | None |
0.1 - 3.9 | Low |
4.0 - 6.9 | Medium |
7.0 - 8.9 | High |
9.0 - 10.0 | Critical |
These scores communicate to organizations the risk posed to their infrastructure by each vulnerability. Hence, organizations are able to prioritize the vulnerabilities and threats to focus on. This evaluation also informs the organization’s risk management strategy and remediation efforts.
While vulnerability scanners and CVSS scores are excellent tools, they might not always provide a comprehensive view of the risks faced by an organization.
This is because these out-of-the-box rating scores don’t always provide the best insight into the threats your business faces because of its peculiar risk profile. Although smart vulnerability management tools can prioritize risk, they might not always be nuanced enough to understand other additional factors.
Cybersecurity professionals can provide a better, well-rounded context of your risk exposure using the inventory of threat intelligence gathered. These security professionals often consider a myriad of factors like the following to determine a suitable risk assessment:
- Is this a true vulnerability or merely a false positive?
- What is the degree of difficulty in exploiting the vulnerability?
- Can this vulnerability be exploited remotely?
- How easy is it to exploit this vulnerability?
- Does this vulnerability have publicly published exploits?
- How many devices are reported with this vulnerability?
- Is this a new vulnerability (older vulnerabilities tend to pose a higher risk burden) and do you know how long it has existed in your network?
- Are there security policies, protocols, and controls present in your infrastructure to mitigate the impact of the vulnerability in case it’s exploited?
- What is the impact on the overall organization in the event of a successful exploit of the vulnerability?
Step 3: Remediating Vulnerabilities
This step focuses on treating and mitigating the discovered vulnerabilities. Several strategies are put in place to prioritize and eliminate vulnerabilities based on the level of risk they pose to the business.
Patching
Patching is often the low-hanging fruit that remediates a large portion of the vulnerabilities found in software. In fact, most cybersecurity breaches are a result of unpatched software. Therefore, a patch management system that ensures operating systems and third-party software are up-to-date is vital.
However, there might be occasions when a vendor hasn’t yet released a patch for a particular vulnerability. In this instance, the organizations should switch to mitigation measures to lessen the impact of the vulnerability’s possible exploitation.
These measures might include limiting user permissions for those activities or—depending on their severity—truncating or blacklisting the impacted devices from the network.
Where threats and vulnerabilities are addressed, controls need to be established and progress demonstrated toward a more secure security posture within the organization.
Acceptance
Acceptance is also a counterintuitive vulnerability management strategy. This involves taking no action with discovered vulnerabilities. This strategy makes sense with low-risk vulnerabilities that pose minimal threats to the business. More so when the cost of fixing the vulnerability exceeds the possible cost incurred by its exploitation.
Even when there are only benign vulnerabilities to be fixed, organizations should still strive to optimize their reported vulnerability metrics. Hence, the more the vulnerability management system is geared to improving those metrics, the more it reduces the organization’s attack surface.
Moreover, this remediation process can set a baseline for risk management that the organization can constantly reset with new and more aggressive targets.
Step 4: Verify Vulnerabilities
This step ensures that the threats in the system have been eliminated through follow-up audits. Penetration testing should also be used to verify the efficacy of the remediation measures taken. In addition, it also makes sure new vulnerabilities aren’t inadvertently created during the process.
Step 5: Report Vulnerabilities
It is important to document not only the discovered vulnerabilities but a security plan on how to describe known vulnerabilities and monitor suspicious activity. These reports are vital because they leave records that help businesses improve their security responses in the future.
These reports are also important to share with top management and for compliance audits. This is because demonstrating and recording fixed vulnerabilities and issues displays accountability. And this accountability is often required to maintain compliance standards.
Fortunately, there are smart and sophisticated vulnerability management software and web application penetration tools that can auto-generate these reports, so you don’t have to do so manually.
The Importance of Vulnerability Management
Vulnerability management processes are vital if you want to keep your network safe by minimizing the presence of threats and exploits.
Learn more about vulnerability and threat management by exploring other articles on our blog, or you can subscribe to The QA Lead's newsletter.