Vulnerability management is the process of identifying, evaluating, prioritizing, remediating and reporting on security vulnerabilities in web applications, computers, mobile devices and software.
Continuous vulnerability management is integral to cybersecurity and network security and is on the Center for Internet Security's (CIS) list of basic security controls, citing that organizations need to “continuously acquire, assess, and take action on new information in order to identify vulnerabilities, and to remediate and minimize the window of opportunity for attackers.”
What is a Vulnerability?
A vulnerability is a weakness which can be exploited by a cyber attack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access a system's memory, install malware, and steal, destroy or modify sensitive data.
The most concerning vulnerabilities for security teams are wormable vulnerabilities, like the one exploited by the WannaCry cryptoworm ransomware attack. Computer worms are a type of malicious software that self-replicates, infecting other computers while remaining active on already-infected systems.
Worms often propagate without user knowledge by exploiting vulnerabilities in networking protocols, operating systems or backdoors.
An early example is the Morris worm. The Morris worm was one of the first internet worms and was written to highlight security flaws rather than cause damage.
It spread by exploiting known vulnerabilities, like those that would now be listed on CVE, in Unix sendmail, finger and rsh/rexec, as well as weak passwords. At its height, the Morris worm was running on nearly 10 percent of all internet-connected computers at the time.
The Morris worm highlighted the need for vulnerability management software and why security teams should keep their systems up to date.
That said, the most dangerous vulnerabilities are known as zero-day vulnerabilities. A zero-day vulnerability is one that is unknown to the software, hardware or firmware developers, so no patch exists for it.
BlueKeep (CVE-2019-0708) is an example of a remote code execution flaw that affects approximately one million systems (as of 29 May, 2019) running older versions of Microsoft operating systems.
This zero-day vulnerability made headlines during Microsoft's May 2019 Patch Tuesday due to its wormability.
Microsoft saw BlueKeep as such a large threat to information security that it released patches for out-of-support and end-of-life operating systems like Windows 2003 and Windows XP.
Why is Vulnerability Management Required?
Increasing growth in cyber crime and growing regulatory scrutiny is forcing organizations to focus more attention on information security. A vulnerability management process should be part of an organization's overall information risk management strategy.
This process allows organizations to obtain a continuous overview of vulnerabilities in their IT environment and the risks associated with them.
Only by identifying and mitigating vulnerabilities can organizations reduce the risk of attackers exploiting them. Patching identified vulnerabilities as they are listed on CVE and other vulnerability databases is an effective risk management strategy that reduces cybersecurity risk.
What is the Vulnerability Management Process?
The vulnerability management process is a cyclical practice of identifying, classifying, remediating and mitigating security vulnerabilities. The essential elements to any vulnerability management program are vulnerability detection, vulnerability assessment and reporting.
How are Vulnerabilities Detected?
At the heart of a typical vulnerability management tool is a vulnerability scanner.
A vulnerability scanner is software designed to assess computers, networks or applications for known vulnerabilities like those listed on CVE. Vulnerability scanning can identify and detect vulnerabilities arising from misconfiguration and flawed programming within a network and perform authenticated and unauthenticated scans:
- Authenticated scans: Allow vulnerability scanners to access networked resources using remote administrative protocols like secure shell (SSH) or remote desktop protocol (RDP) and authenticate using provided system credentials. The benefit of authenticated scans is that they provide access to low-level data such as specific services, configuration details and accurate information about operating systems, installed software, configuration issues, access control, security controls and patch management.
- Unauthenticated scans: Do not authenticate to networked resources, which can result in false positives and unreliable information about operating systems and installed software. This type of scan is generally used by cyber attackers and IT security analysts to try to determine the security posture of externally facing assets and third-party vendors, and to find possible data leaks.
Like any security service, vulnerability scanners aren't perfect, which is why other techniques like penetration testing and Google hacking are employed by organizations.
Penetration testing is the practice of testing an information technology asset to find exploitable vulnerabilities and can be automated with software or performed manually.
Whether automated or manual, pen testing gathers information about its target, identifies possible attack vectors and then attempts to exploit them. Pen testers then report on their findings. Pen testing can also be used to test on-premises security controls, adherence to information security policies, employees' susceptibility to social engineering attacks like phishing or spear phishing, as well as to test incident response plans.
Google hacking is the use of a search engine to locate security vulnerabilities. IT teams and attackers alike can use advanced search operators in queries that locate hard-to-find information or information that is being accidentally exposed through misconfiguration of security tools and cloud services. These vulnerabilities tend to fall into two categories, namely software vulnerabilities and misconfigurations.
What is the Vulnerability Assessment Process?
The vulnerability assessment process can be broken down into five steps:
- Identify vulnerabilities: Analyze network scans, pen test results, firewall logs and vulnerability scan results to find anomalies that suggest a cyber attack could take advantage of a vulnerability.
- Verify vulnerabilities: Decide whether the identified vulnerability could be exploited and classify the severity of the exploit to understand the level of security risk.
- Prioritize vulnerabilities: Assess which vulnerabilities will be mitigated or remediated first based on their wormability and other risks.
- Mitigate vulnerabilities: Decide on countermeasures and how to measure their effectiveness in the event that a patch is not available.
- Remediate vulnerabilities: Update affected software or hardware where possible.
After vulnerabilities are identified, they need to be evaluated to understand what risks they pose, what security solutions are possible and how they will be dealt with in accordance with your organization's risk management strategy.
Vulnerability management solutions can provide security ratings, such as Common Vulnerability Scoring System (CVSS) scores, which can help organizations understand which vulnerabilities should be focused on first.
Some additional things to consider include:
- Is the vulnerability a false positive?
- Is this vulnerability exploitable from the Internet, or would an attacker need physical access?
- How difficult is it to exploit this vulnerability?
- Is there publicly available exploit code for this vulnerability?
- What is the business impact if this vulnerability were exploited?
- Is your organization employing a defense in depth strategy that reduces the likelihood and/or impact of this vulnerability being exploited?
- How old is the vulnerability?
- Does your organization have regulatory requirements like CCPA, FISMA, GLBA, PIPEDA or the NIST Cybersecurity Framework?
- What is the average cost of a data breach in your industry?
Once a vulnerability's cybersecurity risk has been assessed, the next step is to decide how it will be treated:
- Remediation: The vulnerability is patched and cannot be exploited.
- Mitigation: The likelihood or impact that the vulnerability can be exploited is minimized.
- Acceptance: No action is taken because the vulnerability is deemed low risk or the cost is substantially greater than the cost incurred by your organization if it were exploited.
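The questions above and the three treatment options can be combined into a repeatable triage step. The following is an added example (not part of this article and not any vendor's scoring method): it drops findings confirmed as false positives, ranks the rest by CVSS score adjusted for wormability, Internet exposure, public exploit code, age and compensating controls, then assigns remediate, mitigate or accept. The `Finding` fields, the weights, the `CVE-EXAMPLE-*` identifiers and the sample assets are constructed assumptions; only CVE-2019-0708 is taken from the article.

```python
"""Added worked example: triage scan findings into remediate / mitigate / accept.

The weights, field names and sample findings below are constructed for
illustration and are not a standard or a vendor's algorithm.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Finding:
    asset: str
    cve: str                      # identifier as reported by the scanner
    cvss: float                   # CVSS base score, 0.0 to 10.0
    internet_exposed: bool        # reachable from the Internet?
    public_exploit: bool          # is exploit code publicly available?
    wormable: bool                # could it propagate without user interaction?
    published: date               # disclosure date, used to compute age
    patch_available: bool         # can it be remediated by patching?
    compensating_controls: bool   # e.g. segmentation, host firewall (defense in depth)
    false_positive: bool = False  # confirmed during the verification step


def priority_score(f: Finding, today: date) -> float:
    """Rank a finding: higher means act first. Weights are illustrative."""
    score = f.cvss
    if f.wormable:
        score += 3.0          # wormable flaws are the most concerning class
    if f.internet_exposed:
        score += 2.0          # no physical or internal access needed
    if f.public_exploit:
        score += 1.5          # lowers the skill needed to exploit
    # Unpatched findings accrue risk with age; cap the bonus at one point.
    age_days = (today - f.published).days
    score += min(age_days / 365, 1.0)
    if f.compensating_controls:
        score -= 1.5          # defense in depth reduces likelihood or impact
    return round(max(score, 0.0), 2)


def treatment(f: Finding, today: date, accept_below: float = 4.0) -> str:
    """Map a finding to one of the three treatment options."""
    if priority_score(f, today) < accept_below:
        return "accept"       # low risk: no action taken
    if f.patch_available:
        return "remediate"    # patch so it cannot be exploited
    return "mitigate"         # no patch yet: apply countermeasures


def triage(findings, today: date):
    """Drop confirmed false positives, then order findings for action."""
    real = [f for f in findings if not f.false_positive]
    ranked = sorted(real, key=lambda f: priority_score(f, today), reverse=True)
    return [(f.asset, f.cve, priority_score(f, today), treatment(f, today))
            for f in ranked]


# Constructed sample findings (not real scan output; asset names are made up).
AS_OF = date(2024, 6, 1)
SAMPLE = [
    Finding("rdp-gw-01", "CVE-2019-0708", 9.8, True, True, True,
            date(2019, 5, 14), True, False),
    Finding("intranet-wiki", "CVE-EXAMPLE-0001", 6.5, False, False, False,
            date(2023, 1, 10), False, True),
    Finding("build-box", "CVE-EXAMPLE-0002", 3.1, False, False, False,
            date(2024, 3, 1), True, False),
    Finding("dev-laptop", "CVE-EXAMPLE-0003", 7.5, True, True, False,
            date(2022, 6, 1), True, False),
    Finding("printer-02", "CVE-EXAMPLE-0004", 8.0, True, True, False,
            date(2021, 1, 1), True, False, false_positive=True),
]

if __name__ == "__main__":
    for asset, cve, score, action in triage(SAMPLE, AS_OF):
        print(f"{score:5.2f}  {action:9s}  {asset:14s}  {cve}")
```

Running it lists the wormable, Internet-exposed gateway first with "remediate", the unpatched but segmented wiki as "mitigate", the low-scoring build box as "accept", and omits the printer finding marked as a false positive. The `accept_below` threshold is the point where your risk appetite is encoded; in practice that value, and the weights, should come from your organization's risk management strategy rather than from this example.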
Many vulnerability management systems will provide recommended remediation techniques for common vulnerabilities, which can be as simple as installing a readily available security patch or as complex as replacing hardware.
Should Vulnerabilities Be Publicly Reported?
There is ongoing debate about whether new vulnerabilities should be publicly reported by the organizations that find them. It remains a contentious issue with two opposing sides:
- Immediate full disclosure: Some cybersecurity experts argue for immediate disclosure including specific information about how to exploit the vulnerability. Supporters of immediate disclosure believe it leads to secure software and faster patching improving software security, application security, computer security, operating system security and information security.
- Limited to no disclosure: Others are against vulnerability disclosure because they believe the vulnerability will be exploited once it is known. Supporters of limited disclosure believe that restricting information to select groups reduces the risk of exploitation.
Like most arguments, both sides have valid points.
Should I Worry About My Third-Party Vendors' Vulnerabilities?
Vendor risk management (VRM) is an often overlooked part of vulnerability management. It is no longer enough to focus solely on your internal cybersecurity. If your third-party vendors don't have the same security solutions and security standards in place, your and your customers' sensitive data are at risk.
Yes, outsourcing can introduce strategic advantages (lower costs, access to expertise and organizational focus). That said, it can also introduce additional vulnerabilities that aren't in your immediate control, making cyber attacks and corporate espionage possible.
This is where VRM can help. VRM programs are concerned with management and monitoring of third and fourth-party risk, as well as ensuring that customer data and enterprise data is not exposed in third or fourth-party data breaches and data leaks.
Increased regulatory scrutiny means that vendor risk management teams are spread thin and need to look at automating as much as possible including vendor questionnaires.
Don't make the mistake of only negotiating service-level agreements with potential vendors. Monitor vendors in real time and request remediation of high-risk vulnerabilities, or change vendors.
Your organization's information security policy needs to cover first-, third- and fourth-party security postures, which means investing the time to develop a robust third-party risk management framework. Ask for each vendor's SOC 2 report as well.
Depending on your industry, you may even be legally liable for third-party data breaches that result from poor vulnerability management.
How UpGuard Can Help You Identify High-Risk Vulnerabilities and Request Remediation
Companies like Intercontinental Exchange, Taylor Fry, The New York Stock Exchange, IAG, First State Super, Akamai, Morningstar and NASA use UpGuard to protect their data, prevent data breaches, monitor for vulnerabilities and avoid malware.
UpGuard Vendor Risk can minimize the amount of time your organization spends managing third-party relationships by automating vendor questionnaires and continuously monitoring your vendors' security posture over time while benchmarking them against their industry.
Each day, our platform scores your vendors with a Cyber Security Rating out of 950. We'll alert you if their score drops.
UpGuard BreachSight can help monitor for DMARC, combat typosquatting, and prevent data breaches and data leaks, avoiding regulatory fines and protecting your customers' trust through cyber security ratings and continuous exposure detection.
If you'd like to see how your organization stacks up, get your free Cyber Security Rating.