Vulnerability Management

From Socology.org - The Study of Security Operations
Revision as of 08:17, 1 November 2018 by Frankangiolelli (Talk | contribs)

Jump to: navigation, search

This section is under active development

Objective

The objective of Vulnerability Management can be described as identifying, prioritizing and mitigating weaknesses in assets which can be exploited. This service is currently listed at #3 in the CIS Top 20 Controls (CIS, 2018), discussed in the NIST Framework (NIST, 2013) and is listed in ISO 27002 A.12.6.1 as discussed by several sources[1][2].

A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005) Gartner defines Vulnerability Management as "Vulnerability management is a process that can be implemented to make IT environments more secure and to improve an organization's regulatory compliance posture."

Process

Tripwire states "The vulnerability management process is a continuous information security risk undertaking that requires management oversight. There are four high-level processes that encompass vulnerability management: discovery, reporting, prioritization and response."(Bisson, 2018)

Gartner defines the processes as follows: Policy, baseline, prioritize, shield (read:Compensating Controls), mitigate and maintain(Gartner, 2005)

Unless there are policies in place, compliance within the organization lacks accountability and we will document that under the Documentation section. NIST SP 800-40 Ver 2 Defines "Patch management is the process for identifying, acquiring, installing, and verifying patches for products." and this author makes the argument that this is a process in Vulnerability Management. It could also be performed independently, as applying patches does not necessarily require Vulnerability to operate. Vulnerability Management however is a part of three respected standards (CIS Top 20 Controls, NIST and ISO 27k) and therefore is advisable to be performed.

The prioritization phase is necessary given that organizations will likely lack the resources to deal with every vulnerability.

  • Identify - Through threat intelligence, vulnerability scans or other input mechanisms, identify vulnerabilities and their existence in the enterprise.
  • Prioritize - Prioritization should follow a methodology. That methodology can be based on Severity and Impact[3]. When considering Severity and Impact, it is advisable to assess it from a business criticality, data governance, reputational risk and legal risk standpoint for starters.
  • Mitigate - After prioritization has occurred, the mitigation process takes over.
  • Reporting - This takes the form of both reporting on completion of the task and metrics on the overall program

Tooling

Not an all inclusive list:

  • Alerting system for critical vulnerabilities being reported on the internet (e.g. Shellshock). This drives action if the enterprise is affected.
  • Vulnerability Management System - This is more than just a scanner. The vulnerabilities need to be collected, assessed and prioritized.
    • Scanner
    • Collection of Identified Vulnerabilities
    • Asset Management Information
    • Data Governance Information
  • Ticketing system for the enterprise - Vulnerabilities which must be remediated should have tickets associated with them and assigned to the appropriate team.

Ticketing

Reporting

Staffing

Budgeting

Communications

Documentation

Lessons Learned | Pain Points

Citations

Bisson. 2018. "What is Vulnerability Management Anyway?". Retrieved from https://www.tripwire.com/state-of-security/vulnerability-management/what-is-vulnerability-management-anyway/

Center for Internet Security. 2018. CIS Controls™. Retrieved from https://www.cisecurity.org/controls/

ISO/IEC. 2015. Information technology -- Security techniques – Code of practice for information security management. ISO/IEC 27002

NIST - Souppaya and Scarfone. 2013. Guide to Enterprise Patch Management Technologies. Retrieved from https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-40r3.pdf

Tom Palmaers. 2013. Implementing a vulnerability management process. Retrieved from https://www.sans.org/reading-room/whitepapers/threats/implementing-vulnerability-management-process-34180

Qualys. 2018. Vulnerability management for dummies. Chichester: John Wiley & Sons, 2008. eBook.

Retrieved from "https://socology.org/wiki/index.php?title=Vulnerability_Management&oldid=332"