June 25, 2020

Fundamentals of Vulnerability Management

by: Alex Bazay

Almost every day, we see headline media reports about Zero-Days, or new exploits, that lead to disruptive cyber-attacks, breaches, and lost data.

Although vulnerability management is not a new concept – it was present since the beginning of the computer era – the volume of known vulnerabilities has skyrocketed in recent years.

To illustrate this point: in 2000, there were 1,020 disclosed vulnerabilities. Fast-forward to 2019, and we saw a 2188% increase, reaching a staggering 22,316 vulnerabilities (counting disclosed vulnerabilities that received a CVSS score). This is becoming a massive issue for most organizations.

Our systems have become enormously complex, and so has finding, evaluating, and mitigating vulnerabilities. This can no longer be a manual exercise; it requires a modern, continuous lifecycle.

Vulnerability Management

Modern Vulnerability Management Program

A model program for advanced vulnerability management includes the following stages:

1. Asset Discovery: Visibility into all company assets is a foundation for the entire process.

2. Vulnerability Identification: Scan assets for known vulnerabilities and then compare them with CVE and CVSS databases.

3. Threat Risk and Prioritization: Possibly the most crucial component.

> Apply intelligence, add context, and set achievable priorities outlining what to address first.

> Use different intelligence feeds to determine whether these vulnerabilities are exploitable and how easy they are to exploit.

> Find out whether there is any active campaign targeting these vulnerabilities.

> Analyze which systems are affected by these vulnerabilities, applying the asset information you gathered in the Asset Discovery stage.

4. Patch Management: Applying patches or workarounds.


5. Repeat: Finally, when all the above steps are completed, go back to step 1 and start the whole process again.

Vulnerability Management Misconceptions

1. Penetration testing and vulnerability assessment are the same.

> Many financial regulators – SEC, FINRA, CFTC, NFA – ask companies to demonstrate that they do both. Why? A vulnerability assessment will tell you what weaknesses the company's systems have without trying to exploit them.

> Pen tests try to uncover the company's vulnerabilities and test its cyber defenses. However, a pen test's view is a single point in time, and it can become obsolete the week following its completion. Therefore, organizations need both: to test their defenses and to discover new vulnerabilities continuously.

2. Vulnerability assessment, or vulnerability identification, is equivalent to vulnerability management.

3. Vulnerability management is only about identifying weaknesses.

4. Vulnerability management is the same concept as patch management.

> Patch management is only one piece of the puzzle. Vulnerability management is not only about patches; it is about assessing and managing the risk to your environment.

Common Challenges Organizations Face

These misconceptions present challenges that companies are facing in developing and maintaining their vulnerability management programs. Two of the main hurdles are:

1. The overwhelming number of vulnerabilities. The solution to address this challenge is to set priorities and divide them into smaller pieces.

2. The perception that this process is a numbers game. It is tempting to go down the rabbit hole of the numbers. For example, “Last month we eliminated 64.5% of all vulnerabilities. This month we have fixed 72.3%.” What does this mean? Are we getting better? Without proper context, these numbers are useless.
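The two points above, context-driven prioritization (stage 3) and the trap of context-free percentages, as an added worked example that is not from the original post. It assumes a constructed scan output, a constructed threat-intel feed and a constructed asset inventory; the CVE identifiers are placeholders, not real entries, and the multipliers are illustrative assumptions, not a published scoring standard.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str      # placeholder identifier, not a real CVE
    cvss: float   # CVSS base score, 0-10

# Constructed sample inputs: raw scan results, an intel feed and the asset inventory.
FINDINGS = [
    Finding("web-01", "CVE-0000-0001", 9.8),
    Finding("dev-vm", "CVE-0000-0001", 9.8),
    Finding("web-01", "CVE-0000-0002", 5.3),
    Finding("hr-db", "CVE-0000-0003", 7.5),
]
INTEL = {  # public exploit available? active campaign observed?
    "CVE-0000-0001": {"exploit": True, "campaign": False},
    "CVE-0000-0002": {"exploit": True, "campaign": True},
    "CVE-0000-0003": {"exploit": False, "campaign": False},
}
ASSETS = {  # from asset discovery: business criticality 1-5, internet-facing?
    "web-01": {"criticality": 4, "exposed": True},
    "dev-vm": {"criticality": 1, "exposed": False},
    "hr-db": {"criticality": 5, "exposed": False},
}

def risk_score(f: Finding) -> float:
    """Contextual risk: CVSS adjusted by exploitability, campaigns and asset context."""
    intel = INTEL.get(f.cve, {})
    asset = ASSETS.get(f.asset, {"criticality": 3, "exposed": False})  # unknown asset: assume mid
    score = f.cvss
    if intel.get("exploit"):
        score *= 1.5   # assumed weight: exploit code exists
    if intel.get("campaign"):
        score *= 2.0   # assumed weight: actively exploited in the wild
    score *= asset["criticality"] / 5
    if asset["exposed"]:
        score *= 1.5   # assumed weight: reachable from the internet
    return round(score, 2)

def prioritize(findings):
    """Work queue: highest contextual risk first, not highest CVSS first."""
    return sorted(findings, key=risk_score, reverse=True)

def risk_reduction(before, after) -> float:
    """Share of total risk removed between two scans, 0.0-1.0."""
    total = sum(risk_score(f) for f in before)
    remaining = sum(risk_score(f) for f in after)
    return round(1 - remaining / total, 3)

def findings_closed(before, after) -> float:
    """The context-free metric: share of findings closed, 0.0-1.0."""
    return round(1 - len(after) / len(before), 3)
```

Here the CVSS 5.3 issue on the exposed web server outranks the CVSS 9.8 on the isolated dev VM, and closing half of the findings (the two lowest-risk ones) removes only about 22% of the risk, which is the number a risk-focused report should show.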

To summarize

The pillars of the modern vulnerability management lifecycle are:

1. Asset Discovery

2. Vulnerability Identification and Enumeration

3. Prioritization of Risks and Threats

4. Patch Management

5. Repeat

Vulnerability management must be a part of the overall cybersecurity (or even broader – business resiliency) strategy, and should be tied to risk mitigation. It should answer the following question: How does the company identify and mitigate risk to its systems and operations?

It is all about risk — understanding the materiality of risk and bringing it down to an acceptable level. Most importantly, organizations should focus on overall risk reduction.
