
fnC - 101 Series - Vulnerability Management

Open-CISO

What is a Vulnerability?

In computer systems and networking, a vulnerability is a flaw in design or a weakness in an operating system, software application, program, system, or network device that allows cybercriminals to exploit it and gain unauthorized access to one's private systems and network infrastructure. Vulnerabilities have many causes, such as a router or firewall appliance with ports open to the internet, misconfigured settings or rules, or missing patches on devices and software. Vulnerabilities are considered critical because cybercriminals use automated tools for vulnerability discovery. As Nick Espinosa, a cybersecurity expert, put it in one of his TED talks: "If there's a vulnerability, it will be exploited, and everything is vulnerable in some way." These statements are something we can relate to in our daily lives surrounded by technology. It doesn't matter how secure your network infrastructure is, or how confident you are in a flawless design architecture; everything is exploitable in one way or another.

How are Vulnerabilities discovered?

Vulnerabilities are defined by various factors, and everybody has their own definition of one. Every day thousands of vulnerabilities are discovered by both good and bad guys. Good guys report the bug or vulnerability to the concerned authorities, whereas bad actors leverage it to gain unauthorized access. So how exactly is a vulnerability discovered? The answer is a bit tricky. Even an experienced security professional can lack the skills to find bugs in your systems and software. Therefore, one needs to think like a threat actor to discover flaws and weaknesses in the network and systems. Enterprises hire security professionals to find weaknesses and faults in their complex, distributed system and network environments. These professionals use various skills and methods, such as vulnerability scanners, penetration testing, VAPT engagements, and security audits, to discover vulnerabilities.

Vulnerabilities discovered by an individual or a security team are then reported to the vendor through legal and proper channels. Once a vulnerability is disclosed, the vendor may immediately release a patch or delay it based on the severity and type of the vulnerability. Some vulnerabilities remain unknown and are only discovered through end-user reports or in a typical production environment. Threat actors specifically look for such undiscovered vulnerabilities, and they can exploit them easily while the vendor has no idea the vulnerability exists.

What causes a Vulnerability?

There can be various reasons for security vulnerabilities in networks and systems: misconfigured settings, missing or improper ACLs and security rules, a less compliant IT policy, and poor user policy management. A few are listed below.

  • Poor/Weak Password Management: Using simple and short passwords can make your systems and accounts more vulnerable than software bugs do. Hackers can easily exploit weak passwords.

  • Network Design Flaw: Software bugs and misconfigurations come last; if your network architecture is not secure and has design flaws, bad actors can quickly get into your network. Once they do, exploiting other vulnerabilities becomes a piece of cake for them.

  • Operating System/Software Bugs: Another primary source of vulnerabilities is bugs and security weaknesses in the operating system and software applications. Bad actors may discover unknown bugs and security irregularities before the vendor does, which makes the system more vulnerable.

  • Lack of user input validation: Your systems and software need to check and validate user input before executing it. Failing to do so leads to unintended command execution and results in severe vulnerabilities.

  • People inside the Organization: Humans in an organization are considered the weakest link. With little or no cybersecurity knowledge, they are likely to be phished and attacked, which makes them highly critical and vulnerable.

How are Vulnerability, Risk, and Threat different from each other?

Vulnerability, risk, and threat are technically related: without a vulnerability there is no threat, and without a threat there is no risk.

  • Vulnerability: According to OWASP, a vulnerability is a hole or a weakness in the application, which can be a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of an application. Stakeholders include the application owner, application users, and other entities that rely on the application.

  • Threat: If there is a vulnerability, you are under threat of it being exploited. Threats are always critical for businesses.

  • Risk: Risk is what may happen to the vulnerable asset when a threat or vulnerability is exploited. Risk highlights the damage that an existing potential vulnerability can cause once exploited.

How are Vulnerabilities ranked?

Vulnerabilities can be ranked and defined using various parameters. The Security Content Automation Protocol (SCAP) framework developed by NIST includes the following components:

  1. CVE (Common Vulnerabilities and Exposures)
  2. CCE (Common Configuration Enumeration)
  3. CVSS (Common Vulnerability Scoring System)
  4. CPE (Common Platform Enumeration)

A vulnerability can be further ranked by severity using the Common Vulnerability Scoring System (CVSS). It is an open, free industry standard used by many enterprises and cybersecurity organizations to efficiently assess, characterize, and manage the vulnerabilities found in their assets. The severity score ranges from 0.0 to 10.0. The National Vulnerability Database (NVD) further maps each score to a qualitative severity rating.

What is a Vulnerability Database?

A vulnerability database provides insights on old and new vulnerabilities: vendor details, affected devices, software versions, and details about each discovered vulnerability. Many vulnerability databases are free, while a few charge for their services. An open-source and top choice for users among CVE databases

Other vulnerability databases are as follows:

What is Vulnerability Management?

Vulnerability management is a cyclic process of identifying, classifying, prioritizing, and mitigating security vulnerabilities in systems, networks, applications, and software. It is a continuous, repetitive series of activities that runs regularly in an organization to deal with evolving threats and vulnerabilities. Vulnerability management detects vulnerabilities, prevents their exploitation, and plans proper strategies to avoid future damage. The essential components of the process are vulnerability discovery, assessment, and remediation or workarounds. A good vulnerability management program combines the latest technology with a team of security experts who use advanced tools, vulnerability scanners, vulnerability assessment mechanisms, and automated processes to tackle unknown zero-day vulnerabilities.

What makes Vulnerability Management different from Vulnerability Assessment?

Vulnerability assessment is a one-time process rather than a recurring one. It is run once to assess the active vulnerabilities present in the systems and network, so vulnerability assessment can be considered part of vulnerability management: it is the initial step of the vulnerability management cycle. Organizations and security teams use vulnerability assessment to analyze and discover vulnerabilities across their IT infrastructure. Vulnerability management, by contrast, is not a single occurrence but a cyclic one. It moves from assessment to prioritization and remediation of security vulnerabilities. Put together, vulnerability assessment gives you a current snapshot of your IT infrastructure's state, while vulnerability management lets you continuously receive reports on evolving vulnerabilities and real-time data intelligence to remediate them.

Why is Vulnerability Management crucial for all businesses?

Vulnerability management is crucial for everyone, whether a small or large organization; each has critical IT infrastructure and essential data, information, and files to protect. Unfortunately, every single day hundreds of vulnerabilities are discovered, either by vendors or by bad actors. One report states that 18020 security vulnerabilities (CVEs) were published in 2021, 18325 in 2020, and 17344 in 2019, with an average severity of 7.1 out of 10. Your IT environment likely comprises products and services from Microsoft, Google, and Oracle. Microsoft stands atop with the highest number of vulnerabilities, 1003. Google is in second place with 903, and Oracle, with 612 vulnerabilities, is in 5th position.

The Vulnerability Management Process

With each evolving vulnerability and the changing landscape, businesses face new risks and threat factors. A well-defined, proactive, research-based vulnerability management framework or process helps organizations effectively identify, discover, and remediate severe unpatched vulnerabilities. Gartner's Vulnerability Management Guidance Framework defines five pre-work steps to complete before the vulnerability management process starts.

  • Determine the scope of the program
  • Determine roles and responsibilities
  • Select vulnerability assessment methods and tools
  • Create and refine policies and SLAs
  • Identify asset context sources

Once the pre-work is completed and evaluated, the actual vulnerability management process can be initiated in detail.

Six stages of the Vulnerability Management Process

The industry-standard vulnerability management process is a six-step method that organizations follow to implement the process in a broader context. There are many ways to name the vulnerability management stages, and one can define them as one chooses, but regardless of the terminology and definitions used, the process remains the same.

  • Discover Vulnerabilities: You can't protect or secure something you are unaware of, and a vulnerability is no different. If an organization is unaware of the vulnerabilities in its applications, services, networks, and systems, it is on the verge of a potential security breach. Regular vulnerability assessments and vulnerability scans of both internal and external networks and systems need to be performed to identify vulnerabilities. Vulnerability discovery must be performed regularly on a fixed or automated schedule.

  • Prioritize the Assets: Once you know which vulnerabilities exist in your infrastructure, whether in an application, web server, network, or printer, you can classify the discovered assets into groups to effectively prioritize the critical resources and components of the IT environment. This enables organizations to understand and prioritize the vulnerabilities and remediate them accordingly.

  • Assess Vulnerabilities: The third step is to assess the vulnerabilities. The assessment provides current statistics on your systems, network, and critical services. It is an ongoing, continuous process, and it further helps to recognize previously missed or undetected vulnerabilities.

  • Remediate the Vulnerabilities: Once the vulnerabilities are discovered and prioritized, the fourth step is to mitigate or remediate them based on their risk factor. In this phase, vulnerabilities are fixed by applying software patches, firmware upgrades, or reconfiguration of security rules and settings.

  • Verify Remediation: Last but not least is to verify the remediated vulnerabilities. It is the most reviewed phase in the entire vulnerability management cycle. The verification is validated with additional vulnerability scans, assessments, and reporting. This ensures that the riskiest and most critical vulnerabilities have been resolved and that earlier reported vulnerabilities can now be eliminated or closed.

  • Report the final statistics: Vulnerabilities are not a concern for the IT and security team alone; high-level management and executives need to know about them too. High-ranked vulnerabilities, such as zero-day vulnerabilities, major design flaws, or hard-to-fix software application bugs, pose critical risk and severe threats to an organization's IT infrastructure. C-suite executives and board members are also aware of the top risky vulnerabilities and need a simplified yet detailed report on how the security team tackled or remediated them. In addition, they want assurance that there will be no active threats from mitigated vulnerabilities. Reporting and archiving the whole vulnerability management process makes security audits smoother and helps map the technical statistics in the future when similar vulnerabilities are discovered.
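The Prioritize, Remediate, Verify and Report stages above are easiest to understand as data flowing through one small program, so here is an added example (not code from the article or from any vendor's product). It takes constructed scanner findings, weights each CVSS score by asset context and exposure, assigns a priority and an SLA due date, and then checks a later re-scan to decide which items are closed and which are overdue. The asset tiers, weighting factors, SLA table, dates and CVE-EXAMPLE identifiers are all constructed for illustration.

```python
"""Risk-based prioritisation, SLA due dates and remediation verification.

Added example, not code from the article or from any vendor's product. The
findings, asset tiers, weighting factors and SLA table are constructed for
illustration; a real program would take them from the scanner export, the
CMDB and the organisation's own policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Pre-work step "Create and refine policies and SLAs": days allowed to fix.
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Pre-work step "Identify asset context sources": constructed asset tiers.
ASSET_TIER = {"web-01": "crown-jewel", "db-01": "crown-jewel",
              "print-02": "standard", "dev-07": "low"}
TIER_WEIGHT = {"crown-jewel": 1.0, "standard": 0.7, "low": 0.4}


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str            # constructed placeholder IDs below, not real CVEs
    cvss: float         # CVSS base score as reported by the scanner
    internet_exposed: bool
    exploit_public: bool


def risk_score(f: Finding) -> float:
    """CVSS ranks the bug; asset tier, exposure and public exploit code rank
    the risk to this organisation. Capped at 10 like CVSS itself."""
    score = f.cvss * TIER_WEIGHT[ASSET_TIER.get(f.asset, "standard")]
    if f.internet_exposed:
        score *= 1.3
    if f.exploit_public:
        score *= 1.2
    return round(min(score, 10.0), 1)


def priority(score: float) -> str:
    if score >= 9.0:
        return "P1"
    if score >= 7.0:
        return "P2"
    if score >= 4.0:
        return "P3"
    return "P4"


def build_queue(findings, today: date) -> list:
    """Stage 'Prioritize': remediation queue, highest risk first, each item
    carrying the SLA due date the 'Remediate' stage has to meet."""
    rows = []
    for f in findings:
        s = risk_score(f)
        p = priority(s)
        rows.append({"asset": f.asset, "cve": f.cve, "risk": s,
                     "priority": p, "due": today + timedelta(days=SLA_DAYS[p])})
    return sorted(rows, key=lambda r: (-r["risk"], r["due"]))


def verify_remediation(queue, rescan, today: date):
    """Stage 'Verify': compare the queue with a fresh scan. A finding is
    closed only when the re-scan no longer reports it; open items past their
    due date are flagged as overdue for the 'Report' stage."""
    still_present = {(f.asset, f.cve) for f in rescan}
    closed = [r for r in queue if (r["asset"], r["cve"]) not in still_present]
    still_open = [r for r in queue if (r["asset"], r["cve"]) in still_present]
    overdue = [r for r in still_open if r["due"] < today]
    return closed, still_open, overdue


# Constructed scanner output from the 'Discover' stage.
FINDINGS = [
    Finding("web-01", "CVE-EXAMPLE-0001", 9.8, True, True),
    Finding("db-01", "CVE-EXAMPLE-0002", 7.5, False, False),
    Finding("print-02", "CVE-EXAMPLE-0003", 9.8, False, False),
    Finding("dev-07", "CVE-EXAMPLE-0004", 5.3, True, False),
]
# Constructed re-scan five weeks later: web-01 and dev-07 were patched.
RESCAN = [FINDINGS[1], FINDINGS[2]]
SCAN_DATE = date(2024, 1, 1)
RESCAN_DATE = date(2024, 2, 5)


if __name__ == "__main__":
    queue = build_queue(FINDINGS, SCAN_DATE)
    for r in queue:
        print(f'{r["priority"]} risk={r["risk"]:4.1f} due={r["due"]} '
              f'{r["asset"]} {r["cve"]}')
    closed, still_open, overdue = verify_remediation(queue, RESCAN, RESCAN_DATE)
    print("closed:", [r["asset"] for r in closed])
    print("overdue:", [r["asset"] for r in overdue])
```

Note what the weighting does: the same CVSS 9.8 lands at P1 on the internet-facing web server but only P3 on the printer, while a 7.5 on the database outranks it. That is the difference between ranking bugs and ranking risk, and it is why the "Prioritize the Assets" stage needs asset context, not just scanner output.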

Vulnerability Management Solutions should have the following elements.

Different vendors offer vulnerability management solutions, and each claims to be the best. While the vulnerability management process remains the same, the method and technology may vary. So what should you look for in a solution?

  • Performance: Most vendors offer agent-based vulnerability management solutions, which can drastically reduce endpoint performance. Look for solutions that don't impact your system or network performance.

  • Scanning: A good vulnerability management solution must offer vulnerability scanning capabilities across systems, networks, and security appliances.

  • Timely discovery: Your vulnerability management solution must find or report vulnerabilities within a specified timeline. A scan that runs for days and still reports nothing, for example, is of little use.

  • Real-time data and statistics are essential: Traditional vulnerability management tools and scanners can leave you with outdated data. As vulnerabilities evolve, current solutions must offer real-time vulnerability statistics.

  • Risk prioritization: A typical vulnerability management solution should prioritize by risk factor and, based on that risk, mitigate the vulnerabilities in crucial assets and services first.

You can have all the physical and logical security in place. But being unaware of the vulnerabilities present inside and outside the organization's infrastructure is one critical threat factor that puts all the essential systems, services, and networks at risk. Edgescan's 2021 Vulnerability Statistics Report states that over 65% of the CVEs from 2020 are more than 3 years old, with 32% dating back to 2015 or earlier. Remote Desktop (RDP) and Secure Shell (SSH) exposures increased by 40%, likely due to the increase in remote working caused by Covid-19. This resulted in a massive increase in the discovery of vulnerabilities such as the infamous BlueKeep (CVE-2019-0708), the critical bug behind the WannaCry attack of 2018. Big names in the IT industry like Microsoft, Google, Apple, Red Hat, and Oracle are the top vendors with the highest number of vulnerabilities in 2021. This makes vulnerability management one of the most critical issues globally. But if such big organizations cannot keep up with the latest and unknown vulnerabilities, how will small corporations deal with them? The world is changing along with technology, and with the rapid growth in vulnerability discovery, vulnerability management and remediation should also be rapid and up to date.

Vulnerability Management is about being Cyber Aware of your Infrastructure
Cybersecurity is best when seeded into Business Functions. FnCyber assures you Direct and Uncomplicated Cybersecurity Consulting.
