What is Vulnerability Management? – Definition from Trenovision

Vulnerability Management

A vulnerability is a hole or weakness in a system, such as a design flaw or an implementation bug, that allows an attacker to cause harm to the stakeholders of the system. Stakeholders include the application owner, administrators, users, and other entities that rely on the system.

Sources of Vulnerabilities

There are two sources of vulnerabilities:

  • Weaknesses in the information technology (IT) products as supplied by the vendor(s)
  • Weaknesses in the ways organizations manage and use the technology

IT Product Vulnerabilities

The number of vulnerabilities discovered each year in IT products has grown dramatically. According to CERT, 140 vulnerabilities were reported in 1995 and 4,129 in 2002. A product vulnerability is a weakness in the product that can be exploited in some way to help an attacker compromise a system.

There are two types of IT product vulnerabilities:

  • Vulnerabilities resulting from system architecture, for example the architecture of an operating system
    • Difficult to correct
  • Vulnerabilities resulting from low-level design or implementation errors, for example bugs in programs
    • Easier to correct

In either case, IT product vulnerabilities are often long-lived: many Internet-connected systems remain vulnerable to a particular form of attack months after the vendor has released a correction for the vulnerability that the attack exploits.


Weaknesses in Management and Operational Practice

The second major source of vulnerability is weakness in the management and operational practices of system operators. Factors that lead to such weaknesses include:

  • Lack of, ambiguous, or poorly enforced organizational security policies and regulations; security roles and responsibilities that are not clearly defined, or a lack of accountability
  • Failure to account for security when outsourcing IT services
  • Lack of security awareness training for all levels of staff
  • Poor account or password management by users
  • Poor physical security leading to open access to important computers and network devices
  • Weak configuration management practices that allow vulnerable configurations
  • Weak authentication practices that allow attackers to masquerade as valid system users
  • Lack of vulnerability management practices requiring system administrators to quickly correct important vulnerabilities
  • Failure to use strong encryption when transmitting sensitive information over the network
  • Lack of monitoring and auditing practices that can detect attacker behavior before damage is done

Weakness in any of these areas opens a door for attackers and gives them the opportunity to achieve their goals. Managing the risk associated with this category of vulnerability requires that organizations dedicate resources to the risk management task: operations must be continuously assessed and corrective actions taken when needed.


Vulnerability Classifications, Categorizations and Severity Levels

Vulnerabilities can be classified into four major categories:

Vulnerability Classification

  • Active Vulnerability: one that was identified in the previous assessment(s) and is identified again in the current assessment
  • New Vulnerability: one that is identified in the current assessment and was not present in any previous assessment results
  • Re-opened Vulnerability: one that was identified in an earlier assessment, then fixed, and is identified again in the current assessment
  • Fixed Vulnerability: one that was identified in previous assessment(s) and fixed before the current assessment, and is therefore reported as fixed (no longer present) in the current assessment
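A worked example of these four states, added here as illustrative code that is not part of the original article. It treats each assessment as a set of (host, check) finding keys and derives the state of every finding by comparing the current assessment with the earlier ones; the hosts and check names are constructed, not real findings.

```python
# Added example (not from the article): assign the article's four tracking
# states to findings by comparing the current assessment with earlier ones.
# Finding keys are (host, check name); all hosts and checks are constructed.

STATES = ("active", "new", "re-opened", "fixed")


def classify_findings(previous_assessments, current):
    """Return {finding_key: state} for every finding seen in any assessment.

    previous_assessments: list of sets of finding keys, oldest first (may be empty)
    current: set of finding keys reported by the assessment being processed
    """
    seen_before = set().union(*previous_assessments) if previous_assessments else set()
    last = previous_assessments[-1] if previous_assessments else set()
    states = {}
    for key in current | seen_before:
        if key in current and key in last:
            states[key] = "active"       # reported last time and still present
        elif key in current and key in seen_before:
            states[key] = "re-opened"    # reported earlier, absent last time, back again
        elif key in current:
            states[key] = "new"          # first appearance
        else:
            states[key] = "fixed"        # reported before, absent from the current scan
    return states


def summarize(states):
    """Count findings per state, always listing all four states."""
    counts = dict.fromkeys(STATES, 0)
    for state in states.values():
        counts[state] += 1
    return counts


# Constructed history: two earlier assessments, oldest first.
PREVIOUS = [
    {("10.0.0.5", "ssh-weak-ciphers"), ("10.0.0.5", "smb-signing-not-required")},
    {("10.0.0.5", "ssh-weak-ciphers"), ("10.0.0.9", "http-directory-listing")},
]
# Constructed current assessment.
CURRENT_SCAN = {
    ("10.0.0.5", "ssh-weak-ciphers"),           # active
    ("10.0.0.5", "smb-signing-not-required"),   # re-opened: gone in the last scan, back now
    ("10.0.0.12", "tls-self-signed-cert"),      # new
}                                               # http-directory-listing is absent -> fixed

if __name__ == "__main__":
    result = classify_findings(PREVIOUS, CURRENT_SCAN)
    for key, state in sorted(result.items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{state:9} {key[0]:<10} {key[1]}")
    print(summarize(result))
```

Note that a finding closed several assessments ago is still reported as fixed each time, because it remains in the union of earlier assessments; pass only the assessments inside the reporting window if closed items should drop off the report.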

Category and Severity Levels

The vulnerabilities identified during the assessment exercise are categorized as confirmed vulnerabilities, potential vulnerabilities, and information gathering, with the severity levels described below:

  1. Confirmed Vulnerability

A vulnerability whose existence has been confirmed. Vulnerabilities can exist in several areas of the network, such as firewalls, FTP servers, web servers, operating systems, or CGI bins.

  2. Potential Vulnerability

A vulnerability whose existence could not be confirmed. Often the only way to verify such a vulnerability on the network is an intrusive scan, which may cause a denial of service on the target. Whether to run such a scan is a decision for the vulnerability assessment team, and it should be taken with the asset owner's agreement and in a maintenance window.

Confirmed and potential vulnerabilities are further classified into three severity levels based on their impact on the system:

  • Low: Intruders can collect information about the host, such as the installed operating system, open ports, and running services.
  • Medium: Intruders can collect sensitive information from the host, including security settings. This could result in potential misuse of the host by intruders. For example, vulnerabilities at this level may include partial disclosure of file contents, access to certain files on the host, directory browsing, disclosure of filtering rules and security mechanisms, denial of service attacks, and unauthorized use of services, such as mail-relaying.
  • High: Intruders can gain control of the host, which can lead to the compromise of entire network security. For example, vulnerabilities at this level may include full read and write access to files, remote execution of commands, and the presence of backdoors.

Vulnerability Management

To overcome the growing risk posed by vulnerabilities, an organization must develop a formal vulnerability management program that addresses the entire vulnerability management life cycle, as shown in FIG A. All of it must be supported by an underlying foundation of people, process, and technology initiatives.

FIG A: Vulnerability Management Lifecycle

Asset Management

To get a confident start to a VM process it is very important to have an accurate inventory and profile of what the infrastructure contains. For an organization of any significant size this inventory is complex and constantly changing, as new components are added and existing ones retired. The following steps aid in building a comprehensive asset inventory:

  • Assets can be identified manually or with an automated tool such as asset management software
  • Discovered assets must be reviewed to determine their business criticality and risk tolerance
  • All technologies or software running on these assets must be identified at a specific version level
  • All patches and system configurations applied to these technologies must be identified on an asset-by-asset basis
  • The individuals accountable for the assets must be identified

Vulnerability Assessment

Once the network assets have been identified, a vulnerability assessment should be carried out to find the vulnerabilities present in the network. Many software tools can aid in discovering (and sometimes removing) vulnerabilities in a computer system.

Examples of vulnerability scanner tools:

  • Retina Network Security Scanner
  • QualysGuard
  • GFI LANguard Network Security Scanner
  • Nessus Vulnerability Scanner

Although these tools give a good overview of the possible vulnerabilities present, they cannot replace human judgment. Relying solely on scanners yields false positives and a limited-scope view of the problems in the system. A proper vulnerability assessment should therefore use scanner tools to identify potential vulnerabilities and then carry out a detailed analysis to confirm findings and remove false positives. Finally, a report should be generated that lists all the vulnerabilities found in the assessment.
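An added example (not code from the article or from any of the scanners named above) of the workflow described in this section: parse a scanner export into normalized findings, drop information-only items, and apply the analyst's validation verdicts so that confirmed false positives leave the report and unverified items are reported as potential rather than confirmed. The XML layout, the 0-4 severity scale and its mapping onto the article's low/medium/high bands, and the hosts and check names are all assumptions constructed for the example.

```python
# Added example (not from the article or any named scanner). The report
# layout below is constructed for the example; real scanners document their
# own export formats and severity scales.
import xml.etree.ElementTree as ET
from collections import namedtuple

Finding = namedtuple("Finding", "host port protocol plugin_id name severity")

# Assumed mapping from a 0-4 scanner scale onto the article's bands.
ARTICLE_LEVEL = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "high"}

# Constructed scanner export; none of the hosts or checks are real findings.
SAMPLE_REPORT = """<ScanReport>
  <ReportHost name="10.0.0.5">
    <ReportItem port="445" protocol="tcp" pluginID="1001" pluginName="SMB signing not required" severity="2"/>
    <ReportItem port="22" protocol="tcp" pluginID="1002" pluginName="SSH server type and version" severity="0"/>
    <ReportItem port="80" protocol="tcp" pluginID="1003" pluginName="Web server remote command execution (unverified)" severity="3"/>
  </ReportHost>
  <ReportHost name="10.0.0.9">
    <ReportItem port="80" protocol="tcp" pluginID="1004" pluginName="Directory listing enabled" severity="2"/>
    <ReportItem port="25" protocol="tcp" pluginID="1005" pluginName="Open mail relay" severity="2"/>
  </ReportHost>
</ScanReport>
"""


def parse_report(xml_text):
    """Flatten the per-host report items into a list of Finding records."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append(Finding(
                host=host.get("name"),
                port=int(item.get("port")),
                protocol=item.get("protocol"),
                plugin_id=item.get("pluginID"),
                name=item.get("pluginName"),
                severity=int(item.get("severity")),
            ))
    return findings


def triage(findings, verdicts, min_severity=1):
    """Apply analyst review to raw scanner output.

    verdicts maps (host, plugin_id) -> "confirmed" or "false_positive".
    Items below min_severity (information gathering) and confirmed false
    positives are dropped; items without a verdict stay in as "potential",
    i.e. a scanner claim that nobody has yet validated.
    """
    report = []
    for f in findings:
        if f.severity < min_severity:
            continue
        verdict = verdicts.get((f.host, f.plugin_id), "potential")
        if verdict == "false_positive":
            continue
        report.append({"host": f.host, "port": f.port, "check": f.name,
                       "level": ARTICLE_LEVEL[f.severity], "status": verdict})
    # Highest band first; within a band, confirmed before potential, then by host.
    rank = {"high": 0, "medium": 1, "low": 2}
    report.sort(key=lambda r: (rank[r["level"]], r["status"] != "confirmed", r["host"]))
    return report


# Constructed analyst verdicts recorded after manual validation.
VERDICTS = {
    ("10.0.0.5", "1001"): "confirmed",
    ("10.0.0.5", "1003"): "false_positive",   # banner match only; the build is patched
    ("10.0.0.9", "1005"): "confirmed",
}

if __name__ == "__main__":
    for row in triage(parse_report(SAMPLE_REPORT), VERDICTS):
        print(row)
```

The verdict table is the audit trail of the human analysis step: a false positive is removed only because a named verdict says so, and the remaining "potential" rows make visible which scanner claims still need validation before they are treated as confirmed.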

Prioritization of Assets

After the vulnerabilities in the assets have been identified, the next step is to rate each asset. Asset owners rate their assets on how critical each asset, or the information it holds, is to the business, combined with the severity of the vulnerabilities found on it that could compromise the system. The highest-priority assets should be scanned regularly for vulnerabilities.

The prioritization process enables the business to notify asset owners when vulnerabilities are discovered and to rank the severity of those exposures. It also helps the business understand and define an acceptable level of risk and how each risk affects its technology and business activities.

This model can then be communicated to staff in business, technical and behavioral terms, so that all employees understand what will be expected of them when vulnerabilities are fixed.

Remediation

Remediation is the most important step in the VM process, and the one that changes production systems, so care must be taken to prevent unwanted changes resulting from the remediation process itself.

Steps for the remediation process:

  • A risk threshold should be defined; vulnerabilities with a risk level below the threshold are accepted, and each acceptance is recorded with an owner and a review date
  • For risk levels above the threshold, a specific remediation plan must be defined for each asset or asset group
  • The remediation must be tested before it is implemented
  • The specific vulnerability remedies must be deployed
  • The application of each remedy to an asset must be documented for audit purposes
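An added example, not from the article, that combines the asset rating of the prioritization section with the risk threshold of the remediation steps: risk is modelled as the product of asset criticality and vulnerability severity (an assumed model, not one the article specifies), findings at or below the threshold go to an accepted-risk register, and the rest form a remediation queue grouped per asset, highest risk first. Hosts, criticality values, and findings are constructed.

```python
# Added example (not from the article). Risk = criticality x severity is an
# assumed model; hosts, criticality values and findings are constructed.
from collections import defaultdict

# Business criticality set by the asset owner: 1 = low, 5 = mission critical.
ASSET_CRITICALITY = {
    "10.0.0.5": 5,    # domain controller
    "10.0.0.9": 2,    # intranet wiki
    "10.0.0.12": 3,   # build server
}

SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}

# Validated findings as (host, check, severity level).
FINDINGS = [
    ("10.0.0.5", "SMB signing not required", "medium"),
    ("10.0.0.9", "Open mail relay", "medium"),
    ("10.0.0.9", "Directory listing enabled", "medium"),
    ("10.0.0.12", "Remote command execution", "high"),
    ("10.0.0.12", "Banner discloses version", "low"),
]


def risk_score(host, level, criticality=ASSET_CRITICALITY):
    """Risk of one finding: asset criticality multiplied by severity score."""
    return criticality[host] * SEVERITY_SCORE[level]


def plan_remediation(findings, threshold, criticality=ASSET_CRITICALITY):
    """Split findings into a remediation queue and an accepted-risk register.

    Returns (queue, accepted): queue is a list of (host, [entries]) ordered by
    the asset's highest-risk finding, with each asset's entries highest risk
    first; accepted holds findings at or below the threshold, which must still
    be recorded with an owner and a review date rather than silently dropped.
    """
    per_asset, accepted = defaultdict(list), []
    for host, check, level in findings:
        score = risk_score(host, level, criticality)
        entry = {"check": check, "level": level, "risk": score}
        if score > threshold:
            per_asset[host].append(entry)
        else:
            accepted.append({"host": host, **entry})
    for entries in per_asset.values():
        entries.sort(key=lambda e: -e["risk"])
    queue = sorted(per_asset.items(), key=lambda kv: -kv[1][0]["risk"])
    return queue, accepted


if __name__ == "__main__":
    queue, accepted = plan_remediation(FINDINGS, threshold=4)
    for host, entries in queue:
        print(f"{host}: remediation plan needed")
        for e in entries:
            print(f"   risk {e['risk']:2}  {e['level']:6}  {e['check']}")
    print("accepted risk:", [(a["host"], a["check"], a["risk"]) for a in accepted])
```

With a threshold of 4 the medium findings on the low-criticality wiki land in the accepted register while the same severity on the domain controller heads the queue, which is the effect the asset rating is meant to have: the same scanner severity is remediated or accepted depending on what the asset is worth to the business.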

Monitoring

Detecting and fixing vulnerabilities does not offer a complete solution. Organizations need to continuously monitor and track the latest vulnerabilities and their corresponding fixes.

  • Ongoing verification of vulnerability remedies, identification of current technology, and patch and configuration inventories for each asset must be performed
  • The progress of the vulnerability management process must be measured to verify and monitor that an organization’s risk exposure is managed.

Reporting

A vulnerability management system (VMS) that delivers detailed assessment and remediation reporting is crucial in today's regulated environment. Evidence that security best practices are being followed, and that the business complies with the relevant regulations, needs to be quickly and easily accessible. Each report should deliver critical insight into service performance and security posture and be flexible enough to reflect both technical and business-oriented perspectives, depending on the audience.

People, Process and Technology

The key factors that determine the ultimate success or failure of any organized endeavor are the soundness of the process, the qualifications of the people, and the clarity of their respective roles. As in any other organized effort to deliver a technology-dependent solution, the importance of the people and process components to a successful vulnerability management program cannot be overstated.

An effective vulnerability management solution involves the following critical people components:

  • Identification and support of key stakeholders
  • Established roles and responsibilities
  • Effective teaming of business, IT and security functions
  • Training and awareness

From a process perspective, effective vulnerability management requires:

  • Knowledge of the information assets in the organization
  • Formal, effective risk rating processes
  • Effective process ownership and controls
  • Efficient communication and escalation
  • Integration with critical supporting processes

Finally, there are several key, co-dependent processes that must be integrated into the vulnerability management process to yield maximum value. These processes feed information to and/or draw information from the vulnerability management process:

  • Security policy and standards development
  • Asset management
  • Configuration management
  • Security awareness
  • Disaster recovery
  • System security monitoring
  • Incident response

Vulnerability Management Products

There are many players in the market offering vulnerability management products. Evaluate them carefully against the parameters of the vulnerability management lifecycle described above before settling on a specific product. Some well-known vulnerability management products are:

  • McAfee Foundstone on Demand Service
  • CA eTrust Vulnerability Manager
  • NetIQ Vulnerability Manager
  • Symantec Vulnerability Assessment
  • Symantec Enterprise Security

Conclusion

Numerous incidents serve as reminders that a sound vulnerability management strategy is an essential part of any risk management model. The outbreaks of worms and viruses such as Nimda, Blaster, and Melissa.A, and the damage they caused to organizations, are examples that make the need for vulnerability management clear; Nimda and Blaster both exploited vulnerabilities for which vendor patches were already available at the time of the outbreak.

Companies that do not properly address critical security vulnerabilities are in danger of cyber attacks, resulting in financial and legal consequences. The vulnerability management strategy developed should comply with regulatory requirements, address multifaceted cyber threats in a cost-effective manner, and meet the demands of government guidelines with allotments for the expansion of the network environment and new technology integration.
