Vulnerability Management Glossary (Part 1)
March 4, 2020
In the world of cybersecurity and vulnerability management, there is a vast number of terms in common use within the industry. This post is part 1 of 2, and highlights the essential, everyday terms for a better understanding of vulnerability management.
Cyber Vulnerability Assessment Process
What is a Cyber Vulnerability Assessment?
A cyber vulnerability assessment is the process an organization engages in to identify the vulnerabilities in its network, systems and hardware, and to take active steps to remediate and correct gaps in its cybersecurity. The information gathered via vulnerability testing can be leveraged by IT and security professionals to assess and improve the organization’s threat mitigation and prevention processes.
What is Involved in the Cyber Vulnerability Assessment Process?
A good cyber vulnerability assessment process will help an organization allocate its cybersecurity resources as efficiently and effectively as possible and ultimately prevent any serious breaches in the company's network. The process involves 5 steps:
Planning - An organization needs to start the cyber vulnerability assessment process by determining which systems and networks within the organization will be assessed, including the identification of business-critical assets, and where particularly sensitive data resides. The planning must ensure that everyone involved has the same expectations and goals for what the assessment will provide, and make sure that communication will remain transparent throughout the assessment process. It’s also critical to leverage modern technology like machine learning to automate as much of this process as possible.
Scanning - The next step in the process is to actively scan the organization’s system or network. This is done with any one of the many available automated tools. Vulnerability databases are used to identify security flaws and weaknesses collected in the wild; filtering out false positives can be time-consuming and resource-intensive, but machine-learning based tools can be used to minimize the manual labor required. Particularly with a first assessment, the number of vulnerabilities found within the organization can be overwhelming, which is where the next step comes in.
Prioritization - This is the crucial step after receiving a mass of vulnerabilities from the scanning phase. More detailed analysis follows, providing a clear sense of the causes of the vulnerabilities, the dangers they pose, and the suggested methods of remediation for tackling them. Each vulnerability is then ranked and prioritized based on its risk to the organization, the severity of the flaw, and the damage that could result from a breach through that vulnerability. The idea of the analysis step is to quantify the threat each vulnerability poses, giving a clear sense of the urgency of addressing it and of its potential impact. Ultimately, the goal of vulnerability prioritization is to optimize precious remediation resources to minimize organizational risk.
Remediation - This is the final step in the cyber vulnerability assessment process. The vulnerability assessment results are analyzed in an effort to patch key gaps in the organization’s cybersecurity. This could simply be done via a product update, or through something more substantial like the installation of new security tools to enhance existing security procedures. The prioritization step will help vulnerability managers decide which vulnerabilities are to be addressed first in this process, ensuring that the most urgent are handled first. It's also worth noting that some cyber vulnerabilities may have so little impact that they are not worth the organizational resources required for remediation.
Repeat the Process - This step highlights the importance of repeating the cyber vulnerability assessment process. Vulnerability assessments need to be conducted on a regularly scheduled basis, because any single assessment is only a snapshot of a moment in time, and the set of vulnerabilities changes from day to day.
Elements of Vulnerability Management
What are the Elements of Vulnerability Management?
There are 5 major elements of Vulnerability Management:
- Discovery - the process of identifying all the “assets” connected to a network.
- Machine Scanning - pinging or probing each asset to gauge its reaction; certain reactions to the probing will indicate a vulnerability.
- Web Application Security Testing - simulating typical attack vectors against an application that interacts with the internet to identify security weaknesses.
- Prioritization - ranking the risk of vulnerabilities to the organization to determine which need to be patched immediately, and which can wait.
- Remediation - patching assets with vulnerabilities by installing more recent versions of the software in which the vulnerability has been identified.
How to Manage Vulnerabilities
Borrowing a concept from the best-selling book Extreme Ownership, written by two former Navy SEAL officers, “Prioritize and Execute” is how to manage vulnerabilities. In the book, the authors tell the story of a SEAL team operation in Iraq in which the team faced multiple challenges when the mission went awry. Several problems confronted the team simultaneously, but it would have been impossible and counter-productive to attempt to address them all at the same time. The answer? Prioritize and execute. Identify the most pressing problem first, fix it, and then move on to the next most pressing issue. We’ve all learned in a basic first aid class that if someone is bleeding and not breathing, the priority is to stop the bleeding first. Not breathing is obviously critical, but a human will die faster from massive blood loss than from lack of oxygen.
As difficult as it can be to admit, the concept of “prioritize and execute” is also how to manage vulnerabilities. Just about every enterprise network is littered with vulnerabilities. Smaller networks may have thousands, while larger enterprises could be dealing with hundreds of thousands. (In just one recent example, a cyber security professional at Blue Cross Blue Shield of Minnesota revealed that the health insurer had over 200,000 critical vulnerabilities for which patches were available.) It would be impossible to hire the number of professionals necessary to patch all those vulnerabilities, and even if it were somehow feasible, it might not be advisable.
When determining how to manage vulnerabilities, the following realities must be taken into consideration:
- With few exceptions, enterprise networks have far too many vulnerabilities to be patched by any reasonable level of staffing in any reasonable period of time.
- New vulnerabilities are discovered every day, so managing vulnerabilities can feel like bailing out a leaking boat (more new vulnerabilities were reported in the first quarter of 2019 than in any previous 3-month period).
- Patching vulnerabilities carries an inherent risk. The asset or software being patched can break, or the patch can negatively impact connected systems. Moreover, when a patch is applied, the system is unavailable for some period of time necessary to install and test the patch. If the patch target is a business critical system, the consequences can be significant.
- The traditional method for scoring the risk of a vulnerability (the CVSS score) is a grossly inadequate measure, and does not account for any organization-specific factors when ranking vulnerabilities.
Given these factors, it’s clear that the most important factor in how to manage vulnerabilities is prioritization. But how does a security or IT operations team prioritize tens of thousands of vulnerabilities? Where do you start? It’s not only a good question, but the key to how to manage vulnerabilities.
As mentioned previously, the primary means of risk-ranking vulnerabilities to date has been the CVSS score. The score can be a useful starting point for ranking vulnerability risk, but its primary deficiency is that it’s generic: it’s the same static score for any given vulnerability, so it in no way takes into account the context of the vulnerability on a given network in a given organization. Until recently, however, there have been no other viable ranking options.
Some vendors have begun marketing algorithms that attempt to predict whether or not a new vulnerability will be exploited. New vulnerabilities are referred to as “zero-day vulnerabilities” if no patch is yet available to fix the issue. The time between the discovery of the vulnerability and the patch’s availability is considered a particularly attractive window for threat actors to exploit the vulnerability. Predictive exploitability algorithms use historical data to predict whether an exploit for a new zero-day vulnerability will be developed and become available to bad actors at some point. The problems with this risk-ranking method are several:
- Like the CVSS score, the predictive exploitability score is the same for all vulnerabilities, irrespective of their context in the organization.
- Most breaches that involve vulnerabilities exploit n-day vulnerabilities, or those that have been known for some time, and for which patches are available. Zero-day vulnerabilities are sexy and often generate significant hype, but they’re rarely responsible for breaches.
- Predictive exploitability vendors claim to reduce the number of vulnerabilities that organizations need to worry about by over 90%, but as crazy as it sounds, that still leaves thousands of vulnerabilities to deal with. In the Minnesota Blue Cross example presented above, a 90% reduction would leave Blue Cross with over 20,000 critical vulnerabilities that need to be addressed. How does Blue Cross go about ranking the remaining 20,000? Predictive Exploitability doesn’t help with that challenge.
Fortunately, modern AI and machine learning technology is enabling a new approach to how to manage vulnerabilities, and specifically to prioritization. Contextual Prioritization leverages AI and 3 dozen internal and external factors to prioritize each vulnerability in the context of its network and organization, and risk-ranks each in order, so operations teams know what needs to be fixed first, second, third, and so on, like a page out of the “Prioritize and Execute” SEAL playbook.
A short paper compares the three methodologies (CVSS, Predictive Exploitability, and Contextual Prioritization), and to learn more about how to manage vulnerabilities using Contextual Prioritization, download the white paper, Introduction to Contextual Prioritization.
Risk Threat Vulnerability
Many cyber security related words are tossed to and fro in marketing literature, blog posts, product videos and trade show booth signage. Some may argue that risk, threat and vulnerability are right up there with the most popular, and they might be right. Let’s take a minute to break down risk, threat and vulnerability and try to wrap some basic definitions around them.
Of the three, risk is probably the most generic, with the most potentially wide-ranging applicability. The classic definition of a risk, of course, is the probability of an occurrence combined with the consequence of that occurrence. When both are high, the risk is high (the probability you’ll contract the coronavirus if you visit Wuhan province is relatively high, and the consequence of contracting the virus is also serious).
If the probability is low, but the consequences are significant, the risk may still be high (the probability of a nuclear war is relatively low, but the consequences of a nuclear war are clearly serious).
Finally, if the probability is high but the consequences are minor, the risk is probably low (the chance of catching the common cold is high, but the consequences, although annoying and no fun, are not significant in the grand scheme of one’s overall health).
Cyber risk is clearly high, as the probability of a breach is non-trivial in today’s threat environment, and the consequences of a breach can be very serious for an organization.
In the context of information security, a risk is something that exposes your enterprise or elements of your enterprise to compromise. That risk could be anything from a software vulnerability (which we’ll discuss later in this article) to a disgruntled employee. Cyber security risks can be minimized, but all of them can never be eliminated. Steps can be taken to lower the probability of a network compromise or a sensitive data loss, and in theory, the risk can approach zero, but it can never equal zero. This is why risk professionals use phrases like “managing risk,” and never “eliminating risk.”
Cyber risk can also increase (or decrease, but given today’s landscape, it’s unlikely to do the latter) as a result of external factors over which an enterprise has no control. For example, the advent of digital currency, and specifically Bitcoin, fundamentally increased the cyber risk to every organization, as cyber criminals were given an untraceable means to extort value from their victims, something that was much more difficult to accomplish prior to Bitcoin’s introduction.
Much like a risk, a threat is a broad term that can mean many things. Most typically, however, in the cyber security community it is associated with another term, like “threat actor”: an individual or group launching cyber attacks for any number of motivations. As with “risk” discussed previously, a threat can be conventional, like an external hacker attempting to extort the organization, or a less obvious issue like an internal employee stealing data or credentials. Of the three, risk and threat are clearly the most closely related, and in many contexts are used interchangeably.
Vulnerability is the most well-defined of the three terms, and has a distinctive meaning in the world of information security. In cyber security, a vulnerability is a figurative “hole” in software that allows threat actors to penetrate the cyber defenses of a network.
Vulnerabilities can be found in older software, or that which has been newly released. Vulnerabilities are unintentional flaws in software that can be discovered by “white hat” hackers (ethical hackers that identify flaws and then notify the software manufacturers) or “black hat” hackers that use the discovered vulnerabilities to profit, either by directly exploiting those vulnerabilities themselves, or by developing exploits and selling them to other cyber criminals.
The typical enterprise network has thousands, tens of thousands, or even millions of vulnerabilities. Many of those vulnerabilities can be considered low-risk for a number of reasons, while others are critical. The remedy for a vulnerability is a software patch, essentially an updated version of the software without the vulnerability. That having been said, patching (installing updated software) is not only time-consuming and resource-intensive, but also risky, as upgrading software can negatively impact the asset on which it's running, or surrounding assets.
Security Vulnerability Assessment
One of the pillars of an effective enterprise information security program is a periodic security vulnerability assessment. Estimates vary, but one recent study placed the percentage of breaches that involve a vulnerability at 60%. Most importantly, that 60% figure reflects vulnerabilities for which a patch was available, meaning those breaches could have been prevented if a periodic security vulnerability assessment had been completed, and the appropriate remediation efforts completed. So why were so many breaches preventable?
The answer is simple: executing a security vulnerability assessment is easier said than done, and gleaning the appropriate information for the vulnerability assessment such that steps can be taken to reduce the risk identified in the assessment is even more challenging. There are just so many vulnerabilities on the typical enterprise network (thousands, tens of thousands, or even millions) that the effort is overwhelming to most organizations.
We’ll discuss the challenges in more detail below, but first, let’s review the steps in a good security vulnerability assessment:
- Asset discovery, including machines and connected devices
- Identification of business-critical assets
- Web application discovery and security testing
- Asset vulnerability scanning
- Vulnerability risk prioritization
- Remediation scenario planning and optimization
Asset Discovery:
The first step is to make sure you’re accounting for all the assets on your network, so effective asset discovery is important. Keep in mind that asset discovery is not a one-time element of a security vulnerability assessment; it’s an ongoing process, as assets are added to and removed from enterprise networks frequently.
Identification of Business-Critical Assets:
Not all assets on a network are created equally. Some are more important than others. Perhaps they house particularly sensitive data or a revenue-generating application. A security vulnerability assessment needs to account for the importance of assets to help prioritize remediation efforts that maximize risk reduction, and that effort starts with an accurate identification of business-critical assets.
Web Application Discovery & Security Testing:
Not all assets are created equally, and not all assets are made of metal. A key element of a comprehensive security vulnerability assessment is the discovery and testing of web applications. As, by definition, web applications are accessible from anywhere, they can be compromised by threat actors located anywhere, so they are particularly vulnerable to attack. Discovering and tracking the relationship between web applications and assets is also a key element of a good security vulnerability assessment. And again, this is an on-going process, as an enterprise network is a living, changing entity in contemporary IT operations.
Asset Vulnerability Scanning:
The next step in the security vulnerability assessment process is the one most people associate most readily with vulnerability management in general. Scanning assets for vulnerabilities is, without doubt, the core of any security vulnerability assessment, but since this element of the overall process is the most mature, it tends to consume much of the oxygen in the discussion. In reality, the “easy” part of the security vulnerability assessment process is identifying the thousands or tens of thousands of vulnerabilities on the typical enterprise network. The challenge is extracting actionable intelligence from the mountain of vulnerability data created from the scanning process.
Vulnerability Risk Prioritization:
Vulnerability overload is the most common challenge encountered by IT operations teams when it comes to a security vulnerability assessment, as the typical enterprise network is home to thousands of vulnerabilities, and patching them all is both unrealistic and ill-advised. Patching can bring systems down, and even when it goes smoothly, is time-consuming and consumes resources. Thus, confidently prioritizing vulnerabilities and remediation efforts to minimize risk and remediation efforts is perhaps the most important element of a good security vulnerability assessment.
Doing so, however, is challenging, as prioritizing remediation efforts requires the simultaneous evaluation of dozens of factors, both internal and external to the network, to determine which vulnerabilities pose the highest risk to the organization, and which ones can be deprioritized.
Traditional methods of vulnerability prioritization have varied from the reliance on generic vulnerability risk scores like the CVSS to labor-intensive efforts that require scarce expert cyber security and IT operations professionals to rank remediation efforts. The relatively recent introduction of modern artificial intelligence and machine learning technology has transformed this process and introduced automated, meaningful prioritization as an option for vulnerability prioritization in the security vulnerability assessment process.
Remediation Scenario Planning and Optimization:
Closely connected to vulnerability risk prioritization, remediation scenario planning and optimization is the final step in a security vulnerability assessment, and it’s where the rubber meets the road; it’s where actual vulnerabilities are fixed. The goal of this step in the process is to optimize precious patching resources, and assure that all remediation efforts balance the risk of the remediation against the security risk of the vulnerability.
Key here is to use a tool to evaluate different remediation plans for their overall risk reduction before remediation tasks are undertaken. One remediation plan may use x hours of resources and reduce risk by 10%, while another plan focusing on a different set of vulnerabilities may use the same number of resource hours and reduce risk by 20%.
Gaming out different vulnerability remediation scenarios can significantly increase risk reduction for the same expenditure of precious resources. Doing so is the only way to assure that the security vulnerability assessment process accomplishes its primary goal: optimizing risk reduction.
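The plan comparison described above (same hour budget, different risk reduction) as an added example; this is illustrative code written for this page, not the vendor's tool, and the inventory, risk values, effort estimates and patch-failure probabilities are all constructed.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Remediation:
    """One patch task: its risk contribution, effort, and the chance the patch itself causes trouble."""
    vuln_id: str       # constructed placeholder id, not a real CVE
    risk: float        # risk the vulnerability contributes (e.g. a contextual score)
    hours: float       # estimated effort to install and test the patch
    break_prob: float  # constructed probability (0-1) that the patch breaks the asset


def expected_reduction(task: Remediation) -> float:
    """Risk removed by this task, discounted by the chance the patch fails and is rolled back."""
    return task.risk * (1.0 - task.break_prob)


def plan_hours(plan: List[Remediation]) -> float:
    return sum(t.hours for t in plan)


def plan_reduction(inventory: List[Remediation], plan: List[Remediation]) -> float:
    """Fraction of the inventory's total risk that the plan is expected to remove."""
    total = sum(t.risk for t in inventory)
    return sum(expected_reduction(t) for t in plan) / total


def fill_budget(ordered: List[Remediation], budget_hours: float) -> List[Remediation]:
    """Take tasks in the given order while they still fit in the hour budget."""
    plan, used = [], 0.0
    for task in ordered:
        if used + task.hours <= budget_hours:
            plan.append(task)
            used += task.hours
    return plan


def plan_by_raw_risk(inventory: List[Remediation], budget_hours: float) -> List[Remediation]:
    """Naive plan: biggest risk first, ignoring effort and the patch's own risk."""
    return fill_budget(sorted(inventory, key=lambda t: t.risk, reverse=True), budget_hours)


def plan_by_reduction_per_hour(inventory: List[Remediation], budget_hours: float) -> List[Remediation]:
    """Greedy plan by expected risk reduction per hour (a knapsack heuristic, not guaranteed optimal)."""
    return fill_budget(sorted(inventory, key=lambda t: expected_reduction(t) / t.hours, reverse=True),
                       budget_hours)


# Constructed inventory: ids, risk values, hours and failure probabilities are made up for the example.
INVENTORY = [
    Remediation("VULN-0001", 40.0, 8.0, 0.10),
    Remediation("VULN-0002", 30.0, 2.0, 0.00),
    Remediation("VULN-0003", 25.0, 3.0, 0.05),
    Remediation("VULN-0004", 20.0, 10.0, 0.30),
    Remediation("VULN-0005", 15.0, 1.0, 0.00),
    Remediation("VULN-0006", 10.0, 4.0, 0.00),
]

if __name__ == "__main__":
    budget = 10.0
    for name, plan in (("raw risk", plan_by_raw_risk(INVENTORY, budget)),
                       ("reduction/hour", plan_by_reduction_per_hour(INVENTORY, budget))):
        ids = [t.vuln_id for t in plan]
        print(f"{name}: {ids} uses {plan_hours(plan):.0f}h, "
              f"removes {plan_reduction(INVENTORY, plan):.0%} of risk")
```

With a 10-hour budget the raw-risk plan patches two items and removes about 47% of the risk, while the reduction-per-hour plan patches four smaller items in the same hours and removes about 56%.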
What is Software Vulnerability?
A software vulnerability is a mistake in a software component that leaves it open to exploitation by a malicious attacker. Vulnerabilities can arise for a host of reasons, and in some cases the coding error can be as basic as forgetting to close a parenthesis. Other vulnerabilities are found by an attacker who discovers a way to manipulate a given piece of code that the software developer or organization never anticipated. Since software is still, in most cases, primarily written by humans, we are faced with a mountain of software vulnerabilities that have been written into our products over the course of years.
Who is at Risk of Software Vulnerability?
Just about every device within any organization has software of some type, and therefore just about all devices (or “assets”) on a given network can house vulnerabilities. Operating systems are composed of software, as are web browsers, word processing programs, spreadsheets, video players, websites, and every one of the thousands of applications that either exist today or are being introduced constantly. Moreover, a single software program may have dozens of versions, each of which can be vulnerable in different ways. Computer hardware even uses a form of software called ‘firmware’. Cell phones and networking equipment also have software built in, and therefore they are also possible hosts for software vulnerabilities.
When considering a software vulnerability, there are a few main factors that must be taken into consideration to assess the risk it poses to an organization:
- Existence - Is there a vulnerability on a given asset? To determine this, all assets on the network must be scanned on a regular basis. Once a vulnerability is found on a given asset (which could be a connected device or an application), it needs to be prioritized for remediation.
- Accessibility - This factor asks the question, “Is the software vulnerability accessible to a malicious hacker?” All possibilities must be accounted for; primarily, whether the asset is accessible remotely and who has access to the software.
- Exploitability - This addresses whether or not the vulnerability on the asset is being exploited in the wild, or the probability that it will be.
- Ramifications of Exploitation - here, the asset and data on the asset must be accounted for. If the asset or application were to be compromised, what would the ramifications be? Is it a business-critical asset? Is it connected to other critical assets such that its compromise would easily enable attackers to move to other assets on the network?
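The four factors above, and the earlier point that a generic CVSS or predictive exploitability score ignores an asset's context, as an added example that is not part of the original post: the same scan findings are ranked once by CVSS alone and once by a score that folds in existence, accessibility, exploitability and ramifications. The multipliers, vulnerability ids and host names are constructed for illustration, not a published formula.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    """One scanner finding, annotated with the four context factors from the text."""
    vuln_id: str             # constructed placeholder id, not a real CVE
    asset: str               # constructed asset name
    cvss: float              # generic CVSS base score (0-10), identical on every asset
    present: bool            # Existence: did the scan confirm it on this asset?
    remote: bool             # Accessibility: reachable from outside the network?
    exploited_in_wild: bool  # Exploitability: known active exploitation?
    asset_critical: bool     # Ramifications: business-critical asset?
    adjacent_critical: bool  # Ramifications: pivot path to other critical assets?


def contextual_score(f: Finding) -> float:
    """Scale the generic CVSS score by asset context (illustrative weights, an assumption)."""
    if not f.present:
        return 0.0                      # Existence: nothing to fix on this asset
    accessibility = 1.0 if f.remote else 0.5
    exploitability = 1.5 if f.exploited_in_wild else 1.0
    impact = 1.0 + (0.5 if f.asset_critical else 0.0) + (0.3 if f.adjacent_critical else 0.0)
    return f.cvss * accessibility * exploitability * impact


def rank_by_cvss(findings: List[Finding]) -> List[str]:
    """Generic ranking: highest CVSS first, context ignored."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def rank_by_context(findings: List[Finding]) -> List[str]:
    """Contextual ranking: highest contextual score first."""
    return [f.vuln_id for f in sorted(findings, key=contextual_score, reverse=True)]


# Constructed sample scan results (placeholder ids and hosts).
FINDINGS = [
    Finding("VULN-0001", "public-web-01", 7.5, True, True, True, True, True),
    Finding("VULN-0002", "dev-laptop-17", 9.8, True, False, False, False, False),
    Finding("VULN-0003", "db-primary-02", 6.5, True, False, True, True, False),
    Finding("VULN-0004", "public-web-01", 9.0, False, True, False, True, True),
]

if __name__ == "__main__":
    print("CVSS order:      ", rank_by_cvss(FINDINGS))
    print("Contextual order:", rank_by_context(FINDINGS))
    for f in FINDINGS:
        print(f"{f.vuln_id} on {f.asset}: cvss={f.cvss} contextual={contextual_score(f):.2f}")
```

The CVSS ordering puts the developer laptop's 9.8 first; the contextual ordering moves the internet-facing, actively exploited 7.5 on the critical web server to the top and drops the finding the scan did not actually confirm to zero.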