Vulnerability Management Glossary (Part 2)
March 5, 2020
This blog is part 2/2 of the Vulnerability Management Glossary. The cybersecurity and vulnerability management industry uses a large vocabulary of specialized terms; here we highlight the essential, everyday ones for a better understanding of vulnerability management.
What is Vulnerability Management?
Vulnerability management is the process of identifying weaknesses and vulnerabilities in an organization's devices and web applications connected to a specified network, and taking suitable action against them.
Vulnerability management includes evaluating the cyber security risk that the discovered vulnerabilities pose. The findings are then used to initiate the required remediation, whether patching, reconfiguration or quarantining, that ultimately removes those risks from the network. Information security professionals agree that vulnerability management is an essential element of modern-day efforts to maintain computer and network security.
Why Do Enterprises Need Vulnerability Management?
The explosion of enterprise applications, traditional servers and laptops, and any number of connected devices makes it increasingly difficult for enterprise IT and security teams to keep up with software upgrades and new releases. As vulnerabilities are discovered in software and web applications, fixes (or "patches" in the industry vernacular) are developed by the software vendors and incorporated into new versions of their software.
The users of that software then upgrade their systems to the new versions. This sounds straightforward, but the number of vulnerabilities on a network inevitably climbs into the thousands, tens of thousands, and even hundreds of thousands or millions. Patching all of them with new software upgrades becomes impossible and, as we'll discuss below, can even be ill-advised.
Closely related to vulnerabilities is another class of security gaps: inadvertent data exposures. These typically result from misconfigured servers or storage that make data available accidentally, with no software bug involved. As an aside, Delve has developed an open source tool to find such exposed data on its customers' networks.
Vulnerability Collections and Revelations
How are Vulnerabilities Collected and Revealed to the Public?
The most prominent vulnerability catalog is maintained by the MITRE Corporation, a non-profit that operates research centers for the US Federal Government. MITRE maintains the Common Vulnerabilities and Exposures (CVE) list, which gives each publicly known vulnerability a unique identifier of the form CVE-YYYY-NNNNN so that vendors, scanners and researchers can refer to the same issue unambiguously. MITRE's work on CVE is funded by the US Department of Homeland Security.
The National Institute of Standards and Technology (NIST) maintains the National Vulnerability Database (NVD), which ingests the CVE list and enriches each entry with a severity score from 0.0 to 10.0 using the Common Vulnerability Scoring System (CVSS). CVSS itself is a specification maintained by FIRST (the Forum of Incident Response and Security Teams); the NVD publishes the CVSS base score and vector, and that base score is the primary number vulnerability teams use to rank severity. As we'll discuss later, CVSS is a good starting point, but the base score describes the vulnerability in isolation: it is the same for every organization, irrespective of where the affected asset sits in your network. CVSS does define environmental and temporal metrics for adjusting a score to local context, but those have to be supplied by the consuming organization, not by the NVD.
MITRE and NIST make the CVE and CVSS data available to the public free of charge.
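To make that distinction concrete, here is an added example (not code from the original page or from Delve) that implements the CVSS v3.1 base, temporal and environmental formulas from the FIRST specification. It shows that the base score published by the NVD is fixed for a given vector, and that only the environmental and temporal metrics, which the consuming organization supplies itself, move the number. The vector strings used in the usage are constructed for illustration.

```python
import math

# CVSS v3.1 metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}   # Privileges Required, Scope Unchanged
PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}     # Privileges Required, Scope Changed
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
# Temporal metrics; "X" (not defined) has no effect.
E = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
RL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
RC = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}
# Security requirements (CR/IR/AR): how much *this* organization values C, I and A of the asset.
REQ = {"X": 1.0, "H": 1.5, "M": 1.0, "L": 0.5}


def roundup(x: float) -> float:
    """Round up to one decimal exactly as CVSS v3.1 Appendix A specifies (avoids float artefacts)."""
    i = int(round(x * 100000))
    if i % 10000 == 0:
        return i / 100000.0
    return (math.floor(i / 10000) + 1) / 10.0


def parse_vector(vector: str) -> dict:
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}."""
    prefix, *pairs = vector.split("/")
    if prefix not in ("CVSS:3.0", "CVSS:3.1"):
        raise ValueError("only CVSS v3.x vectors are supported, got " + prefix)
    return dict(pair.split(":", 1) for pair in pairs)


def _impact_exploitability(m: dict, modified: bool, scope_changed: bool):
    def val(key):
        # The environmental score uses the Modified (M*) metric when set, else the base metric.
        if modified and m.get("M" + key, "X") != "X":
            return m["M" + key]
        return m[key]

    c, i, a = CIA[val("C")], CIA[val("I")], CIA[val("A")]
    if modified:
        iss = min(1 - (1 - REQ[m.get("CR", "X")] * c)
                    * (1 - REQ[m.get("IR", "X")] * i)
                    * (1 - REQ[m.get("AR", "X")] * a), 0.915)
        impact = (7.52 * (iss - 0.029) - 3.25 * (iss * 0.9731 - 0.02) ** 13
                  if scope_changed else 6.42 * iss)
    else:
        iss = 1 - (1 - c) * (1 - i) * (1 - a)
        impact = (7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
                  if scope_changed else 6.42 * iss)
    pr = (PR_CHANGED if scope_changed else PR_UNCHANGED)[val("PR")]
    exploitability = 8.22 * AV[val("AV")] * AC[val("AC")] * pr * UI[val("UI")]
    return impact, exploitability


def _combine(impact: float, exploitability: float, scope_changed: bool) -> float:
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope_changed:
        total *= 1.08
    return roundup(min(total, 10.0))


def cvss31_scores(vector: str):
    """Return (base_score, environmental_score) for a CVSS v3.1 vector string.

    Without temporal/environmental metrics the two are identical: the base score
    describes the vulnerability in isolation and is the same for every consumer.
    """
    m = parse_vector(vector)
    base_changed = m["S"] == "C"
    base = _combine(*_impact_exploitability(m, False, base_changed), base_changed)

    ms = m.get("MS", "X")
    env_changed = (m["S"] if ms == "X" else ms) == "C"
    temporal = E[m.get("E", "X")] * RL[m.get("RL", "X")] * RC[m.get("RC", "X")]
    env = roundup(_combine(*_impact_exploitability(m, True, env_changed), env_changed) * temporal)
    return base, env


if __name__ == "__main__":
    # Constructed vectors: a network-reachable, no-auth, full-compromise vector, then the
    # same vulnerability on an asset whose confidentiality/integrity/availability needs are Low.
    print(cvss31_scores("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"))                # (9.8, 9.8)
    print(cvss31_scores("CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/CR:L/IR:L/AR:L"))  # (9.8, 8.0)
```

The base score of 9.8 is what every NVD consumer sees. Adding CR:L/IR:L/AR:L (a low-value asset) drops the environmental score to 8.0, and adding E:P/RL:O (a public proof of concept but an official fix available) drops it to 8.8; without a vulnerability management process that feeds in such context, every organization is left prioritizing against the same 9.8.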
Who Discovers Vulnerabilities in Software?
Vulnerabilities can be discovered by multiple entities, including:
- The software companies that develop the software.
- “White Hat” hackers, typically security researchers at universities, security firms or working independently, who identify vulnerabilities and report them to the vendor to be fixed.
- Bad actors who discover vulnerabilities and use them to gain access to a network.
- “Bug Bounty” program participants who are incentivized to find vulnerabilities and report them to the organization sponsoring the program, for example, Microsoft, Facebook, and even government entities like the US Department of Defense (https://en.wikipedia.org/wiki/Bug_bounty_program)
Vulnerability In Cyber Security
What is a Vulnerability in Cyber Security?
A vulnerability is a weakness in a network's or organization's security that malicious attackers could exploit if it is not dealt with appropriately. A vulnerability can be used to gain entry to an organization's network and then to steal sensitive company data, hold company and stakeholder data hostage for ransom, or damage the organization's public image and reputation.
Attackers keep improving their tooling and techniques. They constantly look for new vulnerabilities in an organization's defenses, or for old ones that have gone unpatched, and plenty of the latter are likely to exist if a company is not dealing with vulnerabilities appropriately.
How Are Vulnerabilities in Cyber Security Formed?
There are many reasons why organizations find vulnerabilities in their cyber security, and they come in different shapes and sizes, but most require attention at some point. Some of the main causes are listed below:
- Common Familiarities. Widely used software, code libraries, operating systems and hardware shared across industries increase the probability that an attacker already knows about, or can readily find, a publicly known vulnerability, putting every organization using those components at risk.
- Weak Passwords. Poor password choices can be broken by brute force or guessing, and if employees reuse passwords across services, a single data breach can spiral into many.
- Internet Misuse. The Internet is full of spyware and malicious code that can be installed on computers automatically, for example via phishing attacks, if employees are not vigilant in their online activities.
- High Connectivity. The more users and systems that can reach a device, the larger its attack surface and the higher the chance that a slip in security processes gets exploited. It only takes one exploited vulnerability for an attacker to gain a foothold on the network.
- Software Bugs. Programmers can accidentally (or, rarely, deliberately) leave a bug in an organization's software. Such bugs are the typical source of traditional vulnerabilities and an easy target for a cyber attack.
- Unchecked User Input. If an organization's website or software assumes that all input is safe and builds database queries from it directly, an attacker can make it execute unintended SQL statements, commonly referred to as an "SQL Injection" vulnerability.
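Added example (not code from the original page): the unchecked-input case above, written against a constructed in-memory SQLite user table. The vulnerable function concatenates the username into the query text; the fixed function uses a parameterized query. The table contents and the payloads are made up for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users (username, is_admin) VALUES (?, ?)",
                     [("alice", 0), ("bob", 1)])
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # VULNERABLE: the untrusted value becomes part of the SQL text, so a quote
    # inside it ends the string literal and the rest is parsed as SQL.
    query = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # FIXED: the statement is constant text with a placeholder; the driver binds the
    # value separately, so it is only ever compared as data, never parsed as SQL.
    query = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(query, (username,))]


def demo() -> dict:
    conn = make_db()
    tautology = "' OR '1'='1"                          # makes the WHERE clause always true
    union = "x' UNION SELECT is_admin FROM users --"   # reads another column; -- comments out the trailing quote
    return {
        "normal_vulnerable": find_user_vulnerable(conn, "alice"),
        "normal_safe": find_user_safe(conn, "alice"),
        "tautology_vulnerable": find_user_vulnerable(conn, tautology),   # every user is returned
        "tautology_safe": find_user_safe(conn, tautology),               # nobody has that literal name
        "union_vulnerable": sorted(find_user_vulnerable(conn, union)),   # is_admin flags leak out
        "union_safe": find_user_safe(conn, union),
    }
```

Both functions behave identically on the honest input "alice", which is why this class of bug survives functional testing; only the hostile inputs separate them. Parameterization fixes the root cause (data parsed as code); escaping or filtering quote characters is a fragile substitute.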
When Can A Vulnerability in Cyber Security Become Exploited?
The window of vulnerability is the period from the moment the vulnerability is first introduced into the organization's environment until the moment it is patched. To be classified as exploitable, a vulnerability must have at least one known, working attack vector. If the correct security measures and processes are in place, many vulnerabilities are not easily exploitable, but those measures can be challenging to deploy without proper staffing.
What is Vulnerability Intelligence?
Vulnerability intelligence involves understanding vulnerabilities in order to build and craft appropriate defense layers against future attacks, and build the most efficient remediation plans. Vulnerability intelligence enables organizations to consider the broader picture when assessing a given vulnerability or set of vulnerabilities.
For vulnerability intelligence to work, it compiles vulnerability information from a range of different sources, including software vendors, public and governmental organizations, cyber security professionals or stakeholders, and individuals. For each vulnerability, vulnerability intelligence provides an examination of criticality ratings, historical data, information about exploits, potential patches and numerous other factors that assist cyber security professionals in assessing the risk each vulnerability poses to the organization.
You can only deal with vulnerabilities appropriately if you can consolidate and contextually prioritize these large and varied data sets (structured and unstructured, offline and online) and identify the items that matter most to your organization.
Why Should an Organization Use Vulnerability Intelligence?
Vulnerability intelligence allows an organization's cyber security teams to ensure that vulnerabilities are handled efficiently and correctly by building a larger, comprehensive set of vulnerability data that is contextual to the organization. Some of the key reasons to implement vulnerability intelligence are listed below:
- Reliability. By enriching the collected vulnerability data with intelligence, the right vulnerability intelligence gives it context and supports the first steps of risk management. It allows vulnerability management to assign a criticality rating that reflects the threat the vulnerability poses and the impact it may have on the organization.
- Time saving. Contextualizing and rating vulnerabilities makes sense of the raw data collected. Vulnerability intelligence transforms the data so that it is reliable and usable, which lets cyber security professionals and management focus on the most pressing issues.
- A foundation to security processes. Vulnerability intelligence is the foundation of good cyber security processes. It plays a vital part in each element of IT security strategy, and is a part of the solution to vulnerability overload in each stage, from vulnerability discovery to remediation.
Vulnerability Management AWS
What is Vulnerability Management AWS (Amazon Web Services)?
AWS (Amazon Web Services) provides a robust cloud platform for hosting applications and infrastructure, but under AWS's shared responsibility model, AWS secures the underlying cloud (facilities, hardware, hypervisors and the software of its managed services) while the customer is responsible for security in the cloud: patching their own instances and containers, configuring IAM, security groups and storage permissions, and securing the applications they deploy. Publicized AWS compromises overwhelmingly involve weaknesses on the customer side of that line, such as unpatched workloads, leaked access keys and overly permissive configurations.
So on AWS, you are responsible for keeping your environment secure, which means keeping your systems updated on a regular basis. To do this you need asset inventory, configuration and vulnerability data, and you need to know, in near real time, which vulnerabilities exist, whether they affect you, and how dangerous they are. This is where a vulnerability management system comes into play: it offers continuous security and compliance visibility for AWS environments.
In this setting, vulnerability management means the same thing as elsewhere: assessing and acting on weaknesses in the devices, instances and web applications an organization runs, whether on its own network or in Amazon Web Services (AWS).
How Does Amazon Web Services Handle Vulnerability Management?
The process described here is AWS's own handling of vulnerabilities reported to AWS Security, for example when a customer's vulnerability management finds an issue in an AWS service rather than in the customer's own workload. AWS works to validate any reported vulnerability. If AWS requires additional information to identify or reproduce the issue, they work with the reporter to obtain it. When the initial investigation is complete, the results are delivered to the reporter along with a remediation plan.
AWS commits to being responsive and to keeping the reporter informed as the investigation or mitigation of the reported issue progresses. AWS will acknowledge receipt of a reported vulnerability within 24 hours and then provide updates at least every 5 working days.
If the reported vulnerability is in a third-party product, AWS acts as an intermediary and coordinates between the reporter and the third-party vendor. If a vulnerability cannot be addressed or corrected, AWS will still communicate with the reporter about the matter.
How Does AWS Prioritize Vulnerabilities?
At the time of writing, Amazon Web Services uses version 2.0 of the Common Vulnerability Scoring System (CVSS) to evaluate all potential vulnerabilities reported to it. The resulting score quantifies the severity of the risk, and AWS prioritizes its response accordingly.
Vulnerability Management Best Practices
What are Vulnerability Management Best Practices?
Implementing the correct and appropriate vulnerability management best practices greatly benefits an organization’s efforts to minimize current and emerging vulnerability risk from its network and stakeholders. Some of the best practices an organization can employ are listed below:
- Conduct broad scans. Ensure one of your vulnerability management best practices includes scanning everything; all corners of an organization's network should be covered to minimize the chance of an attack.
- Accurate scanning. Organizations should be wary of inaccurate scans that report issues that don't exist and strain resources, for example an abundance of "false positives".
- Keep vulnerability management a high priority. Ensure vulnerability management is not a one-off or once-a-quarter activity. The vulnerability profile of any network constantly changes and develops, so for an organization to stay ahead, it should keep vulnerability management a forefront priority.
- Compare changes over time. An organization should keep on top of its vulnerabilities and keep its security risk low by comparing changes. This way the company knows if the appropriate action is being taken or if process changes need to be made.
- Fix high priority risks first. After vulnerability prioritization, an organization should be well aware of which vulnerabilities pose the greatest risk. If these are not handled with the utmost importance, the organization and all of its stakeholders may be in imminent risk of attack.
- Get the right information to the right people. Vulnerability management has no value without the correct action. Most vulnerabilities cannot be addressed and corrected by the IT team alone, so for vulnerability management to be effective, a best practice is to keep teams and managers informed.
What Happens if Vulnerability Management is Not Implemented Correctly?
A vulnerability in a network or organization is a gap in security that could be abused and exploited by malicious attackers. Without correct vulnerability management practices, these vulnerabilities can be used to steal sensitive company information, hold vital data hostage for ransom, or facilitate a breach that damages the organization's public image.
Hackers keep developing their capabilities and leveraging technology advancements. They constantly look to exploit new vulnerabilities or find old ones that have gone unpatched, especially where a company is not employing appropriate vulnerability management processes. Many breaches result from vulnerabilities that were months or years old but were never appropriately dealt with. Vulnerability management best practices ensure that assets are patched accordingly and thereby minimize risk to the organization.
Vulnerability Management Lifecycle
What is Vulnerability Management Lifecycle?
The vulnerability management life cycle is the key process for any organization to find and remediate security weaknesses and vulnerabilities before they are exploited by malicious attackers. As threats continue to become more complex and targeted with the growing advancements in modern technologies, it’s more important than ever for organizations to focus their efforts on minimizing the risk that unpatched vulnerabilities pose. The vulnerability management lifecycle helps organizations achieve that.
Why is Vulnerability Management Lifecycle Important?
A vulnerability in a network or organization is a security hole that could be abused and exploited by hackers and malicious attackers. Such vulnerabilities may be exploited to steal sensitive information, deploy ransomware, or damage an organization's public image or reputation. With fast-moving technology advancements, hackers are also developing and getting smarter with the times. They constantly look to exploit new vulnerabilities in a network or find old ones that have gone unpatched. Many of the breaches carried out by hackers result from vulnerabilities that were months or years old but were never appropriately dealt with.
Vulnerability management lifecycle provides security professionals and IT teams with the necessary information to help prevent or minimize the likelihood of such attacks. The lifecycle outlines everything the organization needs to know to develop the appropriate action against vulnerabilities when it is needed. The vulnerability management lifecycle details all information from which asset the vulnerability is found in, to how to correctly remediate and monitor it.
What Does The Vulnerability Management Lifecycle Include?
The typical vulnerability management lifecycle breaks down into multiple stages that take security professionals through discovering, assessing, prioritizing and remediating the vulnerabilities on their network. The lifecycle consists of six main stages, listed below:
- Discover. This means identifying all of a company's assets and uncovering any forgotten devices. It works to identify all the assets and web applications within an organization that are connected to a given network, in preparation for the vulnerability scans and tests.
- Assess. Stage 2 consists of the tests themselves: after compiling the full device inventory, make sure every device is scanned, both accurately and efficiently.
- Prioritize. Once you are aware of the potential risks to assets, the next step is to rank the vulnerabilities by how urgently they need to be remediated, analyzing a number of internal and external factors.
- Report. The primary purpose of the report is to significantly decrease the security risk that these vulnerabilities pose to a network by presenting clear, actionable information to all stakeholders. These reports will include vulnerability remediation recommendations as well as vulnerability management progress and risk reduction (or increase) over time.
- Remediate. As vulnerabilities are detected and processed into reports, the next step in the vulnerability management lifecycle is to patch or quarantine those vulnerabilities. This can be accomplished through the appropriate updates and patches to avoid the threat of attacks.
- Verify. This step helps you see that the mitigation and remediation was successful for the organization, but it also helps to maintain transparency and accountability across the company. It is a crucial step because it helps determine the success of the entire process.
Vulnerability Management Metrics
What Are Vulnerability Management Metrics?
Vulnerability management metrics are a way to share information about the risks associated with vulnerabilities throughout the organization. Measuring the security posture of an organization is tricky, and given the range of threats to sensitive information and the accessibility of the organization's network, a Chief Information Security Officer may find it very difficult to present the organization's security stance in a clear and understandable way.
Whether they are qualitative or quantitative measures, vulnerability management metrics are vital elements to assisting the cyber security teams and their management to be better aware of the risk exposure, mitigation effort effectiveness, and progress of the organization.
What Are Some of The Main Goals Achieved by Vulnerability Management Metrics?
The vulnerability management metrics can be used and greatly beneficial to an organization in order to achieve the following:
- To create a reference in regards to understanding vulnerabilities in the future.
- To greatly improve the cyber security level of the organization.
- To optimize the level of protection by measuring the performance of remediation resources.
- To assist in the integration of the security practices with the daily processes of the business.
- To validate the costs related to maintaining cyber security within an organization.
What Are Some Vulnerability Management Metrics That Can Improve Vulnerability Management?
- Time to detect. This metric measures the time from when a vulnerability is introduced into the environment (or, where that date is unknown, from its public disclosure) until the vulnerability is detected on the network.
- Time to remediate. This metric measures how long it takes from detection of a vulnerability until it is patched or otherwise mitigated, and is usually tracked per severity level against a target window.
- System Hardening Metric. This metric provides a view into the proper configuration of an organization's operating systems, applications, and network infrastructure devices.
- Access Control. This metric aims to ensure an organization is protecting its network from unauthorized access; with this control, only the authorized personnel can access key systems.
- Baseline Metric. This metric provides a clear understanding of what exactly ‘normal’ is within an organization. This makes it much easier for security professionals to understand deviations from normal.
- Patch Management Efficiency. This metric tracks patch cycles and remediation throughput, for example the share of findings closed and the share closed within their target window.
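Added example (not code from the original page) computing the time-to-detect, time-to-remediate and patch management efficiency metrics above from a constructed export of four findings. The SLA thresholds and the field names (`introduced`, `detected`, `remediated`) are assumptions for the illustration, not a standard schema.

```python
from datetime import date
from statistics import mean

# Remediation target window by severity, in days. Assumed policy for this example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed findings export. "introduced" is when the vulnerable version was deployed
# (or the vulnerability was disclosed); "remediated" is None while the finding is open.
FINDINGS = [
    {"id": "F-1", "asset": "web-01", "severity": "critical",
     "introduced": date(2020, 1, 10), "detected": date(2020, 1, 12), "remediated": date(2020, 1, 15)},
    {"id": "F-2", "asset": "db-01", "severity": "high",
     "introduced": date(2019, 11, 1), "detected": date(2020, 1, 12), "remediated": date(2020, 2, 20)},
    {"id": "F-3", "asset": "web-02", "severity": "medium",
     "introduced": date(2020, 1, 5), "detected": date(2020, 1, 12), "remediated": None},
    {"id": "F-4", "asset": "web-01", "severity": "critical",
     "introduced": date(2020, 2, 1), "detected": date(2020, 2, 3), "remediated": None},
]


def mean_time_to_detect(findings) -> float:
    """Average days between introduction and detection: exposure the scanning cadence missed."""
    return mean((f["detected"] - f["introduced"]).days for f in findings)


def mean_time_to_remediate(findings) -> float:
    """Average days from detection to fix, over closed findings only."""
    closed = [f for f in findings if f["remediated"] is not None]
    return mean((f["remediated"] - f["detected"]).days for f in closed)


def sla_compliance(findings, as_of: date) -> dict:
    """Per severity: (findings within SLA, total). Open findings are judged on their current
    age, so an unresolved critical older than its window counts as a breach, not as pending."""
    result = {}
    for f in findings:
        end = f["remediated"] or as_of
        age = (end - f["detected"]).days
        ok, total = result.get(f["severity"], (0, 0))
        result[f["severity"]] = (ok + (age <= SLA_DAYS[f["severity"]]), total + 1)
    return result


def open_by_severity(findings) -> dict:
    result = {}
    for f in findings:
        if f["remediated"] is None:
            result[f["severity"]] = result.get(f["severity"], 0) + 1
    return result


def remediation_rate(findings) -> float:
    """Share of all findings that have been closed (patch management efficiency)."""
    return sum(f["remediated"] is not None for f in findings) / len(findings)


def metrics_report(findings=FINDINGS, as_of=date(2020, 3, 5)) -> dict:
    return {
        "mean_time_to_detect_days": mean_time_to_detect(findings),
        "mean_time_to_remediate_days": mean_time_to_remediate(findings),
        "sla_compliance": sla_compliance(findings, as_of),
        "open_by_severity": open_by_severity(findings),
        "remediation_rate": remediation_rate(findings),
    }
```

Note what the numbers hide: a 50% remediation rate looks acceptable until the SLA view shows that the one open critical is already a month past its 7-day window. Reporting the per-severity SLA figure next to the averages is what turns the metric into something a manager can act on.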
Vulnerability Management Process
What is a Vulnerability Management Process?
The vulnerability management process defines the step-by-step actions involved in managing the vulnerabilities and risks posed to an organization or business. The process comprises five key elements, which all work together to efficiently measure and remediate vulnerabilities.
Network vulnerabilities are security gaps that attackers can exploit to damage network assets, trigger a denial of service, and/or steal sensitive information. Attackers advance alongside modern technologies, constantly looking for new vulnerabilities to exploit and taking advantage of old ones that were not dealt with appropriately and so went unpatched.
Having a vulnerability management process in place that regularly checks for, prioritizes, and patches the highest risk vulnerabilities is crucial for an organization in its bid to prevent cybersecurity breaches. Without a vulnerability management process identifying, testing and patching vulnerabilities, old security holes may be left on the network for long periods of time. This opens the door for attackers to exploit vulnerabilities and carry out their cyber attacks.
Vulnerability Management Program
What is a Vulnerability Management Program?
A vulnerability management program is used by organizations and businesses to correctly identify, manage and deal with any vulnerabilities in their networks. Any organization with assets connected to the internet should use a vulnerability management program.
Many industries now require a formal vulnerability management program for regulatory compliance. Attacks that result in data loss are often caused by breaches through unpatched vulnerabilities. If an organization has assets on its network that are not patched regularly (and most enterprises have thousands of them), a vulnerability management program is an essential part of its business processes.
What Benefits Does a Vulnerability Management Program Offer?
Modern networks are filled with known vulnerabilities, most of which go unpatched. Not all vulnerabilities are the same, nor should they all be treated the same, which is why an organization needs a vulnerability management program. The key benefits a vulnerability management program offers are:
- Ability to intelligently manage vulnerabilities in a network. Vulnerabilities come in different shapes and sizes, and they don't all carry the same risk. A vulnerability management program can allow an organization to prioritize the risk which the vulnerability poses and the appropriate remediation, apply the correct security patches, and use the company resources more effectively.
- Avoid fines and meet industry regulations. As mentioned previously, vulnerability management programs are becoming a requirement in many industries because of the harm unmanaged vulnerabilities pose to a company and its stakeholders. Implementing a program allows a company to remain compliant with industry regulations, and also provides the reports needed to demonstrate due diligence and avoid major fines for non-compliance.
Vulnerability Management Report
What is a Vulnerability Management Report?
A vulnerability management report gives an organization a view of its vulnerability management program. The report usually lists the discovered vulnerabilities, details the findings and mitigation recommendations, and tracks progress during remediation; it is especially useful for summarizing findings for management teams. It translates raw security data into a common language and a more understandable format for communicating the risks found back to the organization.
Information security professionals can not only use a vulnerability management report to gain an understanding of which assets contain vulnerabilities, exploits, or are missing crucial patches, but can also use it to plan remediation efforts. Security teams can use the report to determine which assets are still in need of additional attention and which vulnerabilities can now safely be deprioritized.
Are Vulnerability Management Reports Necessary?
A vulnerability in a network or organization is a gap in security that could be abused and exploited by malicious attackers. Such vulnerabilities can be used to steal sensitive information, hold vital data hostage for ransom, or damage an organization's public image.
Hackers are developing and getting smarter alongside technology advancements, and are constantly looking to exploit new vulnerabilities or find old ones which may have gone unpatched.
Many of the breaches exploited by hackers are the result of vulnerabilities that may be months or years old but were not appropriately dealt with. A vulnerability management report provides security teams with the necessary information to combat this. With the use of a report, the appropriate action can be taken when it is needed. The vulnerability details found in a report can be used to ensure that assets are patched accordingly and mitigate otherwise imminent danger to the organization.
What Details Are Included In A Vulnerability Management Report?
A vulnerability management report includes some necessary information about a vulnerability in order for it to be appropriately managed. These details are listed below:
- The vulnerability name (and its CVE identifier, where one has been assigned).
- The date the vulnerability was discovered.
- The vulnerability's CVSS score.
- An understandable explanation of the vulnerability.
- The asset(s) affected by the vulnerability.
- The methods to fix or mitigate the vulnerability.
- A proof of concept demonstrating the vulnerability.
Vulnerability Remediation Planning
Today’s vulnerability scanning products are not only numerous, but effective. Most, if not all, deliver a long list of vulnerabilities that inevitably grows with time. Even after eliminating unavoidable vulnerability false positives, the list of legitimate vulnerabilities requiring remediation attention is often daunting. Moreover, remediation is time-consuming, not to mention risky, as installing patches can result in planned and, more distressingly, unplanned downtime when the newly installed software breaks existing systems. The key, of course, is effective remediation planning and vulnerability prioritization, starting with the latter.
Optimally deploying always-limited, precious remediation resources is crucial to an effective vulnerability management operation, but doing so is easier said than done. With many enterprise networks hosting thousands, hundreds of thousands, or in some larger networks even millions of vulnerabilities, knowing which pose the greatest risk to the organization and which can wait used to be an art. The advent of modern artificial intelligence and machine learning is turning that art into a science: data science.
Using modern solutions like Delve, vulnerability management teams can now leverage an affordable software tool that delivers, with little or no human intervention, a meaningfully prioritized list of vulnerabilities from 1 to n, based not only on external factors, but more importantly, unique, internal characteristics of an individual enterprise’s network environment.
Anyone who's had orthopedic surgery or an injury that required physical therapy knows the first thing the physical therapist does is establish the initial parameters of the patient's condition before beginning. This facilitates measuring the patient's progress over time and the effectiveness of the therapy.
The same is true for vulnerability management on a given network. Some measure of the overall vulnerability risk of the network must be established so that progress (in the case of VM, risk reduction or increase) can be measured continuously. It is important that this metric not be too basic. The total number of vulnerabilities on the network, for example, is not indicative of the network's risk and can mask the progress the vulnerability management team is making, since closing one critical, internet-exposed vulnerability counts exactly the same as closing a low-severity one on an isolated host.
At Delve, we've developed a "Health Score" that establishes a baseline to measure against as remediation activities are completed. The Health Score rises as vulnerabilities are patched and falls as new vulnerabilities are discovered; it accounts for the progress of the vulnerability management team and for the risk contribution of individual vulnerabilities, rather than just their count.
Vulnerability Remediation Planning and The Four Critical Stages:
Most importantly, Delve provides a “Remediation Planning Scenario” tool that delivers comparative projected Health Scores based on different remediation plans. Users can build a remediation plan, and then view the Health Score for the organization that would result from the completion of that remediation plan. If the remediation plan would yield little or no increase in the organization’s Health Score, it can be re-worked to better deploy remediation resources. Conversely, the remediation plans that deliver a significant increase in Health Score can be implemented with confidence, knowing those resources have been wisely committed.
In summary, vulnerability remediation planning comprises four critical stages:
- Meaningful prioritization of all enterprise vulnerabilities.
- Establishment of a baseline risk score against which progress can be measured.
- A scenario planning capability so different remediation strategy trade-offs can be compared.
- Implementation of the optimal remediation plan.
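Added example (not code from the original page, and not Delve's Health Score algorithm) that walks through the first three stages with a constructed nine-vulnerability inventory and a deliberately simple risk weighting: CVSS base score, doubled for internet-facing assets and multiplied by 1.5 when a public exploit exists. It makes the point from the baseline discussion above explicit: the plan that closes the most vulnerabilities is not the plan that removes the most risk.

```python
# Constructed inventory for one small network. Field names and weights are illustrative.
VULNS = [
    {"id": "V-1", "asset": "web-01", "cvss": 9.8, "internet_facing": True,  "exploit_public": True},
    {"id": "V-2", "asset": "web-01", "cvss": 7.5, "internet_facing": True,  "exploit_public": False},
    {"id": "V-3", "asset": "db-01",  "cvss": 8.8, "internet_facing": False, "exploit_public": True},
    {"id": "V-4", "asset": "hr-01",  "cvss": 3.1, "internet_facing": False, "exploit_public": False},
    {"id": "V-5", "asset": "hr-01",  "cvss": 4.3, "internet_facing": False, "exploit_public": False},
    {"id": "V-6", "asset": "hr-02",  "cvss": 5.3, "internet_facing": False, "exploit_public": False},
    {"id": "V-7", "asset": "hr-02",  "cvss": 4.0, "internet_facing": False, "exploit_public": False},
    {"id": "V-8", "asset": "fs-01",  "cvss": 3.7, "internet_facing": False, "exploit_public": False},
    {"id": "V-9", "asset": "fs-01",  "cvss": 4.5, "internet_facing": False, "exploit_public": False},
]


def contextual_risk(v: dict) -> float:
    """Toy context weighting: base score, x2 if reachable from the internet, x1.5 if an exploit is public."""
    risk = v["cvss"]
    if v["internet_facing"]:
        risk *= 2.0
    if v["exploit_public"]:
        risk *= 1.5
    return risk


def prioritized(vulns) -> list:
    """Stage 1: every vulnerability ranked by contextual risk, highest first."""
    return [v["id"] for v in sorted(vulns, key=contextual_risk, reverse=True)]


def network_risk(vulns) -> float:
    """Stage 2: the baseline, one number for the whole network that can be tracked over time."""
    return round(sum(contextual_risk(v) for v in vulns), 1)


def project_plan(vulns, plan_ids) -> dict:
    """Stage 3: project open count and network risk once the vulnerabilities in plan_ids are fixed."""
    fixed = set(plan_ids)
    remaining = [v for v in vulns if v["id"] not in fixed]
    return {"open_count": len(remaining), "network_risk": network_risk(remaining)}


def compare_plans(vulns=VULNS) -> dict:
    baseline = {"open_count": len(vulns), "network_risk": network_risk(vulns)}
    plan_a = ["V-4", "V-5", "V-6", "V-7", "V-8", "V-9"]   # six easy patches on internal hosts
    plan_b = ["V-1", "V-3"]                                  # two harder, high-risk fixes
    return {
        "baseline": baseline,
        "plan_a_many_lows": project_plan(vulns, plan_a),
        "plan_b_two_criticals": project_plan(vulns, plan_b),
    }
```

Plan A takes the open count from 9 to 3 but leaves network risk at 57.6 of the 82.5 baseline; plan B closes only two items yet brings risk down to 39.9. A raw count would report plan A as the bigger win. Real risk models weigh more factors (asset criticality, compensating controls, exploit maturity), but any model that distinguishes vulnerabilities by context will expose the same gap between count and risk.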
What is Vulnerability Scanning?
In the most basic sense, vulnerability scanning is the process of making requests or queries to ports on network-connected machines (e.g. servers, laptops) and analyzing the responses. Asset "discovery," closely tied to scanning, probes machines for the services they might be running (e.g. an HTTP server or a SQL database) and the software versions behind them. Vulnerability scanning software must therefore include detailed knowledge of a wide range of protocols to test machines for vulnerabilities comprehensively.
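Added example (not code from the original page or from Delve's scanner) of the basic mechanic described above: connect to a port, read what the service volunteers, and match it against a fingerprint table. To stay self-contained it starts throwaway listeners on 127.0.0.1 that send constructed SSH and SMTP banners; the fingerprint patterns are a toy subset of what a real scanner carries.

```python
import re
import socket
import threading

# Toy fingerprint table: pattern on the first bytes a service sends -> service name.
# A capture group, where present, pulls out the version or hostname.
FINGERPRINTS = [
    (re.compile(r"^SSH-\d+\.\d+-(\S+)"), "ssh"),       # e.g. SSH-2.0-OpenSSH_7.4
    (re.compile(r"^220[ -](\S+)"), "smtp/ftp"),        # both greet with 220; ambiguous without more probing
    (re.compile(r"^\+OK"), "pop3"),
]


def identify(banner: str):
    """Map a banner to (service, version-or-host). Empty banner means the service waits for us to speak."""
    for pattern, service in FINGERPRINTS:
        m = pattern.match(banner)
        if m:
            return service, (m.group(1) if m.groups() else "")
    return ("unknown", "") if banner else ("no-banner", "")


def probe(host: str, port: int, timeout: float = 1.0) -> dict:
    """Connect to host:port, read whatever the service volunteers, and classify it."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                banner = s.recv(256).decode("ascii", errors="replace").strip()
            except socket.timeout:
                banner = ""   # open, but client-speaks-first protocols (HTTP, TLS) send nothing
    except OSError:           # refused, unreachable or timed out on connect
        return {"port": port, "state": "closed", "banner": "", "service": "", "version": ""}
    service, version = identify(banner)
    return {"port": port, "state": "open", "banner": banner, "service": service, "version": version}


def scan(host: str, ports) -> list:
    return [probe(host, p) for p in ports]


def serve_banner(banner: bytes) -> int:
    """Start a throwaway listener on 127.0.0.1 that greets each client with `banner`; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """Reserve and release a port so we have one that is (almost certainly) closed."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo() -> list:
    # Constructed banners; the version string is what a scanner would later match against CVE data.
    ssh_port = serve_banner(b"SSH-2.0-OpenSSH_7.4\r\n")
    smtp_port = serve_banner(b"220 mail.example.test ESMTP ready\r\n")
    return scan("127.0.0.1", [ssh_port, smtp_port, free_port()])
```

The banner-to-version step is where discovery hands off to vulnerability assessment: "OpenSSH_7.4" is the key a scanner looks up against its vulnerability feed. It is also the weak link, since banners can be suppressed or faked and backported fixes often leave the version string unchanged, which is why authenticated or agent-based checks are preferred where they are available.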
Delve’s vulnerability scanning software uses its machine learning engine to modify or improve automated scanning based on, for example, newly discovered machines or services on those machines, or newly identified vulnerabilities or exploits.
Delve's vulnerability scanning software also scans web applications for security vulnerabilities.