What is Vulnerability Management?

Table of contents

  1. What is a vulnerability?
  2. Why is vulnerability management required?
  3. What is the vulnerability management process?
  4. How are vulnerabilities detected?
  5. What is the vulnerability assessment process?
  6. Should vulnerabilities be publicly reported?
  7. Should I worry about my third-party vendors’ vulnerabilities?
  8. How UpGuard can help you identify high-risk vulnerabilities and request remediation

1. What is a vulnerability?

2. Why is vulnerability management required?

3. What is the vulnerability management process?

4. How are vulnerabilities detected?

  • Authenticated scans: Allow vulnerability scanners to access networked resources using remote administrative protocols like Secure Shell (SSH) or Remote Desktop Protocol (RDP), authenticating with provided system credentials. The benefit of authenticated scans is that they provide access to low-level data such as specific services, configuration details and accurate information about operating systems, installed software, configuration issues, access control, security controls and patch management.
  • Unauthenticated scans: Do not provide access to networked resources, which can result in false positives and unreliable information about operating systems and installed software. This type of scan is generally used by cyber attackers and IT security analysts to try to determine the security posture of externally facing assets and third-party vendors, and to find possible data leaks.

5. What is the vulnerability assessment process?

  1. Identify vulnerabilities: Analyze network scans, pen test results, firewall logs, and vulnerability scan results to find anomalies that suggest a cyber attack could take advantage of a vulnerability.
  2. Verify vulnerabilities: Decide whether the identified vulnerability could be exploited and classify the severity of the exploit to understand the level of security risk.
  3. Prioritize vulnerabilities: Assess which vulnerabilities will be mitigated or remediated first based on their wormability and other risks.
  4. Mitigate vulnerabilities: Decide on countermeasures and how to measure their effectiveness in the event that a patch is not available.
  5. Remediate vulnerabilities: Update affected software or hardware where possible.
  • Is the vulnerability a false positive?
  • Is this vulnerability exploitable from the Internet, or would an attacker need physical access?
  • How difficult is it to exploit this vulnerability?
  • Is there publicly available exploit code for this vulnerability?
  • What is the business impact if this vulnerability were exploited?
  • Is your organization employing a defense in depth strategy that reduces the likelihood and/or impact of this vulnerability being exploited?
  • How old is the vulnerability?
  • Does your organization have regulatory requirements like CCPA, FISMA, GLBA, PIPEDA or the NIST Cybersecurity Framework?
  • What is the average cost of a data breach in your industry?
  • Remediation: The vulnerability is patched and cannot be exploited.
  • Mitigation: The likelihood or impact that the vulnerability can be exploited is minimized.
  • Acceptance: No action is taken because the vulnerability is deemed low risk or the cost is substantially greater than the cost incurred by your organization if it were exploited.
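As an added example that is not part of the original article, the triage routine below applies the questions and outcomes above (false positive, Internet exposure, public exploit code, exploit difficulty, business impact, defense in depth, age) to a few constructed findings and returns them ordered by risk with a remediate / mitigate / accept decision. The `Finding` fields, the weights and the acceptance threshold are assumptions chosen for illustration, not a published scoring standard.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    """One verified vulnerability record (field set is an assumption)."""
    id: str
    false_positive: bool
    internet_exposed: bool
    public_exploit: bool
    exploit_difficulty: int      # 1 = trivial ... 5 = very hard
    business_impact: int         # 1 = negligible ... 5 = critical
    compensating_controls: bool  # defense in depth reduces likelihood/impact
    age_days: int
    patch_available: bool

def risk_score(f: Finding) -> int:
    """Additive score from the triage questions; weights are hypothetical."""
    if f.false_positive:
        return 0
    score = f.business_impact * 2
    score += 4 if f.internet_exposed else 1      # remote reach vs. physical access
    score += 3 if f.public_exploit else 0         # public exploit code raises likelihood
    score += 6 - f.exploit_difficulty             # easier exploitation scores higher
    score += min(f.age_days // 90, 3)             # old unpatched issues accumulate risk
    if f.compensating_controls:
        score -= 2                                # defense in depth lowers the score
    return max(score, 0)

def decide(f: Finding, accept_threshold: int = 6) -> str:
    """Map a finding to remediation, mitigation, acceptance, or closure."""
    if f.false_positive:
        return "close"
    if risk_score(f) <= accept_threshold:
        return "accept"          # low risk: no action, documented
    if f.patch_available:
        return "remediate"       # patch so it cannot be exploited
    return "mitigate"            # no patch: countermeasures, then re-measure

def triage(findings):
    """Return (id, score, decision) tuples, highest risk first."""
    rows = [(f.id, risk_score(f), decide(f)) for f in findings]
    return sorted(rows, key=lambda r: -r[1])

# Constructed sample findings for demonstration only.
SAMPLE_FINDINGS = [
    Finding("VULN-A", True,  True,  True,  1, 5, False, 30,  True),
    Finding("VULN-B", False, True,  True,  1, 5, False, 200, True),
    Finding("VULN-C", False, False, False, 5, 1, True,  10,  True),
    Finding("VULN-D", False, True,  True,  2, 4, True,  400, False),
]
```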

6. Should vulnerabilities be publicly reported?

  1. Immediate full disclosure: Some cybersecurity experts argue for immediate disclosure, including specific information about how to exploit the vulnerability. Supporters of immediate disclosure believe it leads to more secure software and faster patching, improving software security, application security, computer security, operating system security and information security.
  2. Limited to no disclosure: Others are against vulnerability disclosure because they believe the vulnerability will be exploited. Supporters of limited disclosure believe that limiting information to select groups reduces the risk of exploitation.

7. Should I worry about my third-party vendors’ vulnerabilities?

8. How UpGuard can help you identify high-risk vulnerabilities and request remediation

UpGuard

https://www.upguard.com — UpGuard combines third-party security ratings, vendor questionnaires, and threat intelligence in a single cyber risk solution.