What is Vulnerability Management?

According to Park Foreman in his book Vulnerability Management (Taylor & Francis Group, 2010, page 1), vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities. SANS Critical Security Control #4 outlines continuous vulnerability assessment and remediation as an integral part of risk and governance programs.

Vulnerability Management Processes

There are a few high-level processes that encompass vulnerability management: Discovery, Vulnerability Scan, Vulnerability Remediation, and Re-Scan.

Discovery

1. Compile a current list of systems and their owners.
2. Classify the systems/assets into logical groups. Groups can be based upon impact of compromise, impact of downtime and sensitivity of data.
3. Develop a policy which forces system owners to address vulnerabilities identified in the course of a security assessment. The policy should have clearly defined timelines for how long a system owner has to address a vulnerability on their systems, for example: extreme vulnerability category to be addressed within a five-day window, high category to be addressed in a two-week window and medium category within a month. Effective policy should cover the following*:
o Define the level of security that the company wants to maintain.
o Set guidelines for vulnerability management practices (from testing to remediation).
o Classify vulnerabilities by risk/threat and remediation effort.
o Determine how often scans will be performed and allocate remediation times.
o Define access control policy for all devices connected to company networks.
o Outline the consequences of noncompliance with vulnerability management policy.

Vulnerability Scan

Checklist before starting the vulnerability scan:
o Get permission from top management.
o Inform the system owners days before running the scan, and publish your phone number.
o Keep the target selection small, scanning only one subnet at a time.
o Only run a scan when you are in the office and by the phone.

Considerations for choosing a scanner tool:
o Product license.
o Flexibility of the product to handle the company's growth.
o Operability of the product, such as support for the Common Vulnerabilities and Exposures (CVE) standard for cataloguing vulnerabilities.
o Easy to compare results.

A vulnerability scan provides a quick, high-level view of some of the vulnerabilities. Besides this scan, it is important to supplement it with manual assessments such as Attack and Penetration assessment and Web Application assessment, because scanners do not have the ability to think as an attacker would.

Vulnerability Remediation**
o Remediation details.
o Vulnerability prioritisation.
o False positive removal.

Re-Scan**
o Verify vulnerabilities are remediated.
o Verify compensating control effectiveness.
o Verify remediation did not create new issues.
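The following is an added example, not code from the page or from any of the products it cites, tying together three of the steps above: the remediation timelines from the Discovery policy (extreme 5 days, high two weeks, medium one month), the prioritisation and false-positive removal of the Remediation step, and the "remediated / new issues" comparison of the Re-Scan step. The asset inventory, owners, hostnames, scanner plugin identifiers and dates are all constructed for the example, and the 90-day window for a "low" category is an assumption the page does not state.

```python
"""Remediation SLA tracker (example code, not from the page or any vendor).

Applies the page's example policy timelines to a constructed list of scan
findings, drops findings marked as false positives, orders the rest so that
overdue, high-impact items come first, and diffs a re-scan against the
original scan to show what was fixed and what is new.
"""

from dataclasses import dataclass
from datetime import date, timedelta

# Policy timelines from the page's example (days allowed to remediate).
# "low" is not given a window on the page; 90 days is an assumption here.
SLA_DAYS = {"extreme": 5, "high": 14, "medium": 30, "low": 90}

# Rank used for prioritisation (higher is more urgent).
SEVERITY_RANK = {"extreme": 3, "high": 2, "medium": 1, "low": 0}

# Constructed asset inventory from the Discovery step: host -> (owner, group).
# Groups follow the page's idea of classifying assets by impact of compromise.
ASSETS = {
    "db-01": ("dba-team", "high-impact"),
    "web-01": ("web-team", "high-impact"),
    "kiosk-07": ("facilities", "low-impact"),
}


@dataclass
class Finding:
    host: str
    plugin_id: str          # scanner's identifier for the check (constructed)
    severity: str           # extreme / high / medium / low
    first_seen: date
    false_positive: bool = False

    def due(self) -> date:
        """Last day the owner has to fix this finding under the policy."""
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])

    def days_overdue(self, today: date) -> int:
        """Positive once the window has passed; negative while still inside it."""
        return (today - self.due()).days


def prioritise(findings, today):
    """Open (non-false-positive) findings, most urgent first.

    Sort order: SLA already breached, then severity, then whether the host is
    in a high-impact group, then how many days overdue it is.
    """
    open_findings = [f for f in findings if not f.false_positive]

    def key(f):
        group = ASSETS.get(f.host, ("unknown-owner", "low-impact"))[1]
        impact = 1 if group == "high-impact" else 0
        overdue = f.days_overdue(today)
        return (overdue > 0, SEVERITY_RANK[f.severity], impact, overdue)

    return sorted(open_findings, key=key, reverse=True)


def overdue_report(findings, today):
    """Map each system owner to the findings that have breached their window."""
    report = {}
    for f in prioritise(findings, today):
        if f.days_overdue(today) > 0:
            owner = ASSETS.get(f.host, ("unknown-owner", "low-impact"))[0]
            report.setdefault(owner, []).append(
                (f.host, f.plugin_id, f.days_overdue(today)))
    return report


def rescan_diff(before, after):
    """Re-Scan step: which (host, plugin) pairs disappeared and which are new."""
    before_keys = {(f.host, f.plugin_id) for f in before}
    after_keys = {(f.host, f.plugin_id) for f in after}
    return {"remediated": sorted(before_keys - after_keys),
            "new": sorted(after_keys - before_keys)}


# Constructed sample data: a first scan, the date of review, and a re-scan.
TODAY = date(2024, 3, 20)
SAMPLE_FINDINGS = [
    Finding("db-01", "PLUGIN-1001", "extreme", date(2024, 3, 10)),
    Finding("web-01", "PLUGIN-2002", "high", date(2024, 3, 12)),
    Finding("kiosk-07", "PLUGIN-3003", "medium", date(2024, 2, 1)),
    Finding("web-01", "PLUGIN-4004", "extreme", date(2024, 3, 18), True),
    Finding("kiosk-07", "PLUGIN-5005", "high", date(2024, 3, 1)),
]
# After the owners fixed PLUGIN-1001 and PLUGIN-3003, the re-scan still sees
# the rest and reports one issue that was not there before.
RESCAN_FINDINGS = [
    Finding("web-01", "PLUGIN-2002", "high", date(2024, 3, 12)),
    Finding("web-01", "PLUGIN-4004", "extreme", date(2024, 3, 18), True),
    Finding("kiosk-07", "PLUGIN-5005", "high", date(2024, 3, 1)),
    Finding("db-01", "PLUGIN-6006", "medium", date(2024, 3, 20)),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE_FINDINGS, TODAY):
        print(f"{f.host:10} {f.plugin_id:12} {f.severity:8} "
              f"due {f.due()} ({f.days_overdue(TODAY):+d} days)")
    print(overdue_report(SAMPLE_FINDINGS, TODAY))
    print(rescan_diff(SAMPLE_FINDINGS, RESCAN_FINDINGS))
```

Running the script lists the findings in the order an owner should work them (breached extreme on the high-impact database server first), groups the breaches by owner so the consequences-of-noncompliance clause of the policy has something to act on, and shows the re-scan comparison separately so a fix that introduces a new finding is visible rather than hidden in an aggregate count.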

References
* Veracode's Vulnerability Management.
** SecureState's Vulnerability Management Program.