A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005). The main objective of a vulnerability management process is to detect and remediate vulnerabilities in a timely fashion (Qualys, 2008).
Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. Implemented alongside other security tactics, it is vital for organizations to prioritize possible threats and minimize their “attack surface.”
Vulnerabilities, in turn, are weaknesses that allow attackers to compromise a product and the data it holds. The process has to be performed continuously in order to keep up with new systems being added to networks, changes made to existing systems, and the discovery of new vulnerabilities over time. Unlike a one-off vulnerability assessment, vulnerability management is an ongoing cycle; Rapid 7 describes it as primarily comprising the following steps:
- Identifying vulnerabilities
- Evaluating vulnerabilities
- Treating vulnerabilities
- Reporting vulnerabilities
Every company has its own set of processes and practices for vulnerability management. In a similar fashion, SANS describes the vulnerability management process with the following steps:
- Vulnerability scan
- Define remediating actions
- Implement remediating actions
Even though the steps described by Rapid 7 and SANS differ, the motive behind vulnerability management is the same. In this instance, the breakdown offered by Rapid 7 is easier to understand and manage. The stages are described briefly below:
Step 1: Identifying Vulnerabilities
A vulnerability scan usually consists of four stages: discovering network-accessible systems, identifying open ports and the services listening on them, logging in remotely where credentials are available (an authenticated scan) to gather detailed information such as installed packages and their versions, and finally correlating what was found with a database of known vulnerabilities. Authenticated scans find far more than unauthenticated ones, because version information read from the host is more reliable than banner grabbing from the network.
Properly configuring the scan is an essential part of a vulnerability management program. Vulnerability scanners can sometimes disrupt the networks and systems that they scan, so if available network bandwidth becomes very limited during an organization’s peak hours, vulnerability scans should be scheduled to run during off hours.
Step 2: Evaluating Vulnerabilities
After vulnerabilities are identified, they need to be evaluated to understand the risks they pose, so that they are dealt with appropriately and in accordance with the organization’s risk management strategy. Vulnerability management solutions provide different risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. A CVSS base score measures the severity of a vulnerability in isolation, not the risk to a particular organization; prioritization should also take into account whether the affected host is internet-facing, whether a public exploit exists, and how critical the asset is.
Like any security tool, vulnerability scanners aren’t perfect. Their false positive rates, while low, are still greater than zero, so findings should be validated before large remediation efforts are launched. The results of vulnerability validation exercises or full-blown penetration tests can often be an eye-opening experience for organizations that thought they were secure enough or that a vulnerability wasn’t that risky.
Step 3: Treating Vulnerabilities
Now that the vulnerabilities have been identified and evaluated, the next step is to eliminate them from the system before they can be exploited to damage the organization’s data.
The treatment options are remediation, mitigation and acceptance. Remediation means fully fixing the vulnerability, typically by patching or upgrading the affected software, so that the loophole can no longer be exploited. Mitigation means reducing the likelihood or impact of the vulnerability being exploited (for example, by restricting network access to the affected service or disabling the vulnerable feature) when a fix is not yet available or cannot be applied immediately. Finally, acceptance means taking no action to fix or reduce the likelihood of the vulnerability being exploited. This is typically justified when a vulnerability is deemed a low risk and the cost of fixing it is substantially greater than the cost the organization would incur if it were exploited; the decision should be recorded and revisited when the risk changes.
Step 4: Reporting Vulnerabilities
Performing regular and continuous vulnerability assessments enables organizations to understand the speed and efficiency of their vulnerability management program over time. Vulnerability management solutions typically have different options for exporting and visualizing vulnerability scan data with a variety of customizable reports and dashboards.
This not only helps IT teams easily understand which remediation techniques will fix the most vulnerabilities with the least amount of effort, and helps security teams monitor vulnerability trends over time in different parts of their network, but it also helps support organizations’
Without vulnerability management in place, the management of an organization is blind to attacks related to the security of its IT infrastructure. Implementing a vulnerability management cycle is all about managing risks and external threats. With a well-defined process in place, an organization gains a continuous view of the risks associated with the security vulnerabilities present in its IT systems. This allows management to make well-informed decisions about the remediating actions that could be implemented to minimize the impact of cyber threats.