The Center for Internet Security (CIS) develops standards, tools, and benchmarks for the information security field. Continuous vulnerability management is one of the CIS Controls and an integral part of cybersecurity and network security. Organizations are expected to regularly collect and evaluate information about vulnerabilities and to act promptly to remove or minimize the "opportunities" they give criminals. The rapid growth of cybercrime forces organizations to pay more attention to information security, and vulnerability management should be part of the overall information risk management strategy.
A vulnerability is a flaw in an organization's information system that a cybercriminal can use to gain access and perform unauthorized actions: executing code, reading system memory, installing malware, or stealing, destroying, or altering corporate data.
Computer worms are among the most dangerous threats to system security. A worm is malicious software that self-replicates, infects other computers, and remains active on the systems it has infected. Vulnerabilities in network protocols and operating systems, as well as backdoors, are often exploited to spread such software.
Vulnerability management is the process of identifying, assessing, prioritizing, remediating (eliminating a vulnerability, preventing its exploitation, or reducing the impact and scale of an attack), and reporting on security vulnerabilities in web applications, mobile devices, and software. It gives organizations up-to-date data on the state of the IT environment, the vulnerabilities present in it, and the risks associated with them. Vulnerabilities cannot be ignored: the only reliable way to reduce the risk of a cyberattack is to identify every vulnerability and deal with each one.
The vulnerability management process is a cycle of identifying, classifying, fixing, and mitigating security vulnerabilities. Vulnerability discovery, assessment, and reporting are the key elements of the program.
Vulnerability detection is performed with a scanner: software that examines computers, networks, and applications for known vulnerabilities. A scan finds vulnerabilities caused by misconfiguration and by flaws in network-facing software, and can be run with or without authentication.
Authenticated scanning gives the scanner access to low-level data: specific services, configuration details, exact information about operating systems and installed software, configuration issues, access controls, security controls, and patch status. Unauthenticated scanning has no access to the host's internal resources, so it must infer operating systems and installed software from what is visible over the network, which can produce inaccurate results.
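The difference above, as an added example written for this page (not code from the original article or from any scanner product). The banner, package record, and advisory are constructed; the advisory is hypothetical and does not refer to a real CVE. It shows the classic false positive: a distribution backports a security fix without changing the upstream version string the service advertises, so a banner-only (unauthenticated) check flags the host while an authenticated check of the installed package version clears it.

```python
"""Added example for this page: banner-only (unauthenticated) versus
package-level (authenticated) version checks. All data below is constructed;
the advisory is hypothetical and is not a real CVE."""
import re

# What an unauthenticated scanner sees: only the service banner (constructed).
SSH_BANNER = "SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5"

# What an authenticated scanner can read on the host, e.g. from `dpkg -l`
# (constructed record).
INSTALLED_PACKAGE = {"name": "openssh-server", "version": "1:8.2p1-4ubuntu0.5"}

# Hypothetical advisory: fixed upstream in 8.4, and backported by the
# distribution into package revision 1:8.2p1-4ubuntu0.3 without changing the
# upstream version that the banner advertises.
ADVISORY = {
    "id": "HYPOTHETICAL-0001",
    "fixed_upstream": (8, 4),
    "fixed_package": {"openssh-server": "1:8.2p1-4ubuntu0.3"},
}


def upstream_version_from_banner(banner: str) -> tuple:
    """Extract the upstream (major, minor) from an OpenSSH banner."""
    m = re.search(r"OpenSSH_(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("not an OpenSSH banner: %r" % banner)
    return int(m.group(1)), int(m.group(2))


def unauthenticated_verdict(banner: str, advisory: dict) -> bool:
    """True = reported vulnerable. Only the advertised upstream version is known."""
    return upstream_version_from_banner(banner) < advisory["fixed_upstream"]


def _tokens(part: str) -> list:
    """Split '4ubuntu0.5' into comparable tokens: digit runs compare numerically,
    other runs lexically (a simplification of dpkg's ordering rules)."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"\d+|[^\d]+", part)]


def debian_version_key(version: str) -> tuple:
    """Comparable key for a Debian package version 'epoch:upstream-revision'."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    upstream, _, revision = version.rpartition("-")
    if not upstream:  # no revision part at all
        upstream, revision = revision, "0"
    return (epoch, _tokens(upstream), _tokens(revision))


def authenticated_verdict(package: dict, advisory: dict) -> bool:
    """True = vulnerable. Compares the installed package revision with the
    revision the advisory names as fixed, so backported fixes are recognised."""
    fixed = advisory["fixed_package"].get(package["name"])
    if fixed is None:
        return False  # advisory does not cover this package
    return debian_version_key(package["version"]) < debian_version_key(fixed)


def compare_scans() -> dict:
    """Run both checks against the constructed host data."""
    return {
        "unauthenticated": unauthenticated_verdict(SSH_BANNER, ADVISORY),
        "authenticated": authenticated_verdict(INSTALLED_PACKAGE, ADVISORY),
    }


if __name__ == "__main__":
    for mode, vulnerable in compare_scans().items():
        print(f"{mode:>15}: {'VULNERABLE' if vulnerable else 'not affected'}")
```

Reading the installed package version is what the authenticated scan buys you. When an unauthenticated scan reports a finding on a host you cannot reach with credentials, confirm it during the verification step before it enters the prioritized list.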
Because scanners can make mistakes and miss vulnerabilities, penetration testing (testing of information systems to find vulnerabilities, performed with automated tools or manually) should also be used. The testing process involves collecting information, identifying possible attack vectors, attempting to exploit them, and drawing conclusions. Testing can also be used to check local security controls, compliance with security policies, employee susceptibility to social engineering attacks, and incident response procedures.
The vulnerability assessment process includes 5 steps:
- Vulnerability detection (analysis of network scans, penetration test results, firewall logs, etc.);
- Vulnerability verification (determining whether a vulnerability can actually be exploited and how severe it is, in order to establish the security risk level);
- Prioritization of vulnerabilities (ranking them by risk and deciding the order in which they will be addressed);
- Remediation planning (defining the plan and the measures for addressing each vulnerability, and how their effectiveness will be checked);
- Elimination of vulnerabilities (removing or correcting them so that cybercriminals cannot exploit them).
The vulnerability remediation phase offers several options:
- correction – complete elimination of the vulnerability so that it can no longer be exploited;
- mitigation – reducing the likelihood or the consequences of exploitation without removing the vulnerability itself;
- acceptance – taking no action, because the risk is low or because the cost of fixing the vulnerability significantly exceeds the expected loss from its exploitation.
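The five assessment steps and the three remediation options above, as one added worked example written for this page (not code from the original article): a small triage routine over constructed findings. The findings, the weights, thresholds and SLA bands, and the cost and loss figures are hypothetical policy values. The point it demonstrates is that prioritization uses context (exposure, exploit availability, asset criticality) rather than the scanner's CVSS score alone, that unverified findings drop out before they are ranked, and that the correction, mitigation, or acceptance decision is recorded together with its reason.

```python
"""Added example for this page: triage of constructed vulnerability findings
through verification, prioritization, planning and the remediation decision.
Every number and threshold below is a hypothetical policy value."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Finding:
    id: str                     # hypothetical ticket id, not a CVE
    asset: str
    title: str
    cvss: float                 # base score reported by the scanner (0-10)
    internet_facing: bool
    exploit_public: bool
    criticality: int            # asset criticality from inventory: 1 low .. 3 critical
    verified: bool              # step 2: confirmed exploitable, not a false positive
    patch_available: bool
    mitigation: Optional[str]   # compensating control if no patch exists
    fix_cost: float             # estimated cost to fix (constructed currency units)
    expected_loss: float        # estimated loss if exploited (same units)


# Hypothetical policy values.
CRITICALITY_WEIGHT = {1: 0.6, 2: 1.0, 3: 1.3}
EXPOSURE_FACTOR = 1.5   # applied when reachable from the internet
EXPLOIT_FACTOR = 1.5    # applied when a public exploit exists
ACCEPT_BELOW = 3.0      # risk score under which acceptance is allowed
SLA_DAYS = [(15.0, "P1", 7), (9.0, "P2", 30), (4.0, "P3", 90), (0.0, "P4", 180)]
AS_OF = date(2024, 1, 1)  # fixed planning date so the output is reproducible

# Constructed findings (hypothetical assets and issues).
FINDINGS = [
    Finding("F-1", "web-01", "outdated web framework, remote code execution",
            9.8, True, True, 3, True, True, None, 2000, 500000),
    Finding("F-2", "db-02", "database listener reachable from all internal subnets, weak auth",
            7.5, False, False, 3, True, False,
            "restrict the listener to the application subnet and rotate credentials",
            800, 200000),
    Finding("F-3", "kiosk-07", "information disclosure in a local-only service",
            4.3, False, False, 1, True, True, None, 5000, 500),
    Finding("F-4", "web-01", "TLS library flagged from version banner only",
            7.4, True, False, 3, False, True, None, 300, 100000),
    Finding("F-5", "hr-legacy", "end-of-life application server, public exploit",
            8.1, False, True, 2, True, False,
            "segment the host and add a virtual patch on the reverse proxy",
            1500, 150000),
]


def risk_score(f: Finding) -> float:
    """Step 3: rank by context, not by CVSS alone. Unverified findings score 0."""
    if not f.verified:
        return 0.0
    score = f.cvss * CRITICALITY_WEIGHT[f.criticality]
    if f.internet_facing:
        score *= EXPOSURE_FACTOR
    if f.exploit_public:
        score *= EXPLOIT_FACTOR
    return round(score, 2)


def priority(score: float) -> tuple:
    """Map a risk score to a priority band and its remediation deadline in days."""
    for floor, label, days in SLA_DAYS:
        if score >= floor:
            return label, days
    return "P4", 180


def decide(f: Finding, score: float) -> tuple:
    """Steps 4 and 5: choose correction, mitigation or acceptance, with a reason."""
    if not f.verified:
        return "closed", "not reproducible during verification; scanner false positive"
    if score < ACCEPT_BELOW or f.fix_cost > f.expected_loss:
        return "acceptance", (f"risk {score}, fix cost {f.fix_cost:.0f} vs expected loss "
                              f"{f.expected_loss:.0f}; needs risk-owner sign-off and a review date")
    if f.patch_available:
        return "correction", "apply the vendor fix and rescan to confirm"
    if f.mitigation:
        return "mitigation", f.mitigation
    return "escalate", "no fix or compensating control identified; risk owner must decide"


def build_plan(findings, as_of: date) -> list:
    """Produce the ordered remediation plan: highest risk first."""
    plan = []
    for f in sorted(findings, key=risk_score, reverse=True):
        score = risk_score(f)
        label, days = priority(score)
        action, reason = decide(f, score)
        open_item = action not in ("closed", "acceptance")
        plan.append({"id": f.id, "asset": f.asset, "score": score, "priority": label,
                     "due": (as_of + timedelta(days=days)).isoformat() if open_item else None,
                     "action": action, "reason": reason})
    return plan


def example_plan() -> list:
    return build_plan(FINDINGS, AS_OF)


if __name__ == "__main__":
    for item in example_plan():
        print(f"{item['id']} {item['asset']:<10} {item['score']:>6} {item['priority']} "
              f"{item['due'] or '-':<10} {item['action']:<11} {item['reason']}")
```

Note how F-3 ends up accepted on two independent grounds (low contextual risk and a fix that costs more than the loss it prevents), while F-5 outranks F-2 despite the lower CVSS because a public exploit exists; both are the kind of judgement the verification and prioritization steps are meant to capture, and an accepted item still carries a reason and needs a review date rather than silently disappearing from the list.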