What are the Key Elements in Vulnerability Management?


While every organization takes a slightly different approach to the vulnerability management process, it largely revolves around three main elements or phases. Skipping any of these will render your entire process incomplete and ineffective. 

1. Identifying vulnerabilities: This step usually involves a vulnerability scanner that discovers the systems on a network and probes each one for attributes such as operating system, open ports, installed software and file system structure. That information is then correlated with known vulnerabilities to identify which scanned systems are affected. The results are presented as reports, metrics and/or dashboards.

2. Evaluating vulnerabilities: Once vulnerabilities have been identified, the next step is to evaluate them, assigning risk ratings and scores that determine the priority each vulnerability deserves. Questions worth considering while evaluating each vulnerability include:

  • Is the vulnerability a true or false positive? 
  • Could the vulnerability be directly exploited from the internet? 
  • How difficult or easy would it be to exploit the vulnerability? 
  • What would be the potential impact on the organization if the vulnerability is exploited? 
  • Do any security controls already exist that prevent the vulnerability from being exploited?
  • For how long has the vulnerability existed on the network? 

3. Treating vulnerabilities: Once a vulnerability has been evaluated and validated, an organization must decide, together with the relevant stakeholders, how to treat it. The ways to treat vulnerabilities include:

  • Remediation: Deemed as the ideal treatment of a vulnerability, remediation involves fully fixing or patching the vulnerability so that it can’t be exploited. 
  • Mitigation: Organizations can opt for mitigation when a proper fix or patch isn’t yet available for the vulnerability. This method will reduce the likelihood and/or impact of a vulnerability being exploited, buying an organization time to eventually remediate the vulnerability. 
  • Acceptance: Organizations can also decide neither to fix the vulnerability nor reduce its likelihood/impact. This is justified when the vulnerability is considered low risk and the cost of fixing it is greater than the potential cost the organization would incur upon its exploitation. You must know the requirements in cyber insurance policies, contracts and regulations before deciding to leave a vulnerability unfixed. 
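The three phases above can be worked through end to end on a small, constructed data set. The following is an added example written for this post, not code from VulScan or from the post's author: it correlates installed software versions with a vulnerability catalogue (identify), turns the six evaluation questions into a numeric priority (evaluate), and proposes remediation, mitigation or acceptance for stakeholder review (treat). The hosts, the `VULN-EXAMPLE-*` identifiers, the version numbers, the score weights and the acceptance threshold are all placeholders chosen for illustration, not real products, CVEs or an industry scoring standard.

```python
"""Worked example of identify -> evaluate -> treat on constructed data.

Hosts, catalogue entries, identifiers and weights are all made up for this
example; they are not real CVEs, products or a standard scoring scheme.
"""
from dataclasses import dataclass, field
from datetime import date

TODAY = date(2024, 3, 1)  # fixed "scan date" so the example is reproducible
LEVEL = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Host:
    name: str
    internet_facing: bool
    software: dict                          # package name -> installed version
    controls: set = field(default_factory=set)  # compensating controls in place


@dataclass
class KnownVuln:
    vuln_id: str            # placeholder id, not a real CVE
    package: str
    affected_below: str     # versions strictly below this are affected
    exploit_difficulty: str  # "low" | "medium" | "high"
    impact: str             # "low" | "medium" | "high"
    blocked_by: set         # controls that prevent exploitation
    fix_available: bool


@dataclass
class Finding:
    host: Host
    vuln: KnownVuln
    first_seen: date
    false_positive: bool = False  # set by an analyst after validation


def version_tuple(v: str) -> tuple:
    """'2.3.9' -> (2, 3, 9) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))


# 1. Identify: correlate scanned software inventory with the vulnerability catalogue.
def identify(hosts, catalogue, today):
    findings = []
    for host in hosts:
        for vuln in catalogue:
            installed = host.software.get(vuln.package)
            if installed and version_tuple(installed) < version_tuple(vuln.affected_below):
                findings.append(Finding(host, vuln, today))
    return findings


# 2. Evaluate: turn the post's six questions into a priority score.
def evaluate(finding, today):
    if finding.false_positive:                        # Q1: true or false positive?
        return 0
    v, h = finding.vuln, finding.host
    score = LEVEL[v.impact] * 10                      # Q4: potential impact
    score += (4 - LEVEL[v.exploit_difficulty]) * 5    # Q3: ease of exploitation
    if h.internet_facing:                             # Q2: reachable from the internet?
        score += 20
    if v.blocked_by & h.controls:                     # Q5: existing controls halve the score
        score //= 2
    age_days = (today - finding.first_seen).days      # Q6: how long has it existed?
    score += min(age_days // 30, 6) * 2               # +2 per month outstanding, capped
    return score


# 3. Treat: recommend a treatment; stakeholders make the final decision.
def treat(finding, score, accept_threshold=20):
    if score == 0:
        return "close (false positive)"
    if score < accept_threshold:
        return "acceptance candidate (check insurance, contracts, regulations)"
    if finding.vuln.fix_available:
        return "remediation"
    return "mitigation"


# Constructed sample data (placeholders only).
CATALOGUE = [
    KnownVuln("VULN-EXAMPLE-1", "webserver", "2.4.0", "low", "high", {"waf"}, True),
    KnownVuln("VULN-EXAMPLE-2", "dbserver", "10.2.0", "high", "medium", set(), False),
    KnownVuln("VULN-EXAMPLE-3", "agent", "1.1.0", "high", "low", set(), True),
]
HOSTS = [
    Host("edge-web-01", True, {"webserver": "2.3.9"}),
    Host("edge-web-02", True, {"webserver": "2.3.9"}, {"waf"}),
    Host("db-01", False, {"dbserver": "10.1.5", "agent": "1.0.3"}),
]


def run(today):
    """Return (host, vuln_id, score, treatment) rows, highest priority first."""
    rows = []
    for f in identify(HOSTS, CATALOGUE, today):
        score = evaluate(f, today)
        rows.append((f.host.name, f.vuln.vuln_id, score, treat(f, score)))
    rows.sort(key=lambda r: r[2], reverse=True)
    return rows


if __name__ == "__main__":
    for row in run(TODAY):
        print(row)
```

Two design points are worth noting. A compensating control (here the `waf` on `edge-web-02`) lowers the score rather than removing the finding, so the vulnerability stays visible in reports until it is remediated; and the age term grows for as long as a finding is left outstanding, so an accepted or mitigated item is periodically pushed back up the list for review instead of silently ageing out.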

VulScan delivers all the features you need for both internal and external vulnerability management, and even includes an optional portable scanner that you can tote from one location to another for ad hoc scans without consuming additional licenses.   
