Vulnerability management
"Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities." This practice generally refers to software vulnerabilities in computing systems.
Vulnerability Management Programs
While program definitions vary in the industry, Gartner, a prominent IT analyst company, defines six steps for vulnerability management programs:
- Define Policy - Organizations must start out by determining what the desired security state for their environment is. This includes determining desired device and service configurations and access control rules for users accessing resources.
- Baseline the Environment - Once a policy has been defined, the organization must assess the true security state of the environment and determine where instances of policy violations are occurring.
- Prioritize Vulnerabilities - Instances of policy violations are vulnerabilities. These vulnerabilities are then prioritized using risk- and effort-based criteria.
- Shield - In the short term, the organization can take steps to minimize the damage that could be caused by the vulnerability by creating compensating controls.
- Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done by patching vulnerable services, changing vulnerable configurations or updating applications to remove vulnerable code.
- Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, as do security policy requirements. In addition, new security vulnerabilities are constantly being identified. For this reason, vulnerability management is an ongoing process rather than a point-in-time event.
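The six steps above worked through as an added Python example (not from the article or from Gartner): a policy of desired configuration settings is baselined against a constructed host inventory, each violation is ranked by risk against remediation effort to decide between shielding and straight mitigation, and a rescan reports what changed. The hosts, settings and 1-10 weights are all constructed for illustration.

```python
from collections import namedtuple
# Step 1, Define Policy: desired value per setting, the risk weight (1-10) of a
# violation and the effort (1-10) to fix it. All values here are constructed.
POLICY = {
    ("sshd", "PermitRootLogin"): ("no", 8, 2),
    ("sshd", "PasswordAuthentication"): ("no", 6, 4),
    ("tls", "MinVersion"): ("1.2", 7, 5),
    ("smb", "SigningRequired"): ("yes", 5, 3),
}
# Constructed inventory: settings observed on each host, as a scanner would report.
INVENTORY = {
    "web01": {"internet_facing": True, "settings": {
        ("sshd", "PermitRootLogin"): "yes", ("tls", "MinVersion"): "1.0"}},
    "file02": {"internet_facing": False, "settings": {
        ("smb", "SigningRequired"): "no", ("sshd", "PasswordAuthentication"): "no"}},
}
Finding = namedtuple("Finding", "host service setting actual expected risk effort internet_facing")

def priority(f):
    """Risk per unit of remediation effort; internet exposure doubles the risk weight."""
    return f.risk * (2.0 if f.internet_facing else 1.0) / f.effort

def baseline(inventory):
    """Step 2, Baseline: every observed setting that differs from POLICY is a policy violation (a vulnerability)."""
    findings = []
    for host, info in inventory.items():
        for (svc, key), (want, risk, effort) in POLICY.items():
            got = info["settings"].get((svc, key))
            if got is not None and got != want:
                findings.append(Finding(host, svc, key, got, want, risk, effort,
                                        info["internet_facing"]))
    return findings

def prioritize(findings):
    """Step 3, Prioritize: highest risk per unit of effort first."""
    return sorted(findings, key=priority, reverse=True)

def plan(findings, shield_threshold=3.0):
    """Steps 4-5: urgent items get a compensating control (shield) while the root
    cause is fixed; everything else is queued for mitigation alone."""
    return [(f.host, f.service, f.setting, "shield now, then mitigate"
             if priority(f) >= shield_threshold else "schedule mitigation")
            for f in prioritize(findings)]

def rescan_delta(before, after):
    """Step 6, Maintain and Monitor: re-baseline after changes; report closed and new violations."""
    key = lambda f: (f.host, f.service, f.setting)
    old, new = {key(f) for f in before}, {key(f) for f in after}
    return {"closed": sorted(old - new), "new": sorted(new - old)}
```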
Vulnerability Management for Applications Versus Hosts and Infrastructure
Host and infrastructure vulnerabilities can often be addressed by applying patches or changing configuration settings. Custom software or application-based vulnerabilities often require additional software development to mitigate fully. Technologies such as web application firewalls can be used in the short term to shield systems, but to address the root cause, changes must be made to the underlying software.
Managing Known Vulnerabilities Versus Unknown Vulnerabilities
Typical tools used for identifying and classifying known vulnerabilities are vulnerability scanners. These tools look for vulnerabilities that are known and reported by the security community, and which have typically already been fixed by the relevant vendors with patches and security updates.
Zero-day vulnerabilities are problems that vulnerability scanners cannot detect and for which no patches or updates are yet available from vendors. An unknown vulnerability management process augments known vulnerability management by introducing tools and techniques such as network analyzers for mapping the attack surface and fuzzers for finding zero-day vulnerabilities.
See also
- Full disclosure
- IT risk
- Penetration testing
- Vulnerability (computing)
- Zero-day attack
External links
- http://denimgroup.typepad.com/denim_group/2009/03/owasp-minneapolis-st-paul-slide-deck-and-video-online.html
- Q&A on vulnerability management with QualysGuard product manager Eric Perraudeau
- Webcasts on Unknown (Zero-Day) Vulnerability Management Process