Vulnerability Management is the cornerstone of information security programs. Cybersecurity practitioners leverage vulnerability management programs to identify, classify, prioritize, remediate, and mitigate vulnerabilities most often found in software and networks. Vulnerability assessments, while not mutually exclusive with vulnerability management, are generally part of a vulnerability management program in order to identify, quantify, and prioritize vulnerabilities in a system. An assessment finds vulnerabilities, how many there are, and then decides in what order they should be fixed. The management program classifies the vulnerabilities, dictates the remediation plan, and enforces the mitigation strategy.

What is Vulnerability?

Vulnerabilities can take many shapes. Most often, vulnerabilities in systems are represented by open ports, poorly written code, unpatched applications, and dependencies on insecure libraries. Vulnerabilities are a constant in information security and nearly every system will eventually have one. It isn’t necessarily a vulnerability that is the problem in information security. If there were no one attacking a system, it wouldn’t matter if it wasn’t patched or had open ports. The threat introduced by vulnerabilities comes down to the fact that there are those that want to exploit the system and use vulnerabilities as the path to entry.

The Vulnerability Management Program Examined

An organization looking to adopt or enhance its vulnerability management program thankfully has a blueprint in which to draw inspiration from. Most programs outline vulnerability management with several key pillars:

Identify – Vulnerabilities present in the network, servers, operating systems, databases, applications, websites, and cloud. Identification is critical for an organization to know what vulnerabilities are a potential threat.

Classify – Organize detected vulnerabilities into groups for classification. The ability to classify vulnerabilities helps with the remaining pillars by making prioritization, remediation, and mitigation easier.

Prioritize – Rank vulnerabilities by severity and prioritize actions. The criticality of a vulnerability should dictate how quickly it is remediated.

Remediate – Take action to fix the vulnerability by closing ports, patching software, or through a detailed process exception. Most organizations remediate vulnerabilities once the risk is understood and a priority is assigned.

Mitigate – Implement preventative controls to prevent the same vulnerability or type of vulnerability from happening again. Examples of mitigating controls include threat intelligence feeds, entity behavior analytics, and intrusion detection with prevention. The ultimate goal is to reduce the attack surface of systems.

Common Vulnerabilities and Exposures (CVE) are the canaries in the coal mine for Vulnerability Management programs. CVE’s reported by a variety of systems will give important information on how to address and remediate the detected vulnerability. There are several great vulnerability scanners that aid in all aspects of the lifecycle, especially with the identification of vulnerability data. Many looks at vulnerability management in the same way that they see the Software Development Lifecycle (SDLC) and risk management. Just because you are able to identify, classify, prioritize, remediate, and mitigate a vulnerability once does not mean that the process is complete. As with the SDLC, there will always be something to patch or fix. True protection comes from the continuous lifecycle management of vulnerabilities.

Vulnerability Assessments

Vulnerability assessments are great for identifying, quantifying, and prioritizing vulnerabilities. The assessment is typically the tip of the spear before a full-blown program is implemented. Often, an assessment will lead to the allocation of funds for a vulnerability management program because of the severity of the items found. Vulnerability assessments should be conducted on an ongoing basis with most organizations opting for a quarterly or yearly assessment.

Penetration Testing

Penetration testing is another key to vulnerability management and is a critical component in an organization’s arsenal to prevent data breaches. A penetration test will often dictate where remediation efforts will be spent. Penetration testing also called pen testing or ethical hacking is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. Penetration testing can be automated with software applications or performed manually. Either way, the process involves gathering information about the target before the test, identifying possible entry points, attempting to break in — either virtually or for real — and reporting back the findings.

A risk assessment is often performed after a penetration test to help prioritize where mitigation efforts need to be spent. Penetration testing is often conducted on a quarterly basis but can occur yearly based on the size of the organization of the criticality of the application being tested.

Vulnerability management is an important part of an overall cybersecurity program. Vulnerability management should not be mistaken as the same thing as vulnerability assessments or penetration testing. Instead, assessments and penetration testing should be looked at as crucial parts of an overall information security program. Vulnerability management is ultimately all about managing vulnerabilities. There are several critical supporting systems to make a vulnerability management program successful like patch management, asset management, and network security. With support from the business and security leadership, a successful vulnerability management program continuously reduces information security risk within the environment and aligns with the business strategies.