I recently started a nanodegree in "Ethical Hacking" at Udacity. At the same time, I decided it would be a good time to start writing my dev blog, so to keep myself accountable and motivated to finish this online course and delve into blogging, I decided to log my progress on a (bi-)weekly basis.
This first post is about vulnerability management. A common framing in cybersecurity is that an attacker needs three enablers to compromise a system:
- Vulnerability - a weakness in the system
- Advantage - a means of taking advantage of that weakness, i.e. an exploit (usually a piece of code or malware)
- Interface - a physical or digital attack surface through which the attacker can reach the vulnerable component
Since new weaknesses, and the exploits that take advantage of them, are hard to predict, a central aim of information security is to keep the attack surface as small as possible, and a vulnerability management program is the main tool for doing so.
Vulnerability management is a continuous cybersecurity process of identifying, assessing, fixing and reporting vulnerabilities in software and networks. Its basic goal is to prevent a security breach.
Because new vulnerabilities keep appearing, vulnerability management has to be a fundamental part of the software delivery lifecycle: not a one-off gate before release, but a proactive, ongoing activity integrated into the release process.
The main stages of vulnerability management are discovery, scanning, prioritisation and remediation:
The objective of the discovery step is to identify the assets that require continuous vulnerability scanning; after all, in order to protect a system you need to know its building blocks. This includes local and remote (public or private cloud) hosts, networks, and containerised and virtual infrastructure. Discovery needs to run continuously so that newly added assets are picked up automatically, and the resulting inventory should record each asset's interfaces, since those define its attack surface.
The identified assets are then scanned and tested on a regular schedule to detect and log new and existing vulnerabilities, so that remediation or risk-mitigation actions can be taken.
It is not only important to detect vulnerabilities but also to categorise them by the risk they pose to the system. A risk profile is established using a severity rating scale, such as the CVSS qualitative scale whose top band is CRITICAL. Moreover, business context and the time and resources needed to repair each vulnerability may raise or lower the effective criticality of particular assets, which allows informed decisions about when and how to proceed.
Vulnerabilities may be resolved or mitigated; ideally the former. An action plan is documented at this stage: if it is not currently possible to resolve every vulnerability found, the plan should cover how to mitigate the risks the system is exposed to, and how to address the weaknesses with the greatest potential for damage first.
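To make the four stages above concrete, here is an added example (written for this post, not taken from the Udacity course or any scanner product) of a minimal vulnerability-management pipeline in Python. The asset inventory, the scan findings, the finding identifiers, the exposure/criticality adjustment rules and the SLA deadlines are all constructed placeholders; only the CVSS v3 qualitative bands (LOW, MEDIUM, HIGH, CRITICAL) are the real ranges. The script discovers assets (here, a hard-coded inventory), takes scanner-style findings, adjusts the raw severity with business context, and emits a remediation plan that distinguishes "resolve" from "mitigate" and flags findings on assets the inventory does not know about.

```python
"""Added example: a minimal vulnerability-management pipeline.

Discovery -> scanning -> prioritisation -> remediation plan.
All assets, findings and SLA values are constructed for illustration;
the qualitative CVSS bands are the real CVSS v3 ranges.
"""
from datetime import date, timedelta

# Stage 1 - discovery: the asset inventory. Constructed hosts; in practice
# this comes from cloud APIs, CMDB exports, network sweeps and registries.
ASSETS = {
    "web-01":   {"exposure": "internet", "criticality": "high"},
    "db-01":    {"exposure": "internal", "criticality": "high"},
    "build-07": {"exposure": "internal", "criticality": "low"},
}

# Stage 2 - scanning: findings in the shape a scanner export might have.
# Constructed data; the ids are placeholders, not real CVE identifiers.
FINDINGS = [
    {"asset": "build-07", "id": "F-1", "cvss": 9.8, "fix_available": True},
    {"asset": "web-01",   "id": "F-2", "cvss": 7.5, "fix_available": True},
    {"asset": "db-01",    "id": "F-3", "cvss": 5.3, "fix_available": False},
    {"asset": "ghost-99", "id": "F-4", "cvss": 8.0, "fix_available": True},
]

RATINGS = ["NONE", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
# Hypothetical remediation deadlines per rating, in days; tune to your policy.
SLA_DAYS = {"CRITICAL": 7, "HIGH": 30, "MEDIUM": 90, "LOW": 180, "NONE": None}


def cvss_rating(score):
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def prioritise(finding, asset):
    """Stage 3 - adjust scanner severity with business context.

    Internet-exposed assets move one band up, low-criticality assets one
    band down. These rules are illustrative assumptions, not a standard.
    """
    idx = RATINGS.index(cvss_rating(finding["cvss"]))
    if asset["exposure"] == "internet":
        idx = min(idx + 1, len(RATINGS) - 1)
    if asset["criticality"] == "low":
        idx = max(idx - 1, 0)
    return RATINGS[idx]


def plan(findings, assets, today_iso):
    """Stage 4 - build the remediation plan.

    Resolve when a fix exists, otherwise mitigate; each row gets a due date
    from the SLA table. A finding on an asset missing from the inventory is
    flagged as a discovery gap instead of being silently rated.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for f in findings:
        asset = assets.get(f["asset"])
        if asset is None:
            rows.append({"id": f["id"], "asset": f["asset"], "cvss": f["cvss"],
                         "priority": "UNKNOWN-ASSET", "due": today_iso,
                         "action": "add asset to inventory and rescan"})
            continue
        prio = prioritise(f, asset)
        days = SLA_DAYS[prio]
        rows.append({
            "id": f["id"], "asset": f["asset"], "cvss": f["cvss"], "priority": prio,
            "action": "resolve (patch/upgrade)" if f["fix_available"]
                      else "mitigate (compensating control)",
            "due": (today + timedelta(days=days)).isoformat() if days is not None else None,
        })

    # Unknown assets first (you cannot rate what you have not discovered),
    # then highest adjusted priority, then highest raw score.
    def sort_key(r):
        unknown = r["priority"] == "UNKNOWN-ASSET"
        idx = -1 if unknown else RATINGS.index(r["priority"])
        return (0 if unknown else 1, -idx, -r["cvss"])

    rows.sort(key=sort_key)
    return rows


if __name__ == "__main__":
    for r in plan(FINDINGS, ASSETS, "2024-01-01"):
        print(f'{r["priority"]:<14} {r["id"]:<5} {r["asset"]:<9} due {r["due"]}  {r["action"]}')
```

Run it as-is to see the plan for the constructed data: the internet-facing HIGH finding on `web-01` is promoted to CRITICAL and lands at the top of the resolve queue, the CRITICAL finding on the low-value build host is demoted to HIGH, the unfixable MEDIUM on the database becomes a mitigation item, and the finding on `ghost-99` surfaces a discovery gap rather than being rated. The adjustment rules and SLAs are the part you would replace with your own policy; the structure (inventory in, ranked plan with owners and deadlines out) is the part that carries over.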
This has been a brief introduction to vulnerability management and why it is important to incorporate this framework into your system. In the next post I will go deeper into vulnerability scanning.