What is Vulnerability Management?
Vulnerability management is the continuous process of identifying, assessing, mitigating, and reporting on cyber vulnerabilities across assets within a network/environment. Typical assets can be endpoints, systems, software, and workloads. Cybersecurity teams leverage a vulnerability scanning tools to detect vulnerabilities and to remediate them.
Strong and healthy cybersecurity hygiene and practice entails using vulnerability management alongside other TTPs (Tactics, Techniques, and Procedures). Some of these processes include Open-Source Intelligence, threat intelligence, and attack surface management tools to prioritize risks and address vulnerabilities as quickly as possible.
It is best to have an understanding of Information Technology (IT), business operations, and Information Security to help gauge where to focus efforts to mitigate any attack surface exposure.
Definitions You Need To Know
It is important to understand the differences between what a Vulnerability, a Threat, and a Risk is.
Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (Defined by the Computer Security Resource Center of NIST.gov)
Threat: Someone or something with the ability to exploit a vulnerability.
Risk: The aftermath of a threat exploiting a vulnerability. This includes the damages, inflictions, and losses due to an open vulnerability that were exploited by adversaries, threat actors, and attackers.
Ranking and Categorizing Vulnerabilities
There are reputable, high-quality sources that a majority of cybersecurity organizations use to assess and communicate any impact, severity, and likelihood of compromise through the vulnerabilities discovered. The industry standard systems and databases used are:
Common Vulnerability Scoring System (CVSS v3.0) – The CVSS Base Score ranges from 0.0 to 10.0.
National Vulnerability Database (NVD) – CVSS Scores are given a severity rating.
|CVSS v3.0 Score||Severity Rating|
|0.1 – 3.9||Low|
|4.0 – 6.9||Medium|
|7.0 – 8.9||High|
|9.0 – 10.0||Critical|
The National Vulnerability Database regularly updates their library of common vulnerabilities and exposures (CVEs). Details such as vendor, product name, versions, and ranking are provided.
The MITRE Corporation are the originators of these aggregated CVEs. MITRE is a not-for-profit organization documents CVEs and provides basic information about each vulnerability, which are automatically synced with NVD.
Vulnerability Management vs. Vulnerability Assessment
A vulnerability management is an ongoing, continuous process of identification, validation, mitigation, and documentation of security vulnerabilities and findings.
A vulnerability assessment is a one-off, one-time evaluation of a scope of hosts/network/environment. An assessment is a part of the management process, but not the other way around.
The Vulnerability Management Process
- Define The Scope
- Understand Tasks and Responsibilities
- Choose Vulnerability Assessment Tools
- Perform The Vulnerability Scans
- Assess Vulnerability Risks
- Validate and Prioritize Security Vulnerabilities
- Documentation and Reporting
- Continue Vulnerability Management Cycle
Vulnerability Management 101 Key Takeaways
- Vulnerability Management is a continuous, ongoing process of Vulnerability Assessments. This entails a cycle of discovery, identification, assessment, mitigation, and documentation of security vulnerabilities.
- Vulnerabilities are weaknesses of an asset or group of assets that can be exploited by a threat. Threats are someone and or something that can exploit vulnerabilities. Risks are the aftermath damages and losses of exploited vulnerabilities.
- Security Vulnerabilities are ranked and categorized through CVSS and NVD scores and ratings. This is the industry standard that cybersecurity organizations follow.
- Vulnerability Management contain a series of steps as a process to scan, assess, validate, prioritize, and report on security vulnerabilities within a given scope.
Want To Learn More?
If this article was helpful and insightful for you, check out our other research posts for more information on cybersecurity, cyber threats, technological developments, and more!
Looking to secure your organization? Tactic.ly has your back. Contact us here.