Vulnerability Management Theory

One common question you will hear in interviews is: can you define a vulnerability, a risk, and a threat?

A vulnerability is a weakness in software that can be exploited; we know that much. But a vulnerability is insignificant without a corresponding threat.

A threat is a malicious actor, whether a group of hackers or an individual, looking for ways to exploit vulnerabilities to achieve an objective such as stealing data, disrupting operations, or extorting victims. Whether or not a vulnerability is exploited depends on the threat group and its motivations.

A risk, on the other hand, is the likelihood of the threat successfully exploiting the vulnerability together with the potential impact if it does, resulting in harm to the organization. Understanding these distinctions is crucial for effective cybersecurity management.

For example, the vulnerability could be a remote code execution flaw on the server, and the threat is a ransomware gang. The risk is the potential financial loss due to downtime and recovery.

When it comes to categorizing and ranking vulnerabilities, the Common Vulnerabilities and Exposures (CVE) list, together with the Common Vulnerability Scoring System (CVSS), is widely regarded as the best standard, providing a clear framework for identifying and prioritizing vulnerabilities.

Microsoft has found a flaw in Microsoft Exchange that allows an authentication bypass. Once this vulnerability is identified, it receives a CVE identifier. The identifier starts with the three letters "CVE", which are universal, followed by the year it was published, and finally a unique number for that year that is at least four digits long (CVE-YYYY-NNNN). Each CVE is assigned a CVSS score that rates the severity of the vulnerability. The score ranges from 0 to 10 and is determined by the National Vulnerability Database (NVD), which we will explore further soon.

CVSS scores are calculated based on three metric groups: base, temporal, and environmental. The base metric group represents the inherent characteristics of a vulnerability that remain constant over time and across different user environments. It consists of two sets of metrics: exploitability metrics and impact metrics.

The exploitability metrics show how easy it is to exploit the vulnerability and the technical methods used. They describe the features of the item that is vulnerable, which we formally call the vulnerable component.

The impact metrics reflect the direct consequence of a successful exploit. They represent the consequence to the thing that suffers the impact, which we refer to formally as the impacted component.

The temporal metric group reflects the characteristics of a vulnerability that may change over time but not across environments. For example, the appearance of a simple-to-use exploit, such as a Metasploit module, would increase the CVSS score, while the release of an official patch would decrease it.

The environmental metric group represents the characteristics of a vulnerability that are relevant and unique to a particular user's environment. Considerations include the presence of security controls that may mitigate some or all consequences of a successful attack, and the relative importance of the vulnerable system within a technology stack.

The National Vulnerability Database, or NVD, is the entity responsible for calculating CVSS scores for vulnerabilities. The NVD is run by NIST, the National Institute of Standards and Technology, a non-regulatory federal agency within the U.S. Department of Commerce. NIST's mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

Steps for Effective Vulnerability Management

  1. Discover Vulnerabilities:

    • Perform remote scans (demonstrated in this process) or use agent-based scans.

    • Agent-based scans involve installing agents on endpoints to analyze internal configurations, registry keys, and more, providing a deeper view of potential vulnerabilities.

  2. Prioritize Assets:

    • Consider factors such as:

      • Whether assets are located in the DMZ or are public-facing.

      • Whether they host crown jewels (critical data or applications).

      • The presence of mission-critical applications.

    • Business Continuity Teams or IT Risk Management Programs typically identify and assess critical assets.

  3. Assess and Triage Scan Results:

    • Focus on vulnerabilities with:

      • CVSS scores of 7 or above.

      • Known exploits actively used in the wild.

    • Prioritize these vulnerabilities for remediation first, followed by lower-priority ones.

  4. Report:

    • Create clear, concise reports summarizing scan results and priority vulnerabilities.

    • Ensure reports are digestible and highlight which vulnerabilities and assets require immediate attention.

  5. Remediate:

    • Distribute the reports to remediation teams.

    • Implement fixes through software patches, upgrades, or other mitigation measures.

  6. Verify:

    • Conduct remediation scans to confirm vulnerabilities have been resolved.

    • Some vulnerabilities may require manual verification due to scanner limitations.

  7. Repeat the Process:

    • Reassess and refine the cycle to maintain robust vulnerability management.
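As an added example (not from the original notes), here is a small Python triage helper that encodes steps 2, 3 and 6 above: a finding is ranked by whether its CVSS score is 7 or above or it is known to be exploited in the wild, and by whether the host is DMZ/public-facing or holds crown jewels; a remediation scan is then compared with the initial scan to list what is still unresolved. The asset names, tier scheme and CVE ids are constructed placeholders.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    public_facing: bool   # in the DMZ or otherwise reachable from the internet
    crown_jewels: bool    # hosts critical data or mission-critical applications

@dataclass
class Finding:
    asset: str
    cve: str
    cvss: float
    exploited_in_wild: bool   # a known exploit is actively used in the wild

def tier(f, assets):
    """Remediation tier 1..4. CVSS >= 7 or in-the-wild exploitation makes the
    vulnerability critical; a DMZ/public-facing or crown-jewel host makes the asset critical."""
    a = assets[f.asset]
    critical_asset = a.public_facing or a.crown_jewels
    critical_vuln = f.cvss >= 7.0 or f.exploited_in_wild
    if critical_vuln and critical_asset:
        return 1
    if critical_vuln:
        return 2
    return 3 if critical_asset else 4

def triage(findings, assets):
    """Order for the report: tier first, exploited-in-the-wild first within a tier, then CVSS."""
    return sorted(findings, key=lambda f: (tier(f, assets), not f.exploited_in_wild, -f.cvss))

def unresolved(initial, remediation_scan):
    """Verification step: findings from the first scan still present in the remediation scan."""
    still_open = {(f.asset, f.cve) for f in remediation_scan}
    return [f for f in initial if (f.asset, f.cve) in still_open]

# Constructed sample inventory and scan output; the CVE ids are placeholders, not real entries.
ASSETS = {
    "web-dmz-01": Asset(public_facing=True, crown_jewels=False),
    "db-core-01": Asset(public_facing=False, crown_jewels=True),
    "print-01": Asset(public_facing=False, crown_jewels=False),
}
SCAN = [
    Finding("print-01", "CVE-0000-0001", 9.8, False),
    Finding("web-dmz-01", "CVE-0000-0002", 6.5, True),
    Finding("db-core-01", "CVE-0000-0003", 5.3, False),
    Finding("web-dmz-01", "CVE-0000-0004", 7.5, False),
    Finding("print-01", "CVE-0000-0005", 4.3, False),
]
```

Note that the actively exploited 6.5 on the DMZ host outranks the 9.8 on the printer: severity alone is not the ordering, asset exposure is part of it.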