Security vulnerabilities. We'll always talk about them. They're part of our raison d'être at Fluid Attacks. On behalf of our customers, our initial goals with them are to identify, describe and report these security issues. But our mission doesn't end there. In our previous post, we mainly discussed vulnerability assessment, a procedure covering the goals above. On this occasion, we will focus on explaining a term we already related to the previous one: vulnerability management. This concept covers a broader range of activities concerning vulnerabilities, which we also provide to our clients. Before getting down to business, let's start by contextualizing for those who are unclear about what a vulnerability in cybersecurity is.
What is a security vulnerability?
A security vulnerability is a weakness in an IT system that usually results from software bugs, design errors, or misconfigurations. When exploited by attackers, a vulnerability can give them unauthorized access to, and control over, the system, enabling the theft of information or other assets or the disruption of operations.
Definition of the vulnerability management process
Vulnerability management is a process of identifying, evaluating, prioritizing, reporting and dealing with security vulnerabilities. Although it doesn't have to be seen as continuous, ideally, it should be. In fact, that is how it's usually offered. But why does it need to be an ongoing process or cycle? The cyber environment is constantly changing. New systems emerge, evolve, become more complex, and expand; with them, new vulnerabilities and, alas, new threats appear. The continuous vulnerability management process, with a stable repetition of different stages as a cycle, seeks to attend to this situation. Evaluating systems and their vulnerabilities at a single point in time, or only occasionally, is to lag behind the gargantuan leaps of information technology. And this could mean high exposure to the risk of suffering from cyberattacks.
Security vulnerability management can be part of an overall security program, which could also include strategies such as implementing defenses and traffic review, security training for different groups of employees, developing incident response plans, etc. Vulnerability management is a preventive approach. This procedure aims to help bring and keep an organization's risk exposure to a minimum. Vulnerability management tools streamline and facilitate the operations within the cycle and often allow everything to take place from a single dashboard.
Difference between vulnerability management and vulnerability assessment
When we talk about vulnerability management, vulnerability assessment must necessarily enter into the equation. Conversely, the latter can occur independently. Vulnerability assessment is part of the vulnerability management process because it is the phase in which security issues are identified, classified, and reported. This assessment can be carried out either by automated tools (i.e., vulnerability scanning) or by humans (usually through penetration testing or ethical hacking); ideally, the two complement each other. Thus, vulnerability assessment is integrated into a cycle where vulnerabilities are also prioritized and treated.
Stages of the vulnerability management process
First, we can refer to a few steps before the vulnerability management cycle. The organization that intends to implement this solution should start by defining the scope of the process. It should be clear which of its systems and components will be assessed for vulnerability detection. (This may require asset inventory services.) In relation to the assets involved in that scope, the organization in question should assign values to them in order to determine which are most critical to protect. In addition, the organization should define roles and responsibilities, such as who would be in charge of monitoring, who would address vulnerabilities, and who would authorize strategies and reports. It should also choose the tools and services for vulnerability assessment and, in general, all stages of vulnerability management. Finally, the organization should establish vulnerability assessment and treatment policies (e.g., review frequency, temporary and absolute acceptance parameters, and remediation deadlines).
Although this is not a strict model, these are usually the stages of the vulnerability management cycle:
Vulnerability identification
This stage can start with vulnerability scanning. Automated tools scan the organization's chosen systems to detect whether any of the security issues in their databases of publicly known vulnerabilities are present in those systems. Careful configuration of the scanners and their scans helps avoid disrupting or altering functions of the evaluated technology and keeps false positive rates down. Then human intervention comes in the form of manual pentesting, which is assisted by other tools. The so-called pentesters, with a methodology oriented towards the in-depth assessment of IT systems, endeavor to detect anything that escapes the radar of automated tools. Often these are more severe, more complex and previously unknown (zero-day) vulnerabilities.
By the way, have you already checked out our free trial? Search for vulnerabilities in your apps for free with our automated tools! Start your 21-day free trial and discover the benefits of our Continuous Hacking Machine Plan.
Vulnerability evaluation and prioritization
At one point in this stage, the pentesters or security professionals seek to minimize false positive and false negative rates. To achieve this, they validate the scanners' reports and fix their errors. That is, they remove from the lists of identified vulnerabilities those reports that do not actually constitute vulnerabilities and add to them the vulnerabilities that the tools should have reported but did not. (These lists are separate from the findings delivered by penetration testing in the previous stage.)
Both scanners and pentesters generally rate their findings based on well-known metrics such as the Common Vulnerability Scoring System (CVSS). This system scores the severity of vulnerabilities from 0.0 to 10.0. From 0.1 to 3.9, the severity is low; from 4.0 to 6.9, it is medium; from 7.0 to 8.9, it is high; and from 9.0 to 10.0, it is critical. Then, vulnerabilities can be prioritized by metrics such as this one. That is, they can be ranked in order of importance according to the risk they pose. The usefulness of these values is that, at the time of the report, the organization under evaluation can know which security issues to deal with first.
One of the influential factors in the evaluation and prioritization of vulnerabilities is their exploitability. At this stage, questions such as the following arise: Is this vulnerability exploitable? How easy is it to exploit? Is there already an exploit for this vulnerability floating around the web? (An exploit is specialized code written to take advantage of a security issue.) What would be the impacts of its exploitation? Pentesters are crucial to answering questions such as the last one. From their offensive security approach, i.e., by simulating "real-world" attacks, these experts are responsible for testing the exploitability of specific vulnerabilities in order to provide evidence of the potential impacts.
Vulnerability reporting
After evaluation and validation, each finding by the tools and experts can be reported through a vulnerability management tool or platform. Ideally, each vulnerability should be able to reach this stage or, better, complete the cycle independently. That is, solution providers shouldn't wait for a massive accumulation of vulnerabilities before reporting their existence to those who, in the next stage, will be in charge of their treatment. As teams receive small numbers of prioritized vulnerabilities, they can easily decide what actions to take. Among the various details about each identified and assessed security issue that can be provided to the organization under assessment are the following: type, severity, location, identification date, current status, description, evidence of existence and exploitation, and treatment recommendations.
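The evaluation, prioritization and reporting stages just described, as an added example in Python (this is not Fluid Attacks' code nor its platform's logic): scanner output is validated against the pentesters' false-positive verdicts and supplemented with what the tools missed, each finding is rated with the CVSS bands the post gives, findings are ranked by severity and exploitability, and each one is turned into a report entry with the fields listed above. The findings, the false-positive set, the dates and the ranking rule are all constructed assumptions for illustration.

```python
"""Added example, not Fluid Attacks' code: validate scanner output, rate it with
the CVSS bands from the post, and rank findings by risk before reporting.
All findings, false-positive verdicts and exploitability flags below are
constructed sample data; the ranking rule is an assumption of this example."""
from dataclasses import dataclass
from datetime import date


def cvss_severity(score: float) -> str:
    """Qualitative bands as given in the post; CVSS rates a 0.0 score as 'none'."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"        # 0.1 - 3.9
    if score < 7.0:
        return "medium"     # 4.0 - 6.9
    if score < 9.0:
        return "high"       # 7.0 - 8.9
    return "critical"       # 9.0 - 10.0


SEVERITY_ORDER = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    finding_id: str
    source: str                     # "scanner" or "pentest"
    vuln_type: str
    cvss: float
    location: str
    found_on: date
    exploit_public: bool = False    # an exploit is already circulating
    exploit_verified: bool = False  # a pentester reproduced the exploitation
    evidence: str = ""
    recommendation: str = ""
    status: str = "open"


def validate_scanner_findings(scanner, false_positive_ids, missed_by_scanner):
    """Drop the tool reports the pentesters ruled out and add what the tools missed."""
    kept = [f for f in scanner if f.finding_id not in false_positive_ids]
    return kept + list(missed_by_scanner)


def risk_key(f: Finding):
    """Sort key (assumed rule): severity band first, then verified exploitation,
    then a public exploit, then the raw score as a tie-breaker."""
    return (SEVERITY_ORDER[cvss_severity(f.cvss)], f.exploit_verified, f.exploit_public, f.cvss)


def prioritize(findings):
    """Most urgent finding first."""
    return sorted(findings, key=risk_key, reverse=True)


def report_entry(f: Finding) -> dict:
    """The per-finding details the post lists for the reporting stage."""
    return {
        "id": f.finding_id, "type": f.vuln_type, "severity": cvss_severity(f.cvss),
        "cvss": f.cvss, "location": f.location, "identified": f.found_on.isoformat(),
        "status": f.status, "exploit_verified": f.exploit_verified,
        "evidence": f.evidence, "recommendation": f.recommendation,
    }


# Constructed sample input: three tool reports and one manual finding.
SCANNER = [
    Finding("SCAN-001", "scanner", "SQL injection", 9.8, "api/login", date(2023, 3, 1),
            exploit_public=True),
    Finding("SCAN-002", "scanner", "Missing security headers", 5.3, "web/", date(2023, 3, 1)),
    Finding("SCAN-003", "scanner", "Vulnerable dependency", 7.5, "lib/xml-parser", date(2023, 3, 1)),
]
PENTEST = [
    Finding("PT-001", "pentest", "Broken object-level authorization", 8.1, "api/orders/{id}",
            date(2023, 3, 2), exploit_verified=True,
            evidence="record of another tenant retrieved during the test",
            recommendation="enforce the ownership check server-side"),
]
FALSE_POSITIVES = {"SCAN-003"}  # pentesters confirmed the vulnerable code path is never reached


def triage():
    """Validated, prioritized report entries, most urgent first."""
    validated = validate_scanner_findings(SCANNER, FALSE_POSITIVES, PENTEST)
    return [report_entry(f) for f in prioritize(validated)]


if __name__ == "__main__":
    for entry in triage():
        print(entry["id"], entry["severity"], entry["cvss"], entry["location"])
```

Note that the manual finding PT-001 ranks above the scanner's medium-severity report even though the scanner never saw it, and SCAN-003 disappears from the report entirely once the pentesters mark it as a false positive; that is the validation step the post describes, applied before anyone is asked to act.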
Vulnerability treatment
After obtaining details on each vulnerability, including those treatment recommendations, the team responsible for this stage must take action. The ideal treatment option is vulnerability remediation, especially if the vulnerability involves high-risk exposure. Remediation is the patching or complete repair of the security issue to prevent exploitation. We should keep in mind that suggestions from automated tools or novice individuals are sometimes not the best. Hence, the intervention of specialized cybersecurity staff is a sine qua non for appropriate vulnerability treatment.
Another treatment option, mainly when, for one reason or another, there's still no opportunity for remediation, is vulnerability mitigation. This is about reducing the likelihood of exploitation of the vulnerability (e.g., applying a technique that makes exploitation harder for an attacker) and its potential impacts. It may be a quick temporary treatment while a patch or other form of vulnerability remediation is being developed.
Finally, there is the option of vulnerability acceptance, which may be temporary or permanent. Choosing this option may depend on the internal policies of the organization in question. An organization may accept a security issue simply because the risk it represents is very low and the remediation costs are higher than those associated with its exploitation. In any case, it is usually advisable to avoid permanent acceptance and, regardless of how low the risk is, to remediate the vulnerability in the near future. The situation is different when the issue to be remediated is found, for instance, in an application that the organization plans to disable in the very short term. In this case, permanent acceptance is more justifiable.
Vulnerability reassessment and final reporting
Vulnerability remediation should always be verified for the stakeholders' peace of mind. In this stage, rescans and reattacks are performed to validate that the solution given to each vulnerability was effective, thus indicating its closing. In addition, reassessment is recommended to discover whether new vulnerabilities have arisen due to the previous treatments. Once this is accomplished, the reporting information can be updated. For example, the security status of a vulnerability can shift from "open" to "closed."
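The treatment options (remediation, mitigation, temporary and permanent acceptance) and the reassessment rule described above, as an added example in Python (not Fluid Attacks' code or platform logic): a small policy engine that records the chosen treatment for each vulnerability, enforces acceptance limits, computes remediation deadlines by severity, and moves a vulnerability from "open" to "closed" only after a reattack fails to reproduce it. The deadline values, the acceptance limits, the dates and the sample vulnerabilities are constructed assumptions standing in for an organization's own policies.

```python
"""Added example, not Fluid Attacks' code: treatment policy and status lifecycle
for reported vulnerabilities. Deadlines, acceptance limits and sample data are
constructed assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Assumed policy values (an organization sets its own, as the post notes).
REMEDIATION_DEADLINE_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
MAX_TEMPORARY_ACCEPTANCE_DAYS = 90
PERMANENT_ACCEPTANCE_MAX_SEVERITY = "low"
TREATMENTS = ("remediation", "mitigation", "temporary_acceptance", "permanent_acceptance")


@dataclass
class Vulnerability:
    vuln_id: str
    severity: str
    reported_on: date
    status: str = "open"
    treatment: Optional[str] = None
    acceptance_expires_on: Optional[date] = None
    decommission_on: Optional[date] = None   # planned retirement of the affected asset
    history: list = field(default_factory=list)


def remediation_due(v: Vulnerability) -> date:
    """Remediation deadline derived from severity (mitigation does not extend it)."""
    return v.reported_on + timedelta(days=REMEDIATION_DEADLINE_DAYS[v.severity])


def apply_treatment(v, treatment, today, accept_days=None, justification=""):
    """Record a treatment decision after checking it against the assumed policy."""
    if v.status == "closed":
        raise ValueError(f"{v.vuln_id} is already closed")
    if treatment not in TREATMENTS:
        raise ValueError(f"unknown treatment {treatment!r}")
    if treatment == "temporary_acceptance":
        if not accept_days or accept_days > MAX_TEMPORARY_ACCEPTANCE_DAYS:
            raise ValueError("temporary acceptance needs a period within the policy limit")
        v.acceptance_expires_on = today + timedelta(days=accept_days)
    elif treatment == "permanent_acceptance":
        low_risk = SEVERITY_ORDER[v.severity] <= SEVERITY_ORDER[PERMANENT_ACCEPTANCE_MAX_SEVERITY]
        retiring = (v.decommission_on is not None
                    and v.decommission_on <= today + timedelta(days=MAX_TEMPORARY_ACCEPTANCE_DAYS))
        if not (low_risk or retiring):
            raise ValueError("permanent acceptance requires low severity or imminent decommission")
        v.acceptance_expires_on = None
    else:
        v.acceptance_expires_on = None
    v.treatment = treatment
    v.history.append((today, treatment, justification))
    return v


def reassess(v, today, reproduced):
    """Reattack/rescan outcome: only a remediated, non-reproducible finding is closed."""
    if v.treatment != "remediation":
        raise ValueError("only remediated findings are candidates for closing")
    if reproduced:
        v.history.append((today, "reattack", "still exploitable; remains open"))
        v.treatment = None          # the fix was not effective; treatment must be redone
        return v
    v.status = "closed"
    v.history.append((today, "reattack", "not reproducible; closed"))
    return v


def is_overdue(v, today) -> bool:
    """Open vulnerabilities past their deadline, or past an expired temporary acceptance."""
    if v.status == "closed" or v.treatment == "permanent_acceptance":
        return False
    if v.treatment == "temporary_acceptance":
        return today > v.acceptance_expires_on
    return today > remediation_due(v)


def demo():
    """Constructed walk-through of four vulnerabilities through the cycle."""
    today = date(2023, 3, 1)
    sqli = Vulnerability("VULN-1", "critical", reported_on=date(2023, 2, 20))
    apply_treatment(sqli, "remediation", today, justification="parameterized queries")
    reassess(sqli, today + timedelta(days=1), reproduced=True)    # first fix incomplete
    apply_treatment(sqli, "remediation", today + timedelta(days=3))
    reassess(sqli, today + timedelta(days=4), reproduced=False)   # now verified, closed

    banner = Vulnerability("VULN-2", "low", reported_on=date(2023, 1, 10))
    apply_treatment(banner, "permanent_acceptance", today, justification="cost exceeds risk")

    legacy = Vulnerability("VULN-3", "high", reported_on=date(2023, 2, 1),
                           decommission_on=date(2023, 3, 15))
    apply_treatment(legacy, "temporary_acceptance", today, accept_days=30)

    headers = Vulnerability("VULN-4", "high", reported_on=date(2023, 1, 15))
    apply_treatment(headers, "mitigation", today, justification="compensating control")

    check = date(2023, 4, 15)
    return {v.vuln_id: (v.status, v.treatment, is_overdue(v, check))
            for v in (sqli, banner, legacy, headers)}


if __name__ == "__main__":
    for vuln_id, state in demo().items():
        print(vuln_id, state)
```

Two details carry the post's point: a remediation that the reattack still reproduces sends the finding back to "open" with no treatment recorded, and mitigation never moves the remediation deadline, so a mitigated high-severity finding still shows as overdue once its deadline passes.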
Vulnerability reports that accumulate in vulnerability management platforms can be used by managers or administrators of the organization to evaluate efforts, achievements, and progress. A good platform allows the delivery, customization, and downloading of reports in different formats and adjusted for both executive and technical staff. When the platform contains a wide variety of charts and figures, the organization's teams can properly monitor trends in the emergence and remediation of vulnerabilities and mitigation of risk exposure. Moreover, if the platform allows, they can be aware of their compliance with multiple international security standards requirements.
Vulnerability management with Fluid Attacks
At Fluid Attacks, we offer a Vulnerability Management solution within our Continuous Hacking service, which we can integrate into your software development lifecycle from the beginning. We connect all stages of the previously described vulnerability management process from a single place, i.e., our Attack Resistance Management (ARM) platform. We develop our own automated tools or security scanners, which apply methodologies such as SAST, DAST and SCA for vulnerability scanning on your systems. We also have a large group of penetration testing experts who, with their skills as hackers (see here their multiple certifications), verify the findings of the scanners and identify those vulnerabilities that these machines could not detect. Their goal here is to minimize false positive and false negative rates. Of note, we use artificial intelligence to prioritize the assessment of those portions of systems that may be more likely to contain security issues.
For vulnerability scoring, we go beyond CVSS, adding a version modified by us: "CVSSF." With this metric, as you can learn in detail in another blog post, we overcome several drawbacks, such as that one that makes us mistakenly believe that a vulnerability of severity 10.0 means the same risk as ten vulnerabilities of severity 1.0. In our ARM platform, we continuously report vulnerabilities to you as we discover and evaluate them in ongoing security testing. In addition to providing you with many details about each finding, we include tangible evidence of vulnerability exploitations carried out by our red team and recommendations for treatment. Also, from the ARM platform, you can assign remediation activities to your team members. After they apply the necessary corrective measures (for which our experts can advise them), you can ask us as many times as you want to reassess or reattack vulnerabilities to verify that they were effectively closed.
Using our ARM platform, you can choose specific vulnerability treatment policies, determine which security requirements to comply with (covering more than 60 security standards), and ensure compliance. Additionally, you can keep track of vulnerability remediation times and changes in risk exposure within your organization. Of course, you can customize reports and download them in different formats. You can enjoy this and more within a service that, from a preventive perspective, seeks to help you continuously improve your organization's security. Being one step ahead of cybercriminals, your organization can avoid falling victim to cyberattacks and seeing its assets, operations, and even reputation seriously damaged.
Are you interested in our service? Don't hesitate to contact us.