"Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities"[1] This practice generally refers to software vulnerabilities in computing systems.
Contents |
While program definitions vary in the industry, Gartner, a prominent IT Analyst company, defines Six steps for vulnerability management programs[2]
Define Policy - Organizations must start out by determining what the desired security state for their environment is. This includes determining desired device and service configurations and access control rules for users accessing resources.
Baseline the Environment - Once a policy has been defined, the organization must assess the true security state of the environment and determine where instances of policy violations are occurring.
Prioritize Vulnerabilities - Instances of policy violations are Vulnerability (computing). These vulnerabilities are then prioritized using risk and effort-based criteria. Shield - In the short term, the organization can take steps to minimize the damage that could be caused by the vulnerability by creating compensating controls.
Mitigate Vulnerabilities - Ultimately, the root causes of vulnerabilities must be addressed. This is often done via patching vulnerable services, changing vulnerable configurations or making application updates to remove vulnerable code.
Maintain and Monitor - Organizations' computing environments are dynamic and evolve over time, as do security policy requirements. In addition, additional security vulnerabilities are always being identified. For this reason, vulnerability management is an ongoing process rather than a point-in-time event.
Host and infrastructure vulnerabilities can often be addressed by applying patches or changing configuration settings. Custom software or application-based vulnerabilities often require additional software development in order to fully mitigate. Technologies such as web application firewalls can be used in the short term to shield systems, but to address the root cause, changes must be made to the underlying software.
Typical tools used for identifying and classifying known vulnerabilities are vulnerability scanners. These tools look for vulnerabilities known and reported by the security community, and which typically are already fixed by relevant vendors with patches and security updates.
Zero-day vulnerabilities are problems that vulnerability scanners cannot detect, and which also do not have any patches or updates available from vendors. Unknown Vulnerability Management process augments the known vulnerability management by introducing tools and techniques such as network analyzers for mapping attack surface, and fuzzers for finding zero day vulnerabilities. [3]