Senior Content Marketing Manager at Secureframe
Manager of Compliance at Secureframe
In a survey by CRA Business Intelligence, nearly half of the respondents (45%) said they are very or extremely concerned about vulnerabilities in the next 12 months.
With expanding attack surfaces and an increasing volume of vulnerabilities, organizations must take a more aggressive and proactive stance towards vulnerability management.
Keep reading to learn what vulnerability management is, what steps are involved in the process, and how you can implement a robust vulnerability management program that leverages automation.
Vulnerability management is a process organizations use to identify, analyze, and manage vulnerabilities within their operating environment.
Vulnerabilities are weaknesses in systems, platforms, infrastructure, or even people and processes that can be exploited by threat actors, rendering an entire organization or any of its parts susceptible to attack.
Examples of vulnerabilities include:
Vulnerability management is an important aspect of risk management. Assessing the environment for technical and operational vulnerabilities helps with planning for and determining the appropriate mitigating controls to implement.
Vulnerability management activities such as discovering, categorizing, and prioritizing vulnerabilities, managing exposure to discovered vulnerabilities, and analyzing their root cause are incredibly important. They help an organization develop a comprehensive understanding of its risk profile, understand what controls need to be implemented for risk mitigation, and prevent repeat vulnerabilities.
Vulnerability management is therefore an important part of an organization's overall security and compliance program.
A vulnerability management program is the program a company adopts to identify, monitor, and remediate vulnerabilities in its operating environment. It should clearly define the process, structure, and scope of vulnerability management, along with the responsibilities and expectations of those who manage the program and of everyone else in the organization.
A robust vulnerability management program can help organizations:
To achieve all this, the program should include several aspects, including vulnerability scanning, asset management, patch management, continuous monitoring, and automated solutions.
Let’s take a closer look at these aspects and their role in the vulnerability management process below.
To keep up with emerging threats and technologies, vulnerability management should be a continuous process.
Below we’ll cover some of the steps in the vulnerability management process using insights from the Secureframe Expert Insights webinar featuring Secureframe compliance expert Marc Rubbinaccio, and penetration testing expert Jenny Goldschmidt of Red Sentry.
For all their tips on how to simplify vulnerability management and penetration testing in particular, watch the video replay on demand.
It's impossible to understand how to become secure when you don’t know what you should be protecting in the first place.
So the first step in any vulnerability management process is to inventory and understand the assets within your environment. First ask what is important to your organization. Is it protected health information (PHI)? Or another type of sensitive customer data?
Documenting which data or assets are considered highly sensitive or critical versus public is the first step in understanding your assets. Next, map out how these data and assets are stored, transmitted, and processed throughout your environment and document this flow in a diagram. Finally, document all systems, resources, personnel, and services that can affect the security of this data.
Once your assets and resources are accounted for, it is time to protect them.
First, check whether configuration standards were used when these resources were spun up. Configuration standards are baseline security best practices for configuring servers, networks, databases, and most other resources. They are usually published by the vendor or derived from industry best practices such as CIS Benchmarks. Using configuration standards is a key control in every compliance framework Secureframe supports, and it lets you be confident that the resources you implement will be secure before you spin them up in production.
Configuration standards are just the first step in securing resources. Implementing anti-malware, continuous security patching, and logging and monitoring are also critical for ensuring your resources and environment as a whole are protected against vulnerabilities.
In order to find and prioritize as many vulnerabilities as possible, consider using a combination of the scanning techniques and tools detailed below.
Now that your resources and environment have been implemented using baseline configuration standards and security best practices such as frequent patching and multi-faceted security controls, it’s time to continually test these security controls through vulnerability scanning.
Vulnerability scanning is an important requirement for compliance frameworks such as SOC 2, ISO 27001 and PCI DSS. Each compliance framework requires regular internal and external vulnerability scanning (usually quarterly).
Internal infrastructure vulnerability scanning involves running a vulnerability scanning tool such as Nessus or OpenVAS on a virtual machine or workstation with access to your internal environment and scanning all network devices, servers, and resources for vulnerabilities, like disclosed common vulnerabilities and exposures (CVEs) and outdated operating systems and software.
The same goes for any externally facing resources: use a workstation running these tools to scan your public-facing resources. Note that if you need to comply with PCI DSS, external infrastructure scanning must be performed by a PCI Security Standards Council Approved Scanning Vendor (ASV).
If you use a cloud service provider, it likely offers a service you can use to perform infrastructure vulnerability scanning, such as AWS Inspector or Azure Defender for Cloud.
Scanning your underlying infrastructure is likely not enough to ensure you are discovering all critical vulnerabilities within your environment as a whole or to meet vulnerability scanning requirements for compliance frameworks.
If you provide a public-facing application or API, these services need to be scanned in depth as well. With dynamic application security testing (DAST) tools such as SOOS or Netsparker, you enter your public-facing domain and credentials for authentication, and the scanner spiders your application to find all directories, input fields, and functions. It also scans for OWASP Top 10 vulnerabilities, including injection, broken access control, and sensitive data leakage.
Another aspect of securing applications against vulnerabilities is adding security scanning to the code review process, using static application security testing (SAST) tools such as Sudoviz or SonarQube. These review your code repository and source code before code changes reach production, helping you avoid releasing critical security issues and vulnerabilities into your application. A combination of DAST and SAST scanning is highly recommended for protecting your production applications.
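The inventory and scanning steps above only pay off when scan findings are tied back to the assets and data classifications you documented. As an added example (not code from the original article or from Secureframe), the following Python joins constructed scanner findings to a constructed asset inventory, ranks remediation by CVSS severity weighted by each asset's data classification, and flags scanned hosts the inventory does not know about; asset names, CVE ids, SLA days and the scan date are all placeholders.

```python
from datetime import date, timedelta

# Constructed asset inventory from the inventory step: each asset carries the
# data classification assigned to it (restricted = stores PHI or similar).
ASSETS = {"db-prod-01": "restricted", "web-public": "public", "hr-files": "confidential"}
CLASS_WEIGHT = {"restricted": 3, "confidential": 2, "public": 1}

# Constructed scanner output normalised to (asset, CVE id, CVSS base score);
# the CVE ids are placeholders, not real identifiers.
FINDINGS = [
    ("web-public", "CVE-0000-0002", 9.8),
    ("db-prod-01", "CVE-0000-0001", 9.8),
    ("hr-files", "CVE-0000-0003", 5.3),
    ("legacy-box", "CVE-0000-0004", 7.5),  # scanned host absent from the inventory
]
SCAN_DATE = date(2024, 1, 15)  # constructed date of the quarterly scan

# Constructed remediation SLAs in days; "medium" closes within one quarterly cycle.
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}


def severity_band(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def triage(findings, assets, scan_date):
    """Join findings to the inventory, rank them by severity x data sensitivity,
    and report scanned hosts the inventory does not know about."""
    ranked, gaps = [], []
    for asset, cve, cvss in findings:
        if asset not in assets:
            gaps.append(asset)  # inventory gap: classify the host before scoring it
            continue
        band = severity_band(cvss)
        ranked.append({
            "asset": asset, "cve": cve, "severity": band,
            "priority": round(cvss * CLASS_WEIGHT[assets[asset]], 1),
            "due": (scan_date + timedelta(days=SLA_DAYS[band])).isoformat(),
        })
    ranked.sort(key=lambda f: f["priority"], reverse=True)
    return ranked, sorted(set(gaps))
```

Two findings with the same CVSS score end up far apart in the queue because the PHI database outranks the public web server, and the unclassified host is surfaced as an inventory defect rather than silently scored.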
Another critical step in the vulnerability management process is determining the risk of your solution and service as a whole. To do so, you should complete a risk assessment annually. This is also a compliance requirement.
To complete a risk assessment, you should use a risk management framework like NIST 800-37. Or, if you’re a Secureframe customer, you can complete our risk assessment questionnaire.
Risk assessment and management involves:
The next step is to focus your security efforts on what’s likely your most vulnerable asset: employees and personnel.
Phishing and other types of social engineering attacks are still one of the most prevalent ways that sensitive data is stolen. That’s why most compliance frameworks require some sort of security awareness training.
Some frameworks such as PCI DSS require focused training based on the data the organization supports, as well as training specific to each user's job function. For example, software developers must complete secure coding training covering coding best practices and common vulnerabilities such as those in the OWASP Top Ten.
Frameworks such as FedRAMP go even further and require a social engineering engagement, such as an email phishing campaign, as part of a penetration test, which we’ll discuss next.
The best way to ensure all of the above is correctly implemented is to have a trained ethical hacker try to break through those security controls. That’s where penetration testing comes in.
Penetration testing tests an organization’s configuration standards, vulnerability scanning, risk management, and security awareness training. It must be performed by a qualified penetration tester: either a professional certified to perform penetration tests by a certification body such as Offensive Security, SANS, or eLearnSecurity, or a professional with experience performing penetration testing.
The scope of the penetration test is determined by the organization and can be based on compliance requirements. Frameworks such as SOC 2, ISO 27001, and PCI DSS require the following to be included in the penetration test:
Penetration tests usually involve a combination of gray box and white box testing. Gray box means the tester has access to certain information such as a specific range of IP addresses, domains, or a list of personnel to target. These tests are kicked off externally with no granted access to systems or applications. The penetration tester will try to find vulnerabilities and perform exploits to gain access to systems from the internet or exfiltrate data.
Once gray box testing is exhausted, the tester uses granted credentials to test from within networks and applications, using each level of access where different privilege levels exist. With this access, the tester tries to escalate privilege and discover vulnerabilities throughout the full environment.
Penetration test results will be in the form of a report that describes the penetration testing methodology, proof of concepts for all vulnerabilities found, and remediation guidance.
To ensure your vulnerability management program is set up for success, here are a few best practices to keep in mind:
A vulnerability management policy defines an approach for vulnerability management to reduce system risks and processes to incorporate security controls. To help you get started creating a policy for your organization, we’ve created a customizable template that you can download below.
Automating the vulnerability management process can help your organization save time and respond to threats faster.
Automation can be applied to several aspects of vulnerability management, including:
When looking for an automated vulnerability management product, look for one that offers an easy-to-use platform in addition to a team of security and compliance experts that can guide your organization through every step of the vulnerability management process.
Secureframe provides a one stop shop for you to be able to manage and organize all of your compliance framework requirements in one place, including your vulnerability management program.
With Secureframe you can:
Learn more about how Secureframe can help you manage vulnerabilities by scheduling a personalized demo today.
What are the steps of vulnerability management?
The steps of vulnerability management are: inventory,
What is vulnerability management in cybersecurity?
In cybersecurity, vulnerability management is the process of identifying, analyzing, and managing vulnerabilities within an operating environment in order to keep your organization's systems, networks, and enterprise applications safe from cyberattacks and data breaches.
How to build a vulnerability management program?
Building a vulnerability management program requires several steps, such as:
What are vulnerability management tools?
Vulnerability management tools use automation to make vulnerability management faster and more effective. One example is automated vulnerability scanning tools, which scan for common vulnerabilities and exposures and monitor the health of IT assets.