Vulnerability Management Program Best Practices

4 years ago Irfahn Khimji

An enterprise vulnerability management program can reach its full potential when it is built on well-established foundational goals.  These goals should address the information needs of all stakeholders, tie back to the business goals of the enterprise, and reduce the organization’s risk. Existing vulnerability management technologies can detect risk, but they require a foundation of people and processes to ensure that the program is successful.

One way to approach a vulnerability management project is with a four-stage approach, each stage containing its own set of subtasks:

  1. The discovery and inventory of assets on the network.
  2. Asset classification and task assignment:
    • the process that determines the criticality of each asset;
    • the owners of the assets;
    • the frequency of scanning;
    • timelines for remediation of discovered vulnerabilities.
  3. The discovery of vulnerabilities on the inventoried assets.
  4. The reporting and remediation of discovered vulnerabilities.

Each stage involves a measurable and repeatable process, as well as a phase of execution. The aim is to create a managed and optimized process that supports continuous improvement.

Stage One: Asset Discovery and Inventory

According to the CIS Critical Security Controls, and the other major security frameworks, asset discovery and inventory are the first step in any vulnerability management program. After all, you cannot protect what you do not know about.

An accurate inventory of all authorized and unauthorized devices on the network, together with an inventory of the software installed on those devices, is essential, as attackers are always looking for easily exploitable systems. Ensuring that the information security team knows what is on the network allows them to better protect those systems and to guide the system owners in reducing the risk those assets pose.

There have been many cases where systems are deployed without informing the information security team. These could range from test servers, to misconfigured cloud systems hosting company data. Without the appropriate asset discovery and network access control, these types of devices can provide an easy gateway for an attacker into the internal network.
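The check a practitioner wants at this stage is the reconciliation of what a discovery scan actually found against what the inventory says should be there. The following is an added example, not code from the original post or from Tripwire: it parses nmap's greppable (`-oG`) output format into hosts and open services, then compares the result with a hypothetical authorized-asset register. The scan text, IP addresses, hostnames, service versions and the register are all constructed for the example.

```python
import re

# Constructed sample of nmap greppable (-oG) output; hosts, names and versions are made up.
DISCOVERED_SCAN = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.0.5.10 (web-01.corp.example)\tStatus: Up
Host: 10.0.5.10 (web-01.corp.example)\tPorts: 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//https//nginx 1.24/\tIgnored State: closed (998)
Host: 10.0.5.23 ()\tStatus: Up
Host: 10.0.5.23 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 8080/open/tcp//http//Jetty 9.4/\tIgnored State: filtered (998)
Host: 10.0.5.40 (nas-test)\tStatus: Up
Host: 10.0.5.40 (nas-test)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Hypothetical authorized-asset register (e.g. a CMDB export) keyed by IP address.
# 10.0.5.99 is a stale record: inventoried but no longer answering.
AUTHORIZED = {
    "10.0.5.10": {"owner": "web-team", "environment": "prod"},
    "10.0.5.99": {"owner": "db-team", "environment": "prod"},
}

# "Host: <ip> (<name>)<TAB><fields...>"; fields are tab separated in -oG output.
HOST_RE = re.compile(r"^Host:\s+(?P<ip>\S+)\s+\((?P<name>[^)]*)\)\t(?P<rest>.*)$")


def parse_greppable(text):
    """Return {ip: {"name": str, "ports": [(port, proto, service, version), ...]}}
    for every host line, keeping only ports in the 'open' state."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment and blank lines
        ip, name, rest = m.group("ip"), m.group("name"), m.group("rest")
        entry = hosts.setdefault(ip, {"name": name, "ports": []})
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for item in field[len("Ports:"):].split(","):
                # Each entry is port/state/proto/owner/service/rpc_info/version/
                parts = item.strip().split("/")
                if len(parts) < 7 or parts[1] != "open":
                    continue
                entry["ports"].append((int(parts[0]), parts[2], parts[4], parts[6]))
    return hosts


def reconcile(discovered, authorized):
    """Split discovered hosts into known and unknown, and list inventoried hosts
    that the scan did not see (stale records or hosts that were down)."""
    known = {ip: info for ip, info in discovered.items() if ip in authorized}
    unknown = {ip: info for ip, info in discovered.items() if ip not in authorized}
    missing = sorted(set(authorized) - set(discovered))
    return known, unknown, missing


def unknown_exposures(text=DISCOVERED_SCAN, authorized=AUTHORIZED):
    """Every open service on a host nobody has claimed: the 'easy gateway' the
    text warns about, sorted as (ip, port, service, version)."""
    _, unknown, _ = reconcile(parse_greppable(text), authorized)
    return sorted((ip, port, svc, ver)
                  for ip, info in unknown.items()
                  for port, _proto, svc, ver in info["ports"])


if __name__ == "__main__":
    for row in unknown_exposures():
        print("UNAUTHORIZED", *row)
```

Two unknown hosts come out of the sample: one with no reverse name at all running an old SSH build and a Jetty instance, and a test NAS exposing SMB. Both are exactly the kind of system that gets deployed without telling the security team; the `missing` list is the other half of the reconciliation, flagging inventory entries that should be verified or retired.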

Stage Two: The Vulnerability Scanning Process

Asset classification

Once an inventory is completed, assets should be classified and ranked based on their true and inherent risk to the organization. Many factors need to be considered in developing an asset’s inherent risk rating, such as physical or logical connections to higher classified assets, user access, and system availability. For example, an asset in a production environment is going to have a higher criticality than an asset in a test environment, and an internet-facing web server will have a higher criticality than an internal file server.

However, even where an asset is of lower criticality, remediation for that asset should not be ignored. Attackers can compromise these assets to gain a foothold and then move laterally, compromising one system after another until they reach the systems holding sensitive data. Remediation effort should always be prioritized in relation to overall risk.

Asset Ownership

System owners are ultimately responsible for the assets, their associated risks and the liability if those assets become compromised. This step is critical in the success of the vulnerability management program, as it drives the accountability and remediation efforts within the organization. If there is no one to take ownership of the risk, there will not be anyone to drive remediation of that risk.

Scanning Frequency

As part of continuous vulnerability management, an organization should run automated vulnerability scanning tools against all systems on the network on a frequent basis. The frequency is determined by several factors and, depending on asset classification, can range from weekly (or more often) for the most critical assets to monthly for the least critical. Scanning this frequently allows asset owners to track the progress of remediation efforts, identify new risks, and reprioritize remediation based on new intelligence.

When a vulnerability is first published, its effective risk may be rated lower because no exploit is known. Once an automated exploit kit or public proof of concept becomes available, the risk of that vulnerability increases even though its base score does not change. Likewise, a system that was once thought to be clean may become susceptible to a vulnerability, or a set of vulnerabilities, through the introduction of new software or a patch rollback.

There are many factors that could contribute to the risk posture of an asset changing. Frequent scanning ensures that the owner of the asset is kept up to date with the latest information. As an outer limit, vulnerability scanning should take place no less frequently than once per month.

Documented Timelines and Remediation Thresholds

Easily exploitable vulnerabilities should be remediated immediately. This is especially true of those that can yield privileged control to an attacker. Lower-rated vulnerabilities can be remediated according to a timeline agreed in line with the organization's risk appetite.

In the event of a system owner being unable to remediate a vulnerability within the approved timeframe, a remediation exception process should be available. As a part of this process, there should be a documented understanding and acceptance of the risk by the system owner along with an acceptable action plan to remediate the vulnerability by a certain date. Vulnerability exceptions must always have an expiration date.
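The classification, scanning-frequency, remediation-timeline and exception rules above only become enforceable once they are written down as policy a tracker can apply. The following is an added example, not code from the original post or from Tripwire. It rates an asset's inherent criticality from the factors the text names (environment, internet exposure, connection to higher-classified assets), derives a scan interval that never exceeds the monthly outer limit, computes a remediation due date that is immediate for easily exploitable privilege-yielding bugs and is tightened when a public exploit appears or the asset is critical, and enforces that every exception carries an expiry. The policy tables, asset names, owners, CVE-style identifiers and dates are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy tables are ASSUMED for illustration; set them from your own risk appetite.
# No interval exceeds 30 days, the text's outer limit of once per month.
SCAN_INTERVAL_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 30}
# Days allowed to remediate by CVSS band, before tightening for exploitability/criticality.
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str                   # a named system owner; without one nobody drives remediation
    environment: str             # "prod" or "test"
    internet_facing: bool
    connected_to_critical: bool  # physical/logical path to a higher-classified asset


def classify(asset: Asset) -> str:
    """Inherent criticality from the factors in the text (hypothetical rule set)."""
    if asset.environment == "prod" and asset.internet_facing:
        return "critical"
    if asset.environment == "prod" or asset.connected_to_critical:
        return "high"
    if asset.internet_facing:
        return "medium"
    return "low"


def scan_interval_days(asset: Asset) -> int:
    return SCAN_INTERVAL_DAYS[classify(asset)]


def severity_band(cvss: float) -> str:
    """CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Finding:
    asset: Asset
    cve: str                 # placeholder identifiers in the sample data below
    cvss: float              # base score; it does not move when an exploit appears
    exploit_public: bool     # PoC or exploit kit available, so effective risk went up
    grants_privilege: bool   # exploitation yields root/SYSTEM/admin
    first_seen: date
    fixed_on: Optional[date] = None


@dataclass(frozen=True)
class RiskException:
    asset_name: str
    cve: str
    accepted_by: str         # the system owner accepting the risk
    expires: date            # exceptions must always have an expiry


def due_date(f: Finding) -> date:
    """Immediate for easily exploitable privilege-yielding bugs; otherwise the SLA
    for the band, halved for a public exploit and halved again on a critical asset."""
    if f.exploit_public and f.grants_privilege:
        return f.first_seen
    days = REMEDIATION_SLA_DAYS[severity_band(f.cvss)]
    if f.exploit_public:
        days //= 2
    if classify(f.asset) == "critical":
        days //= 2
    return f.first_seen + timedelta(days=days)


def status(f: Finding, exceptions, today: date) -> str:
    if f.fixed_on is not None:
        return "remediated"
    for e in exceptions:
        if e.asset_name == f.asset.name and e.cve == f.cve:
            return "excepted" if today <= e.expires else "exception_expired"
    return "overdue" if today > due_date(f) else "open"


def report(findings, exceptions, today: date):
    """Per-finding status keyed by (asset, cve) for the owner's remediation queue."""
    return {(f.asset.name, f.cve): status(f, exceptions, today) for f in findings}


# Constructed sample data.
WEB = Asset("web-01", "alice", "prod", internet_facing=True, connected_to_critical=False)
FILESRV = Asset("file-01", "bob", "prod", internet_facing=False, connected_to_critical=False)
LAB = Asset("lab-07", "carol", "test", internet_facing=False, connected_to_critical=False)

FINDINGS = [
    Finding(WEB, "CVE-EXAMPLE-1", 9.8, True, True, date(2024, 5, 1)),         # immediate
    Finding(WEB, "CVE-EXAMPLE-2", 6.0, True, False, date(2024, 4, 1)),        # 90 -> 45 -> 22 days
    Finding(FILESRV, "CVE-EXAMPLE-3", 7.5, False, False, date(2024, 4, 20)),  # 30 days
    Finding(LAB, "CVE-EXAMPLE-4", 5.0, False, False, date(2024, 1, 1)),       # under an exception
    Finding(LAB, "CVE-EXAMPLE-5", 4.2, False, False, date(2024, 2, 1), fixed_on=date(2024, 3, 3)),
]
EXCEPTIONS = [RiskException("lab-07", "CVE-EXAMPLE-4", accepted_by="carol", expires=date(2024, 4, 1))]
TODAY = date(2024, 5, 3)

if __name__ == "__main__":
    for key, st in report(FINDINGS, EXCEPTIONS, TODAY).items():
        print(key, st)
```

Note what the second finding shows: a medium-severity bug (CVSS 6.0) on a critical, internet-facing host with a public exploit ends up with a 22-day deadline, much shorter than the 90-day medium band, which is the reprioritization on new intelligence the text calls for. The lab exception lapsed on its expiry date and now reports as `exception_expired` rather than silently continuing to suppress the finding.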

Stage Three: Vulnerability Detection

Vulnerabilities can be identified through an unauthenticated or authenticated scan, or by deploying an agent on the host to determine its vulnerability posture. An external attacker initially sees a system without credentials, so an unauthenticated scan approximates the view of an unprivileged, opportunistic attacker.

An unauthenticated scan is useful for identifying the highest-risk vulnerabilities that an attacker could detect remotely and exploit to gain deeper access to the system. However, it cannot see vulnerabilities in locally installed software that are exploited client-side, for example through an unwitting download of an attachment or the execution of a malicious link, so those often remain undetected.

A much more comprehensive and recommended method for vulnerability scanning is to scan with credentials, or deploy an agent. This allows for increased accuracy in the determination of the vulnerability risk to the organization. Vulnerability signatures specific to the operating system and installed applications that were detected in the discovery and inventory stage are run to identify which vulnerabilities are present.

Stage Four: Reporting and Remediation

It is not uncommon for an organization to have a very high average vulnerability score with lengthy remediation cycles in the initial stages of building the vulnerability management program. The key is to show progress month by month, quarter by quarter and year by year.

The vulnerability risk scores and time to remediation should be decreasing as teams become more familiar with the process and become more educated on the risks that the attackers pose.

To drive remediation, system owners need empirical vulnerability data that outlines which vulnerabilities should be remediated, along with instructions on how to carry out the remediation. Reports should outline the most vulnerable hosts, the highest-scoring vulnerabilities, and/or target specific highly vulnerable applications. This allows the system owners to prioritize their efforts on the vulnerabilities whose remediation reduces the most risk to the organization.

As new vulnerability scans are run, the metrics from the new vulnerability scans can be compared to the previous scans to show trending analysis of the risk as well as remediation progress.
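The trend comparison described above, as an added example that is not part of the original post or Tripwire's tooling: two constructed scan snapshots are diffed into new, fixed and persisting findings, and the metrics a monthly report needs are computed from them, namely total and average risk score, the change between scans, the mean age of open findings, a bound on mean time to remediate, the most vulnerable hosts and the most widespread vulnerabilities. Host names, CVE-style identifiers, scores and dates are all constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed scan snapshots: (host, cve, cvss, first_seen). Identifiers are placeholders.
PREVIOUS_SCAN = [
    ("web-01", "CVE-EXAMPLE-1", 9.8, date(2024, 3, 1)),
    ("web-01", "CVE-EXAMPLE-2", 7.5, date(2024, 3, 1)),
    ("db-01",  "CVE-EXAMPLE-3", 8.1, date(2024, 2, 10)),
    ("lab-07", "CVE-EXAMPLE-2", 7.5, date(2024, 3, 15)),
]
CURRENT_SCAN = [
    ("web-01", "CVE-EXAMPLE-2", 7.5, date(2024, 3, 1)),   # persisting
    ("db-01",  "CVE-EXAMPLE-3", 8.1, date(2024, 2, 10)),  # persisting
    ("lab-07", "CVE-EXAMPLE-2", 7.5, date(2024, 3, 15)),  # persisting
    ("web-02", "CVE-EXAMPLE-4", 5.3, date(2024, 4, 2)),   # new host appeared since last scan
]
CURRENT_SCAN_DATE = date(2024, 4, 10)


def keys(scan):
    return {(host, cve) for host, cve, _, _ in scan}


def diff_scans(previous, current):
    """Findings that appeared, were fixed, or persist between two scans."""
    prev, cur = keys(previous), keys(current)
    return {"new": sorted(cur - prev), "fixed": sorted(prev - cur), "persisting": sorted(prev & cur)}


def total_risk(scan):
    """Summed CVSS of all open findings (a crude but trendable risk score)."""
    return round(sum(cvss for _, _, cvss, _ in scan), 1)


def average_score(scan):
    return round(total_risk(scan) / len(scan), 3) if scan else 0.0


def most_vulnerable_hosts(scan, n=3):
    """Hosts ranked by summed CVSS of their open findings; ties broken by name."""
    by_host = defaultdict(float)
    for host, _, cvss, _ in scan:
        by_host[host] += cvss
    return sorted(by_host.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def most_widespread_vulns(scan, n=3):
    """Vulnerabilities ranked by affected-host count: one fix, many hosts."""
    hosts_per_cve = defaultdict(set)
    for host, cve, _, _ in scan:
        hosts_per_cve[cve].add(host)
    ranked = ((cve, len(hosts)) for cve, hosts in hosts_per_cve.items())
    return sorted(ranked, key=lambda kv: (-kv[1], kv[0]))[:n]


def mean_open_age_days(scan, as_of):
    """How long, on average, the still-open findings have been known."""
    ages = [(as_of - first_seen).days for _, _, _, first_seen in scan]
    return round(sum(ages) / len(ages), 1) if ages else 0.0


def mean_time_to_remediate_days(previous, current, current_scan_date):
    """Upper bound on MTTR for findings fixed since the previous scan; the exact
    fix date is unknown, so the current scan date stands in for it."""
    fixed = set(diff_scans(previous, current)["fixed"])
    ages = [(current_scan_date - first_seen).days
            for host, cve, _, first_seen in previous if (host, cve) in fixed]
    return round(sum(ages) / len(ages), 1) if ages else 0.0


def trend_report(previous, current, current_scan_date):
    d = diff_scans(previous, current)
    return {
        "new": len(d["new"]), "fixed": len(d["fixed"]), "persisting": len(d["persisting"]),
        "total_risk_delta": round(total_risk(current) - total_risk(previous), 1),
        "average_score": average_score(current),
        "mean_open_age_days": mean_open_age_days(current, current_scan_date),
        "mttr_days": mean_time_to_remediate_days(previous, current, current_scan_date),
        "top_hosts": most_vulnerable_hosts(current),
        "top_vulns": most_widespread_vulns(current),
    }


if __name__ == "__main__":
    for k, v in trend_report(PREVIOUS_SCAN, CURRENT_SCAN, CURRENT_SCAN_DATE).items():
        print(f"{k}: {v}")
```

The delta is what the month-by-month narrative is built on: here total risk fell by 4.5 because a critical finding was fixed, but the mean age of what remains is rising, which is the signal that the persisting findings, not the new ones, need owner attention. Keying findings on (host, vulnerability) rather than on host alone is what makes "fixed" meaningful across scans.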

Vulnerability and risk management is an ongoing process. The most successful programs continuously adapt and are aligned with the risk reduction goals of the cybersecurity program within the organization. The process should be reviewed on a regular basis, and staff should be kept up to date with the latest threats and trends in information security. Ensuring that continuous development is in place for the people, processes, and technology will ensure the success of the enterprise vulnerability and risk management program.


The post ” Vulnerability Management Program Best Practices” appeared first on TripWire

Source:TripWire – Irfahn Khimji

Tags: Cloud, Critical Severity, Exploit, High Severity, TripWire
