What is Vulnerability Management?
Vulnerability Management is the ongoing process of identifying, assessing, prioritising, and mitigating vulnerabilities within an organisation’s IT infrastructure. Vulnerabilities are weaknesses or flaws in software, hardware, networks, or configurations that attackers can exploit to gain unauthorised access, disrupt operations, or steal sensitive data.
The objective of Vulnerability Management is to proactively identify and address these vulnerabilities before they can be exploited by attackers. It involves a systematic and continuous approach to minimise security risks and maintain the security posture of an organisation’s digital assets.
What is the Vulnerability Management Process?
The vulnerability management process is made up of the following steps:
- Vulnerability scanning: This involves scanning and examining the IT infrastructure to identify vulnerabilities. Vulnerability scanning tools and techniques are used to discover known vulnerabilities in systems, networks, applications, and devices.
- Vulnerability assessment: Once vulnerabilities are identified, they need to be prioritised based on their severity and potential impact on the organisation. A scanner’s severity rating alone is not enough for this: whether the asset is internet-facing, how critical it is to the business, and whether the vulnerability is already being exploited in the wild all change the real risk. Prioritising on these factors helps allocate resources and focus efforts on addressing the most critical vulnerabilities first.
- Remediation planning: A remediation plan is developed to address identified vulnerabilities. This plan may involve patching or updating software, configuring security settings, implementing additional controls, or applying other mitigation measures.
- Remediation: The identified vulnerabilities are addressed according to the remediation plan. This may involve applying software patches, implementing configuration changes, or deploying additional security measures to mitigate the identified risks. Remediation should be confirmed by re-scanning the asset, so that a finding is closed on evidence rather than because a ticket was marked done.
By implementing effective vulnerability management practices, organisations can reduce the likelihood of successful cyber attacks, minimise potential damages, and ensure the overall security and resilience of their IT infrastructure. It is an essential component of a comprehensive cyber security strategy in today’s threat landscape.
We already have a Patch Management program. Do we also need a Vulnerability Management program?
Vulnerability Management and Patch Management, while closely related, each provide distinct functions within an organisation:
Vulnerability Management programs enable the identification, assessment, and remediation of vulnerabilities. In many cases, remediation of vulnerabilities involves applying patches – and that is where Patch Management comes in. A robust Patch Management program allows for the controlled procurement, testing, and application of patches. In these cases, the Vulnerability Management program feeds into the Patch Management program.
So why do you need both? Here are two reasons:
Not all security vulnerabilities are caused by missing patches
Security vulnerabilities have a range of causes, and a missing patch is only one of them:
- The vulnerable asset was misconfigured.
In this case, the remediation strategy may be to harden the asset by following best practices outlined by the vendor.
- The vulnerable asset was never designed securely.
In this case, remediation strategies may include applying compensating controls such as network segmentation, or replacing the asset with a secure alternative.
- No patch is available, because the vulnerable asset is at end-of-life or end-of-support, or you don’t have a support contract.
In this case, remediation strategies may include applying compensating controls such as real-time security monitoring.
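The process steps above end in a remediation plan, and the three causes just listed each call for a different kind of fix. The following is an added example, not code from this page or from Endure Secure, showing how findings from a scanner export can be scored for priority and mapped to a remediation type and an owning programme. The export format, field names, weights, tiers and deadlines are all assumptions made for the illustration; a real programme would take them from its own risk policy.

```python
"""Added example: turn scanner findings into a prioritised remediation plan.

Illustrative only. Field names, weights, tiers and deadlines are assumptions
for this example and are not taken from any particular scanner or standard.
"""
import json
from dataclasses import dataclass

# Constructed sample export in a hypothetical format (not real scanner output).
SAMPLE_EXPORT = json.dumps([
    {"id": "F-1", "asset": "web-01", "title": "Outdated TLS library",
     "cvss": 9.8, "internet_facing": True, "known_exploited": True,
     "asset_criticality": 3, "cause": "missing_patch",
     "patch_available": True, "vendor_supported": True},
    {"id": "F-2", "asset": "db-02", "title": "Database listening on all interfaces",
     "cvss": 7.5, "internet_facing": False, "known_exploited": False,
     "asset_criticality": 3, "cause": "misconfiguration",
     "patch_available": False, "vendor_supported": True},
    {"id": "F-3", "asset": "plc-07", "title": "Unauthenticated control protocol",
     "cvss": 8.1, "internet_facing": False, "known_exploited": False,
     "asset_criticality": 2, "cause": "insecure_design",
     "patch_available": False, "vendor_supported": True},
    {"id": "F-4", "asset": "kiosk-03", "title": "Unsupported OS with public exploit",
     "cvss": 8.8, "internet_facing": False, "known_exploited": True,
     "asset_criticality": 1, "cause": "missing_patch",
     "patch_available": False, "vendor_supported": False},
    {"id": "F-5", "asset": "intranet-01", "title": "Verbose error pages",
     "cvss": 3.1, "internet_facing": False, "known_exploited": False,
     "asset_criticality": 1, "cause": "misconfiguration",
     "patch_available": False, "vendor_supported": True},
])

# Assumed weights: how much business criticality, exposure and active
# exploitation amplify the scanner's CVSS base score.
CRITICALITY_WEIGHT = {1: 1.0, 2: 1.3, 3: 1.6}
INTERNET_FACING_WEIGHT = 1.5
KNOWN_EXPLOITED_WEIGHT = 2.0

# Assumed tiers: (minimum score, tier name, remediation deadline in days).
TIERS = [(20.0, "critical", 7), (12.0, "high", 30), (6.0, "medium", 90), (0.0, "low", 180)]


@dataclass
class PlanItem:
    finding_id: str
    asset: str
    score: float
    tier: str
    deadline_days: int
    remediation: str
    owner: str  # which programme executes the fix


def priority_score(finding: dict) -> float:
    """Risk score: CVSS amplified by asset criticality, exposure and exploitation."""
    score = finding["cvss"] * CRITICALITY_WEIGHT[finding["asset_criticality"]]
    if finding["internet_facing"]:
        score *= INTERNET_FACING_WEIGHT
    if finding["known_exploited"]:
        score *= KNOWN_EXPLOITED_WEIGHT
    return round(score, 2)


def tier_for(score: float) -> tuple:
    """Return (tier name, deadline days) for the first tier whose minimum is met."""
    for minimum, name, days in TIERS:
        if score >= minimum:
            return name, days
    return TIERS[-1][1], TIERS[-1][2]  # only reached for negative scores


def choose_remediation(finding: dict) -> tuple:
    """Map the cause of a finding to a remediation type and the owning programme."""
    cause = finding["cause"]
    if cause == "misconfiguration":
        return "harden to vendor best-practice configuration", "vulnerability management"
    if cause == "insecure_design":
        return "compensating control (segmentation) or replace asset", "vulnerability management"
    # Remaining cause is a missing patch: only hand it to Patch Management if a
    # patch actually exists and the vendor still supports the asset.
    if finding["patch_available"] and finding["vendor_supported"]:
        return "apply vendor patch", "patch management"
    return "compensating control (monitoring); plan replacement of EOL asset", "vulnerability management"


def build_plan(export_json: str) -> list:
    """Parse the export, score every finding and return items highest risk first."""
    items = []
    for finding in json.loads(export_json):
        score = priority_score(finding)
        tier, days = tier_for(score)
        remediation, owner = choose_remediation(finding)
        items.append(PlanItem(finding["id"], finding["asset"], score, tier, days, remediation, owner))
    items.sort(key=lambda item: (-item.score, item.finding_id))
    return items


if __name__ == "__main__":
    for item in build_plan(SAMPLE_EXPORT):
        print(f"{item.finding_id} {item.asset:12} {item.score:6.2f} {item.tier:8} "
              f"due in {item.deadline_days:3}d: {item.remediation} [{item.owner}]")
```

Run on the constructed sample, the internet-facing, actively exploited web server comes out first and is the only finding routed to Patch Management. The low-criticality kiosk outranks the critical database because its vulnerability is known to be exploited, yet no patch exists for it, so it gets a compensating control and a replacement plan instead of a patch ticket. The PLC scores below the database despite a higher CVSS because the example weights asset criticality; swap in your own weights and the ordering changes, which is the point of owning the prioritisation rather than reading severities straight off the scanner.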
Not all patches actually address security vulnerabilities
Many patches are applied to fix non-critical bugs, enhance performance, add functionality, or change the look-and-feel of an asset. These quality-of-life patches are separate from the security patches prescribed by the Vulnerability Management program. Without a Patch Management program to ensure that these patches are being applied, users may be stuck with outdated, inefficient IT infrastructure and applications.
Contact Endure Secure
Endure Secure is available to answer your Vulnerability Management enquiry within 8 business hours. Please include as much information as possible for your request.
Please contact us using this form, email us at [email protected], or call us on 0420 231 893.