
Vulnerability Management

What Is a Vulnerability?
• Vulnerability = (Exposure) + (Resistance) + (Resilience), with:
Exposure: property and population at risk;
Resistance: measures taken to prevent, avoid or reduce loss;
Resilience: ability to recover the prior state or achieve a desired post-disaster state.
• Vulnerability management is generally defined as the process of identifying, categorizing, prioritizing, and resolving
vulnerabilities in operating systems (OS), enterprise applications (whether in the cloud or on-premises), browsers, and
end-user applications. An ongoing process, vulnerability management seeks to continually identify vulnerabilities that can
be remediated through patching and configuration of security settings.
• Mistakes happen, even in the process of building and coding technology. What’s left behind from these mistakes is
commonly referred to as a bug. While bugs aren’t inherently harmful (except to the potential performance of the
technology), many can be taken advantage of by nefarious actors—these are known as vulnerabilities. Vulnerabilities can
be leveraged to force software to act in ways it’s not intended to, such as gleaning information about the current security
defenses in place.
• Once a bug is determined to be a vulnerability, it is registered by MITRE as a CVE (a Common Vulnerabilities and Exposures entry)
and assigned a Common Vulnerability Scoring System (CVSS) score to reflect the potential risk it could introduce to your
organization. This central listing of CVEs serves as a reference point for vulnerability scanners.
• Generally speaking, a vulnerability scanner will scan and compare your environment against a vulnerability database, or a
list of known vulnerabilities; the more information the scanner has, the more accurate its performance. Once a team has a
report of the vulnerabilities, developers can use penetration testing as a means to see where the weaknesses are, so the
problem can be fixed and future mistakes can be avoided. When employing frequent and consistent scanning, you'll start
to see common threads between the vulnerabilities for a better understanding of the full system.
• Vulnerability management is the process of identifying, evaluating, treating, and reporting on security
vulnerabilities in systems and the software that runs on them. Implemented alongside other security
tactics, it is vital for organizations to prioritize possible threats and minimize their "attack surface."
• Security vulnerabilities, in turn, refer to technological weaknesses that allow attackers to compromise a
product and the information it holds. This process needs to be performed continuously in order to keep up
with new systems being added to networks, changes that are made to systems, and the discovery of new
vulnerabilities over time.
• Vulnerability management software can help automate this process. Such software uses a vulnerability scanner and
sometimes endpoint agents to inventory a variety of systems on a network and find vulnerabilities on them.
Once vulnerabilities are identified, the risk they pose needs to be evaluated in different contexts so decisions
can be made about how to best treat them. For example, vulnerability validation can be an effective way to
contextualize the real severity of a vulnerability.
4 steps to vulnerability management.
• A vulnerability management process can vary between environments, but most should follow four main
stages—identifying vulnerabilities, evaluating vulnerabilities, treating vulnerabilities, and finally reporting
vulnerabilities. Typically, a combination of tools and human resources performs these processes.
Vulnerability Assessment: Generally, a Vulnerability Assessment is a portion of the complete Vulnerability
Management system. Organizations will likely run multiple Vulnerability Assessments to get more information
on their Vulnerability Management action plan.
However, while a vulnerability assessment has a specific start and end date, vulnerability management is a
continual process that aims to manage an organization's cybersecurity vulnerabilities long-term.
Vulnerability Assessment
What is vulnerability assessment?
• Vulnerability Assessment refers to a continuous process or plan that:
• Defines what is classified as a vulnerability across the network.
• Identifies and prioritizes vulnerabilities in the network for remediation, based on greatest impact to risk reduction.
• Determines remediation actions for vulnerabilities found in the assessment; this often requires a patch to be applied or an asset to be
contained.
Vulnerability assessment is the procedure of examining, identifying, and analyzing the ability of a system or application, including the security
processes running on it, to withstand any threat. Through vulnerability assessment, you can identify weaknesses and threats to a
system, scope a vulnerability, and estimate the need for and effectiveness of any additional security layer.
Types of Vulnerability Assessment
The following are the types of vulnerability assessment:
1. Active Assessment
2. Passive Assessment
3. Host-based Assessment
4. Internal Assessment
5. External Assessment
6. Network Assessment
7. Wireless Network Assessment
8. Application Assessment
Process cycle of vulnerability assessment
The different types of vulnerability
In the table below, four different types of vulnerability are identified (Human-social, Physical, Economic and Environmental), together with
their associated direct and indirect losses. The table gives examples of types of losses; the ones indicated in red are those that are most
frequently evaluated.
According to the different types of losses, the vulnerability can be defined as physical vulnerability, economic
vulnerability, social vulnerability and environmental vulnerability.
1. Physical Vulnerability: the potential for physical impact on the physical environment, which can
be expressed as elements-at-risk (EaR): the degree of loss to a given EaR or set of EaR resulting from the
occurrence of a natural phenomenon of a given magnitude, expressed on a scale from 0 (no damage)
to 1 (total damage).
2. Economic vulnerability: the potential impacts of hazards on economic assets and processes (i.e. business
interruption, secondary effects such as increased poverty and job loss), and the vulnerability of different economic
sectors.
3. Social vulnerability: the potential impacts of events on groups such as the poor, single-parent households,
pregnant or lactating women, the handicapped, children, and the elderly; consider public awareness of risk, the
ability of groups to cope with catastrophes on their own, and the status of institutional structures designed to help
them cope.
4. Environmental vulnerability: the potential impacts of events on the environment (flora, fauna,
ecosystems, biodiversity).
Name top 10 vulnerabilities
• Injection
• Network Security Vulnerability
• Broken Authentication
• Sensitive data exposure
• XML External Entities (XXE)
• Broken Access control
• Security misconfigurations
• Cross Site Scripting (XSS)
• Insecure Deserialization
• Using Components with known vulnerabilities
• Insufficient logging and monitoring
Vulnerability Management Tools
• Rapid7
• Tenable
• F-Secure
• Tripwire
• Nessus
• OpenVAS
• Nexpose
• Retina
• Technet24
• GFI LanGuard
• Qualys FreeScan
• BreachLock
• Greenbone
• SaltStack
• Positive MaxPatrol
• Beyond Security
• Honorable mentions
How are vulnerabilities defined? Vulnerability Scoring Systems
• While security vendors can choose to build their own vulnerability definitions, vulnerability management is
commonly seen as being an open, standards-based effort using the Security Content Automation Protocol (SCAP)
standard developed by the National Institute of Standards and Technology (NIST). At a high level, SCAP can be
broken down into a few components:
• Common vulnerabilities and exposures (CVE) – Each CVE defines a specific vulnerability by which an
attack may occur.
• Common configuration enumeration (CCE) – A CCE is a list of system security configuration issues that can
be used to develop configuration guidance.
• Common platform enumeration (CPE) – CPEs are standardized methods of describing and identifying classes
of applications, operating systems, and devices within your environment. CPEs are used to describe what a CVE
or CCE applies to.
• Common vulnerability scoring system (CVSS) – This scoring system works to assign severity scores to each
defined vulnerability and is used to prioritize remediation efforts and resources according to the threat. Scores
range from 0 to 10, with 10 being the most severe.
• Many public sources of vulnerability definitions exist, such as the National Vulnerability Database (NVD) or
Microsoft’s security updates and are freely available. Additionally, several vendors offer access to private
vulnerability databases via paid subscription.
The vulnerability management process
• At a high level, 6 processes make up vulnerability management—each with their own subprocesses and tasks.
1. Discover: You can’t secure what you’re unaware of. The first process involves taking an inventory of all
assets across the environment, identifying details including operating system, services, applications, and
configurations to identify vulnerabilities. This usually includes both a network scan and an authenticated
agent-based system scan. Discovery should be performed regularly on an automated schedule.
2. Prioritize: Second, discovered assets need to be categorized into groups and assigned a risk-based
prioritization based on criticality to the organization.
3. Assess: Third is establishing a risk baseline for your point of reference as vulnerabilities are remediated and
risk is eliminated. Assessments provide an ongoing baseline over time.
4. Remediate: Fourth, based on risk prioritization, vulnerabilities should be fixed (whether via patching or
reconfiguration). Controls should be in place so that remediation is completed successfully and
progress can be documented.
5. Verify: Fifth, validation of remediation is accomplished through additional scans and/or IT reporting.
6. Report: Finally, IT, executives, and the C-suite all need to understand the current state of risk around
vulnerabilities. IT needs tactical reporting on vulnerabilities identified and remediated (by comparing the
most recent scan with the previous one), executives need a summary of the current state of vulnerability
(think red/yellow/green type reporting), and the C-suite needs something high-level like simple risk scores
across parts of the business.
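The Verify and Report steps above both rest on the same operation: comparing the latest scan with the previous one and rolling the result up for each audience. The Python below is an added example for these notes, not code from the original slides. It diffs two constructed scanner exports (the CVE identifiers are placeholders, not real advisories) and produces the three views named in the Report step: the tactical identified/remediated list for IT, a red/yellow/green status for executives, and a per-business-unit risk total for the C-suite. The `owner_of` mapping and the colour thresholds are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str     # asset identifier as reported by the scanner
    cve: str      # vulnerability identifier; placeholders below, not real advisories
    cvss: float   # base score reported with the finding


# Constructed sample data standing in for two scanner exports of the same network.
PREVIOUS_SCAN = {
    Finding("web01", "CVE-0000-0001", 9.8),
    Finding("web01", "CVE-0000-0002", 5.3),
    Finding("db01", "CVE-0000-0003", 7.5),
    Finding("db01", "CVE-0000-0004", 3.1),
}
LATEST_SCAN = {
    Finding("web01", "CVE-0000-0002", 5.3),   # still open
    Finding("db01", "CVE-0000-0003", 7.5),    # still open
    Finding("db01", "CVE-0000-0005", 8.8),    # new since the previous scan
    Finding("app02", "CVE-0000-0006", 6.5),   # host not seen in the previous scan
}


def compare_scans(previous, latest):
    """Tactical view for IT: which (host, cve) pairs were remediated, which are new
    and which persist. A host that was merely unreachable this time would also make
    its findings 'disappear', so such hosts are reported separately for follow-up."""
    prev = {(f.host, f.cve) for f in previous}
    curr = {(f.host, f.cve) for f in latest}
    prev_hosts = {f.host for f in previous}
    curr_hosts = {f.host for f in latest}
    return {
        "remediated": sorted(prev - curr),
        "new": sorted(curr - prev),
        "persisting": sorted(prev & curr),
        "hosts_not_seen": sorted(prev_hosts - curr_hosts),
    }


def traffic_light(findings, red_at=9.0, yellow_at=7.0):
    """Executive view: the worst open base score collapsed to red/yellow/green.
    Thresholds are assumptions; align them with the organization's risk appetite."""
    worst = max((f.cvss for f in findings), default=0.0)
    if worst >= red_at:
        return "red"
    if worst >= yellow_at:
        return "yellow"
    return "green"


def risk_by_business_unit(findings, owner_of):
    """C-suite view: a simple risk score per part of the business, here the sum of
    open base scores for the hosts each unit owns. owner_of is an assumed lookup
    from the asset inventory: host -> business unit."""
    totals = {}
    for f in findings:
        unit = owner_of.get(f.host, "unassigned")
        totals[unit] = round(totals.get(unit, 0.0) + f.cvss, 1)
    return totals


if __name__ == "__main__":
    diff = compare_scans(PREVIOUS_SCAN, LATEST_SCAN)
    for bucket, items in diff.items():
        print(f"{bucket:15} {items}")
    print("status:", traffic_light(LATEST_SCAN))
    print("risk by unit:", risk_by_business_unit(
        LATEST_SCAN, {"web01": "ecommerce", "db01": "ecommerce"}))
```

Treat the "remediated" bucket as a claim to be verified rather than a fact: a finding drops out of a scan whenever the host was powered off, firewalled from the scanner, or renamed, not only when it was patched. The `hosts_not_seen` list and an "unassigned" owner in the C-suite view are the two places where inventory gaps surface in this report.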
The most common software security vulnerabilities include:
• Missing data encryption
• OS command injection
• SQL injection
• Buffer overflow
• Missing authentication for critical function
• Missing authorization
• Unrestricted upload of dangerous file types
• Reliance on untrusted inputs in a security decision
• Cross-site scripting and forgery
• Download of code without integrity checks
• Use of broken algorithms
• URL redirection to untrusted sites
• Path traversal
• Bugs
• Weak passwords
• Software that is already infected with a virus
Vulnerability management solutions
• Many commercial solutions exist to simplify and automate the process of vulnerability management. Some focus
solely on vulnerability assessment, some perform vulnerability scanning only, while still others look to provide
comprehensive coverage of the entire vulnerability management process.
• Additionally, many security solutions go beyond just offering vulnerability management, adding value by
integrating other security functionality that, in total, helps to protect the environment better, including:
• Asset discovery
• Data classification
• Intrusion detection
• Privileged access management
• Threat detection and response
• SIEM and log data correlation
• Compliance auditing and reporting
Security Vulnerability Examples
• A Security Vulnerability is a weakness, flaw, or error found within a security system that has the potential to be leveraged
by a threat agent in order to compromise a secure network. There are a number of Security Vulnerabilities, but some
common examples are:
• Broken Authentication: When authentication credentials are compromised, user sessions and identities can be hijacked by
malicious actors to pose as the original user.
• SQL Injection: As one of the most prevalent security vulnerabilities, SQL injections attempt to gain access to database
content via malicious code injection. A successful SQL injection can allow attackers to steal sensitive data, spoof identities,
and participate in a collection of other harmful activities.
• Cross-Site Scripting: Much like an SQL Injection, a Cross-site scripting (XSS) attack also injects malicious code into a
website. However, a Cross-site scripting attack targets website users, rather than the actual website itself, which puts
sensitive user information at risk of theft.
• Cross-Site Request Forgery: A Cross-Site Request Forgery (CSRF) attack aims to trick an authenticated user into
performing an action that they do not intend to do. This, paired with social engineering, can deceive users into accidentally
providing a malicious actor with personal data.
• Security Misconfiguration: Any component of a security system that can be leveraged by attackers due to a configuration
error can be considered a “Security Misconfiguration.”
• Cybersecurity Vulnerabilities. In cybersecurity, a vulnerability is a potential weakness in a security architecture that opens
an organization or individual to cyberattacks.
• Cybersecurity Threats. The term "cybersecurity threat" refers to the combination of tools and methods involved in a
cyberattack. These threats are not inherent to the network. Instead, they leverage vulnerabilities on the network.
• Cybersecurity Exploits. Exploits can be defined as when a cybersecurity threat is applied to a vulnerability to conduct
some form of malicious activity. Impacts of these exploits may vary by threat and vulnerability type.
What is Vulnerability Management and Scanning?
How Scans Work
One of the most common mechanisms for conducting such an assessment is through scanning. Vulnerability scans include:
• Network-based scans
• Host-based scans
• Wireless scans
• Database scans
• Application scans
These scans may be internal, external, or environmental in nature and may be manual or automated. Scans can quickly
identify issues that need to be fixed. Scanning is often supplemented by penetration testing, both automated and
manual.
Vulnerability Lifecycle Management
• The vulnerability management process can be broken down into the following four steps:
1. Identifying Vulnerabilities
2. Evaluating Vulnerabilities
3. Treating Vulnerabilities
4. Reporting Vulnerabilities
Step 1: Identifying Vulnerabilities
At the heart of a typical vulnerability management solution is a vulnerability scanner. The scan consists of four stages:
• Scan network-accessible systems by pinging them or sending them TCP/UDP packets
• Identify open ports and services running on scanned systems
• If possible, remotely log in to systems to gather detailed system information
• Correlate system information with known vulnerabilities
Vulnerability scanners are able to identify a variety of systems running on a network, such as laptops and desktops, virtual and physical servers,
databases, firewalls, switches, printers, etc. Identified systems are probed for different attributes: operating system, open ports, installed
software, user accounts, file system structure, system configurations, and more. This information is then used to associate known
vulnerabilities to scanned systems. In order to perform this association, vulnerability scanners will use a vulnerability database that contains a
list of publicly known vulnerabilities.
Properly configuring vulnerability scans is an essential component of a vulnerability management solution. Vulnerability scanners can
sometimes disrupt the networks and systems that they scan. If available network bandwidth becomes very limited during an organization’s
peak hours, then vulnerability scans should be scheduled to run during off hours.
If some systems on a network become unstable or behave erratically when scanned, they might need to be excluded from vulnerability scans,
or the scans may need to be fine-tuned to be less disruptive. Adaptive scanning is a new approach to further automating and streamlining
vulnerability scans based on changes in a network. For example, when a new system connects to a network for the first time, a vulnerability
scanner will scan just that system as soon as possible instead of waiting for a weekly or monthly scan to start scanning that entire network.
Vulnerability scanners aren’t the only way to gather system vulnerability data anymore, though. Endpoint agents allow vulnerability
management solutions to continuously gather vulnerability data from systems without performing network scans. This helps organizations
Step 2: Evaluating Vulnerabilities
After vulnerabilities are identified, they need to be evaluated so the risks posed by them are dealt with appropriately and in accordance with an
organization’s risk management strategy. Vulnerability management solutions will provide different risk ratings and scores for vulnerabilities,
such as Common Vulnerability Scoring System (CVSS) scores. These scores are helpful in telling organizations which vulnerabilities they should
focus on first, but the true risk posed by any given vulnerability depends on some other factors beyond these out-of-the-box risk ratings and
scores.
Here are some examples of additional factors to consider when evaluating vulnerabilities:
• Is this vulnerability a true or false positive?
• Could someone directly exploit this vulnerability from the Internet?
• How difficult is it to exploit this vulnerability?
• Is there known, published exploit code for this vulnerability?
• What would be the impact to the business if this vulnerability were exploited?
• Are there any other security controls in place that reduce the likelihood and/or impact of this vulnerability being exploited?
• How old is the vulnerability/how long has it been on the network?
Like any security tool, vulnerability scanners aren’t perfect. Their vulnerability detection false-positive rates, while low, are still greater than zero.
Performing vulnerability validation with penetration testing tools and techniques helps weed out false-positives so organizations can focus their
attention on dealing with real vulnerabilities. The results of vulnerability validation exercises or full-blown penetration tests can often be an
eye-opening experience for organizations that thought they were secure enough or that the vulnerability wasn’t that risky.
Step 3: Treating Vulnerabilities
Once a vulnerability has been validated and deemed a risk, the next step is prioritizing how to treat that vulnerability together with the
original stakeholders of the business or network. There are different ways to treat vulnerabilities, including:
Remediation: Fully fixing or patching a vulnerability so it can’t be exploited. This is the ideal treatment option that organizations strive for.
Mitigation: Lessening the likelihood and/or impact of a vulnerability being exploited. This is sometimes necessary when a proper fix or patch
isn’t yet available for an identified vulnerability. This option should ideally be used to buy time for an organization to eventually remediate a
vulnerability.
Acceptance: Taking no action to fix or otherwise lessen the likelihood/impact of a vulnerability being exploited. This is typically justified when
a vulnerability is deemed a low risk, and the cost of fixing the vulnerability is substantially greater than the cost incurred by an organization if
the vulnerability were to be exploited.
Vulnerability management solutions provide recommended remediation techniques for vulnerabilities. Occasionally a remediation
recommendation isn’t the optimal way to remediate a vulnerability; in those cases, the right remediation approach needs to be determined
by an organization’s security team, system owners, and system administrators. Remediation can be as simple as applying a readily-available
software patch or as complex as replacing a fleet of physical servers across an organization’s network.
However, not all vulnerabilities need to be fixed. For example, if an organization’s vulnerability scanner has identified vulnerabilities in Adobe
Flash Player on their computers, but they completely disabled Adobe Flash Player from being used in web browsers and other client
applications, then those vulnerabilities could be considered sufficiently mitigated by a compensating control.
Step 4: Reporting vulnerabilities
• Performing regular and continuous vulnerability assessments enables organizations to understand the speed and efficiency of their
vulnerability management program over time. Vulnerability management solutions typically have different options for exporting and
visualizing vulnerability scan data with a variety of customizable reports and dashboards. Not only does this help IT teams easily
understand which remediation techniques will help them fix the most vulnerabilities with the least amount of effort, or help security teams
monitor vulnerability trends over time in different parts of their network, but it also helps support organizations’ compliance and
regulatory requirements.
• Staying Ahead of Attackers through Vulnerability Management
• Threats and attackers are constantly changing, just as organizations are constantly adding new mobile devices, cloud services, networks,
and applications to their environments. With every change comes the risk that a new hole has been opened in your network, allowing
attackers to slip in and walk out with your crown jewels.
• Every time you get a new affiliate partner, employee, client or customer, you open up your organization to new opportunities, but you’re
also exposing it to new threats. Protecting your organization from these threats requires a vulnerability management solution that can
keep up with and adapt to all of these changes. Without that, attackers will always be one step ahead.
Vulnerability Management - Building a Vulnerability Management Program
• What can you do to create or establish an IT vulnerability management framework in your own organization?
There are a couple of ways to build out a vulnerability management program: creating the program internally
or using a vulnerability management service from a managed security service provider (MSSP).
• When building a vulnerability management program internally, there are several factors that you will need to
account for:
Inventory Management. You can’t patch what you don’t know you have. Tracking your inventory of assets is
crucial for verifying that you have addressed all vulnerabilities in your network. If you have an unknown asset on
the network, then you will have unpatched vulnerabilities from that asset.
Patch Management. How will you deliver security patches to your network assets? When will patches be
applied? Will you have to disable some or all of your network to apply fixes to your major vulnerabilities?
Vulnerability Scanning Solutions. How will you check for vulnerabilities? It’s important to have a comprehensive
suite of vulnerability scanning tools for detecting weaknesses and logging them for future fixes. Checking
external network assets (such as vendor networks, cloud-based applications, and external servers) with
vulnerability scanners is also crucial for modern vulnerability testing.
Risk Assessment. What are the biggest security risks revealed during penetration testing? When allocating
resources to patch management, it is important to prioritize the easiest to fix vulnerabilities that have the
biggest impact on your network security. For example, if there was a vulnerability that could be fixed with less
than 15 minutes of work, but would cost you $1 million if an attack leveraged it, that would take priority over a
minor bug that would take hours to fix and not affect any critical systems if exploited.
Vulnerability Assessment vs. Penetration Testing
Vulnerability assessments share many of the same characteristics as penetration tests, as both allow
organizations to rigorously probe their defenses. Pen tests may be manual or automated. In manual
scenarios, human testers play the role of “ethical hackers” and use their expertise to try and breach an
organization’s defenses and exfiltrate critical assets. In doing so, penetration testers assume the perspective
of attackers and help defenders understand not only if vulnerabilities exist, but also how they may be
exploited and the cost of such an event.
Vulnerability Management vs. Risk Management
While vulnerability management is an ongoing process of managing security gaps,
risk management takes a broader view of anything that could pose a threat to an
organization. A sound risk management strategy allows risks to be identified,
analyzed, and mitigated effectively. This approach helps organizations understand
not only the vulnerabilities that exist but the scale of the damage that could occur
should they be exploited. A risk and vulnerability assessment, conducted under the
umbrella of risk management, can provide an especially broad perspective on the
strength of an organizational security posture.
Threat Assessment vs. Vulnerability Assessment
Vulnerability assessments attempt to identify the gaps or weaknesses that
undermine an organization’s security. Threat assessments study the entities and
the tactics and techniques used to threaten an organization. Risk, meanwhile, is a
calculated assessment of both threats and vulnerabilities.
Vulnerability Management - Preparation phase
Vulnerability Management Process: Step-by-Step
A vulnerability management process consists of five phases:
• Preparation
• Vulnerability scan
• Define remediating actions
• Implement remediating actions
• Rescan
Vulnerability life cycle
• The Vulnerability Management Life Cycle is intended to allow organizations to identify computer system security weaknesses;
prioritize assets; assess, report, and remediate the weaknesses; and verify that they have been eliminated.
Vulnerability Management Cycle:
Creating Baseline:
• In this phase, critical assets are identified and prioritized to define the vulnerability management scope, define the policy and
standards, and define the information protection procedure.
There is a list of things that you need to follow:
• Identify business processes.
• Identify services, applications, and data.
• Create a list of all assets.
• Prioritize the critical assets.
• Create a map of the network infrastructure.
• Identify previous control systems.
• Identify policy and standards.
• Define the assessment scope and create information protection procedures.
Vulnerability Assessment:
• In this phase, a vulnerability scan is performed to identify vulnerabilities in the OS, web applications, web servers, and other
services. This phase helps to identify the category and criticality of each vulnerability and minimizes the level of risk.
Vulnerability Assessment Tasks:
• Examine and evaluate current physical security.
• Identify misconfigurations.
• Identify human errors.
• Perform vulnerability scanning through a tool.
• Prioritize the vulnerabilities.
• Validate the vulnerabilities.
• Create a vulnerability report.
Risk Assessment:
In this phase, risks are identified, characterized and classified with risk control techniques. Vulnerabilities
are categorized based on impact level (such as Low, Medium, High).
Remediation:
This refers to performing the steps used to mitigate the vulnerabilities found, according to their impact level. In
this phase the response team designs a mitigation process to cover the vulnerabilities.
Remediation tasks:
• Prioritize recommendations
• Design an action plan to execute the recommendations
• Perform root cause analysis
• Apply the solutions
Verification:
This phase helps to verify whether all the previous phases were properly carried out, and also verifies
the remedies.
Tasks performed in this phase:
• Run dynamic analysis
• Attack surface verification
Monitor:
Incident monitoring is performed using firewall, IDS/IPS or SIEM tools.
Key risk-based vulnerability management strategies
If vulnerability management is aimed at detecting, removing, and controlling the inherent risk of
vulnerabilities to an organization, then vulnerabilities in need of fixing must be prioritized based on
which ones pose the most immediate risk.
These can stem from unpatched operating systems, or programs and apps running old software
versions, or siloed applications plugged into a modern network. They can also include users who might
bring infected devices into the network or share sensitive data inappropriately.
4 basic risk-based vulnerability management building blocks
• Visibility into everything (all assets) on the network or in the environment – managed and
unmanaged (BYOD) devices, apps, users, and data.
• Scanning and monitoring across a broad range of attack vectors for each asset.
• Prioritizing results based on context – for each asset, this means knowing how critical it is to your
business (the value of the asset); how vulnerable it is (the severity of the vulnerability); any existing
security controls already in place; and any ongoing global threats.
• Guidance on the best approach as you work to mitigate identified vulnerabilities.
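The evaluation questions under Step 2 (true or false positive, reachable from the Internet, public exploit code, business impact, existing controls, age) and the four building blocks above describe the same thing from two angles: a base score is only the starting point, and the ranking that drives remediation comes from context. The Python below is an added example for these notes, not code from the original slides or from any vendor. It turns those factors into a contextual risk score, ranks a set of constructed findings (placeholder CVE identifiers, not real advisories) and maps each to the Step 3 treatment options, including the compensating-control case illustrated by the disabled Flash Player example. All weights and thresholds are assumptions; an organization sets its own.

```python
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int        # 1 (low value) .. 5 (crown jewels), assigned by the business
    internet_facing: bool   # directly reachable from the Internet


@dataclass
class Finding:
    asset: Asset
    cve: str                          # placeholder identifiers below, not real advisories
    cvss: float                       # scanner-reported base score, 0..10
    exploit_public: bool              # known, published exploit code exists
    age_days: int                     # how long the finding has been on the network
    validated: bool = True            # False until confirmed not to be a false positive
    compensating_controls: list = field(default_factory=list)


def risk_score(f: Finding) -> float:
    """Contextual risk for one finding. The weights are illustrative assumptions:
    the base score is scaled by asset value, exposure, threat (public exploit) and
    age, then reduced for every compensating control already in place."""
    if not f.validated:
        return 0.0                    # unconfirmed findings are verified, not ranked
    score = f.cvss * (f.asset.criticality / 5)
    if f.asset.internet_facing:
        score *= 1.5
    if f.exploit_public:
        score *= 1.5
    score *= 1 + min(f.age_days, 365) / 365        # doubles after a year unaddressed
    score *= 0.5 ** len(f.compensating_controls)   # each control halves residual risk
    return round(score, 2)


def treatment(f: Finding, accept_below=2.0, mitigated_below=5.0) -> str:
    """Map residual risk to the treatment options: remediate, mitigate or accept.
    Thresholds are assumptions to be set from the organization's risk appetite."""
    if not f.validated:
        return "verify (possible false positive)"
    r = risk_score(f)
    if r < accept_below:
        return "accept"
    if f.compensating_controls and r < mitigated_below:
        return "mitigated (compensating control)"
    return "remediate"


def prioritize(findings):
    """Highest contextual risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample: three assets of very different value and exposure.
ERP_DB = Asset("erp-db", criticality=5, internet_facing=False)
SHOP_WEB = Asset("shop-web", criticality=4, internet_facing=True)
KIOSK = Asset("lobby-kiosk", criticality=1, internet_facing=False)

SAMPLE_FINDINGS = [
    Finding(SHOP_WEB, "CVE-0000-0101", 9.8, exploit_public=True, age_days=3),
    Finding(ERP_DB, "CVE-0000-0102", 7.8, exploit_public=False, age_days=120),
    # Same 9.8 as the first finding, but on a low-value, isolated asset whose
    # vulnerable component is already disabled (the Flash Player situation above).
    Finding(KIOSK, "CVE-0000-0103", 9.8, exploit_public=True, age_days=400,
            compensating_controls=["vulnerable plugin disabled in all browsers"]),
    Finding(KIOSK, "CVE-0000-0104", 4.3, exploit_public=False, age_days=10),
    Finding(SHOP_WEB, "CVE-0000-0105", 7.5, exploit_public=False, age_days=1, validated=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.2f}  {f.asset.name:12} {f.cve}  cvss={f.cvss}  -> {treatment(f)}")
```

The point of the sample is the two 9.8 findings: identical base scores, but one lands at the top of the queue and the other is a documented mitigation, which is exactly what the scanner's out-of-the-box rating cannot tell you. The compensating-control discount should be reviewed whenever the control changes (a re-enabled plugin silently restores the full risk), and a "mitigated" outcome is a way to buy time, as the Step 3 text says, not a permanent state.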
Patch Management: Benefits and Best Practices
What is patch management?
Patch management is the process of distributing and applying updates to software.
These patches are often necessary to correct errors (also referred to as “vulnerabilities”
or “bugs”) in the software.
Why do we need patch management?
Patch management is important for the following key reasons:
• Security: Patch management fixes vulnerabilities on your software and applications
that are susceptible to cyber-attacks, helping your organization reduce its security risk.

• System uptime: Patch management ensures your software and applications are kept
up-to-date and run smoothly, supporting system uptime.

• Compliance: With the continued rise in cyber-attacks, organizations are often required
by regulatory bodies to maintain a certain level of compliance. Patch management is a
necessary piece of adhering to compliance standards.

• Feature improvements: Patch management can go beyond software bug fixes to also
include feature/functionality updates. Patches can be critical to ensuring that you have
the latest and greatest that a product has to offer.
How your organization benefits from an efficient patch management program
Benefit from patch management in a variety of ways:
• A more secure environment: When you’re regularly patching vulnerabilities, you’re helping to manage and reduce the risk that exists in your
environment. This helps protect your organization from potential security breaches.
• Happy customers: If your organization sells a product or service that requires customers to use your technology, you know how important it
is that the technology actually works. Patch management is the process of fixing software bugs, which helps keep your systems up and
running.
• No unnecessary fines: If your organization is not patching and, therefore, not meeting compliance standards, you could be hit with some
monetary fines from regulatory bodies. Successful patch management ensures that you are in compliance.
• Continued product innovation: You can implement patches to update your technology with improved features and functionality. This can
provide your organization with a way to deploy your latest innovations to your software at scale.
The patch management process
• It would be a poor strategy to just install new patches the second they become available for all assets in your organization's inventory without
considering the impact. Instead, a more strategic approach should be taken. Patch management should be implemented with a detailed,
organizational process that is both cost-effective and security-focused.
• Key steps to the patch management process include:
• Develop an up-to-date inventory of all your production systems: Whether this be on a quarterly or monthly basis, this is the only way to
truly monitor what assets exist in your ecosystem. Through diligent asset management, you’ll have an informed view of operating systems,
version types, and IP addresses that exist, along with their geographic locations and organizational “owners.” As a general rule, the more
frequently you maintain your asset inventory, the more informed you're going to be.
• Devise a plan for standardizing systems and operating systems to the same version type: Although difficult to execute on, standardizing
your asset inventory makes patching faster and more efficient. You’ll want to standardize your assets down to a manageable number so that
you can accelerate your remediation process as new patches are released. This will help save both you and technical teams time spent
remediating.
• Make a list of all security controls that are in place within your organization: Keep track of your firewalls, antivirus, and vulnerability
management tool. You’ll want to know where these are sitting, what they’re protecting, and which assets are associated with them.
• Compare reported vulnerabilities against your inventory: Using your vulnerability management tool to assess which vulnerabilities exist for which assets
in your ecosystem is going to help you understand your security risk as an organization.
• Classify the risk: Through vulnerability management tools you can easily manage which assets you consider to be critical to your organization and,
therefore, prioritize what needs to be remediated accordingly.
• TEST! Apply the patches to a representative sample of assets in your lab environment. Stress test the machines to ensure that the patches will not cause
issues in your production environment.
• Apply the patches: Once you’ve prioritized what needs to be remediated first, start patching to actually reduce the risk in your environment. More
advanced vulnerability management tools also offer the ability to automate the time-consuming parts of the patching process. Consider rolling the
patches out to batches of assets; although you already tested in your lab environment (you did do that right!?) there may still be unexpected results in
production. Dip a few toes in before jumping in all the way to make sure there won’t be any widespread issues.
• Track your progress: Reassess your assets to ensure patching was successful.
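The inventory, compare, classify, batch and track steps above, worked through as an added Python example (this is not code from the slides); the asset names, versions, CVSS scores and the CVE-XXXX identifiers are constructed placeholders, not real data:

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    software: str
    version: str
    critical: bool   # business criticality, decided when classifying the risk

@dataclass
class Vuln:
    cve_id: str      # constructed placeholder, not a real CVE number
    software: str
    fixed_in: str    # first version that carries the patch
    cvss: float

# Constructed sample inventory and vulnerability feed (not real data).
INVENTORY = [
    Asset("web-01", "nginx", "1.18.0", True),
    Asset("web-02", "nginx", "1.20.1", True),
    Asset("lab-01", "nginx", "1.18.0", False),
    Asset("db-01", "postgres", "13.2", True),
]
VULNS = [
    Vuln("CVE-XXXX-0001", "nginx", "1.20.1", 7.5),
    Vuln("CVE-XXXX-0002", "postgres", "13.4", 9.8),
]
def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def affected(inventory, vulns):
    """Step 'compare reported vulnerabilities against your inventory'."""
    return [(a, v) for a in inventory for v in vulns if a.software == v.software
            and version_tuple(a.version) < version_tuple(v.fixed_in)]

def classify(findings):
    """Step 'classify the risk': critical assets first, then highest CVSS."""
    return sorted(findings, key=lambda f: (not f[0].critical, -f[1].cvss, f[0].name))

def rollout(inventory, vulns, size=2):
    """Apply patches in batches; return unpatched findings left after each batch."""
    plan = classify(affected(inventory, vulns))
    remaining = []
    for i in range(0, len(plan), size):          # a few assets at a time, not all at once
        for a, v in plan[i:i + size]:
            a.version = v.fixed_in               # applying the patch moves the asset to fixed_in
        remaining.append(len(affected(inventory, vulns)))  # track your progress
    return remaining
```

With the sample data, the first batch patches the critical database and web host and leaves one lab finding, the second batch clears it, so rollout returns [1, 0].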
Patch management best practices
• Some best practices to keep in mind when implementing patch management include:
• Set clear expectations and hold teams accountable: Leveraging organizational agreements, such as service-level agreements, can keep teams in check,
and ensure that the work of reducing risk is actually being done.
• Work collaboratively with technical teams to ensure a common language: Security teams often refer to software errors as a “risk,” whereas IT/DevOps
teams may use the term “patch.” Making sure that everyone is on the same page and recognizes the importance of patching is key to a successful patch
management process.
• Establish a disaster recovery process: In case your patch management process does fail and causes issues, it’s always a good idea to have a backup plan.
Embedding patch management into your vulnerability management efforts
• Patch management is a vital part of every vulnerability management program. However, having a consistent approach to patch management doesn’t
always mean slapping a fix on everything in sight. When a vulnerability is identified, you essentially have three options:
• Install a patch for the vulnerability, if available, to fix the issue.
• Implement compensating controls so the vulnerability is mitigated without being fully patched. This route is common when a proper fix or patch is not yet
available, and can be used to buy time before eventual remediation.
• Accept the risk posed by that vulnerability and do nothing.
• It’s up to organizations to decide which option is best for them in specific situations, though patching is the ideal treatment to ultimately
strive for.
• The terms “patch management” and “vulnerability management” are sometimes used interchangeably, but it is important to understand the
difference. Though both strategies aim to mitigate risk, patch management (the process of managing software updates) is limited in scope.
To gain a deeper understanding of your environment and make informed, impactful decisions, you need to move to a more holistic approach
through vulnerability management. Vulnerability management is a continuous process of identifying, prioritizing, remediating, and reporting
on security vulnerabilities in systems and the software that runs on them.
• Patch management is a critical component of vulnerability management, but it’s just one piece of the puzzle. To successfully embed patch
management into your vulnerability management program, the following steps should be implemented:
• Establish asset management. Your ability to reduce risk is only as good as the visibility you have into your environment. An asset
management solution helps you gain a full understanding of the assets you have and the vulnerabilities associated with each asset. With that
knowledge, you are equipped to prioritize vulnerabilities, remediate issues, and communicate effectively with stakeholders.
• Prioritize vulnerabilities. With limited time and resources and an ever-changing threat landscape, it’s unrealistic to think that you can fix
every vulnerability as soon as it appears. Consequently, prioritization is one of the most critical aspects of vulnerability management.
• Remediate vulnerabilities to reduce risk. Identifying and prioritizing vulnerabilities is important, but you’re not actually reducing risk unless
you’re remediating the issues.
• Measure the success of your vulnerability management program. No matter how many fancy features a vulnerability management solution
has, it’s only worth the investment if it meets your organization’s unique needs and adds value for you and your team. To determine if you’re
achieving a good ROI—and justify the purchase to senior leadership—you’ll have to determine how to measure success.
• Develop partnerships and support. When something goes wrong, you want to know you have a team of people you can rely on to help
troubleshoot.

Network Security Vulnerability
Network security vulnerability refers to the possible unprotected points within the network that can be exploited by an
attacker for unauthorized access. Vulnerabilities allow attackers to eavesdrop, access a system, install malware, and steal,
destroy, or modify sensitive data.
Different Types of Vulnerabilities
 Missing data encryption
 OS command injection
 SQL injection
 Buffer overflow
 Missing authentication for critical function
 Missing authorization
 Unrestricted upload of dangerous file types
 Weak password
 Cross-site scripting and forgery
 Download of codes without integrity checks
 Use of broken algorithms
 URL redirection to untrusted sites
 Path traversal
 Bugs
 Reliance on untrusted inputs in a security decision
Network Vulnerability Assessment Methodology
Network Vulnerability Assessment is an examination of a network for the attacks it could be subject to and the vulnerabilities
it contains. The following are the phases of Vulnerability Assessment:
1. Acquisition
2. Identification
3. Analyzing
4. Evaluation
5. Generating Reports
