Introduction
Vulnerability management is the process of identifying, evaluating, treating, and reporting potential risk areas identified within a system or software.
Modern software can be very complex. Interactions with different applications, operating systems, and firmware often leave small gaps through which hackers can access and exploit a system. In this reading, you’ll discover some of the testing methods used to assess and mitigate risk.
Let’s begin with the Network Testing method as the first of four methods that you’ll familiarize yourself with.
Network Testing
Vulnerabilities are identified by conducting what is known as a network scan. Network scanning involves pinging all devices on a network and identifying whether any open ports or services could act as gateways for cybercriminals.
Potential vulnerabilities are listed and ranked according to threat level, and mitigating actions are then determined. It’s important to note that an open port is not necessarily dangerous. Some ports are always open, such as the one used for HTTPS, which allows you to connect and interact with the internet. To say a port is open means it listens for requests and sends a response when pinged. The system configuration and the software that runs on that port are then assessed and compared with known vulnerabilities. For example, WannaCry used port 445, which accepts data from the internet, to inject code that locks users out of the system. Configuring a system might include closing this port to traffic from outside a company’s firewall.
Now examine the following couple of methods as defensive strategies.
Penetration Testing
The next testing method is Penetration Testing. Companies carry out penetration tests to test a system’s security. A penetration test is a real-world simulated attack on your system. Microsoft’s Assume Breach philosophy means they approach defense from the mindset that the hacker has already breached the system. This leads to the question: “What damage is possible once the cybercriminal is inside the system?”
Microsoft has implemented a testing protocol that employs two teams on a full-time basis to test the strength of their defenses. A red team simulates attacks on the system and a blue team defends against these attacks. Once the red team concludes the attack, a review is done of the measures used and the vulnerabilities exposed. The system is updated, and the teams reverse their roles. So, now the members of the blue team are designated red and must overcome the system. This mindset gave rise to the recent policy of Always Enclave, where data stored inside a company’s network is encrypted from all unauthorized personnel. Essentially, it presents another obstacle for cybercriminals to overcome. Encryption and segmenting of access will be explored in detail a bit later on.
Vulnerability verification
Another testing method is Vulnerability Verification. Here, a security risk is ranked according to the Common Vulnerability Scoring System (CVSS). This is a standardized metric used to assess threat levels. However, with some systems, it is a combination of issues that tends to expose the network.
While CVSS can indicate some dangers, the flaw in a company’s system may be the combination of outdated software associated with an open port and some other misconfigurations. Therefore, the IT professional assesses each incident on a case-by-case basis. Analysis tools can only give indications; they do not guarantee a system’s security.
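The case-by-case point above can be shown with a small triage script. This is an added example, not part of the original reading: the hosts, findings and scores are constructed, and the rule for flagging a combination of issues is an assumption chosen for illustration. The severity bands follow the CVSS v3.x qualitative ratings.

```python
from collections import defaultdict

# Constructed sample findings (not from a real scan); "score" is a CVSS base score.
FINDINGS = [
    {"host": "10.0.0.5", "kind": "open_port", "score": 5.3,
     "detail": "445/tcp reachable from outside the firewall"},
    {"host": "10.0.0.5", "kind": "outdated_software", "score": 6.5,
     "detail": "file-sharing service missing patches"},
    {"host": "10.0.0.5", "kind": "misconfiguration", "score": 4.3,
     "detail": "guest access enabled"},
    {"host": "10.0.0.9", "kind": "outdated_software", "score": 7.5,
     "detail": "web server missing patches"},
    {"host": "10.0.0.12", "kind": "open_port", "score": 0.0,
     "detail": "443/tcp (HTTPS), expected to be open"},
]

# Assumed rule: the combination named in the reading triggers manual review.
RISKY_COMBINATION = {"open_port", "outdated_software", "misconfiguration"}

def severity(score):
    """Map a CVSS v3.x base score to its qualitative rating."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"

def triage(findings):
    """Rank hosts: flagged combinations first, then by highest single score."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    report = []
    for host, items in by_host.items():
        top = max(i["score"] for i in items)
        kinds = {i["kind"] for i in items if i["score"] > 0.0}
        report.append({"host": host, "max_score": top, "rating": severity(top),
                       "needs_manual_review": RISKY_COMBINATION <= kinds})
    report.sort(key=lambda r: (not r["needs_manual_review"], -r["max_score"]))
    return report

if __name__ == "__main__":
    for row in triage(FINDINGS):
        print(row)
```

The host with three Medium findings is listed ahead of the host with a single High finding, which is the situation a score-only ranking would miss.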
Treating vulnerabilities
Finally, let’s discuss how to treat vulnerabilities to mitigate risk.
Having tested a system and compiled a list of ranked threats, the next step is to mitigate these issues. The ideal solution is remediation. Remediation removes the threat to a system and is achieved by changing configurations or applying a particular patch. Failing this, a company may choose to mitigate the situation.
Mitigation sets out to reduce the likelihood of exploitation or, in some other way, reduce the risk or fallout from a flaw.
A company can also choose acceptance. This approach means that the company has identified a possible weakness or flaw. However, they leave the issue unresolved. This might be done because the fix is too large, or the damage that might be done is not large enough to warrant taking time to fix it.
Conclusion
In this reading, you explored four aspects of security. First, you gained some insight into network testing and the types of vulnerabilities one might find. Next, some defensive strategies were discussed, like penetration testing and vulnerability verification. Finally, you examined how to treat the vulnerabilities as well as the mitigation steps you can apply.