Vulnerability Management – Overview

According to Gartner, “Enterprises that implement a vulnerability management process will experience 90 percent fewer successful attacks.”

The T.J. Maxx and Marshalls clothing chains recently suffered an intrusion into their payment processing networks that the parent company, TJX, admits resulted in the theft of data connected to at least 45.6 million credit and debit cards. TJX agreed to pay up to $40.9 million in a settlement with three bankers’ associations. As compliance demands grow and headline-making attacks increase, executives are demanding a new type of CISO: one who understands how IT risks play into the bottom line and can justify security spending.

The fastest way to become that person is to get a handle on vulnerabilities. Visionary security players are warming up to the notion that vulnerability assessment does not mean merely probing the network for flaws. It means examining every aspect of the organization’s attack surface, its network and application environment, even its physical and information security stance, and transforming those findings into actionable results.

According to the NIST publication SP 800-30, Risk Management Guide for Information Technology Systems: “Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.”

Vulnerabilities are an essential part of the basic risk equation. Threat is very difficult to determine because it is a constantly moving target, but vulnerabilities are fairly straightforward to measure and to address. When you are talking about risk, vulnerabilities are generally the easiest factor to assess.


  • Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
  • Threat: The potential for a threat-source to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
  • Threat-source: Either (1) intent and method targeted at the intentional exploitation of a vulnerability or (2) a situation and method that may accidentally trigger a vulnerability.
  • Threat Analysis: The examination of threat-sources against system vulnerabilities to determine the threats for a particular system in a particular operational environment.

Simple Vulnerability Assessment: 

As IT becomes aware of and interested in managing its vulnerabilities and attack surface, it will introduce rudimentary measures to gauge and improve these areas:

  • Create a spreadsheet to map, assess and prioritize vulnerabilities.
  • Perform regular penetration tests.
  • Ensure compliance with government regulations.
  • Produce metrics & reports to show progress.

Metrics are a new trend in vulnerability assessment products because they provide the type of information that people can use to express the IT department’s risk posture to the C-level suite and demonstrate progress in easy-to-understand language. It is always a struggle to find funding inside an organization for IT projects, and especially for security projects. When the CISO can actually quantify and demonstrate the risk to the organization, they appear to be in control of it.

Basic Vulnerability Management:

As the vulnerability management process matures, it generally includes these steps:

  • Policy definition is the first step, defining the desired state for device configurations, user identity and resource access.
  • Baseline the environment to identify vulnerabilities and policy compliance.
  • Prioritize mitigation activities based on external threat information, internal security posture and asset classification.
  • Shield the environment, prior to eliminating the vulnerability, by using desktop and network security tools.
  • Mitigate the vulnerability and eliminate the root causes.
  • Maintain the environment for deviations from policy.
  • Monitor the environment to identify new vulnerabilities and access attempts.

Mature Vulnerability Management:

A fully mature vulnerability management program will introduce vendor products that can be used to automate various aspects of the vulnerability management process. The four main technology categories are:

  • Vulnerability scanning & assessment.
  • Security configuration management and policy compliance measurement.
  • IT security risk management.
  • Security information and event management (SIEM).

Vulnerabilities are on the rise

Risk is potential damage to an organization’s value, often from inadequate management of processes and events. IT touches all areas of the business, and it simultaneously reduces existing risk and introduces new risk to the organization. IT risk is emerging as a significant component of total business risk as IT assumes a more prominent role, and it can account for more than 50% of total capital expenditure at some companies. If a business has a handle on IT risk, chances are it is meeting compliance demands.

MITRE, a nonprofit organization, has been working since 1999 to maintain a standard for gauging risk in the context of network vulnerabilities. 2008 gave rise to about 7,000 unique vulnerabilities captured within the Common Vulnerabilities and Exposures (CVE) list, a dictionary that provides the common names and ratings for known security vulnerabilities. Since 1999, MITRE has tracked some 28,000 vulnerabilities in packaged software. While the sheer number of bugs is certainly cause for concern, these flaws do have one positive attribute: they provide a tangible way to assess risk. When you get to the board room, you can’t talk tech, but the numbers are understandable. Each CVE listing in the National Vulnerability Database supports the Common Vulnerability Scoring System (CVSS), an open framework that standardizes the severity of vulnerabilities across heterogeneous platforms. Version 2.0 of the CVSS, managed by the Forum of Incident Response and Security Teams (FIRST), was released in 2008. It rates the severity of weaknesses on a scale of 0 to 10.

CVSS takes into account three factors:

  • The base score represents the constant characteristics of the vulnerability.
  • The temporal score reflects characteristics of the vulnerability that change over time.
  • The environmental score accounts for characteristics in a particular environment.

CVSS scoring provides a consistent risk metric. All vulnerability scanning tools, IDSes and other alerting tools use some form of risk definition, so if they are not using CVSS, you may get multiple interpretations of how significant a single vulnerability is.

Listing vulnerabilities in the network, both client-side and server-side, may be one of the easiest ways security administrators can get a handle on the health of their operating infrastructure. But they are not the only places to look. The SANS Top 20 consistently lists four other major risk categories:

  • Security policy and personnel, including excessive user rights, phishing and unencrypted portable devices.
  • Application abuse, including instant messenger and peer-to-peer programs.
  • Network devices, including VoIP phones and servers.
  • Zero-day attacks, for which there is no patch.

Change & Configuration Management

These days, any robust vulnerability management platform is able to flag unauthorized network alterations and ensure critical network components are properly configured.  As the flaws increase, making it more and more difficult to catch every network weakness, many organizations are turning to change and configuration management as part of their defense-in-depth strategy.

A configuration management program sets the standard for what’s acceptable for systems, providing cost and time savings.  You don’t have to re-assess to find out there’s ‘x’ number of vulnerabilities.  You have a baseline for what’s already acceptable, and an understanding of the organization’s compliance.

Protecting against known vulnerabilities is important to defend against targeted attacks, but focusing on system configuration is equally critical. For example, a company may have deployed all the latest patches, but if a user’s machine is inappropriately running as an IIS server, the unauthorized service could permit an attacker to drop a piece of malware for which there is no signature, and to take advantage of weaknesses in the non-standard configuration, since no hardening was performed on that system.

Benefits of Change Control

Change Management is a process that seeks to review and approve changes that are known.  It relies on the change requestor to submit changes to be reviewed for strategic, tactical, technical, and security concerns.  Change Control is a more mature control, allowing security teams to learn whether any changes — either by a malicious outsider or, more likely, an accidental insider — created a vulnerability or exposure within the organization’s controls.  Change Control looks at the last known configuration for all of the devices under its view, identifies changes that have been made, compares the found changes to records within Change Management, and flags those that do not match for review, investigation and potential reversal.
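The reconciliation step described above, as an added example that is not part of the original article: diff each device's last known configuration against what is observed now, match every difference against the approved records in Change Management, and flag the rest for review. The device names, settings and ticket number are constructed sample data.

```python
# Constructed sample data: last known (approved) baseline and what the scanner sees now.
BASELINE = {
    "web01": {"ssh.PermitRootLogin": "no", "iis.enabled": "false", "ntp.server": "time.internal"},
    "db01": {"ssh.PermitRootLogin": "no", "mysql.bind_address": "10.0.0.5"},
}
OBSERVED = {
    "web01": {"ssh.PermitRootLogin": "no", "iis.enabled": "true", "ntp.server": "time.internal"},
    "db01": {"ssh.PermitRootLogin": "yes", "mysql.bind_address": "10.0.0.5", "audit.enabled": "true"},
}
# Approved change records exported from Change Management (constructed).
APPROVED_CHANGES = [
    {"ticket": "CHG-1001", "device": "db01", "key": "audit.enabled", "new": "true"},
]


def detect_changes(baseline, observed):
    """Return (device, key, old, new) for every setting that differs from the baseline.

    Settings added or removed show up with None on the missing side, so a service that
    appeared on a host (or a control that vanished) is a change like any other.
    """
    changes = []
    for device in sorted(set(baseline) | set(observed)):
        old_cfg, new_cfg = baseline.get(device, {}), observed.get(device, {})
        for key in sorted(set(old_cfg) | set(new_cfg)):
            if old_cfg.get(key) != new_cfg.get(key):
                changes.append((device, key, old_cfg.get(key), new_cfg.get(key)))
    return changes


def reconcile(changes, approved):
    """Split detected changes into those backed by a change record and those flagged for review."""
    index = {(c["device"], c["key"], c["new"]): c["ticket"] for c in approved}
    matched, flagged = [], []
    for device, key, old, new in changes:
        ticket = index.get((device, key, new))   # the new value must match the approved one
        if ticket:
            matched.append((device, key, old, new, ticket))
        else:
            flagged.append((device, key, old, new))
    return matched, flagged


if __name__ == "__main__":
    matched, flagged = reconcile(detect_changes(BASELINE, OBSERVED), APPROVED_CHANGES)
    for device, key, old, new, ticket in matched:
        print(f"OK      {device} {key}: {old!r} -> {new!r} ({ticket})")
    for device, key, old, new in flagged:
        print(f"REVIEW  {device} {key}: {old!r} -> {new!r}  no matching change record")
```

On the sample data, the audited change on db01 matches its ticket, while root SSH login being enabled on db01 and IIS appearing on the user workstation web01 are flagged for investigation and potential reversal.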