CIOReview | August 2020 | Page 9

Technology's SP 800-40 document Creating a Patch and Vulnerability Management Program.

1. Scan

Start by using an automated vulnerability scanner to perform a vulnerability scan across your known networks, both external and internal. If you haven't performed a vulnerability scan before, conduct a scan without administrative credentials to see exactly what an attacker would see, whether they were scanning your external-facing network from the Internet or had gained a foothold on the internal network.

A number of automated vulnerability scanners exist to choose from, including open source, free-to-use solutions such as OpenVAS and paid, more sustainable enterprise-class solutions from companies such as Tenable, Rapid7, and Qualys.

2. Prioritize

The challenging part of vulnerability management is remediating the discovered vulnerabilities with limited resources. While a scanner can detect vulnerabilities, it's our team members who have to invest their time and effort in fixing the discovered issues. Because their time is limited, we cannot simply fix everything at once. To channel our efforts, organizations should first address the vulnerabilities that present the highest amount of risk to the organization (represented by a vulnerability's CVSS score), followed by the issues presenting the next highest level of risk, and so on. While a base CVSS score might not be perfect for your organization's particular environment, it's a great place to start and can be very effective in helping companies prioritize their remediation efforts.

3. Remediate

Remediation requires communication between the system owners and those performing vulnerability scans so that the discovered issues which should be fixed actually get remediated. In certain situations, discovered vulnerabilities might not be fixed at all, or resolution could be delayed. If the cost associated with fixing a vulnerability outweighs the perceived risk associated with it, the business can decide not to fix the issue. In this case, the known risk and the decision not to address it should be documented for future reference.

4. Verify

Once remediation work is completed, any fixed vulnerabilities should be re-tested to ensure they were indeed addressed. Unfortunately, not all remediation work is successful the first time and, if not checked, could still present risk to the environment.

Performing vulnerability management can help organizations greatly strengthen their overall cyber security posture by limiting the options hackers have for attacking an organization, while also providing security teams the time needed to detect and defend against such attackers. Make sure to take the time to find your own vulnerabilities and address those that present risk to your organization before an attacker does.

Mike Holcomb

To help find these vulnerabilities and understand the potential associated impact, organizations can engage outside parties to perform costly vulnerability assessments and penetration tests
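The four steps above, worked as an added Python example that is not part of the article: findings from a constructed scan export are ordered by CVSS base score for remediation, documented risk acceptances are set aside rather than lost, and a constructed re-scan is compared against the original scan to verify which fixes actually took. The Finding fields, the scan data and the acceptance record are all assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str   # the scanner's own identifier for the check (assumed field)
    title: str
    cvss: float      # CVSS base score as reported by the scanner


# Step 1: constructed output of an initial unauthenticated scan (not real scanner data)
INITIAL_SCAN = [
    Finding("web01", "10001", "Outdated TLS configuration", 5.3),
    Finding("web01", "10002", "Remote code execution in web framework", 9.8),
    Finding("db01", "10003", "Database listening on all interfaces", 7.5),
    Finding("file01", "10004", "SMBv1 enabled", 8.1),
]

# Step 3: risk the business decided to accept, kept with its rationale for future reference
RISK_ACCEPTED = {
    ("file01", "10004"): "Legacy backup appliance requires SMBv1; host isolated on its own VLAN; review next quarter",
}


def prioritize(findings, accepted):
    """Step 2: order open findings by CVSS base score, highest risk first, skipping accepted risk."""
    work = [f for f in findings if (f.host, f.plugin_id) not in accepted]
    return sorted(work, key=lambda f: f.cvss, reverse=True)


def verify(before, after, accepted):
    """Step 4: compare a re-scan with the original; returns (fixed, still_open) as (host, plugin_id) keys."""
    before_keys = {(f.host, f.plugin_id) for f in before if (f.host, f.plugin_id) not in accepted}
    after_keys = {(f.host, f.plugin_id) for f in after}
    fixed = sorted(before_keys - after_keys)
    still_open = sorted(before_keys & after_keys)  # remediation attempted but the scanner still sees it
    return fixed, still_open


# Constructed re-scan: the RCE fix took, the database exposure fix did not, SMBv1 remains (accepted)
RESCAN = [
    Finding("web01", "10001", "Outdated TLS configuration", 5.3),
    Finding("db01", "10003", "Database listening on all interfaces", 7.5),
    Finding("file01", "10004", "SMBv1 enabled", 8.1),
]

if __name__ == "__main__":
    for f in prioritize(INITIAL_SCAN, RISK_ACCEPTED):
        print(f"{f.cvss:4.1f}  {f.host:7} {f.title}")
    fixed, still_open = verify(INITIAL_SCAN, RESCAN, RISK_ACCEPTED)
    print("fixed:", fixed)
    print("still open after remediation:", still_open)
```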