What is Vulnerability Management?
What is Vulnerability Management?

Vulnerability Management is the process of identifying security flaws and vulnerabilities in software and reporting those vulnerabilities so they can be fixed, with the goal of reducing the risk and impact of cyber-attacks. This is a very important aspect of network and computer security because it reduces the attack surface, a term used to describe the number of potential security vulnerabilities that malicious actors could exploit to cause harm to an organization. The process includes the following steps:

Identify - use vulnerability scanners, manual techniques and asset discovery methods to identify and document systems (e.g. servers, desktops, laptops, mobile devices, IoT devices) and any security issues they have, and score those issues based on different factors (see CVSS score).

Report - report these issues to the appropriate stakeholders (e.g. system owners) so that they can be addressed and ultimately resolved.

Fix - have the system owner or technology owner fix the security issue so that the security hole no longer exists. Vulnerabilities can be remediated using different methods, such as security patches, reconfiguration, or mitigating controls.

Reassess - scan or manually review to ensure that security issues have been successfully remediated.

This is a cyclical process, so assets should be scanned regularly, especially after significant changes. Identifying and fixing vulnerabilities quickly means malicious actors have less time to discover and exploit them.

Why is it useful?

Vulnerabilities are constantly being announced, most of which affect heavily used software. An average of 50 new vulnerabilities were detected per day in 2017. Examples include security vulnerabilities in Google Chrome, the Windows operating system, and other common programs such as Adobe Flash Player and Adobe Shockwave Player.

Being able to stay on top of these issues and make sure the product is patched as quickly as possible (often after testing to make sure the patch doesn't have unwanted effects) means hackers have less time to try to exploit them.

By securing Internet-facing systems, it's harder for attackers to break in, and by securing internal systems, it's harder for attackers to move around and do what they want, such as privilege escalation or information gathering.

Related roles

The following roles typically include work on vulnerability management, such as vulnerability scanning, exploit knowledge, and system hardening:

Threat Intelligence Analyst

Receive and report intelligence on newly released vulnerabilities or vulnerabilities actively exploited in the wild, as well as threat actors. Intelligence analysts often have access to commercial tools that allow them to observe development activity around the world, as well as underground discussions about vulnerabilities, helping vulnerability analysts prioritize issues that need to be fixed first.

Vulnerability Analyst

Identify, report, and help remediate vulnerable assets to harden assets and reduce the risk of cyberattacks. Daily tasks include vulnerability scanning, analyzing results, performing manual checks, reporting security vulnerabilities, keeping up with the latest public news about vulnerabilities, and receiving threat intelligence reports from intelligence analysts.

Incident responder

Knowledge about vulnerabilities, and how to deal with compromises that result from successful exploitation, is key to understanding how to respond in the most effective manner.

Penetration Tester/Red Team

Knowing how to identify and scan for vulnerabilities and security weaknesses is key to this role, which involves exploiting systems and gaining access for security purposes. By reporting these findings, vulnerability analysts can work with stakeholders to remediate the affected systems.

Soft skills

Communication - this is very important. You will be communicating with many people in this role, including your own team, the wider security team, stakeholders from basically every department, management, and even other organizations. You should have a high level of written and oral communication skills and be able to communicate technical information to non-technical people in a way they can understand.

Analytical - You should be analytical, which means you are good at solving problems and gathering and analyzing information. An example of this is when you receive output from a vulnerability scanner, you should be able to interpret the results and understand what the report is telling you so you can prioritize remediation.

Teamwork - this is a very obvious one, but as mentioned above, you will likely be working with a lot of people and you need to be able to work together effectively, in some situations where the pressure is high and the pace is fast.

Time Management - If you are going to be responsible for conducting vulnerability scans, you need to be very skilled at time management. Not only do you need to find the best time to scan (taking into account factors such as run time, the sensitivity of the systems being scanned, and stakeholders who can respond if problems arise), but you also need to make sure that everyone understands which vulnerabilities are being exploited in the wild, coordinate remediation activities (to an extent), and handle other tasks that take time to plan effectively.

Security-Related Knowledge

If you haven’t already worked in a security position, there are some things you can do to really boost your knowledge, and skills, and look better in a hiring manager’s eyes. For this specific role, the best experiences I can recommend are:

  • Getting hands-on with vulnerability scanners such as Nessus, OpenVAS, and Nikto. This shows that you understand how these tools work, how to conduct vulnerability scans, and what their outputs look like. You can get experience like this by downloading the Metasploitable 2 intentionally vulnerable virtual machine (covered later in this course), downloading other vulnerable virtual machines from VulnHub, or scanning machines on penetration testing platforms such as Hack The Box.
  • Show that you keep up-to-date with the latest security news, especially surrounding vulnerabilities. You can do this by using platforms such as TweetDeck to monitor for terms such as “vulnerability”, “CVE”, and other phrases that will show tweets regarding vulnerabilities and exploitation (Read my Reddit post about using TweetDeck).
  • Have a blog (This is my blog) with hacking write-ups or a GitHub (This is my GitHub account) with custom tools. These will both go a LONG way when trying to get your first job in security or even move up the ladder. Running a blog shows that you are really motivated and driven, something that is very attractive to employers. Writing up how you hacked or ‘owned’ machines on HackTheBox is a great activity, and shows that you understand how to identify and exploit vulnerabilities. Custom tools show that you’re a problem solver who can create tools to overcome problems or speed up tasks. Creating your own GitHub account, cloning an open-source tool, and starting to make your own changes or additions is a great place to start.

CVEs and CVSS Scores

Common Vulnerabilities and Exposures

CVE, which stands for Common Vulnerabilities and Exposures, is a way to standardize names for publicly-known vulnerabilities. I like to think of CVEs working like domain names. Everyone knows www.Google.com, but most people don’t know the website's IP. We use www.Google.com because it’s convenient, easy to remember, and easy to use. The same goes for CVEs. We know that CVE-2019-0708 is assigned to the Remote Desktop Protocol (RDP) zero-day remote code execution vulnerability named ‘BlueKeep’. It makes life easier when talking about vulnerabilities, or sharing information between different vulnerability databases, tools, and services. MITRE, which holds the copyright on the term CVE (to ensure it remains free and usable by the security community), states that “CVE Entries are comprised of an identification number, a description, and at least one public reference.”

https://CVEDetails.com is a security vulnerability database that has lots of information and can allow us to search for specific CVEs, or even look at vulnerabilities sorted by release date.

https://nvd.nist.gov is the National Vulnerability Database, created by the National Institute of Standards and Technology. NIST states “The NVD is the U.S. government repository of standards-based vulnerability management data”. This is a website I used every day at work because it provides valuable information about vulnerabilities.

CVSS:3.0 = This score is generated using CVSS 3.0 (as opposed to version 2.0)

AV:N = Attack Vector: Network (Exploitation can occur over a network, such as the Internet)

AC:L = Attack Complexity: Low (This attack is easy to conduct, and requires little technical sophistication)

PR:N = Privileges Required: None (The attacker does not need an account with any specific permissions for successful exploitation)

UI:N = User Interaction: None (Exploitation does not rely on a legitimate user doing something, such as clicking something or opening a malicious file)

S:U = Scope: Unchanged (Exploitation only affects resources managed by the vulnerable component itself; it does not cross into a component governed by a different security authority)

C:H = Confidentiality Impact: High (Confidentiality is broken, meaning the attack will gain access to files or information that should be restricted)

I:H = Integrity Impact: High (Integrity is broken, meaning the attack is able to modify files or information)

A:H = Availability Impact: High (Availability is broken, meaning the attack can restrict legitimate access to a system)

