Information Security Handbook - Second Edition

By: Darren Death

Overview of this book

Information Security Handbook is a practical guide that’ll empower you to take effective actions in securing your organization’s assets. Whether you are an experienced security professional seeking to refine your skills or someone new to the field looking to build a strong foundation, this book is designed to meet you where you are and guide you toward improving your understanding of information security. Each chapter addresses the key concepts, practical techniques, and best practices to establish a robust and effective information security program. You’ll be offered a holistic perspective on securing information, including risk management, incident response, cloud security, and supply chain considerations. This book has distilled years of experience and expertise of the author, Darren Death, into clear insights that can be applied directly to your organization’s security efforts. Whether you work in a large enterprise, a government agency, or a small business, the principles and strategies presented in this book are adaptable and scalable to suit your specific needs. By the end of this book, you’ll have all the tools and guidance needed to fortify your organization’s defenses and expand your capabilities as an information security practitioner.

Closing information system vulnerabilities

A vulnerability is a weakness in a piece of technology, such as a workstation, server, router, software, cloud service, or process, that undermines the system's ability to provide adequate security assurance and that the threat actors discussed previously can exploit. Three aspects must be considered to assess a vulnerability properly:

  1. First, determine whether the information system is susceptible to the flaw at all. This means checking whether the specific version of the technology or software in question meets the criteria for the vulnerability to exist; a host that is already running a fixed version is not susceptible.
  2. Next, determine whether an attacker can actually reach the flaw. Depending on the technology and its location, an attacker may have no immediate access to the system (for example, when the flaw can only be triggered with physical or local access). This reachability is a key input when prioritizing vulnerabilities across the enterprise.
  3. Finally, determine whether sufficient means exist to exploit the flaw. If a working exploit is circulating in the wild for a given vulnerability, it should be treated as a high-priority vulnerability and addressed immediately.

After reviewing these characteristics for a specific information system, an information security professional can determine the attack surface associated with a given vulnerability and decide how the enterprise should prioritize mitigating it. Hundreds of vulnerabilities may exist in an information system at any time, so the professional must separate the critical vulnerabilities that must be addressed immediately from those that can be managed more methodically over time. The following table illustrates this distinction.

Example Triage Chart for Vulnerabilities

All Hands on Deck:
  • Vulnerability can be executed over the network
  • Information system is exposed to the internet
  • Information system is not patched correctly and is running an old version of server software or operating system software

Planned Methodical Deployment:
  • Vulnerability requires physical access to be exploited
  • The information system is well protected within the network
  • The server is maintained and adequately patched

Table 2.1
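The three assessment factors and the triage chart can be turned into a repeatable rule. The following is an added example in Python, not code from the book or its author; the host names, component names, version numbers, finding identifiers and the exact decision rule are assumptions chosen to illustrate the chart's two columns:

```python
"""Three-factor vulnerability triage.

Added example (not from the book). Each finding is assessed on the three
questions from the text: (1) is the installed version susceptible, (2) can an
attacker reach the flaw, (3) is a working exploit available. The answers map
the finding onto the two columns of the triage chart.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALL_HANDS = "All Hands on Deck"
PLANNED = "Planned Methodical Deployment"
NOT_AFFECTED = "Not affected"


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.4.49' -> (2, 4, 49). Tuples compare numerically component-wise,
    which avoids the classic string-compare bug where '2.4.10' < '2.4.9'."""
    return tuple(int(p) for p in v.strip().split("."))


@dataclass
class Finding:
    host: str
    finding_id: str             # hypothetical identifier, not a real CVE
    component: str
    installed_version: str
    fixed_in: Optional[str]     # first non-vulnerable version; None = no fix published yet
    network_exploitable: bool   # False = local or physical access is required
    internet_exposed: bool      # host reachable from the internet
    exploit_in_wild: bool       # working exploit publicly available


def is_susceptible(f: Finding) -> bool:
    """Factor 1: the flaw exists only if the installed version predates the fix."""
    if f.fixed_in is None:
        return True
    return parse_version(f.installed_version) < parse_version(f.fixed_in)


def triage(f: Finding) -> str:
    """Assumed decision rule derived from the chart's two columns."""
    if not is_susceptible(f):
        return NOT_AFFECTED
    # Factor 2: with no network path the attacker needs hands on the box.
    if not f.network_exploitable:
        return PLANNED
    # Factor 3: a remote flaw that is internet-facing or already weaponised
    # cannot wait for the next maintenance window.
    if f.internet_exposed or f.exploit_in_wild:
        return ALL_HANDS
    return PLANNED


def triage_all(findings: List[Finding]) -> Dict[str, str]:
    """Map 'host:finding_id' to its triage column."""
    return {f"{f.host}:{f.finding_id}": triage(f) for f in findings}


# Constructed sample inventory; hosts, components and versions are illustrative.
SAMPLE_FINDINGS = [
    Finding("web01", "EX-0001", "web-server", "2.4.49", "2.4.51", True, True, True),
    Finding("web02", "EX-0001", "web-server", "2.4.51", "2.4.51", True, True, True),
    Finding("db01", "EX-0002", "database", "12.3", "12.4", True, False, False),
    Finding("kiosk01", "EX-0003", "firmware", "1.0", None, False, False, True),
    Finding("app01", "EX-0004", "app-framework", "5.1.2", "5.2", True, False, True),
]


if __name__ == "__main__":
    for key, column in triage_all(SAMPLE_FINDINGS).items():
        print(f"{key:18} {column}")
```

Note that kiosk01 lands in the planned column even though an exploit exists, because the flaw needs physical access, while app01 lands in all hands on deck despite being internal, because the exploit in the wild removes any assumption that the attacker lacks the means. Both outcomes follow the chart; the rule only makes the ordering of the three questions explicit.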

Vulnerability management

It is essential to understand that situations requiring an all hands on deck response are often the result of poor management of the enterprise information system. An information system that is not regularly patched accumulates serious vulnerabilities that then have to be addressed under pressure. Vulnerability management is the process of identifying and addressing vulnerabilities within an organization's information system. It involves several steps:

  1. Firstly, the organization must identify the vulnerabilities present in its specific information system. This can be done with enterprise vulnerability management tools, such as Nessus, and by staying up to date with information security blogs and subscribing to the security advisories of the vendors it uses.
  2. Secondly, the organization must triage the vulnerabilities and determine the level of risk each poses. The information security professional must communicate this risk effectively and decide whether an all hands on deck or a planned approach is needed for each vulnerability.
  3. Thirdly, the organization must research, plan, and deploy the appropriate mitigations for the applicable vulnerabilities. Mitigation may involve several tasks; the information security professional must fully understand them, communicate them to stakeholders, and deploy the appropriate countermeasures.
  4. Finally, the organization must continuously monitor the information system to confirm that vulnerabilities have been fully mitigated. Running a vulnerability assessment tool throughout the mitigation process lets the organization continuously reassess the system, track progress, and know when it has met its goal.
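The fourth step depends on comparing successive scans rather than reading a single report: a finding is only mitigated once it stops appearing, and progress is measured against the deadline its triage class earned it. The following is an added example, not the book's code; the SLA values, host names, dates and finding identifiers are assumptions for illustration:

```python
"""Track remediation progress across vulnerability scan cycles.

Added example (not from the book). Each scan is a list of open findings; the
tracker records when each (host, finding) pair was first and last seen and
when it disappeared, so progress can be measured against a remediation SLA.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed remediation deadlines in days per triage class; the book sets none.
SLA_DAYS = {"All Hands on Deck": 2, "Planned Methodical Deployment": 30}


@dataclass(frozen=True)
class ScanFinding:
    host: str
    finding_id: str   # hypothetical identifier, not a real CVE
    priority: str     # one of the SLA_DAYS keys, assigned at triage time


@dataclass
class Tracked:
    finding: ScanFinding
    first_seen: date
    last_seen: date
    closed_on: Optional[date] = None


Tracker = Dict[ScanFinding, Tracked]


def ingest_scan(tracker: Tracker, scan: List[ScanFinding], scan_date: date) -> Tracker:
    """Merge one scan into the tracker.

    A finding seen again keeps its original first_seen (the SLA clock does
    not reset until the flaw is actually gone); a finding absent from this
    scan is marked closed on the scan date; a closed finding that reappears
    is reopened, which is how a rolled-back or incomplete patch shows up.
    """
    present = set(scan)
    for f in scan:
        if f in tracker:
            tracker[f].last_seen = scan_date
            tracker[f].closed_on = None
        else:
            tracker[f] = Tracked(f, scan_date, scan_date)
    for f, t in tracker.items():
        if f not in present and t.closed_on is None:
            t.closed_on = scan_date
    return tracker


def status_report(tracker: Tracker, today: date) -> dict:
    """Summarise open, closed and SLA-overdue findings as of 'today'."""
    open_items = [t for t in tracker.values() if t.closed_on is None]
    overdue = [
        (t.finding.host, t.finding.finding_id)
        for t in open_items
        if (today - t.first_seen).days > SLA_DAYS[t.finding.priority]
    ]
    closed = sum(1 for t in tracker.values() if t.closed_on is not None)
    return {"open": len(open_items), "closed": closed, "overdue": overdue}


# Constructed scan results for two successive cycles.
SCAN_1 = [
    ScanFinding("web01", "EX-0001", "All Hands on Deck"),
    ScanFinding("db01", "EX-0002", "Planned Methodical Deployment"),
    ScanFinding("app01", "EX-0003", "Planned Methodical Deployment"),
]
SCAN_2 = [
    ScanFinding("web01", "EX-0001", "All Hands on Deck"),   # still unpatched
    ScanFinding("app01", "EX-0003", "Planned Methodical Deployment"),
    ScanFinding("web02", "EX-0001", "All Hands on Deck"),   # newly discovered host
]


def run_example() -> dict:
    tracker: Tracker = {}
    ingest_scan(tracker, SCAN_1, date(2024, 3, 1))
    ingest_scan(tracker, SCAN_2, date(2024, 3, 4))
    return status_report(tracker, date(2024, 3, 5))


if __name__ == "__main__":
    print(run_example())
```

With these constructed scans, db01 is reported closed because it dropped out of the second cycle, web02 is open but within its two-day window, and web01 is overdue because its all hands on deck finding has been open since the first scan. The overdue list is the item a practitioner escalates; the open and closed counts are what show the stakeholders whether the programme is converging.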