Blog | Cyber Security News & Training | Einnosec

How to build a manageable Vulnerability Management program – Part III

A couple of months ago, we published two articles on vulnerability management:

In this new vulnerability management blog series we will discuss OWASP, threat modelling, and other areas of vulnerability management. The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications and APIs that can be trusted.

A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005). Vulnerability management is the process in which vulnerabilities in information technology are identified and the risks posed by those vulnerabilities are evaluated. This evaluation leads to remediating the vulnerabilities, transferring the risk, or a formal risk acceptance by the management of an organization. Any organization must implement effective vulnerability management to safeguard against the attacks and threats in its environment.

Vulnerability Management vs Vulnerability Scanning

The term vulnerability management is often confused with vulnerability scanning. Even though the two are related, there is an essential difference between them. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure, or applications. Vulnerability management is the broader process that includes vulnerability scanning but also considers other aspects such as governance, prioritization, risk acceptance, and remediation.

Attackers continue to get better at exploiting security vulnerabilities in systems. As a result, organizations face the unending task of continuously identifying system weaknesses, prioritizing them according to criticality, and remediating them. Vulnerability management helps remediate vulnerabilities before they lead to a breach. These security methods – scanning and remediation – combined with various other security measures, help keep an organization’s assets safe.
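The identify, prioritize, remediate (or transfer, or accept) cycle described above, as an added worked example that is not part of the original post or of any Einnosec tooling. The scanner findings, host names and CVE identifiers are constructed placeholders, and the scoring weights and thresholds are assumptions chosen to illustrate the point that scanning alone ranks a lab box and an internet-facing server equally, while management weighs asset criticality, exploit availability and formal risk acceptance.

```python
"""Turning raw scanner output into a prioritized vulnerability-management queue.

Added example: the findings below are constructed sample data, the CVE ids are
placeholders, and the weights/thresholds are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    host: str
    cve: str                    # placeholder id, constructed for the example
    cvss: float                 # CVSS base score, 0.0 .. 10.0
    asset_criticality: int      # 1 = lab box .. 5 = internet-facing crown jewel
    exploit_public: bool        # a working public exploit is known
    risk_accepted_by: str = ""  # non-empty once management has formally accepted the risk


# Constructed scanner output: two findings share the same CVSS score but sit
# on very different assets, which is exactly what raw scanning cannot tell apart.
SAMPLE_FINDINGS: List[Finding] = [
    Finding("web-01", "CVE-0000-0001", 9.8, 5, True),
    Finding("lab-07", "CVE-0000-0002", 9.8, 1, False),
    Finding("db-02", "CVE-0000-0003", 7.5, 4, False),
    Finding("legacy-03", "CVE-0000-0004", 6.1, 3, False, risk_accepted_by="CISO, 2021-03"),
    Finding("kiosk-11", "CVE-0000-0005", 3.1, 2, False),
]


def risk_score(f: Finding) -> float:
    """Assumed scoring model: CVSS weighted by asset criticality, boosted if a
    public exploit exists. This weighting is the 'management' step that
    vulnerability scanning by itself does not perform."""
    score = f.cvss * f.asset_criticality
    if f.exploit_public:
        score *= 1.5
    return round(score, 1)


def decide(f: Finding) -> str:
    """Route a finding to remediation, tracking, or a recorded risk acceptance."""
    if f.risk_accepted_by:
        return "accepted"           # governance decision already on record
    s = risk_score(f)
    if s >= 30:
        return "remediate-now"
    if s >= 15:
        return "remediate-next-cycle"
    return "track"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Highest weighted risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def triage_report(findings: List[Finding]) -> List[Tuple[str, str, float, str]]:
    """(host, cve, weighted score, decision) for each finding, in priority order."""
    return [(f.host, f.cve, risk_score(f), decide(f)) for f in prioritize(findings)]


if __name__ == "__main__":
    for host, cve, score, decision in triage_report(SAMPLE_FINDINGS):
        print(f"{host:10} {cve:14} {score:6.1f}  {decision}")
```

Running the block lists web-01 first (high CVSS, critical asset, public exploit) and lab-07 near the bottom despite its identical CVSS score; legacy-03 keeps its "accepted" status because the acceptance is recorded with the finding rather than silently dropped from the scan results.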

Sources of Vulnerabilities

Network vulnerabilities provide unauthorized entry channels and can expose confidential information, fuel identity theft, violate privacy laws, or paralyze operations. The exposure is extreme for networks with critical, vulnerable devices connected by IP. Examples include:

The attack trends on the increase include:

The typical challenges IT faces in managing the 

2020 CWE Top 25 Most Dangerous Software Weaknesses

The Common Weakness Enumeration (CWE) identified the Top 25 Most Dangerous Software Weaknesses. While the list is a comprehensive reference, many other weaknesses also leave software vulnerable to attack, including:

- Missing data encryption
- OS command injection
- SQL injection
- Buffer overflow
- Missing authentication for critical function
- Missing authorization
- Unrestricted upload of dangerous file types
- Reliance on untrusted inputs in a security decision
- Cross-site scripting and forgery
- Download of code without integrity checks
- Use of broken algorithms
- URL redirection to untrusted sites
- Path traversal
- Bugs
- Weak passwords
- Software that is already infected with a virus
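Two of the weakness categories listed above, SQL injection and path traversal, shown as the weak pattern beside its hardened form. This is an added example, not code from the original post; the user table, the served directory and the file contents are constructed for the example, and the function names are hypothetical.

```python
"""SQL injection and path traversal: weak pattern next to the hardened pattern.

Added example with constructed data: an in-memory SQLite table and a throwaway
directory tree. Nothing here is taken from a real application.
"""
import sqlite3
import tempfile
from pathlib import Path


def make_db() -> sqlite3.Connection:
    """Constructed users table for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # Weakness: user input is concatenated into the query text, so the input
    # can change the query's logic instead of only its data.
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Mitigation: a parameterized query; the driver passes the value to the
    # engine separately, so it is never interpreted as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]


def make_tree() -> Path:
    """Constructed directory: 'public' is the served folder, config.ini sits outside it."""
    root = Path(tempfile.mkdtemp())
    public = root / "public"
    public.mkdir()
    (public / "readme.txt").write_text("public notes")
    (root / "config.ini").write_text("db_password=placeholder-value")
    return public


def read_file_vulnerable(base: Path, relative: str) -> str:
    # Weakness: '..' segments in the caller-supplied name escape the served
    # directory, because the OS resolves them when the file is opened.
    return (base / relative).read_text()


def read_file_hardened(base: Path, relative: str) -> str:
    # Mitigation: resolve both paths (symlinks and '..' included) and refuse
    # any target that is not the base directory or inside it.
    base_resolved = base.resolve()
    target = (base / relative).resolve()
    if target != base_resolved and base_resolved not in target.parents:
        raise PermissionError(f"refusing path outside {base_resolved}")
    return target.read_text()


if __name__ == "__main__":
    conn = make_db()
    print("hardened lookup:", lookup_hardened(conn, "alice"))
    public = make_tree()
    print("hardened read:", read_file_hardened(public, "readme.txt"))
```

The test-style checks for this block feed the classic tautology `' OR '1'='1` to both lookup functions and a `../config.ini` name to both file readers; the weak versions return every user and the out-of-tree file, while the hardened versions return no match and raise `PermissionError` respectively.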

Attackers performing reconnaissance will often find unknown, unprotected, and unmonitored assets to use as attack vectors. In a large enterprise, unknown assets often exist by the hundreds and are typically easy for even novice hackers and threat groups to find. We will continue the discussion next week in Part II.

Continued Next Week – Part II