So, you know what vulnerabilities are and that vulnerability scanning can help mitigate those vulnerabilities. Now you need to establish your own vulnerability management program. A strong program uses threat intelligence and deep knowledge of IT and business operations to prioritize and address risks and vulnerabilities as quickly as possible.
But what exactly does the vulnerability management process look like? While every organization takes a slightly different approach, there are three main phases that every vulnerability management program should follow. Skipping any of them leaves the process incomplete and ineffective.
Identifying Vulnerabilities
The longer a vulnerability goes undetected, the more likely it is to result in a security breach. The first step usually involves a vulnerability scan that identifies a variety of systems on a network and probes them for different attributes — operating system, open ports, installed software, file system structure, and more. The results are presented in the form of reports, metrics, and dashboards.
Evaluating Vulnerabilities
As your scans uncover vulnerabilities, the next step is to prioritize them based on their potential risk to your business, employees, and customers. You should assign each one its own risk rating and score, from 0.0 to 10.0, to determine the major areas of concern. Here are a few questions to consider while evaluating each vulnerability:
- Is the vulnerability a true or false positive?
- Could the vulnerability be directly exploited from the internet?
- How difficult or easy would it be to exploit the vulnerability?
- What would be the potential impact on the organization if the vulnerability is exploited?
- Do any security controls already exist to protect the vulnerability from being exploited?
- For how long has the vulnerability existed on the network?
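The questions above can be turned into a repeatable triage step that runs over scanner output. The following is an added example, not code from the article or from any scanner vendor: each finding is scored on a 0.0 to 10.0 scale using the six questions as factors. The weights, the host names and the findings themselves are constructed for illustration; a real program would calibrate the weights against its own environment.

```python
"""Prioritise scan findings on a 0.0-10.0 scale using the six evaluation questions.

Added example: the weighting scheme is an assumption for illustration, not a
scoring standard. The findings in SAMPLE_FINDINGS are constructed, not real scan data.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple

@dataclass
class Finding:
    host: str
    check: str                  # scanner check name (constructed)
    false_positive: bool        # Q1: validated as a false positive?
    internet_exposed: bool      # Q2: reachable directly from the internet?
    exploit_difficulty: str     # Q3: "low", "medium" or "high" (low = easy to exploit)
    impact: str                 # Q4: "low", "medium", "high" or "critical"
    compensating_control: bool  # Q5: an existing control (ACL, WAF rule, ...) already protects it
    discovered: date            # Q6: when it first appeared on the network

# Assumed weights: impact sets the base score, difficulty scales it down.
IMPACT_BASE = {"low": 2, "medium": 5, "high": 8, "critical": 10}
DIFFICULTY_FACTOR = {"low": 1.0, "medium": 0.7, "high": 0.4}

def risk_score(f: Finding, today: date) -> float:
    """Return a 0.0-10.0 score. False positives score 0.0 so they leave the queue."""
    if f.false_positive:
        return 0.0
    score = IMPACT_BASE[f.impact] * DIFFICULTY_FACTOR[f.exploit_difficulty]
    if f.internet_exposed:
        score *= 1.5            # directly reachable: raise priority
    if f.compensating_control:
        score *= 0.5            # existing control lowers the likelihood of exploitation
    months_open = (today - f.discovered).days // 30
    score += min(months_open, 2)  # long-lived findings creep upward, capped at +2
    return round(min(score, 10.0), 1)

def prioritize(findings: List[Finding], today: date) -> List[Tuple[str, str, float]]:
    """Return (host, check, score) for real findings, highest risk first."""
    scored = [(f.host, f.check, risk_score(f, today)) for f in findings]
    return sorted((s for s in scored if s[2] > 0.0), key=lambda s: s[2], reverse=True)

# Constructed sample input for a run on 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE_FINDINGS = [
    Finding("web01", "outdated-tls-library", False, True, "low", "critical", False, date(2024, 5, 1)),
    Finding("db01", "default-admin-account", False, False, "medium", "high", True, date(2024, 3, 3)),
    Finding("print01", "banner-version-guess", True, False, "low", "medium", False, date(2024, 4, 1)),
    Finding("app02", "verbose-error-pages", False, True, "high", "medium", False, date(2024, 5, 25)),
]

if __name__ == "__main__":
    for host, check, score in prioritize(SAMPLE_FINDINGS, TODAY):
        print(f"{score:5.1f}  {host:8s} {check}")
```

The false positive on print01 drops out of the queue entirely, the internet-exposed critical on web01 saturates at 10.0, and the compensating control on db01 pulls its score down even though it has been open for three months.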
Treating Vulnerabilities
Once a vulnerability has been evaluated and validated, an organization must decide, together with the relevant stakeholders, how it should be treated. During this phase, you may also want to increase monitoring or reduce access to areas considered to be high risk. There are three ways to treat a vulnerability:
Remediation
Remediation is regarded as the ideal treatment of a vulnerability. This involves fully fixing or patching the vulnerability so that it can’t be exploited. Mean time to remediate, or MTTR, is the number of days it takes to close a security vulnerability once it has been discovered. By minimizing the MTTR, you effectively minimize your organization’s losses.
Mitigation
In some cases, a proper fix or patch isn’t yet available for a vulnerability. This is where the concept of mitigation comes into play. This method will reduce the likelihood and/or impact of a vulnerability being exploited. While mitigation isn’t the final step in dealing with a vulnerability, it buys an organization time until a better solution is found.
Acceptance
Organizations can also decide neither to fix the vulnerability nor to reduce its likelihood or impact. This is justified when the vulnerability is considered low risk and the cost of fixing it is greater than the potential cost the organization would incur if it were exploited. You must know the requirements of your cyber insurance policies, contracts, and regulations before deciding to leave a vulnerability unfixed.
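The three treatments and the MTTR metric from the Remediation section can be tracked in one small record per finding. This is an added example, not the article's or any product's code: it validates that an acceptance decision is only recorded for low-risk findings with a documented justification and a review date, flags mitigations that have no date to revisit a full fix, and computes MTTR in days over remediated findings while reporting open remediation tickets separately so they do not quietly flatter the average. The acceptance threshold, review window and ticket data are constructed assumptions.

```python
"""Treatment tracking and mean time to remediate (MTTR).

Added example; ACCEPT_MAX_SCORE and the review window are assumptions for
illustration, and SAMPLE_TICKETS is constructed data.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Dict, List, Optional

ACCEPT_MAX_SCORE = 4.0   # assumption: only findings at or below this score may be accepted

@dataclass
class Ticket:
    finding_id: str
    score: float
    treatment: str                  # "remediate", "mitigate" or "accept"
    discovered: date
    closed: Optional[date] = None   # remediate: date the fix or patch was applied
    justification: str = ""         # accept: why the risk is tolerated
    review_by: Optional[date] = None  # accept/mitigate: when the decision is revisited

def validate(t: Ticket) -> List[str]:
    """Return policy problems with one ticket; an empty list means it is well-formed."""
    problems = []
    if t.treatment not in ("remediate", "mitigate", "accept"):
        problems.append(f"{t.finding_id}: unknown treatment {t.treatment!r}")
    if t.treatment == "accept":
        if t.score > ACCEPT_MAX_SCORE:
            problems.append(f"{t.finding_id}: score {t.score} is too high to accept")
        if not t.justification:
            problems.append(f"{t.finding_id}: acceptance needs a documented justification")
        if t.review_by is None:
            problems.append(f"{t.finding_id}: acceptance needs a review date")
    if t.treatment == "mitigate" and t.review_by is None:
        problems.append(f"{t.finding_id}: mitigation is temporary; set a date to revisit a full fix")
    return problems

def policy_report(tickets: List[Ticket]) -> Dict[str, List[str]]:
    """Map finding id to its list of problems, only for tickets that have any."""
    report = {t.finding_id: validate(t) for t in tickets}
    return {k: v for k, v in report.items() if v}

def mttr_report(tickets: List[Ticket], today: date) -> dict:
    """MTTR in days over closed remediation tickets, plus the open remediation backlog."""
    closed = [(t.closed - t.discovered).days for t in tickets
              if t.treatment == "remediate" and t.closed is not None]
    backlog = [(today - t.discovered).days for t in tickets
               if t.treatment == "remediate" and t.closed is None]
    return {
        "mttr_days": mean(closed) if closed else None,
        "closed": len(closed),
        "open": len(backlog),
        "oldest_open_days": max(backlog) if backlog else 0,
    }

# Constructed sample tickets for a report run on 2024-06-01.
TODAY = date(2024, 6, 1)
SAMPLE_TICKETS = [
    Ticket("F-001", 10.0, "remediate", date(2024, 5, 1), closed=date(2024, 5, 4)),
    Ticket("F-002", 4.8, "remediate", date(2024, 3, 3), closed=date(2024, 5, 2)),
    Ticket("F-003", 3.0, "mitigate", date(2024, 5, 25), review_by=date(2024, 8, 23)),
    Ticket("F-004", 2.0, "accept", date(2024, 1, 10),
           justification="isolated printer VLAN, no sensitive data", review_by=date(2024, 8, 30)),
    Ticket("F-005", 7.5, "accept", date(2024, 5, 20)),          # should be rejected by policy
    Ticket("F-006", 6.0, "remediate", date(2024, 4, 2)),        # still open
]

if __name__ == "__main__":
    for fid, problems in policy_report(SAMPLE_TICKETS).items():
        print(fid, "->", "; ".join(problems))
    print(mttr_report(SAMPLE_TICKETS, TODAY))
```

F-005 is rejected three times over (score too high, no justification, no review date), which is exactly the kind of acceptance the cyber insurance and contract checks in this section are meant to prevent, and the MTTR of 31.5 days is reported next to a 60-day-old open ticket rather than in isolation.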
Expert Vulnerability Assessments in NJ & FL
While this process can seem daunting, there are solutions that can help you manage and automate many tasks associated with vulnerability management. Mindcore offers a vulnerability management platform for companies of all sizes in New Jersey and Florida. It includes all the key features and functions you need, without the unnecessary bells and whistles that add complexity and cost. If you’d like to learn more about our cyber security services or schedule a consultation, please contact us today!