Vulnerability Management (VM) vs. System Admins. It is a challenge !!!

I was facing problem in arranging my thoughts on how I can manage the vulnerability scan results of the servers and other equipment on my network.  I wrote this article to bring the results of the research that I performed in this field to help others in managing the vulnerabilities and resolve it as soon as possible. Because the main factor in vulnerability management is time as soon as you resolve it as soon as you will be secure.  
Vulnerability assessment (VA) is part of the vulnerability management (VM) tasks that the security professional perform on regular basis. The first step in any VM task is to discover your network and find all the assets you have to assess the vulnerabilities on it. So, you need a tool to map and discover your network and run it. Keep in mind to perform the discovery scan on a frequent basis to keep your asset list up to date.  The second step reviews the results and group the assets based on an operating system that assets run on. The method I used to group the assets is:  
    • Windows OS.  
    • Linux and Unix ( I used generally Unix)  
    • Network equipment  
This grouping will help in running the vulnerability assessment on scheduled base for frequent periods. For example, the Windows group can be scheduled on first Friday of the month to scan all windows assets. Schedule the second group to run on second Friday of the month and etc. Choosing the time of the scan on weekend better to avoid the overhead happens on the network and to review and analyze the results on the first working day of the week. Always review your results of discovery and grouping with the admins on each group to help in making the grouping more accurate.    
As the results of the vulnerability scan are ready with you. You can start the next stage which is the reporting. Always better to filter the most critical high severity vulnerabilities as the first step to resolve the vulnerabilities with admins. So, I recommend structuring the vulnerability management task to start with the reports showing high severity exploitable vulnerabilities to be resolved. That is better to make the task easy to be managed and easy to be tracked by admins and the security professional working on this task. Then as the second stage of reporting produce reports with the remaining vulnerabilities with lower severity.   
For reporting it is recommended to group the assets as groups based on application/solution running on the assets/servers. For example Domain Controllers group, Exchange group, ...etc. Grouping based on application/solution will make the task much easier for the admins to patch the servers and test the patch. Because the main problem with the admins is to test the patching needed to resolve the vulnerabilities it is usually will make a problem with the application running on these servers. Like compatibility issues.     
Reporting the vulnerabilities can be categorized into two categories: admin reports and management reports. Admins report is more technical details reports that show the servers details with the vulnerabilities related to it. Details of admins report contains only the relevant information needed to the admin to avoid confusion and the report can list all the vulnerabilities with a brief description of the vulnerability and the solution for the vulnerability usually mention the configuration or the patch needs to be applied to solve that vulnerability. On the other hand,  Management report should show the total vulnerabilities of all servers in graphic and summary counts view that explains the status of the vulnerabilities in the organization network.  Finally, share high severity exploitable vulnerabilities reports with the concerned persons.  
In this stage, security professional created the structure of the vulnerability management task in a way that can be tracked with the related admins and they have to start the follow-up and SLA stage to resolve the vulnerabilities as soon as possible. This task can be performed using excel sheet or dedicated solution to track the resolved vulnerabilities.   
Finally, vulnerability management is a task that is must be accomplished on a frequent basis. Monthly is a good frequency to give the time to resolve the vulnerabilities.   

By Abdulla Abusaif, CISSP, PMP 

Comments

  1. Ana CyberDecember 11, 2021 at 2:23 AM

    You have done great work by publishing this article here. It is useful and convenient info for us. Keep upgrading our knowledge by share these types of articles. Find cyber security and ISO consultants in India.

    ReplyDelete
  2. caidonvagnoniNovember 5, 2022 at 3:38 PM

    The splashes of shade make each game look engaging. As you’d anticipate, there are particular person classes for all game types 카지노게임 and you may rapidly see which studio has developed each title. We particularly loved the playability on mobile devices. You also can rapidly see the key thing} information about a given game, which could be invaluable when you need to determine which game want to} play subsequent. Each game sort is perfectly broken down into numerous subcategories.

    ReplyDelete
  3. InkclawMarch 30, 2023 at 8:38 AM

    This blog is really helpful to deliver updated affairs over internet which is really appraisable.
    Tattoo Machines For Sale

    ReplyDelete
  4. tavernermotorsportsApril 3, 2023 at 8:22 AM

    Thanks for share your blog here .
    restore motorcycle

    ReplyDelete
  5. Hebe AdventuresApril 14, 2023 at 9:16 AM

    I found one successful example of this truth through this blog. I am going to use such information now.
    Why choose Hebe for your child's language stay

    ReplyDelete

Post a Comment

Popular posts from this blog

Information Security in Organization Structure (CISO)

In this article, I will introduce the concept of Information Security (InfoSec) as an independent section or department in the organization. I will start from the beginning by explaining what is information and what is information in the organization until we reach to a point where we can differentiate between Information Technology (IT) and Information Security (InfoSec) which is somehow related terms and also a related department in the organization. But, it should to independent departments in the organization. Just to mention at the beginning that the purpose of this article is not to reduce the importance of IT in the organization but to clarify that IT is a department that is handling an important part of the organization strategy and goals and InfoSec also handling another impotent part of the organization strategy and goals. Better to start by explaining what is Information. It is something that people can learn, know about, or understand. For example, the book contain
Read more

Vulnerability Assessment vs. Penetration Test

It is all about  Vulnerabilities.  So, what is the Vulnerability? It is a  Weakness  in an  Information System or  System Security Procedures or  Internal Controls or System D esign or System  Implementation or  Configuration/Setup  that will raise risk and expose it to be exploited or triggered by a threat actor.  As  Window Snyder -  Chief Security Officer at Square, Inc. said:   "One single vulnerability is all an attacker needs.".    To find this vulnerability we need to search for it and to search for it we need to test the system from a security perspective to find it. So,  Security Testing is to identify the threats in or on the system and measure its potential vulnerabilities "Weaknesses" so these threats and vulnerabilities must be remediated to reduce the risk. In other words, Security Tests are to identify all possible loopholes and weaknesses of the system which might result in a loss of information, revenue, repute at the hands of the employees or outsi
Read more