
Vulnerability Management: What it is, and how to go about it

April 27, 2023

It doesn’t take a cybersecurity expert to know a successful attack can be catastrophic for an organization. But what exactly is the anatomy of a cyberattack, and how does vulnerability management help combat these threats? In this article, I'll answer both of these questions.

What is a cybersecurity attack? Explained lightning fast

A cybersecurity attack is when a threat actor discovers a vulnerability in a system or network and exploits it to gain unauthorized access. Vulnerabilities can include software bugs, configuration errors, or weak passwords that can be exploited by an attacker.

How are vulnerabilities, risks, and threats different?

  • A vulnerability, as defined by ISO 27002, is “a weakness of an asset or group of assets that can be exploited by one or more threats.”

  • A threat is something that can exploit a vulnerability, usually a person.

  • A risk is the probability of loss or damage resulting from a cybersecurity attack.

Vulnerabilities come in two forms, public and private. Of the two, public vulnerabilities are especially dangerous.

Why are publicly disclosed vulnerabilities so important?

Unlike private vulnerabilities, which take a threat actor time and effort to find, a public vulnerability is just that: public. Everyone and their dog knows about it! And so, threat actors actively search for unpatched systems affected by recently disclosed vulnerabilities. After all, to them, these systems are like money on the table, just waiting there to be snatched up.

A good example of a public vulnerability being exploited is the 2017 "NotPetya" cybersecurity attack, where attackers exploited a Server Message Block (SMB) vulnerability that Microsoft had recently released a security patch for.

Thankfully, finding out what vulnerabilities are public is not at all hard! In fact, there are programs like CVE® to help.

What is the Common Vulnerabilities and Exposures (CVE®) Program?

The MITRE organization runs the Common Vulnerabilities and Exposures (CVE®) Program, which identifies and catalogs publicly disclosed vulnerabilities. This program assigns each vulnerability a unique CVE record number consisting of the year it was disclosed and a unique identifier. This allows cybersecurity professionals to easily identify and discuss specific vulnerabilities.

An example of a CVE Record: CVE-2021-44228

One CVE record that garnered much attention was CVE-2021-44228, also known as Log4Shell (which admittedly rolls off the tongue better). This vulnerability allowed attackers to execute arbitrary code loaded from LDAP servers on the Apache Log4j2 service. Since this service was widely used on many web servers, thousands of websites were vulnerable to attack. 

Log4Shell demonstrated how one vulnerability can have a cascading effect on the security of millions of other systems.

What is Vulnerability Management, and how can it help?

Vulnerability management is the continuous process of identifying, evaluating, documenting, managing, and fixing security weaknesses in endpoints, workloads, and systems. In most cases, a security team uses a vulnerability management tool to discover these vulnerabilities, and employs various techniques to repair or mitigate them.

An effective vulnerability management program incorporates threat intelligence and awareness of IT and business operations to prioritize risks and deal with vulnerabilities promptly.

Using the National Vulnerability Database (NVD) for vulnerability management

The National Vulnerability Database (NVD) is a government repository for vulnerability management. It provides a standardized list of vulnerabilities, allowing for automated vulnerability management across U.S. government agencies using the Security Content Automation Protocol (SCAP). 

The NVD also leverages the Common Vulnerability Scoring System (CVSS) to score and measure the severity of vulnerabilities. This rating system helps organizations prioritize vulnerability management accordingly. CVSS consists of qualitative metrics that describe properties like:

  • The vectors of attack

  • Whether the vulnerability can be exploited via a network, physical location, or adjacent network

  • The level of user interactions required for exploitation

  • The privileges required

  • The potential scope of the exploitation. 
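
How the qualitative metrics listed above turn into the numeric score used for prioritization, shown as an added example (not code from this article or from the NVD): a CVSS v3.1 base-score calculator using the weights and formula from the FIRST specification. The vectors and finding IDs are constructed sample data.

```python
import math

# Metric weights from the CVSS v3.1 specification (FIRST).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}   # Network/Adjacent/Local/Physical
AC = {"L": 0.77, "H": 0.44}                         # attack complexity
UI = {"N": 0.85, "R": 0.62}                         # user interaction None/Required
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}              # impact on C, I and A
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27},       # privileges, scope unchanged
      "C": {"N": 0.85, "L": 0.68, "H": 0.5}}        # privileges, scope changed

def roundup(x):
    # Spec-defined round-up to one decimal that avoids float artefacts.
    n = round(x * 100000)
    return n / 100000.0 if n % 10000 == 0 else (math.floor(n / 10000) + 1) / 10.0

def base_score(vector):
    prefix, *parts = vector.split("/")
    if prefix != "CVSS:3.1":
        raise ValueError("not a CVSS v3.1 vector: " + vector)
    try:
        m = dict(p.split(":") for p in parts)
        scope = m["S"]
        iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
        expl = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR[scope][m["PR"]] * UI[m["UI"]]
    except (KeyError, ValueError):
        raise ValueError("missing or invalid base metric in: " + vector)
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if scope == "C" else 6.42 * iss
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if scope == "C" else 1.0) * (impact + expl), 10))

def severity(score):
    bands = ((9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low"))
    return next((label for floor, label in bands if score >= floor), "None")

def prioritize(findings):
    # Highest base score first, so the most severe findings are handled first.
    return sorted(((f, base_score(v)) for f, v in findings), key=lambda x: x[1], reverse=True)

# Constructed findings: placeholder IDs, not real CVE records.
FINDINGS = [
    ("FINDING-A", "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
    ("FINDING-B", "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"),
    ("FINDING-C", "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),
]

if __name__ == "__main__":
    for fid, score in prioritize(FINDINGS):
        print(fid, score, severity(score))
```

The base score reflects severity only; an effective program still weighs it against threat intelligence and business context before deciding what to fix first.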

The NVD is operated by the National Institute of Standards and Technology (NIST) — just in case you haven’t had enough acronyms yet.

Conclusion: Equip yourself to plug those vulnerabilities

In conclusion, vulnerability management is a critical aspect of cybersecurity, and understanding the anatomy of a cyber attack is essential in protecting against them. With the CVE® Program and NVD, cybersecurity professionals have the tools they need to identify, manage, and remediate vulnerabilities, reducing the risk of a successful attack.

Bonus round: Dealing with Container Security Vulnerabilities in GCP

If you’re using Google Cloud Platform (GCP), here are some additional insights. Developers can leverage GCP Cloud Build's Security Insights to scan and identify CVE records within container images. Each identified CVE is also accompanied by a CVSS score for severity, which can be used to prioritize management of each vulnerability.

Check out my Hands-on Security for GCP Developers course, which includes hands-on training on how to scan containers for security vulnerabilities, scan running web apps for OWASP Top 10 vulnerabilities, and secure software apps running on GCP.

Chris Jackson

Chris Jackson is a cybersecurity professional with years of experience in identifying security incidents, securing applications and security training. Over the years, he has tested web applications for vulnerabilities, helped deploy SIEM platforms and more. He is passionate about teaching cybersecurity and committed to learning new technologies.