Free Book - External Exposure & Attack Surface Management for Dummies
Vulnerability management (VM) is the process of identifying, categorizing, and remediating security vulnerabilities to proactively defend against threats. All vulnerability management should begin by identifying all of the assets within an IT ecosystem before attempting to test for vulnerabilities, or organizations may end up with significant blind spots. Unfortunately, the true extent of an organization’s attack surface is not identified by legacy security tools and processes, such as vulnerability scanners and penetration tests, yet many organizations operate as if that were the case. These legacy security tools do not have the means to identify previously unknown assets.
A vulnerability scanner is a tool that inspects applications, systems, networks, and software for potential vulnerabilities. It compares details about the assets it encounters against a database of known security holes in those assets, which may involve exposed services and ports, anomalies in packet construction, and potential paths to exploitable programs or scripts.
Vulnerability scanners only discover vulnerabilities in the assets and resources they are directed to scan. Everything they are not pointed at, which often includes cloud-based deployments, workloads running in the cloud, and resources operated or maintained by third parties, partners, subsidiaries, or suppliers, is left open to exploitation. These are the security gaps that attackers are constantly on the lookout for. The relative proportion of what vulnerability scanners can reveal, compared to what they cannot know, can render these tools a form of security theater.
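To make the coverage gap concrete, the following added example (not from the book or any vendor tool) compares a scanner's configured scope with an externally observed asset inventory and reports what the scanner can never see. The scope ranges, addresses, `.test` hostnames and operator labels are all constructed sample data.

```python
"""Scanner blind-spot check: which observed assets fall outside scan scope?

Added example. The scanner scope and the asset inventory below are
constructed sample data, not real infrastructure.
"""
import ipaddress

# Constructed scanner scope: the only ranges the scanner is directed to test.
SCANNER_SCOPE = ["203.0.113.0/28", "198.51.100.10/32"]

# Constructed external inventory: (address, hostname, who operates it).
OBSERVED_ASSETS = [
    ("203.0.113.5", "www.example.test", "corporate"),
    ("203.0.113.9", "vpn.example.test", "corporate"),
    ("198.51.100.10", "mail.example.test", "corporate"),
    ("192.0.2.44", "app-prod.cloud.example.test", "cloud"),
    ("192.0.2.45", "staging.cloud.example.test", "cloud"),
    ("198.51.100.77", "billing.partner.example.test", "third-party"),
    ("203.0.113.200", "legacy-ftp.example.test", "subsidiary"),
]


def in_scope(addr, scope):
    """True if addr lies inside any network the scanner is configured for."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net, strict=False) for net in scope)


def unscanned_assets(assets, scope):
    """Assets the scanner cannot report on because it is never pointed at them."""
    return [asset for asset in assets if not in_scope(asset[0], scope)]


def coverage_ratio(assets, scope):
    """Fraction of the observed attack surface that scan scope actually covers."""
    if not assets:
        return 0.0
    return 1 - len(unscanned_assets(assets, scope)) / len(assets)


def blind_spots_by_operator(assets, scope):
    """Count unscanned assets per operator to show where the gaps concentrate."""
    counts = {}
    for _, _, operator in unscanned_assets(assets, scope):
        counts[operator] = counts.get(operator, 0) + 1
    return counts


if __name__ == "__main__":
    for addr, host, operator in unscanned_assets(OBSERVED_ASSETS, SCANNER_SCOPE):
        print(f"NOT SCANNED  {addr:<16} {host:<32} ({operator})")
    print(f"scope covers {coverage_ratio(OBSERVED_ASSETS, SCANNER_SCOPE):.0%} of observed assets")
    print("gaps by operator:", blind_spots_by_operator(OBSERVED_ASSETS, SCANNER_SCOPE))
```

With the sample data, four of the seven observed assets (both cloud workloads, the partner-run host and the subsidiary's legacy server) sit outside scan scope, so the scanner's clean report would describe well under half of the real attack surface.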
A vulnerability is a weakness or issue within a system, software, or application that could be exploited by a malicious party or hacker to gain unauthorized access to an organization. For vulnerabilities in commercial products, the MITRE Corporation maintains the Common Vulnerabilities and Exposures (CVE) system, in which each vulnerability is assigned a unique number based on the timing of its discovery within a given year. Whether vulnerabilities occur in the custom software an organization has created or in the commercial products it uses, organizations almost always have far more vulnerabilities to address than they can remediate in a timely manner, which is why there has been growing interest in risk-based vulnerability management.