Patching
• The most common mitigation technique
- We know the vulnerability exists
- We have a patch file to install
• Scheduled vulnerability/patch notices
- Monthly, quarterly
• Unscheduled patches
- Zero day, often urgent
• This is an ongoing process
- The patches keep coming
- An easy way to prevent most exploits
Insurance
Cybersecurity insurance coverage
- Lost revenue
- Data recovery costs
- Money lost to phishing
- Privacy lawsuit costs
Doesn't cover everything
- Intentional acts, funds transfers, etc
Ransomware has increased the popularity of cybersecurity liability insurance
- Applies to every organization
Segmentation
Limit the scope of an exploit
- Separate devices into their own networks/VLANs
A breach would have limited scope
- It's not as bad as it could be
Can't patch?
- Disconnect from the world
- Air gaps may be required
Use internal NGFWs
- Block unwanted/unnecessary traffic between VLANs
Physical segmentation
• Separate devices
- Multiple units, separate infrastructure

Compensating Controls
• Optimal security methods may not be available
- Can't deploy a patch right now
- No internal firewalls
• Compensate in other ways
- Disable the problematic service
- Revoke access to the application
- Limit external access
- Modify internal security controls and software firewalls
• Provide coverage until a patch is deployed
- Or similar optimal security response
Exceptions and exemptions
• Removing the vulnerability is optimal
- But not everything can be patched
• A balancing act
- Provide the service, but also protect the data and systems
• Not all vulnerabilities share the same severity
- May require local login, physical access, or other criteria
• An exception may be an option
- Usually a formal process to approve
Validation of remediation
• The vulnerability is now patched
- Does the patch really stop the exploit?
- Did you patch all vulnerable systems?
• Rescanning
- Perform an extensive vulnerability scan
• Audit
- Check remediated systems to ensure the patch was successfully deployed
• Verification
- Manually confirm the security of the system
Reporting
Ongoing checks are required
- New vulnerabilities are continuously discovered
- Difficult (or impossible) to manage without automation
- Manual checks would be time consuming
Continuous reporting
- Number of identified vulnerabilities
- Systems patched vs unpatched
- New threat notifications
- Errors, exceptions and exemptions