Vulnerability Management
Systematic and ongoing process of identifying, evaluating, prioritizing, and mitigating vulnerabilities
Vulnerability Scanning
Automated method of probing networks, systems, and applications to discover potential vulnerabilities
Application Security
Used to safeguard the software from being manipulated during its lifecycle
Static Analysis
Used to analyze an application's source code without executing it
Dynamic Analysis
Evaluates an application as it is being run to determine if there are any vulnerabilities in the application
Package Monitoring
Ensures that the libraries and components that the application depends on are secure and up-to-date
Penetration Testing
Used to simulate a real-world attack on a system to evaluate its security posture
System/process audit
An audit process with a wide scope, including assessment of supply chain, configuration, support, monitoring, and cybersecurity factors.
What are the 4 steps to identify vulnerabilities?
1) Planning
2) Testing
3) Implementing
4) Auditing
What are the different methods?
- Vulnerability scanning
- Application security techniques
- Penetration testing
- Security and process auditing
Threat Intelligence
Continual process used to understand the threats faced by an organization
Threat Intelligence Feed
Continuous stream of data related to potential or current threats to an organization's security
Open-Source Intelligence (OSINT)
Intelligence that is collected from publicly available sources including reports, forums, news articles, blogs, and social media posts
Proprietary or Third-Party Feeds
Threat intelligence feeds that are provided by commercial vendors, usually under a subscription service type of business model
Responsible Disclosure
Term used to describe the ethical practice where a security researcher discloses information about vulnerabilities in a software, hardware, or online service
Bug Bounties
Offer rewards to researchers who discover vulnerabilities, encouraging responsible disclosure
- Enhances cybersecurity collaboration for a safer digital landscape
Common Vulnerabilities and Exposures (CVE)
System that provides a standardized way to uniquely identify and reference known vulnerabilities in software and hardware
Exposure Factor (EF)
Used as a quantifiable metric to help a cybersecurity professional understand the exact percentage of an asset that is likely to be damaged or affected if a particular vulnerability is exploited
Steps to finding vulnerabilities
- Confirmation (ruling out false positives, etc.)
- Prioritization
- Classification
- Organizational impact
- Exposure factor
- Risk tolerance
Vulnerability Response and Remediation
Strategies that identify, assess, and address vulnerabilities in a system or network to strengthen an organization's security posture
Patching
Applying updates to fix vulnerabilities.
Purchasing Cybersecurity Insurance Policies
Procuring insurance policies to mitigate financial losses from cyber incidents
Network Segmentation
Dividing a network into smaller, manageable parts.
Implementing Compensating Controls
Alternative security measures used in situations where standard controls are not feasible or effective
Exception
Temporarily relaxes security controls for operational business needs
Exemption
Permanently waives controls for specific reasons, such as when using a legacy system