You're reading from Certified Ethical Hacker (CEH) v12 312-50 Exam Guide

Product type: Book
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781801813099
Edition: 1st Edition

Author: Dale Meredith

Dale Meredith is an EC-Council Certified Ethical Hacker/Instructor and a Microsoft Certified Trainer. Dale has over 10 years of senior IT management experience and was a CTO for an ISP. Dale's skill as an IT trainer lies in clarifying complicated concepts and ensuring students understand the theories. Dale's teaching style is memorable and entertaining. His expertise has led to many opportunities, including teaching teams in Fortune 500 firms, universities globally, the Department of Homeland Security, and many US military branches. Along with authoring video courses, consulting, and classroom training, you can catch Dale on stage speaking at IT conferences around the world, helping teams keep their companies safe, relevant, and breach-aware.

Chapter 6: Vulnerability Analysis

Vulnerability management is the process of using tools, processes, and knowledge to reduce risk related to IT systems. This includes the entire life cycle, from initially discovering vulnerabilities through reporting them, prioritizing them according to business needs, remediating them through software or procedural changes, verifying that they have been fixed, and documenting lessons learned for the future.

Note that vulnerability management is not a one-time event. It's an ongoing process that needs to be revisited regularly. New vulnerabilities are discovered all the time, and old ones are fixed or become irrelevant. You need to make sure your systems are always up-to-date and that your patches are current.

In this chapter, we'll cover the following topics:

  • Vulnerability analysis – where to start
  • Vulnerability classifications
  • The life cycle
  • Ongoing scanning and monitoring

Let's dive in!

...

Vulnerability analysis – where to start

A vulnerability assessment is a systematic review of security weaknesses in an information system. Specifically, it looks for vulnerabilities in computer systems, applications, and network infrastructures. It evaluates if the system is susceptible to any known vulnerabilities, assigns severity levels to those vulnerabilities, and recommends remediation, if and whenever it's needed.

Vulnerability assessments also provide an organization with the necessary knowledge, awareness, and risk backgrounds to understand and react to threats to its environment.

Vulnerability classifications

Vulnerabilities can be classified into the following categories:

  • Misconfiguration: You'll hear me preach about this all the time because it's one of the most common vulnerabilities. Misconfiguration is caused by human error, and it allows attackers to gain unauthorized access to your systems. There are different types of misconfigurations because they can happen on application platforms, databases, the network itself, and even web servers. A misconfiguration could occur because someone forgot to update the application or the database, disabled security settings or features that are needed, set up permissions incorrectly, or misconfigured SSL certificates.
  • Default installation vulnerabilities: These typically happen when we just keep hitting Next during installation. I get it. Sometimes, this happens. Installing an application where the attackers and everybody else are expecting...

The vulnerability life cycle

Every time I see the words life cycle, I think I need to go out and exercise, but the purpose of the life cycle here is to make sure we follow every step to find weaknesses and remediate them. In this case, these steps will help us find security weaknesses and remediate them before they are exploited:

Figure 6.1 – Vulnerability assessment life cycle

Here are the steps of the vulnerability life cycle process:

  • Creating a baseline: In this phase, we look at critical assets, identify them, and prioritize them to create a good baseline for vulnerability management.
  • The assessment: This is a critical phase of vulnerability management. What we do, as security professionals, is identify and know the vulnerabilities within our infrastructure.
  • Risk assessment: All we're doing here is measuring or summarizing the vulnerability and the risk level – some systems may be at a higher risk level than others...

Ongoing scanning and monitoring

When it comes to ongoing scanning and continuous monitoring, the environment keeps changing through the cycle of procuring and replacing systems, and attackers keep adopting new tactics, threats, and techniques, so it's not enough to perform a vulnerability assessment only once. You need to have some type of plan for ongoing scanning. As we mentioned earlier, you need to come up with a schedule and stick to it.

Continuous security monitoring refers to the process of continual risk assessment. This means we maintain a high level of awareness of the threats that are coming out or have been released into the wild. It also refers to performing routine audits of rights and privileges in real time.

To truly have a good understanding of monitoring, you need to create an initial baseline to help identify any variations. You need to compare them. It's kind of like when someone says my system seems to be slow. Well, compared to what? We must have something...
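The baseline comparison just described, together with the baseline and risk-assessment steps of the life cycle, as an added example that is not from the book. It assumes a constructed inventory (hypothetical host names, services, versions and CVSS scores): `drift` reports every variation between a later scan and the baseline, and `rank` orders scanner findings by severity weighted with the asset criticality recorded when the baseline was created.

```python
from dataclasses import dataclass

# Constructed baseline from the "creating a baseline" phase: each asset's
# criticality (1 = low, 5 = highest) and the services it is expected to expose.
# Host names and versions are hypothetical sample data, not real systems.
BASELINE = {
    "db01": {"criticality": 5, "services": {"5432/tcp": "postgresql 14.2"}},
    "web01": {"criticality": 3, "services": {"22/tcp": "openssh 9.0", "443/tcp": "nginx 1.22"}},
    "kiosk": {"criticality": 1, "services": {"22/tcp": "openssh 9.0"}},
}

# Constructed result of a later scan of the same hosts.
CURRENT = {
    "db01": {"5432/tcp": "postgresql 14.2", "8080/tcp": "http-admin"},  # new listener
    "web01": {"443/tcp": "nginx 1.22"},                                  # SSH no longer listening
    "kiosk": {"22/tcp": "openssh 8.2"},                                  # version rolled back
    "lab07": {"3389/tcp": "rdp"},                                        # host never baselined
}

@dataclass
class Finding:
    host: str
    title: str
    cvss: float  # 0.0-10.0 severity as reported by the scanner

def drift(baseline, current):
    """Return (host, port, change) for every variation from the baseline."""
    changes = []
    for host, entry in baseline.items():
        expected, seen = entry["services"], current.get(host, {})
        for port in sorted(set(expected) | set(seen)):
            if port not in seen:
                changes.append((host, port, "missing"))
            elif port not in expected:
                changes.append((host, port, "new"))
            elif expected[port] != seen[port]:
                changes.append((host, port, f"changed: {expected[port]} -> {seen[port]}"))
    for host in current:
        if host not in baseline:  # anything outside the baseline is a variation too
            changes.append((host, "*", "host not in baseline"))
    return changes

def rank(findings, baseline):
    """Order findings so a moderate CVSS on a critical asset outranks a high CVSS on a low-value one."""
    def score(f):
        # Assets missing from the baseline are assumed medium (3) until classified.
        return f.cvss * baseline.get(f.host, {}).get("criticality", 3)
    return sorted(findings, key=score, reverse=True)
```

Run `drift(BASELINE, CURRENT)` after each scheduled scan and feed the scanner's findings through `rank` to decide what to remediate first.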

Summary

In this chapter, we discussed the benefits of a vulnerability management program (VMP). We looked at ongoing VMP processes and the importance of vulnerability research, which helps ensure the network is extremely secure and can withstand attacks.

Then, we discussed how to identify targets for scanning, how often, how deep, and with what scope to scan them, as well as the different levels of configuration. We also covered classifying data so that when an incident occurs, you'll know what needs to take priority when it comes to fixing the issue. We reviewed which scanner to use based on your environment. We also reviewed ways we can remediate our network vulnerabilities. We also talked about SSL and TLS, making sure that our certificates are valid and that we're using a strong enough cipher for this encryption. We also talked about the issues with virtualization.

In the next chapter, we'll dive into how to attack the targets that we've identified.

Questions

As we conclude, here is a list of questions for you to test your knowledge regarding this chapter's material. You will find the answers in the Assessments section of the Appendix:

  1. To find a vulnerability, an attacker sends probes and fabricated requests to a target. What type of scanning is this?
    1. Passive scanning
    2. Active scanning
    3. Flooding
    4. Man-in-the-middle
  2. To identify hosts and vulnerabilities, which type of assessment is used?
    1. Distributed
    2. Passive
    3. Active
    4. Automated
  3. Which vulnerability assessment solution is said to be placed in private or corporate resources?
    1. Service-based
    2. Inference-based
    3. Product-based
    4. Tree-based
  4. What kind of scanner is used when the location and data from a scan are stored on a single system?
    1. Cluster-based
    2. Proxy-based
    3. Network-based
    4. Agent-based