Weekly Stand up — Vulnerability Management

Obiagazie Kenechukwu
4 min read · Nov 20, 2023


Welcome back to our weekly updates.

Last week, I talked about information security and information privacy. This week, I’ll be talking about vulnerability management and the defense-in-depth model.

Disclaimer: The information (most of the definitions) shared is based on my knowledge from the Google cybersecurity certification program on Coursera and some online articles and videos.

Every asset we protect has a series of vulnerabilities or flaws that we need to be aware of. Finding those vulnerabilities and fixing them before they become a problem is the key to keeping an asset safe.

As we recall from previous discussions, a vulnerability is a weakness that can be exploited by a threat. Vulnerability management is the process of finding and patching vulnerabilities before they can be exploited. It is a four-step process: first, identify the vulnerabilities; next, consider potential exploits of the vulnerabilities found in the first step; third, prepare defenses against those threats; and finally, evaluate those defenses. Vulnerability management happens in a cycle. Security teams repeat this process regularly because new vulnerabilities are constantly being discovered. These newly discovered vulnerabilities are called zero-days. A zero-day is an exploit that was previously unknown; the term “zero-day” refers to the fact that the exploit is happening in real time, with zero days to fix it. These kinds of exploits are dangerous because they represent threats that haven’t been planned for yet.

A layered defense is less vulnerable to attack. The defense-in-depth model is a layered approach to vulnerability management that reduces risk. It is commonly referred to as “castle defense” because it resembles the layered defenses of a castle. It is a five-layered design that security analysts use to protect information in all of its states.

  1. Perimeter layer: This is the first layer. It is a user authentication layer that filters external access and includes technologies like usernames and passwords.
  2. Network layer: This layer is closely aligned with authorization and involves technologies like network firewalls.
  3. Endpoint layer: Endpoints are the devices that have access to a network. The technologies involved in this layer include antivirus software.
  4. Application layer: At this layer, security measures are programmed as part of an application. Technologies involved in this layer include multifactor authentication.
  5. Data layer: This layer contains critical data like PII (Personally Identifiable Information). A security control that is important here is asset classification.

Weaknesses and flaws are generally found during a vulnerability assessment. A vulnerability assessment is the internal review process of an organization’s security systems. An organization performs vulnerability assessments to identify weaknesses and prevent attacks. They’re also how security teams determine whether their security controls meet regulatory standards.

The vulnerability assessment involves a four-step process: Identification, vulnerability analysis, risk assessment, and remediation.

Vulnerability scanning tools are commonly used to simulate threats by finding vulnerabilities in an attack surface. A vulnerability scanner is software that automatically compares known vulnerabilities and exposures against the technologies on the network. In general, these tools scan systems to find misconfigurations or programming flaws. There are a few different ways that these tools are used to scan a surface. Each approach corresponds to the pathway a threat actor might take.
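To make the scanner idea concrete, here is an added example (not from the original post or the Google course) of the core matching step: an inventory of installed software on each host is compared against a constructed feed of known-vulnerability records, and the findings are ranked by severity. All host names, product names, versions and the CVE-XXXX-NNNN identifiers are made-up placeholders.

```python
"""Minimal scanner core: compare an asset inventory against known-vulnerability
records. Added example; identifiers and versions are constructed placeholders."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KnownVuln:
    vuln_id: str   # placeholder, NOT a real CVE identifier
    product: str   # product name as it appears in the inventory
    fixed_in: str  # first version that carries the fix; older versions are affected
    cvss: float    # severity score, used only to order the findings


# Constructed feed of "known vulnerabilities" (stand-in for a real CVE/NVD feed).
KNOWN_VULNS = [
    KnownVuln("CVE-XXXX-0001", "webserver", "2.4.10", 9.8),
    KnownVuln("CVE-XXXX-0002", "dbserver", "10.3.0", 7.5),
]

# Constructed inventory: host -> {product: installed version}.
INVENTORY = {
    "host-a": {"webserver": "2.4.3", "dbserver": "10.3.1"},
    "host-b": {"webserver": "2.4.12", "dbserver": "10.2.9"},
}


def parse_version(version: str) -> tuple:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.
    A plain string comparison would wrongly rank '2.4.3' above '2.4.10'."""
    return tuple(int(part) for part in version.split("."))


def is_affected(installed: str, vuln: KnownVuln) -> bool:
    """A host is exposed when its installed version predates the fix."""
    return parse_version(installed) < parse_version(vuln.fixed_in)


def scan(inventory: dict, vulns: list) -> list:
    """Return one finding per (host, product, vulnerability) match,
    ordered with the highest CVSS score first for remediation planning."""
    findings = []
    for host, software in inventory.items():
        for product, version in software.items():
            for vuln in vulns:
                if vuln.product == product and is_affected(version, vuln):
                    findings.append({"host": host, "product": product,
                                     "installed": version, "fixed_in": vuln.fixed_in,
                                     "vuln_id": vuln.vuln_id, "cvss": vuln.cvss})
    findings.sort(key=lambda f: f["cvss"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in scan(INVENTORY, KNOWN_VULNS):
        print(f"{f['host']}: {f['product']} {f['installed']} -> {f['vuln_id']} "
              f"(CVSS {f['cvss']}, upgrade to {f['fixed_in']})")
```

A real scanner adds authenticated checks and configuration tests on top of this version matching, which is why a version-only comparison can produce false positives when a distribution backports a fix without changing the version number.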

As part of the identification and risk assessment process, it is important to identify potential threat sources and events that could negatively impact the business. This is done by asking several questions such as: Is the threat relevant to the system in question? Is the threat internal or external? What is the intent of the threat actor? What are the technical capabilities of the threat actors? Answering these questions will help to better understand the nature of the threats and take necessary measures to mitigate them.

To evaluate the risk of each threat to the business, we multiply its likelihood of occurrence by the severity of its impact. Based on this, we calculate an overall risk score that shows the seriousness of the risks to the asset under review (in this exercise, a database server) and provides guidance on how to prioritize resources to address the most critical risks. The risk assessment report includes a statement that explains why and how specific threats were evaluated. Additionally, the report outlines a plan for securing the vulnerable database server in its Remediation section.

What is a CVE?

The course also covered some interesting topics: vulnerabilities versus exposures (an exposure is a mistake that can be exploited by a threat), the CVE (Common Vulnerabilities and Exposures) list maintained by MITRE, the CNAs (CVE Numbering Authorities), the NIST National Vulnerability Database, CVSS, and the criteria for inclusion in the CVE list.

The CVE list applies four criteria that a vulnerability must meet before it is assigned an ID. First, it must be independent of other issues; in other words, it should be possible to fix the vulnerability without having to fix something else. Second, whoever reports the vulnerability must recognize it as a potential security risk. Third, the vulnerability must be submitted with supporting evidence. And finally, the reported vulnerability can only affect one codebase or program’s source code: for example, the Chrome desktop version may be vulnerable while the Android application is not. Once a reported flaw passes all of these tests, it is assigned a CVE ID.

Staying informed and maintaining awareness about the latest cybersecurity trends can be a useful way to help defend against attacks and prepare for future risks in your security career. The OWASP’s Top 10 and the OSINT (Open-source Intelligence) framework are useful resources to learn more about these vulnerabilities.

In summary, to become an effective security analyst, it is essential to develop risk assessment and reporting skills. These abilities will help you identify potential risks in an organization’s systems and report the information through the appropriate channels.

Thanks for reading. Let’s discuss, exchange ideas, and connect in the comment section. Also looking forward to collaborations.

See you next week.
