How to create a Vulnerability management security team, roles & responsibilities in your organizations?

Mr.Vic
Nov 26, 2020 · 10 min read

“Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities”.


1.Vulnerability management:

★Vulnerability management is an integral part of computer and network security and must not be confused with a vulnerability assessment. Known vulnerabilities are discovered with a vulnerability scanner, which analyzes a system for weaknesses such as open or insecure ports, software misconfigurations, and susceptibility to malware infection. Unknown vulnerabilities, such as those behind a zero-day attack, can be found with fuzz testing, which can reveal certain classes of bugs, such as a buffer overflow, given relevant test cases. Test automation can facilitate such analysis.


★In computer security, a vulnerability is a weakness in a system that a threat actor can exploit to perform unauthorized actions within organizational applications or networks. To take advantage of a vulnerability, an attacker must have at least one applicable tool or technique that can be used to identify and connect to the weakness. In this context, the set of such weaknesses is also known as the attack surface. Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.

★This practice refers to software vulnerabilities in computing systems. A security risk is often incorrectly classified as a vulnerability. Using vulnerability with the same meaning as risk can lead to confusion: the risk is the potential for a significant impact resulting from the exploitation of a vulnerability.

★There are vulnerabilities without risk: when the affected asset has no value. A vulnerability with one or more known instances of working and fully implemented attacks is classified as an exploitable vulnerability, that is, a vulnerability for which an exploit exists.

1.1 Why Vulnerability Management is Important:

★Hardware and software vendors across industries constantly look for security bugs in their products, which is why updates and security patches are released so frequently. According to the CVE website, more than 16,500 CVEs were reported in 2018 and 14,600 in 2017, and the overall reporting rate continues to rise every year. Increasingly sophisticated network attacks are conducted against vulnerable devices, networks, and software products, so it is critical to proactively implement security measures and controls to protect information assets.

1.2 Implications on our cloud products, Infrastructure, and Customers:

★The vulnerability rating framework (VRF) and the vulnerability rating checklist (VRC), together referred to as the VRFC, outline for bug researchers the types of issues that exist and are accepted, using comprehensive severity and priority criteria. They help a researcher understand the type of bug they have found in a particular product, infrastructure component, device, or endpoint.

★While R&D engineers and security engineers discover bugs in our cloud products and services through vulnerability and risk assessment programs, the VRFC helps describe each identified vulnerability and remediate it clearly. In addition, the VRFC guide provides information about the OWASP Top 10 Web Application Security Risks and other vulnerabilities relevant to the platforms mentioned above.

★The vulnerability framework guide (VFG) and the vulnerability rating checklist (VRC) are designed to support the security, operations, network, and research & development (R&D) teams, and to bolster the vulnerability management process with clear transparency and communication.

2. Information Security Assessment Approach:

★The information security assessment approach consists of a number of services that provide your organization's management and its customers with broad, business-oriented decision-making input. We run cyber intelligence, vulnerability management, incident response and handling, and threat management operations in our organization to protect and defend against external threats and cyber risks and to adopt adequate countermeasures.

2.1 Assessment Team:

★For the vulnerability management process, we defined the participating teams and the team members required to conduct vulnerability assessments.

2.2 Roles and responsibilities:

★In this section, we define the roles and responsibilities of each individual member of the vulnerability management operation, as identified within the organization in Table 1. Note: the given roles and responsibilities apply only to vulnerability management operations and differ from the members' regular responsibilities.

[Table 1 image not reproduced] Table 1. Vulnerability management: roles and responsibilities.

★You may also add or redefine responsibilities based on the size of your organization, from small and medium-sized businesses (SMB) to large enterprises.

[Figure 1 image not reproduced] Figure 1. Vulnerability management flowchart: roles and responsibilities.

3.Vulnerability Management Process (VMP):

3.1 Objective:

★The objective of this VMP is to identify and eradicate vulnerabilities in a timely manner. Many organizations do not conduct vulnerability assessments often enough; most perform scans on a quarterly or annual basis. This gives threats the opportunity to hide in the environment for longer than expected. Hence, organizations should assess their networks periodically so that threats can be remediated quickly.

3.2 Vulnerabilities Assessment Types:

(i) The window of vulnerability is the time from when a security hole was introduced or manifested in deployed software to when access was removed, a security fix was made available or deployed, or the attacker was disabled; see also zero-day attack.

(ii) A security bug (security defect) is a narrower concept: there are vulnerabilities that are not associated with software. Hardware, site, and personnel vulnerabilities are examples of vulnerabilities that are not software security bugs.

★Another integral part of vulnerability management is the set of assessment methodologies that can be performed within an organization to discover vulnerabilities and to assess and audit the physical and virtual infrastructure of the network:

⍟Vulnerability scanning
⍟Web application assessment
⍟Phishing assessment
⍟Network mapping
⍟Wireless assessment
⍟Database assessment
⍟Operating system security assessment (OSSA)
⍟Penetration testing

★The next step is building a recommendation for cost-effective mitigation. From the assessments above, the potential impact and the likelihood of occurrence are projected, taking into consideration the existing controls and safeguards that would reduce the impact or the likelihood.

Note: use the rating matrix to evaluate the vulnerabilities, with a risk rating of Critical, High, Medium, or Low to express the magnitude of risk.

★I have covered everything you need to understand about these topics in these web links; feel free to browse them all, they are worth a try!

4. Vulnerability Management Phases (VMP):

★Vulnerability management is the process of preparing, discovering, identifying, evaluating, remediating, and reporting on security vulnerabilities in software applications and hardware systems. The vulnerability management process consists of five phases:

[Figure 2 image not reproduced] Figure 2. Vulnerability management process.

4.1 Prepare:

★The preparation phase is used to build the scope for the vulnerability management process; vulnerabilities are then discovered within that defined scope. The security architect defines the scope (assets, scan types (internal/external), assessment types, limitations, network infrastructure, cloud resources, roles, and responsibilities), which is reviewed and approved by the CISO and the security manager before the next phase (Discover) begins. Depending on the organization, a request and an approval from each asset owner or department head may need to be obtained and documented before vulnerability scans are run on their assets. When an organization first implements a vulnerability management process, it is highly recommended to start with a deliberately limited scope. A risk-based approach helps determine vulnerability risk from its different elements, and helps security engineers process, control, and handle information about vulnerabilities more efficiently without being overwhelmed. Stakeholders and other top management members can then understand the scope and its potential from the outset.

4.2 Discover:

★Once the scope and responsibilities are defined in the preparation phase, the discovery phase begins and the security engineer actively scans the in-scope information assets, covering both the physical and the virtual infrastructure of the organization. Most dynamic scanning is performed with industry-standard tools, where engineers can apply scan templates to produce the various kinds of vulnerability results needed.

4.3 Identify and Evaluate:

★Once the security engineers have completed scanning, the next step is to identify each vulnerability, apply the evaluation matrix to each vulnerability type, and assign it to a group. Engineers can apply the risk rating matrix and the risk exposure to each vulnerability to separate them. The security engineers then produce the different scanning outputs (overall CVE list, risk exposures, risk rating matrix, priorities, solutions, and recommendations for mitigation) and submit them to the security manager, the security architect, and the CISO.
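The rating matrix from section 3.2 applied to scanner output in this identify-and-evaluate step, as an added example that is not part of the original article. The scoring itself is an assumption of this example: likelihood 1..4 comes from the CVSS band, raised by a public exploit or internet exposure and lowered by an existing compensating control; impact 0..4 comes from the asset's business value (0 when the asset has no value, the "vulnerability without risk" case from section 1); the product is banded into None/Low/Medium/High/Critical. The `Finding` type, the thresholds, and the sample findings are all constructed for illustration.

```python
"""Added example (not from the original article): applying a risk rating
matrix to scanner findings during the identify-and-evaluate phase.

Assumptions made by this example (none of them from the article):
  * each finding carries a CVSS base score, a flag for a public exploit,
    whether the asset is internet-facing, whether a compensating control
    (WAF, network isolation, ...) already reduces likelihood, and the
    business value of the affected asset;
  * likelihood and impact are each scored 1..4 (impact 0 when the asset has
    no value), and risk = likelihood * impact is banded into
    None / Low / Medium / High / Critical.
The sample findings at the bottom are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import asdict, dataclass

IMPACT_BY_ASSET_VALUE = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    asset: str
    title: str
    cvss: float
    exploit_public: bool
    internet_facing: bool
    compensating_control: bool
    asset_value: str  # key of IMPACT_BY_ASSET_VALUE


def likelihood(f: Finding) -> int:
    """Likelihood 1..4: CVSS band, raised by a public exploit or internet
    exposure, lowered by an existing compensating control (assumed scheme)."""
    if f.cvss >= 9.0:
        base = 4
    elif f.cvss >= 7.0:
        base = 3
    elif f.cvss >= 4.0:
        base = 2
    else:
        base = 1
    score = base + int(f.exploit_public) + int(f.internet_facing) - int(f.compensating_control)
    return max(1, min(4, score))


def impact(f: Finding) -> int:
    """Impact 0..4 from the asset's business value; 0 means no value at risk."""
    return IMPACT_BY_ASSET_VALUE[f.asset_value]


def risk_rating(score: int) -> str:
    """Band a likelihood*impact product (0..16) into the article's four
    ratings, plus "None" for a vulnerability whose asset has no value."""
    if score == 0:
        return "None"
    if score >= 12:
        return "Critical"
    if score >= 8:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def evaluate(findings):
    """Return one dict per finding (likelihood, impact, score, rating),
    ordered highest risk first so remediation priorities fall out directly."""
    rows = []
    for f in findings:
        lk, im = likelihood(f), impact(f)
        score = lk * im
        rows.append({**asdict(f), "likelihood": lk, "impact": im,
                     "score": score, "rating": risk_rating(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def group_by_rating(rows):
    """Group evaluated findings by rating, as the report submitted to the
    security manager, architect and CISO would present them."""
    groups = defaultdict(list)
    for r in rows:
        groups[r["rating"]].append(f'{r["asset"]}: {r["title"]}')
    return dict(groups)


# Constructed sample scan output (not real findings).
SAMPLE_FINDINGS = [
    Finding("web-01", "outdated TLS library", 9.8, True, True, False, "high"),
    Finding("db-01", "missing OS security patch", 7.5, False, False, True, "critical"),
    Finding("lab-vm-07", "end-of-life kernel", 9.8, True, False, False, "none"),
    Finding("wiki-int", "weak cipher suite enabled", 5.3, False, False, False, "medium"),
    Finding("printer-02", "default SNMP community string", 4.3, False, True, False, "low"),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE_FINDINGS):
        print(f'{row["rating"]:8} {row["score"]:2}  {row["asset"]}: {row["title"]}')
```

Note what the ordering shows: the highest CVSS score on the list (the lab VM) lands at the bottom with rating None because the asset has no value, while the isolated database server with a lower CVSS score stays High because of its business value; raw CVSS alone would have ranked them the other way round.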

4.4 Remediate:

★After the reports have been generated, the security manager, the security architect, and the CISO review each individual report based on its results. The CISO reviews and accepts the report based on the defined feasibility inputs and provides feedback to the architects and security engineers on the remediation actions required. Based on that feedback, the security engineers apply the inputs and regenerate the identify-and-evaluate phase results. The previous and new inputs are all recorded with timestamps for reference and later analysis. The security architect must track the status of the remediation process and its actions.

4.5 Re-Scan:

★Once the remediation inputs have been applied, the security engineer enters the final phase, re-scan, which can be performed only after the remediation phase has been confirmed complete. It is performed with the same discovery tools and the same initial template configurations as the original scan. The security architect and manager actively engage with the security engineering team to confirm that the remediation inputs have been effectively implemented. It is highly recommended that the CISO/CTO establish a scanning schedule for the organization's products and resources, for example weekly, monthly, or quarterly. This ensures rapid discovery, detection, and remediation of existing and new vulnerabilities, allowing the CISO to determine and deploy the necessary security measures and controls in a timely fashion.
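The remediation tracking of section 4.4 and the re-scan of section 4.5, as an added example that is not part of the original article. It compares a baseline scan run with a later re-scan to classify each finding as fixed, still open, or newly introduced, checks which open findings have exceeded their remediation window, and refuses to compare two runs that were made with different scan templates, because a finding missing from a differently configured scan says nothing about whether it was fixed. The `ScanRun` and `Finding` types, the (host, check id) identity, the per-rating day limits, and the sample runs are all assumptions of this example.

```python
"""Added example (not from the original article): verifying a re-scan against
the baseline scan and tracking remediation against time limits.

Assumptions made by this example (none of them from the article):
  * a scan run records the template (scan profile) it used; a re-scan is
    only comparable to the baseline when the template matches, so a
    mismatch is rejected rather than silently compared;
  * a finding is identified by (host, scanner check id);
  * remediation time limits per rating are Critical 7, High 30, Medium 90,
    Low 180 days (illustrative values, choose your own).
All scan data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    check_id: str  # scanner plugin/check identifier
    title: str
    rating: str    # Critical / High / Medium / Low


@dataclass(frozen=True)
class ScanRun:
    run_id: str
    template: str        # scan template / profile used
    performed_on: date
    findings: tuple      # tuple of Finding


SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}


def _key(f: Finding):
    return (f.host, f.check_id)


def compare_runs(baseline: ScanRun, rescan: ScanRun) -> dict:
    """Classify baseline findings as fixed or still open, and list findings
    the re-scan introduced. Refuses to compare runs made with different
    templates, because a missing finding could then just be an unchecked one."""
    if baseline.template != rescan.template:
        raise ValueError(
            f"template mismatch: baseline used {baseline.template!r}, "
            f"re-scan used {rescan.template!r}")
    before = {_key(f): f for f in baseline.findings}
    after = {_key(f): f for f in rescan.findings}
    return {
        "fixed": sorted(k for k in before if k not in after),
        "still_open": sorted(k for k in before if k in after),
        "new": sorted(k for k in after if k not in before),
    }


def overdue_findings(baseline: ScanRun, rescan: ScanRun) -> list:
    """Findings still open at re-scan time whose remediation window, counted
    from the baseline scan date, has already elapsed. Each entry carries
    (host, check id, rating, days overdue)."""
    elapsed = (rescan.performed_on - baseline.performed_on).days
    open_keys = set(compare_runs(baseline, rescan)["still_open"])
    return [
        (f.host, f.check_id, f.rating, elapsed - SLA_DAYS[f.rating])
        for f in baseline.findings
        if _key(f) in open_keys and elapsed > SLA_DAYS[f.rating]
    ]


# Constructed sample runs (not real scanner output).
BASELINE = ScanRun("run-0001", "full-internal", date(2020, 10, 1), (
    Finding("web-01", "tls-legacy", "outdated TLS library", "Critical"),
    Finding("db-01", "os-patch-missing", "missing OS security patch", "High"),
    Finding("wiki-int", "weak-cipher", "weak cipher suite enabled", "Medium"),
))
RESCAN = ScanRun("run-0002", "full-internal", date(2020, 11, 5), (
    Finding("db-01", "os-patch-missing", "missing OS security patch", "High"),
    Finding("wiki-int", "weak-cipher", "weak cipher suite enabled", "Medium"),
    Finding("web-01", "pkg-outdated", "outdated web server package", "High"),
))
# A re-scan with a different template must not be used to close findings.
RESCAN_WRONG_TEMPLATE = ScanRun("run-0003", "external-quick", date(2020, 11, 5), ())

if __name__ == "__main__":
    print(compare_runs(BASELINE, RESCAN))
    print(overdue_findings(BASELINE, RESCAN))
```

In the sample data the Critical TLS finding is gone on the re-scan and is reported as fixed, the High patch finding is still open 35 days after the baseline and therefore 5 days past its 30-day window, and the web server picked up a new finding, which is exactly the case the scheduled re-scans in this phase exist to catch. Comparing against the external-quick run raises instead of quietly reporting every baseline finding as fixed.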

I appreciate your effort in reading to the end of this article; I have tried my best to make the knowledge and resources intriguing to readers. If you liked the effort and learned something, then I would appreciate a clap to make me smile! Thanks a bunch!

Conclusion:

★The vulnerability management process, guide, and framework covered in this article help an organization identify and eradicate vulnerabilities in a timely manner. Many organizations do not conduct vulnerability assessments often enough; most perform scans on a quarterly or annual basis, which gives threats the opportunity to hide in the environment for longer than expected. Hence, organizations should assess their networks periodically so that threats can be remediated quickly.

★I believe this article has covered the important measures and guides related to its title. The approach focuses on a number of services that provide your organization's management and its customers with broad, business-oriented decision-making input. I encourage organizations to implement cyber intelligence, vulnerability management, incident response and handling, and threat management operations so that they can protect and defend against external threats and cyber risks, adopt adequate measures to defend early, and avoid damage to their assets.


Quote of the day: 鱼见食而不见钩,人见利而不见害 (Yú jiàn shí ér bùjiàn gōu, rén jiàn lì ér bùjiàn hài)

Explanation: The fish sees the food but not the hook, and people see the profit but not the harm.

Thanks for reading!
Have a pleasant day!

Written by

Mr.Vic

Founder of gtmars.com & plan2trip.com. Sharing knowledge in the digital world about Cybersecurity, Technology, Space industry. download: buymeacoffee.com/gtmars
