The objective of the vulnerability management process is to detect and mitigate vulnerabilities in the organization. It can be carried out with tools such as Nessus, Qualys or Nexpose. For vulnerability management to work, the following roles should be assigned within the organization, each with clear responsibility for its tasks.
The vulnerability management process below is explained from an internal perspective within an organization. The same process can be applied from an external perspective and can be performed for other organizations as well.
A vulnerability management process consists of five phases:
Preparation
Vulnerability scan
Define remediating actions
Implement remediating actions
Rescan
Preparation: The main step in the preparation stage is to define the scope. It is important to identify which systems or networks are included in, and which are excluded from, the vulnerability management process. The organization or its security personnel should also determine the type of scan: internal or external, that is, from the perspective of an attacker inside the organization's network or outside it. Both types of scan can be either unauthenticated or authenticated.
An external scan provides visibility of loopholes from outside the network and helps to remediate vulnerabilities at the network or application firewall, IDS/IPS, etc. Internal scanning, on the other hand, provides visibility of vulnerabilities from the local network.
It is also recommended to start with a small scope, which helps the organization to implement the mitigation process at a feasible rate. Whether to go with a large or a small scope of items is up to the organization.
Once the scope has been determined, the security officer or penetration tester should inform the relevant asset owners in the organization. These are the people accountable or responsible for the systems. The asset owner is responsible for identifying remediating actions to mitigate the identified vulnerabilities. In most situations, asset owners should make these decisions after examining the recommendations and risk assessment prepared by the penetration tester.
It is recommended to inform the asset owners and the IT team about upcoming vulnerability scans. The objectives of the vulnerability management process should be explained to them in detail, including how the process affects the systems they are responsible for. The organization's IT, development or other specific department may also decide not to scan production systems or environments that are critical risk; these should then be outside of the scope. The security officer or penetration tester shall also confirm with the departments in the organization when scanning should start, during or after working hours. Depending on the organization and the mandate of the security officer, it may be necessary to obtain formal approval from each asset owner before performing vulnerability scans.
The preparation phase also includes the scope check, the number of vulnerability checks, the number of IPs or applications that need to be scanned, the scan type, and an estimate of how long the scans will take and their impact on the network.
Vulnerability scan: Once the scope is determined, the next phase of the process begins with the initial vulnerability scan. It is the responsibility of the security officer or penetration tester to identify any gaps during scanning, such as an application being unavailable or a host being down. The scan can be performed with vulnerability scanners such as Nessus, Nexpose, Rapid7, Qualys, etc. These tools also provide a wide range of reporting options for reviewing the scan results. The organization's head, the IT department and the asset owners in the company want an overview of the vulnerabilities listed by the scanner as well as recommendations for mitigation and improvement.
Remediation: After scanning, the penetration tester or the assigned personnel will analyze and validate the vulnerabilities listed by the tool. The responsibility of the penetration tester is to remove the false positives reported by the scanner and to provide input on the risk remediation needed to fix and close each vulnerability. The IT department will also analyze the vulnerabilities from a technical perspective and answer questions such as whether patches are available or whether the configuration can be hardened. The IT department's recommendation also covers the feasibility of the possible remediating action, such as whether installing a certain patch will result in the application no longer being supported by the vendor.
The security officer or penetration tester will also track the status of remediating actions in order to follow up on their implementation. Critical vulnerabilities should be fixed immediately, within 2-3 days; high or medium vulnerabilities in 4-8 or more days; and low vulnerabilities within a month. It is also up to the organization or its departments to accept the risk.
Implement remediating actions: The planned remediating actions should be executed in line with the agreed timeframes. If a problem occurs with an implemented remediation, it should be recorded. Alternative actions can also be implemented at the suggestion of the IT department and the development team.
Rescan: Once a vulnerability or group of vulnerabilities is remediated, a rescan has to be scheduled to verify that the remediating actions have been implemented. This scan is performed using the same vulnerability scanning tool and identical configuration settings as the initial scan. This step is very important to prevent inaccurate results due to configuration errors. The security officer then sends a fresh report to the different departments of the organization. The management, asset owners, IT department and development team are interested in knowing whether the remediation has been effectively implemented.
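The status tracking and rescan verification described above, as an added example that is not part of the original article: it compares an initial scan with a rescan and sorts each finding into fixed, unverified (host was down during the rescan), open, overdue or new. The field names, check ids and sample data are constructed, and the deadline for each severity is assumed to be the upper figure of the timeframes given in the text.

```python
from datetime import date, timedelta

# Remediation windows in days, from the timeframes stated in the text.
# Assumption: the upper figure of each range is used as the deadline.
SLA_DAYS = {"critical": 3, "high": 8, "medium": 8, "low": 30}


def key(f):
    """Identity of a finding across scans: host, port and check."""
    return (f["host"], f["port"], f["check"])


def compare_scans(initial, rescan, reachable, excluded, today):
    """Classify initial findings after a rescan with identical settings.
    reachable: hosts that answered during the rescan.
    excluded:  keys validated as false positives or formally risk-accepted.
    """
    after = {key(f) for f in rescan}
    before = {key(f) for f in initial}
    out = {"fixed": [], "unverified": [], "open": [], "overdue": [], "new": []}
    for f in initial:
        k = key(f)
        if k in excluded:
            continue
        if k not in after:
            # A host that was down proves nothing about the fix.
            out["fixed" if f["host"] in reachable else "unverified"].append(k)
        else:
            due = f["seen"] + timedelta(days=SLA_DAYS[f["severity"]])
            out["overdue" if today > due else "open"].append(k)
    out["new"] = sorted(after - before)
    return out


# Constructed sample data: documentation-range addresses, placeholder check ids.
D = date(2024, 3, 1)
INITIAL = [
    {"host": "192.0.2.10", "port": 443, "check": "CHK-A", "severity": "critical", "seen": D},
    {"host": "192.0.2.11", "port": 22, "check": "CHK-B", "severity": "high", "seen": D},
    {"host": "192.0.2.12", "port": 80, "check": "CHK-C", "severity": "low", "seen": D},
    {"host": "192.0.2.13", "port": 445, "check": "CHK-D", "severity": "medium", "seen": D},
]
RESCAN = [
    {"host": "192.0.2.11", "port": 22, "check": "CHK-B"},
    {"host": "192.0.2.12", "port": 80, "check": "CHK-C"},
    {"host": "192.0.2.10", "port": 8080, "check": "CHK-E"},
]
REPORT = compare_scans(INITIAL, RESCAN, {"192.0.2.10", "192.0.2.11", "192.0.2.12"},
                       set(), today=date(2024, 3, 12))
print(REPORT)
```

Findings on a host that did not respond during the rescan are reported as unverified rather than fixed, so an unreachable host is never counted as a successful remediation.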
It is also recommended to define how often such scans will be scheduled. This generally depends on the organization's appetite for the associated risk, as well as its capability to remediate identified vulnerabilities. In order to establish a mature vulnerability management process, it is recommended to schedule scans frequently, typically on a weekly or monthly basis. This will ensure rapid detection of vulnerabilities, allowing the organization to determine and deploy mitigating controls on time.