Technical Vulnerability Management

July 29, 2008

At the core of Information Security is the protection of information assets through the mitigation of vulnerabilities. Vulnerabilities can be found in people (e.g. social engineering), process (e.g. lack of change management) and technology (e.g. buffer overflows). Vulnerability Management tends to focus on technology.

Security Event Management (SEM) will help to provide visibility of the IT and business environment and should be combined with Vulnerability Management to ensure vulnerabilities are managed effectively (e.g. accepted or mitigated). This post will examine the scope of Vulnerability Management and link to resources.


It is helpful first to define several associated terms:

  • Risk – The probability (likelihood X impact) that a given threat will exploit a vulnerability
  • Threat – The source or cause that may exploit a vulnerability
    • e.g. Natural disasters such as fire and floods
    • e.g. Insider undertaking fraudulent behaviour
    • e.g. Outside motivated individuals or groups
  • Exploit – The specific method used by the threat to take advantage of the vulnerability
    • e.g. phishing email or website set up to fraudulently obtain information
    • e.g. use of a false identity to submit a transaction for personal gain
    • e.g. buffer overflow attack allowing execution of arbitrary code
  • Vulnerability – The weakness in a system that creates the opportunity for it to be exploited by a threat
    • e.g. lack of dual control on a sensitive transaction
    • e.g. absence of raised flooring in a data centre
    • e.g. inadequate data validation in software

Business Case

  • Security Efficiency
    • Minimise the time and costs to deploy secure builds
    • Minimise the effort spent on patching vulnerabilities
  • Security Effectiveness
    • Reduce the likelihood of downtime caused by vulnerabilities
    • Demonstrate control by reducing the number of vulnerabilities
  • Business Enablement
    • Allow business to continue during malicious code outbreaks
    • Provide auditors, clients and partners with confidence


  • Hardening
    • Prevention is better than cure, so reduce your exposed attack surface by undertaking the appropriate level of system hardening
      • e.g. removing unrequired software, file shares and accounts
      • e.g. disable unrequired features of required software
      • e.g. rename required accounts and establish strong passwords
      • e.g. install endpoint security (intrusion/extrusion prevention)
      • e.g. implement appropriate access controls
      • e.g. configure auditing and enable remote logging
  • Patching
    • Keep your systems protected from the latest threats through the implementation of a patching plan and a systematic process that includes testing, change control, automated deployment and post-implementation review
    • Rely on compensatory controls such as network or host-based intrusion/extrusion prevention systems to help mitigate zero-day attacks and provide protection until patches can be tested and rolled out on your own schedule
  • Testing
    • Penetration Testing is just one part of Vulnerability Management and provides assurance by trying to exploit the target as any threat might
  • Process Integration
    • Asset Management must be able to accurately identify the hardware and software requiring Vulnerability Management
    • The status of vulnerable hardware/software and patch implementation should be reported into Security Event Management (SEM)
  • Continual Improvement
    • Receive Computer Emergency Response Team (CERT) and Vendor (e.g. Microsoft, Cisco, IBM, Sun, HP) Advisories
    • Incident Management will be invoked when a vulnerability has been exploited and must provide feedback into Vulnerability Management processes
    • Feed identified weaknesses back to vendors and, when appropriate, into your own application development process
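The reconciliation that the Patching and Process Integration points describe, as an added example that is not code from the original post: it joins an Asset Management inventory (with a business-impact rating) against vendor/CERT advisories (with a fixed-in version and a likelihood rating), scores each finding as likelihood x impact, records whether each item is vulnerable, patched or risk-accepted, and formats the result as status lines for a Security Event Manager. All hosts, products, versions and advisory ids are constructed placeholders.

```python
# Added example, not the original post's code: join an asset inventory with
# vendor/CERT advisories, score each finding as likelihood x impact and emit
# status lines for a SEM. All hosts, products, versions and advisory ids below
# are constructed placeholders, not real CVEs or products.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    impact: int       # business impact 1..5, supplied by Asset Management

@dataclass(frozen=True)
class Advisory:
    advisory_id: str  # placeholder id such as "ADV-0001"
    product: str
    fixed_in: str     # first version carrying the vendor patch
    likelihood: int   # 1..5, higher when an exploit is public or trivial

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))  # numeric: 2.2.10 > 2.2.9

def reconcile(assets, advisories, accepted=frozenset()):
    """One finding per (asset, advisory) for the same product: 'patched' if
    installed >= fixed_in, 'accepted' if the risk was formally accepted, else
    'vulnerable'. Vulnerable findings sort first, highest risk first."""
    findings = []
    for a in assets:
        for adv in advisories:
            if adv.product != a.product:
                continue
            risk = adv.likelihood * a.impact
            if version_tuple(a.version) >= version_tuple(adv.fixed_in):
                status, risk = "patched", 0
            elif (a.host, adv.advisory_id) in accepted:
                status = "accepted"
            else:
                status = "vulnerable"
            findings.append({"host": a.host, "advisory": adv.advisory_id,
                             "status": status, "risk": risk})
    findings.sort(key=lambda f: (f["status"] != "vulnerable", -f["risk"]))
    return findings

def sem_event(finding: dict) -> str:
    return " ".join(f"{k}={v}" for k, v in finding.items())  # key=value line

ASSETS = [Asset("web01", "httpd", "2.2.8", 5), Asset("db01", "dbms", "5.0.51", 4), Asset("dev01", "httpd", "2.2.9", 1)]
ADVISORIES = [Advisory("ADV-0001", "httpd", "2.2.9", 4), Advisory("ADV-0002", "dbms", "5.0.60", 2)]
```

Calling `reconcile(ASSETS, ADVISORIES)` and passing each finding to `sem_event` yields the feed; the `accepted` set is where a formal risk-acceptance decision is recorded so the SEM can distinguish it from an unmanaged vulnerability.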


Vulnerability Management

Vulnerability Databases

Open Source – Open Source Vulnerability Database (OSVDB)

US National Institute of Standards and Technology (NIST) – National Vulnerability Database (NVD)

SecurityFocus – Vulnerabilities

SecurityFocus – BugTraq

Hardening Standards

Center for Internet Security (CIS) – Benchmark Standards

US National Security Agency (NSA) – Security Configuration Guidelines (SNAC)

US Department of Defense (DoD) – Security Technical Implementation Guides (STIG)

Microsoft – Security and Compliance Solution Accelerators

SANS – Cisco Router Hardening

Computer Emergency Response Teams

Carnegie Mellon University (CERT)

United States Computer Emergency Readiness Team (US-CERT)

United Kingdom Computer Emergency Response Team (UKCERT)

Australian Computer Emergency Response Team (AUSCERT)

Australian Government Computer Emergency Readiness Team (GOVCERT)

Chinese Computer Network Emergency Response Technical Team (CNERT)

Indian Computer Emergency Response Team (CERT-In)

Japan Computer Emergency Response Team (JPCERT)

Singapore Computer Emergency Response Team (SingCERT)

Computer Emergency Response Team Brazil (

European Cooperation of Abuse fighting Teams (E-COAT)

Forum for Incident Response and Security Teams (FIRST)

