
São Paulo/SP – March 02, 2023. “Vulnerability Management is an important process for the organization that needs an audit trail for future purposes, as well as being a recurring process that has its effectiveness periodically attested”.

* Leandro Zilli

OVERVIEW

Vulnerability Management is a process that must be included in the Information Security and Cybersecurity Master Plan, as it provides an important view of the organization's exposure to risk and shows that Information Security must be aligned with the business.

But after all, what is a vulnerability? According to the “Terms and definitions” chapter of ISO 27002:2022, a vulnerability is a “weakness of an asset or control that can be exploited by one or more threats”. Outdated software, failure to manage access credentials, and misconfigured or outdated network devices (firewalls, routers, servers) are some examples of vulnerabilities. In all cases, these vulnerabilities make it possible for cybercriminals to access and exploit the organization's environment and information.

PROTECTION AND COMPLIANCE WITH REGULATORY REQUIREMENTS

Trend Micro's December 2022 report “Future Tense: Trend Micro Security Predictions for 2023” presented, among several considerations, the trend towards an increase in attacks on infrastructure security “blind spots”, with VPNs being an attractive target: by gaining access through still-existing vulnerabilities (missing patches or configuration fixes), an attacker can reach many corporate networks. Another highlighted aspect is the lack of vulnerability maintenance and patch application on home routers due to remote/hybrid work.

It is also important to mention that regulatory and supervisory bodies increasingly require the organizations they supervise to establish and maintain a Vulnerability Management process.

Two examples:

BACEN (CMN Resolution No. 4,893, of February 26, 2021)

“Art. 3 The cybersecurity policy must include, at a minimum:

II – the procedures and controls adopted to reduce the institution’s vulnerability to incidents and meet other cybersecurity objectives;”

SUSEP (Circular No. 638 of July 27, 2021)

“Art. 5 The supervised body must have, and keep updated, processes, procedures and effective controls for:

I – proactively identify and reduce vulnerabilities; and

II – detect, respond to and recover from incidents.”

CONSIDERATIONS REGARDING THE PROCESS

The Vulnerability Management process is complex and must be built on the pillars of technology, processes and people, covering three important stages:

Identification

A prerequisite for effective Vulnerability Management is an asset inventory that is always up to date. It is also essential to use tools to support this inventory, which may be manual (Excel spreadsheets, in-house systems) or automated, through market solutions that allow agents to be installed on infrastructure assets.

Other actions are important and necessary, such as running recurring vulnerability scans and, if possible, penetration tests, in order to document and classify the identified vulnerabilities, as well as evaluating the respective vendors' security advisories on patches or configuration changes. Also important, where applicable, is the tracking of third-party libraries and source code as part of the secure development process.

People must be appointed and responsibilities assigned, following the guidelines established in good market practices, to monitor the execution and efficiency of the process and to propose and implement improvements, enabling continuous improvement.

Assessment

In this step, the identified vulnerabilities must be analysed and verified to determine which action should be taken to mitigate the associated risks, whether applying an update (for example, a patch) or another control measure (e.g., disabling a feature).

Attention should be paid to the origin of this information; vendors and entities with a reputable track record in combating vulnerabilities are the most recommended sources.

Actions

Once the vulnerability has been identified, assessed and the action to be taken approved, a process must be established so that the correction is carried out assertively and without impact on the organization, with a schedule and identification of the parties involved (those responsible, executors), enabling the planning and understanding of all possible variables: which assets and areas of the organization will be impacted, application of the corrections in a staging (homologation) environment, backup of data and/or configurations, provision of the change “window” and, for cases of greater urgency and/or impact, application of the GMUD (Change Management) protocol or the Information Security incident response process.

In cases where there is no correction or change to be applied, it must be evaluated whether the vendor indicates an alternative solution or whether other measures are necessary, such as adding layers of protection through a firewall, limiting traffic and implementing proactive monitoring, depending on the risk involved.

Besides accepting the risk, shutting down the impacted asset can also be evaluated.
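As an added illustration, which is not code from the article or from Safeway, the Python sketch below ties the three stages together as a vulnerability register: scan findings are joined to the asset inventory (identification), each finding receives a remediation deadline from a severity-based SLA table (assessment), and every decision, including "mitigated" or "accepted" when no fix exists, is appended to a per-finding audit trail that later feeds the effectiveness metrics used to attest the process (actions). The inventory, the findings, the SLA values and all dates are constructed sample data; the function names are this example's own.

```python
"""Vulnerability register with audit trail and SLA tracking (added example).

Not part of the original article or any Safeway tooling. Asset names,
finding ids, SLA days and dates are constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Remediation deadline per severity, in days. Constructed policy values; an
# organization defines these in its own Vulnerability Management policy.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed asset inventory: the always-up-to-date inventory the text requires.
INVENTORY = {
    "fw-edge-01": {"owner": "network-team", "type": "firewall"},
    "vpn-gw-01": {"owner": "network-team", "type": "vpn"},
    "web-app-01": {"owner": "app-team", "type": "server"},
}

# Constructed scanner output (identification stage). 'fix' is the vendor's
# recommended remediation, or None when the vendor offers no correction.
SCAN_FINDINGS = [
    {"id": "F-001", "asset": "vpn-gw-01", "severity": "critical",
     "title": "outdated VPN firmware", "fix": "patch", "found": "2023-03-01"},
    {"id": "F-002", "asset": "web-app-01", "severity": "medium",
     "title": "TLS 1.0 enabled", "fix": "config", "found": "2023-03-01"},
    {"id": "F-003", "asset": "legacy-db-09", "severity": "high",
     "title": "unsupported database version", "fix": None, "found": "2023-03-01"},
]

# Outcomes the actions stage may record (accept and decommission included).
ALLOWED_ACTIONS = {"remediated", "mitigated", "accepted", "decommissioned"}


@dataclass
class RegisterEntry:
    finding_id: str
    asset: str
    owner: str            # from the inventory, or "UNASSIGNED" if the asset is unknown
    severity: str
    due: date             # deadline derived from the SLA table
    in_inventory: bool    # False reveals inventory drift, itself something to act on
    status: str = "open"  # "open" or one of ALLOWED_ACTIONS
    audit_trail: list = field(default_factory=list)  # (iso_date, actor, event, note)


def build_register(inventory, findings):
    """Identification + assessment: join findings to the inventory and derive deadlines."""
    register = {}
    for f in findings:
        found = date.fromisoformat(f["found"])
        asset = inventory.get(f["asset"])
        entry = RegisterEntry(
            finding_id=f["id"], asset=f["asset"],
            owner=asset["owner"] if asset else "UNASSIGNED",
            severity=f["severity"],
            due=found + timedelta(days=SLA_DAYS[f["severity"]]),
            in_inventory=asset is not None,
        )
        entry.audit_trail.append((found.isoformat(), "scanner", "identified", f["title"]))
        register[f["id"]] = entry
    return register


def record_action(register, finding_id, action, actor, when_iso, note=""):
    """Actions stage: every decision is appended to the entry's audit trail."""
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    entry = register[finding_id]
    entry.status = action
    entry.audit_trail.append((when_iso, actor, action, note))
    return entry


def effectiveness(register, today_iso):
    """Metrics used to periodically attest the process."""
    today = date.fromisoformat(today_iso)
    entries = list(register.values())
    closed = [e for e in entries if e.status != "open"]
    # The last audit-trail event of a closed entry is the closing decision.
    within_sla = [e for e in closed if date.fromisoformat(e.audit_trail[-1][0]) <= e.due]
    overdue_open = [e.finding_id for e in entries if e.status == "open" and today > e.due]
    return {
        "total": len(entries),
        "closed": len(closed),
        "closed_within_sla_pct": round(100 * len(within_sla) / len(closed), 1) if closed else 0.0,
        "overdue_open": overdue_open,
        "not_in_inventory": [e.finding_id for e in entries if not e.in_inventory],
    }


if __name__ == "__main__":
    reg = build_register(INVENTORY, SCAN_FINDINGS)
    record_action(reg, "F-001", "remediated", "network-team", "2023-03-05",
                  "firmware applied after staging test, within change window")
    record_action(reg, "F-003", "mitigated", "security", "2023-03-20",
                  "no vendor fix; firewall rule limits access, proactive monitoring enabled")
    for entry in reg.values():
        print(entry.finding_id, entry.status, entry.owner, entry.due.isoformat())
        for event in entry.audit_trail:
            print("   ", *event)
    print(effectiveness(reg, "2023-06-15"))
```

Two design points are worth noting. A finding on an asset that is missing from the inventory is kept (owner "UNASSIGNED", `in_inventory=False`) rather than dropped, so the register itself exposes inventory drift; and "accepted" and "decommissioned" are recorded as audit events exactly like a patch, because a risk acceptance with no trail is what an auditor will later be unable to verify.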

FINAL CONSIDERATIONS

As shown, Vulnerability Management is an important process for the organization, one that needs an audit trail for future purposes, as well as being a recurring process whose effectiveness is periodically attested.

It is important to mention that there may be other points in addition to those addressed, due to regulatory issues or laws that the organization must follow, as well as contractual issues, such as the service provider's responsibilities for handling vulnerabilities when a service is contracted (for example, cloud services).

*Leandro Zilli is a GRC Consultant at Safeway

HOW CAN WE HELP?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high added value solutions through projects that fully meet the needs of the business. In 15 years of experience, we have accumulated several successful projects that have earned us credibility and prominence among our clients, which largely constitute the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best technology, process and people solutions. We have both the technical skill and the experience necessary to help your company establish and execute the vulnerability management process in its infrastructure, web and mobile applications on a one-off or recurring basis, enabling greater visibility, mitigation of associated risks and protection of the environment and image of your organization. If you want more information