Vulnerability Management Strategies

Dec 26, 2024

Vulnerability Management and Prioritization

Understanding False Positives and Negatives

  • False Positive: The scanner reports a vulnerability that does not actually exist in the operating system.
    • Often occurs with low or informational findings.
    • Low and informational findings are still valid vulnerabilities; do not confuse them with false positives.
  • False Negative: A vulnerability that actually exists but the scanner fails to detect.
    • More dangerous than false positives.
    • Can be exploited by attackers for as long as it stays unlisted, because nobody knows to fix it.

Preparing for Vulnerability Scanning

  • Update Signatures: Keep the scanner's signatures current to minimize false positives and avoid false negatives.
  • Working with Manufacturers: Obtain updated signature sets from the scanner vendor.

Vulnerability Severity and Prioritization

  • Severity Levels: Critical, high, low, informational.
    • Critical vulnerabilities need immediate attention.
    • Low and informational are less urgent but still valid.
  • Scoring Systems: Common Vulnerability Scoring System (CVSS).
    • Scores range from 0 to 10.
    • Use scores to prioritize vulnerabilities.

Public Vulnerability Lists

  • National Vulnerability Database (NVD): nvd.nist.gov
    • Synchronized with the Common Vulnerabilities and Exposures (CVE) list.
  • CVE Database: cve.mitre.org/CVE
    • Cross-reference vulnerabilities with NVD and manufacturer databases.
  • Manufacturer-Specific Vulnerabilities: Check with specific manufacturers.

Types of Vulnerability Scanning

  • Application Scans: Desktop and mobile apps.
  • Web Application Scans: Applications on web servers.
  • Network Devices: Firewalls, switches, routers.
    • Examples: CVE-2020-1889 (WhatsApp), CVE-2020-24981 (UCMS).

Risk Assessment and Exposure Factor

  • Exposure Factor: A percentage representing the potential impact on a service if the vulnerability is exploited.
    • Combine CVSS scores with exposure factors to prioritize fixes.

Considerations for Patching

  • Environment: Public cloud vs. test lab.
    • Public-facing systems have higher patch priority.
  • Organizational Impact: Depends on application criticality and revenue impact.
  • Exploitation Ease: Easy-to-exploit vulnerabilities are prioritized.
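As an added example (not from the original notes), here is one way to turn the factors in the "Risk Assessment and Exposure Factor" and "Considerations for Patching" sections (CVSS score, exposure factor, public exposure, exploitation ease) into a ranked patch list. The multipliers, the finding ids and the sample numbers are assumptions for illustration; the severity bands are the CVSS v3 ones used by the NVD.

```python
from dataclasses import dataclass

# CVSS v3.x qualitative severity bands, as used by the NVD.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

@dataclass(frozen=True)
class Finding:
    finding_id: str         # constructed placeholder, not a real CVE id
    cvss: float             # CVSS base score, 0.0 to 10.0
    exposure_factor: float  # fraction of the service lost if exploited, 0.0 to 1.0
    public_facing: bool     # the "public cloud vs. test lab" consideration
    exploit_easy: bool      # the "exploitation ease" consideration

def cvss_severity(score: float) -> str:
    """Map a CVSS base score to its qualitative band; reject out-of-range scores."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"  # a 0.0 score: informational only

def priority(f: Finding) -> float:
    """Relative patch priority. The weighting is an assumption for illustration:
    CVSS scaled by exposure factor, boosted for public-facing and easy exploitation."""
    cvss_severity(f.cvss)  # validates the CVSS range
    if not 0.0 <= f.exposure_factor <= 1.0:
        raise ValueError(f"exposure factor must be a fraction: {f.exposure_factor}")
    score = f.cvss * f.exposure_factor  # CVSS alone ignores what the asset is worth to us
    if f.public_facing:
        score *= 1.5   # assumed multiplier: internet-facing systems are patched first
    if f.exploit_easy:
        score *= 1.25  # assumed multiplier: easy-to-exploit findings move up
    return score

def rank(findings):
    """Return (id, severity, priority) rows, highest priority first."""
    rows = [(f.finding_id, cvss_severity(f.cvss), priority(f)) for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample findings: ids and numbers are made up for this example.
SAMPLE = [
    Finding("FINDING-1", 9.8, 0.9, public_facing=True, exploit_easy=True),
    Finding("FINDING-2", 7.5, 0.2, public_facing=False, exploit_easy=False),
    Finding("FINDING-3", 9.1, 0.6, public_facing=True, exploit_easy=False),
    Finding("FINDING-4", 3.1, 0.8, public_facing=True, exploit_easy=True),
]
```

Running `rank(SAMPLE)` puts FINDING-1 first and FINDING-2 last: a "High" CVSS score on an internal system with little service impact ends up below a "Low" score on a public-facing, easily exploited one, which is the point of weighing exposure and environment rather than CVSS alone.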

Real-World Examples

  • Healthcare and Critical Infrastructure: Outages or attacks have very different impacts depending on the sector.
    • Example: Ransomware attack on Tallahassee Memorial Healthcare.
    • Example: DDoS attacks on power generators in Salt Lake City and LA County.

Risk Tolerance and Patch Prioritization

  • Risk Tolerance: How much risk is acceptable with unpatched vulnerabilities.
  • Patch Deployment: Requires thorough testing before installation.
    • Balance between security and operational functionality.
    • Urgency depends on vulnerability severity and exploitability.