Vulnerability management


Vulnerability management is the "cyclical practice of identifying, classifying, prioritizing, remediating, and mitigating" software vulnerabilities. [1] Vulnerability management is integral to computer security and network security, and must not be confused with vulnerability assessment. [2]


Vulnerabilities can be discovered with a vulnerability scanner, which analyzes a computer system in search of known vulnerabilities, [3] such as open ports, insecure software configurations, and susceptibility to malware infections. They may also be identified by consulting public sources such as the NVD or vendor-specific security updates, or by subscribing to a commercial vulnerability alerting service. Unknown vulnerabilities, such as a zero-day, [3] may be found with fuzz testing. Fuzz testing can identify certain kinds of vulnerabilities, such as a buffer overflow, given relevant test cases. Such analysis can be facilitated by test automation. In addition, antivirus software capable of heuristic analysis may discover undocumented malware if it finds software behaving suspiciously (such as attempting to overwrite a system file).

Correcting vulnerabilities may variously involve the installation of a patch, a change in network security policy, reconfiguration of software, or educating users about social engineering.
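The identify, classify, prioritize and remediate steps of the cycle described above, as an added example that is not part of the original article: the script matches a software inventory against an advisory feed, assigns each finding a CVSS severity band, orders findings by score and internet exposure, and collapses them into one patch action per host and product. The feed format is a simplified stand-in for a real source such as the NVD, and all advisory identifiers, product names, versions and hosts are constructed placeholders.

```python
"""Triage step of a vulnerability management cycle: identify, classify,
prioritize, and plan remediation.  All data below is constructed."""
import json

# Constructed advisory feed.  The shape is a simplified stand-in for a real
# feed such as the NVD; the identifiers are placeholders, not real advisories.
ADVISORY_FEED_JSON = """
[
  {"id": "EXAMPLE-0001", "product": "examplehttpd", "affected_below": "2.4.10",
   "cvss": 9.8, "fix_version": "2.4.10", "summary": "remote buffer overflow"},
  {"id": "EXAMPLE-0002", "product": "examplehttpd", "affected_below": "2.4.5",
   "cvss": 5.3, "fix_version": "2.4.5", "summary": "information disclosure"},
  {"id": "EXAMPLE-0003", "product": "libfoo", "affected_below": "1.2.0",
   "cvss": 7.5, "fix_version": "1.2.0", "summary": "denial of service"},
  {"id": "EXAMPLE-0004", "product": "nosuchtool", "affected_below": "9.9",
   "cvss": 10.0, "fix_version": "9.9", "summary": "not installed anywhere"}
]
"""

# Constructed inventory: what is installed where, and whether the host is
# reachable from the internet (the exposure factor used in prioritization).
INVENTORY = [
    {"host": "web-1", "internet_exposed": True,
     "software": {"examplehttpd": "2.4.3", "libfoo": "1.2.0"}},
    {"host": "db-1", "internet_exposed": False,
     "software": {"examplehttpd": "2.4.7", "libfoo": "1.1.9"}},
]


def version_key(v):
    """Split a dotted version into a tuple of ints so that '2.4.10' > '2.4.3'."""
    return tuple(int(p) for p in v.split("."))


def is_affected(installed, affected_below):
    """True when the installed version is strictly below the first fixed version."""
    return version_key(installed) < version_key(affected_below)


def classify(cvss):
    """CVSS v3 qualitative severity bands."""
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def identify(feed_json, inventory):
    """Identification: every (host, advisory) pair whose installed version is in range."""
    feed = json.loads(feed_json)
    findings = []
    for host in inventory:
        for adv in feed:
            installed = host["software"].get(adv["product"])
            if installed is None or not is_affected(installed, adv["affected_below"]):
                continue
            findings.append({
                "host": host["host"], "id": adv["id"], "product": adv["product"],
                "installed": installed, "fix_version": adv["fix_version"],
                "cvss": adv["cvss"], "severity": classify(adv["cvss"]),
                "internet_exposed": host["internet_exposed"],
            })
    return findings


def prioritize(findings):
    """Highest CVSS first; ties broken by internet exposure, then host name."""
    return sorted(findings, key=lambda f: (-f["cvss"], not f["internet_exposed"], f["host"]))


def remediation_plan(findings):
    """One patch action per (host, product), targeting the highest fix version
    needed to close every finding for that product on that host."""
    plan = {}
    for f in findings:
        key = (f["host"], f["product"])
        current = plan.get(key)
        if current is None or version_key(f["fix_version"]) > version_key(current["fix_version"]):
            plan[key] = {"host": f["host"], "product": f["product"],
                         "from": f["installed"], "fix_version": f["fix_version"], "closes": []}
    for f in findings:
        plan[(f["host"], f["product"])]["closes"].append(f["id"])
    return sorted(plan.values(), key=lambda p: (p["host"], p["product"]))


def run_cycle(feed_json=ADVISORY_FEED_JSON, inventory=INVENTORY):
    """Run identify -> classify -> prioritize -> plan; returns (findings, plan)."""
    findings = prioritize(identify(feed_json, inventory))
    return findings, remediation_plan(findings)


if __name__ == "__main__":
    findings, plan = run_cycle()
    for f in findings:
        print(f"{f['severity']:8} {f['cvss']:4} {f['host']:6} {f['id']} "
              f"{f['product']} {f['installed']} -> {f['fix_version']}")
    for p in plan:
        print(f"patch {p['host']}: {p['product']} {p['from']} -> {p['fix_version']} "
              f"closes {', '.join(p['closes'])}")
```

Two design points matter for a real deployment: version comparison must follow the product's own scheme (the integer-tuple split here breaks on suffixes such as `-rc1`), and exposure data should come from the asset inventory rather than being hand-entered, because a wrong `internet_exposed` flag silently demotes a critical finding.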

Project vulnerability management

Project vulnerability is a project's susceptibility to negative events, the analysis of their impact, and the project's capability to cope with them. [4] Based on Systems Thinking, project systemic vulnerability management takes a holistic view and proposes the following process:

  1. Project vulnerability identification
  2. Vulnerability analysis
  3. Vulnerability response planning
  4. Vulnerability controlling – which includes implementation, monitoring, control, and lessons learned

Coping with negative events is done, in this model, through:

Redundancy is a specific method to increase resistance and resilience in vulnerability management. [5]

Antifragility is a concept introduced by Nassim Nicholas Taleb to describe the capacity of systems to not only resist or recover from adverse events, but also to improve because of them. Antifragility is similar to the concept of positive complexity proposed by Stefan Morcov.


References

  1. Foreman, Park (2010). Vulnerability Management. Boca Raton: CRC Press. p. 1. ISBN 978-1-4398-0151-2. OCLC 444700438.
  2. Walkowski, Michał; Oko, Jacek; Sujecki, Sławomir (19 September 2021). "Vulnerability Management Models Using a Common Vulnerability Scoring System". Applied Sciences. 11 (18): 8735. doi:10.3390/app11188735.
  3. Juuso, Anna-Maija; Takanen, Ari (October 2010). Unknown Vulnerability Management. Codenomicon whitepaper.
  4. Marle, Franck; Vidal, Ludovic-Alexandre (2016). Managing Complex, High Risk Projects. London: Springer London. p. [page needed]. doi:10.1007/978-1-4471-6787-7. ISBN 978-1-4471-6785-3. OCLC 934201504.
  5. Taleb, Nassim N.; Goldstein, Daniel G. (1 October 2009). "The Six Mistakes Executives Make in Risk Management". Harvard Business Review. ISSN 0017-8012. Retrieved 13 December 2021.