Word Notes 11.9.21
Ep 75 | 11.9.21

vulnerability management (noun)

Transcript

Rick Howard: The word is vulnerability management. 


Rick Howard: Spelled: vulnerability for software that might be exploited, and management for the act of controlling a process or a set of processes.  


Rick Howard: Definition: The continuous practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities within this. 


Rick Howard: Example sentence: Vulnerability management is an essential tactic for our zero trust strategy.  


Rick Howard: Origin and context: You can make an argument that since the dawn of the personal computer revolution, somewhere in the 1980s, that software engineering started to grow as an important design skill to modernize the world alongside other more established disciplines, like chemical engineering, civil engineering, electrical engineering, and mechanical engineering. That said, it's the new kid on the block relatively, and has yet to mature as a reliable discipline compared to the others. 


Rick Howard: After all, the times that bridges fall down within a day or two of completion are few and far between, but it's routinely the case that version one of a software application is riddled with mistakes. Some of those mistakes are just bugs or incorrect behavior. Others can be leveraged by bad actors, and the industry calls those software vulnerabilities.  


Rick Howard: Now it's important to distinguish the meaning between vulnerabilities, exploits, and the catchphrase, zero day. They all play in the same ballpark, but they aren't the same. Identified vulnerabilities are mistakes in programming. Nothing bad has happened yet. It's just that somebody has noticed a flaw that might be leveraged by a bad actor. Usually that's the developer responsible for the code, but sometimes outside parties find them before the developers do. When that happens, we call those zero day vulnerabilities because it's day zero for the development team to start to repair it. It then becomes a race between how fast the developers can produce a fix and how quickly the bad actors can produce an exploit to leverage it.  


Rick Howard: Exploits are code developed by bad actors and researchers that leverage the software vulnerability's weakness in order to break into a system. These are much more dangerous than vulnerabilities because they actually work in the wild. If bad actors have a working exploit, say EternalBlue from the NSA leak cache of hacking tools, then they essentially have a master key to break into any system running on the underlying software.  


Rick Howard: A zero day exploit is the most dangerous of all. It means that bad actors started using a working exploit before the responsible software vendor even knew there was a vulnerability.  


Rick Howard: Vulnerability management, then, is the internal process of tracking down known vulnerabilities in your own systems and patching them when fixes have become available in some order that makes sense. To aid in that process is a tool called the Common Vulnerabilities and Exposures list, or CVE list for short. Back in 1999, most software vendors had their own way of tracking vulnerabilities in their products. To make things more efficient, they proposed creating a unified vulnerability and exposure reference list that the entire community could use. By 2005, the community built the National Vulnerability Database, or NVD for short, designed to enrich the CVE list with risk and impact scoring using the Common Vulnerability Scoring System, or CVSS, and to provide other references like affected products and Security Content Automation Protocol mappings, or SCAP mappings.  


Rick Howard: The trick then is for network defenders to routinely review the associated vulnerability databases and determine if their own systems are impacted. One way to do that is with vulnerability scanners. These tools scan your environment to collect and compare system information with publicly known vulnerabilities. In the near future, vulnerability managers may have some extra help in the form of Software Bill of Materials, or SBOMs. Think of them as food labels for software components that you run.  


Rick Howard: Today, many developers use shared software and libraries to build their code. For their customers, it's mostly a mystery which components are used, though. Identifying if you are running a vulnerable piece of code in one of those shared libraries is difficult. With an SBOM, the developers provide that information as part of the software package. The idea of SBOMs has been around for a while, but has gained little traction. But in May 2021, the American President, Joe Biden, signed an executive order mandating the use of SBOMs for contractors selling to the US federal government. This may be the first step in SBOMs becoming a standard best practice for everybody.  


Rick Howard: Nerd reference: Professor Messer is a cybersecurity certification trainer for CompTIA A+, Network+, and Security+ certifications. He had this to say about vulnerability scanning:  


Professor Messer: Unlike a penetration test, a vulnerability scan usually is not very invasive. It's simply gathering information about what can be found without actually performing any exploits on the system. We might perform a port scan, see what services might be open on a particular server, and find out what version of those services may be running. 


Professor Messer: You can perform vulnerability scans from outside the network, but you can also perform your own vulnerability scans from inside the network. It's usually a good idea to do both so that if somebody did gain access to the inside, you'd know exactly what they would see. 


Rick Howard: Word Notes is written by Nyla Gennaoui, executive produced by Peter Kilpe, and edited by John Petrik and me, Rick Howard. The mix, sound design, and original music have all been crafted by the ridiculously talented Elliott Peltzman. Thanks for listening.