Join Mike Chapple for an in-depth discussion in this video What is vulnerability management?, part of CompTIA CySA+ (CS0-002) Cert Prep: 2 Vulnerability Management.
- [Instructor] Modern computing systems and applications are extremely complicated. It might not surprise you to learn that there are millions and millions of lines of code contained in each major piece of software that you run. For example, the Linux kernel is the core part of the operating system that handles input, output, memory management, CPU management and other core tasks. That central component of the operating system contains over 24 million lines of code and it changes at an astonishing rate. Thousands of lines of code are added, removed and changed each day as the kernel evolves. Given the complexity of modern software, it's inevitable that developers will make mistakes and that some of those mistakes will lead to security vulnerabilities. In the security community, we have a well-understood process for managing those vulnerabilities. When a company learns of a vulnerability in their product, they analyze the issue and then develop a fix for the problem known as a patch. The company then releases this patch to customers through their update mechanism and administrators around the world apply the patch and correct the vulnerability. From an administrator's perspective, there's a lot of work to do. Modern enterprises may run several different operating systems and hundreds of applications. They also have routers, switches, Internet of Things devices, software libraries, and many other components that are being patched on a regular basis. Vulnerability management processes help administrators get a handle on this complexity. A mature vulnerability management process includes scanning systems for vulnerabilities, the application of patches, tracking and remediation, and reporting of results. In this course, we'll cover all of those topics in detail. Before you can deliver a vulnerability management program, however, you need to have a firm understanding of your requirements. Why are you developing this program in the first place? Your first answer is probably that you're developing a vulnerability management program because you want your systems to be secure. That's a great answer and it should be the core purpose of the program. You may also be developing the program because your company policy requires you to do so. You might work in a department or operating unit and be following a corporate mandate to manage the vulnerabilities in your systems. If that's the case, your vulnerability management program probably needs to fit within the parameters of a higher-level corporate program. You might need to use specific tools, meet corporate deadlines, and submit reports to a central office. And in many cases, companies develop vulnerability management programs because someone requires them to do so. There are a variety of regulations that apply to cybersecurity and two of them have specific requirements for vulnerability scanning. The Payment Card Industry Data Security Standard, PCI DSS, applies to anyone who handles credit card information. It has detailed requirements for vulnerability scanning which include requiring quarterly vulnerability scans of systems and networks from both internal and external perspectives, requiring new scans whenever significant changes are made to the environment, mandating the use of an approved scanning vendor for external scans and remediating vulnerabilities and rescanning systems and networks until the scan produces a clean bill of health with no significant vulnerabilities. If you work for an agency of the US government, you're subject to the Federal Information Security Management Act, FISMA, which requires you to follow the security controls found in NIST's special publication 80-53. This set of requirements includes a section on vulnerability management that requires that you regularly scan systems and applications for vulnerabilities, analyze the results of those scans, remediate the vulnerabilities that are deemed legitimate and share information about vulnerabilities with other government agencies. No matter why you're building a vulnerability management program, the basic tools and processes are the same. But before you start, it's important that you know what rules apply to you and your organization so that you can be sure to design your program to satisfy those requirements.
We are a CompTIA Partner. As such, we are able to offer CompTIA exam vouchers at a 10% discount. For more information on how to obtain this discount, please download these PDF instructions.
- Configuring vulnerability scans
- Reporting scan results
- Barriers to vulnerability remediation
- Analyzing scan reports
- Common server, endpoint, and network vulnerabilities
- Software security issues, such as SQL injection
- Access control vulnerabilities