What is vulnerability management?

- [Presenter] Modern computing systems and applications are extremely complicated. It might not surprise you to learn that there are millions and millions of lines of code contained in every major piece of software that you run. For example, the Linux kernel is the core part of the operating system that handles input, output, memory management, CPU management and other core tasks. This central piece of the operating system contains over 24 million lines of code and it changes at an astonishing rate. Thousands of lines of code are added, removed and changed every day as the kernel evolves. Given the complexity of modern software, it's inevitable that developers will make mistakes. And some of those mistakes will lead to security vulnerabilities. In the security community, we have a well understood process for managing vulnerabilities. When a company learns of a vulnerability in their software, they analyze the issue and develop a fix for the problem known as a patch. They then release this patch through their update mechanism and administrators around the world apply the patch to correct the security vulnerability. From an administrator's perspective, there's a lot of work to do. Modern enterprises may run several different operating systems and hundreds of applications. They also have routers, switches, internet of things devices, software libraries and many other components that are being patched on a regular basis. Vulnerability management processes help administrators get a handle on this complexity. A mature vulnerability management process includes scanning systems for vulnerabilities, the application of patches, tracking of remediation and reporting of results. In this course, we'll explore all of these topics in detail. Before you can develop a vulnerability management program however, you need to have a firm understanding of your requirements. Why are you developing the program in the first place? Your first answer is probably that you were developing a vulnerability management program because you want your systems to be secure. That's a great answer and it should be the core purpose of the program. You may also be developing the program because your company policy requires you to do so. You might work in a department or operating unit and be following a corporate mandate to manage vulnerabilities in your systems. If that's the case, your vulnerability management program probably needs to fit within the parameters of a higher level corporate program. You might need to use specific tools, meet corporate deadlines and submit reports to a central office. And in many cases, companies develop vulnerability management programs because someone requires them to do so. There are a variety of regulations that apply to cybersecurity and two of them have specific requirements for vulnerability scanning. The Payment Card Industry Data Security Standard, PCI DSS applies to anyone who handles credit card information. It has detailed requirements for vulnerability scanning which include requiring quarterly vulnerability scans of systems and networks from both internal and external perspectives, requiring new scans whenever you make significant changes to your environment, mandating the use of an approved scanning vendor for your external scans and remediating vulnerabilities and re-scanning your systems and networks until the scan produces a clean bill of health with no significant vulnerabilities. If you work for an agency of the US government, you're subject to the Federal Information Security Management Act, FISMA. FISMA requires that you follow the security controls found in NIST, special publication, 800-53. This set of requirements includes a section on vulnerability management that requires that you regularly scan systems and applications for vulnerabilities, analyze the results of those scans, remediate vulnerabilities deemed legitimate and share information about vulnerabilities with other government agencies. As you build out vulnerability scanning in your organization, you should combine three different types of vulnerability tests. Network vulnerability scans probe any devices attached to your network for security issues while application scans, test the code running on those devices for potential flaws. Web applications require specialized testing that probes for common web application security issues such as SQL injection and cross-site scripting. You should also remember that vulnerability scanning doesn't happen in a vacuum. As you interpret the results of vulnerability scans, supplement those scans with reviews of system and application configurations and logs to vet the results for false positives and other errors. No matter why you're building a vulnerability management program, the basic tools and processes are the same. But before you start, it's important that you know what rules apply to you and your organization so that you can be sure to design your program to satisfy those requirements.