Module 4

Vulnerability Assessment & Risk Management
4.1 Vulnerability Management

What is vulnerability management?

Vulnerability management is a comprehensive process for identifying, assessing, prioritizing, mitigating, and monitoring vulnerabilities in an organization's IT infrastructure, applications, and systems. The goal is to reduce the security risk associated with known vulnerabilities and prevent breaches before the weaknesses are exploited. Because new vulnerabilities are disclosed and new assets appear continuously, it is a repeating cycle rather than a one-off scan.
Vulnerability Management
The cycle consists of the following phases:
Vulnerability discovery: Often referred to as vulnerability research or vulnerability finding, this is the process of identifying and uncovering security vulnerabilities in software, hardware, or systems. These vulnerabilities can be software bugs, misconfigurations, design flaws, or other weaknesses that could be exploited by malicious actors.
Vulnerability assessment: The testing process used to identify and assign severity levels to as many security defects as possible in a given timeframe, typically by scanning the in-scope assets and confirming which findings are real.
Vulnerability prioritization: The process of determining the order in which confirmed vulnerabilities should be remediated, based on their potential impact on the organization's systems, networks, and data. In practice this combines the severity score with context the scanner does not have, such as whether the affected asset is internet-facing and whether an exploit is publicly available.
Vulnerability report: A document that provides detailed information about security vulnerabilities or weaknesses discovered in an organization's systems, networks, software, or infrastructure. Reports are a critical component of vulnerability management and are used to communicate the findings of vulnerability assessments, penetration tests, or security audits to the people who must fix them.
Vulnerability remediation: The process of taking corrective actions (patching, reconfiguring, or applying a compensating control) to address and mitigate the vulnerabilities discovered within the organization's systems, networks, software, or infrastructure.
Vulnerability verification: Also known as vulnerability validation, this is the process of confirming that a previously identified vulnerability has actually been remediated or mitigated, normally by rescanning or re-testing the asset rather than by closing the ticket on the strength of a change record.
4.2 Techniques Used to Identify Vulnerabilities

Vulnerability Database:

Vulnerability databases are valuable resources in the field of cybersecurity, providing a centralized repository of information about known security vulnerabilities in software, hardware, and systems. These databases serve various purposes and offer benefits, but they also have certain limitations: an entry exists only once a vulnerability has been disclosed and catalogued, and the entry describes the product, not whether a particular deployment of it is exposed.
Vulnerability Database
Uses:
• Identification of vulnerabilities
• Risk assessment
• Prioritization
• Security audits and compliance
Limitations:
• Incompleteness
• False positives and negatives
• Dependency on public disclosure
• Lack of context
Industry Standards and Frameworks Used in Vulnerability Assessment

1. Common Vulnerability Scoring System (CVSS): CVSS is a standardized system for rating the severity of security vulnerabilities. It assigns a base score from 0.0 to 10.0 derived from exploitability metrics (attack vector, attack complexity, privileges required, user interaction) and impact metrics (confidentiality, integrity, availability), which makes it easier to compare vulnerabilities and prioritize remediation. The base score says nothing about whether an exploit exists or how exposed a particular asset is; the additional metric groups (temporal/threat and environmental) exist to add that context, and a scanner's "CVSS 9.8" is almost always the base score alone.

2. ISO/IEC 27001: An international standard for information security management systems (ISMS). It provides a framework for establishing, operating, and improving security controls, including controls for managing technical vulnerabilities, and for assessing whether those controls are effective.

3. NIST Cybersecurity Framework: Developed by the U.S. National Institute of Standards and Technology (NIST), this framework provides guidelines for identifying, assessing, managing, and reducing cybersecurity risk.
Tools Used in Vulnerability Assessment
Nessus: Nessus (Tenable) is a versatile network and host vulnerability scanner. Recommendations include scanning your network and systems regularly, preferring authenticated (credentialed) scans where possible because they see installed package versions and configuration that an unauthenticated scan cannot, and using the reports it generates to guide remediation efforts.
OpenVAS: OpenVAS (maintained by Greenbone) is a free and open-source vulnerability scanner that is particularly well-suited for smaller organizations. Recommendations include using OpenVAS for periodic vulnerability scans and keeping its feed of vulnerability tests current, since a scanner with a stale feed silently misses recent issues.
Qualys: Qualys offers a comprehensive, cloud-delivered vulnerability management platform. Recommendations include leveraging Qualys for scanning, remediation tracking, and policy enforcement.
Acunetix: Acunetix is a web application vulnerability scanner (a dynamic application security testing tool). Recommendations include using Acunetix for web application assessments and integrating it into the software development lifecycle so that findings surface before release rather than in production.
CVE
A CVE (Common Vulnerabilities and Exposures) identifier is a unique name, of the form CVE-YYYY-NNNNN, for a publicly known security vulnerability. It is used to track and communicate about vulnerabilities in software and hardware. Each CVE record includes a description of the vulnerability, the affected products, and references to advisories, patches, or updates. A severity score is not part of the identifier itself: CVSS scores are attached to the record by the organization that assigned the CVE or by the NIST National Vulnerability Database (NVD), and the two can differ for the same CVE. CVEs are essential for managing and prioritizing vulnerabilities, conducting patch management, and correlating scanner output, vendor advisories, and threat intelligence that all refer to the same issue. They are publicly accessible; the CVE Program is run by MITRE, and identifiers are assigned by MITRE and by CVE Numbering Authorities (CNAs) such as vendors and research organizations.
Threat Intelligence
Definition: Threat intelligence is information about cybersecurity threats and vulnerabilities, such as attacker infrastructure, malware indicators, and techniques in active use, that is used to protect against potential attacks.

Example: An organization subscribes to a commercial threat intelligence service that provides real-time data on emerging malware threats, enabling the organization to update its antivirus and network controls to block these threats before they can compromise its network. Because indicators age quickly (attackers rotate domains and IP addresses), a feed is only useful if its entries are refreshed and expired ones are retired.
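The example above says the feed is "applied" to the environment without showing what that means. The following is an added illustration, not code from the module or from any intelligence vendor: it loads a constructed feed, retires aged-out and low-confidence indicators, converts the defanged form in which feeds commonly publish indicators (hxxp://, 203.0.113[.]45) back into matchable form, and runs the result over constructed proxy, DNS, and endpoint log lines. The feed entries, log lines, age limit, and confidence threshold are all assumptions made up for the example.

```python
"""Added example: applying a threat-intelligence feed to local logs.
Feed entries and log lines are constructed for illustration; the age and
confidence thresholds are an assumed local policy, not part of any feed."""
import re
from datetime import date

TODAY = date(2024, 5, 6)  # fixed so the example is reproducible

# Constructed feed. Indicators are deliberately in defanged form.
FEED = [
    {"type": "ipv4",   "value": "203.0.113[.]45",       "confidence": 90, "first_seen": "2024-05-01"},
    {"type": "domain", "value": "update-cdn[.]example", "confidence": 80, "first_seen": "2024-05-03"},
    {"type": "domain", "value": "stale-c2[.]example",   "confidence": 95, "first_seen": "2023-01-10"},
    {"type": "sha256", "value": "ab" * 32,              "confidence": 70, "first_seen": "2024-05-05"},
    {"type": "ipv4",   "value": "198.51.100[.]7",       "confidence": 20, "first_seen": "2024-05-04"},
]

# Constructed log lines (proxy, DNS resolver, endpoint agent).
LOGS = [
    "2024-05-06T10:01:02Z proxy src=10.0.0.12 dst=203.0.113.45 url=http://update-cdn.example/a.bin",
    "2024-05-06T10:01:05Z dns client=10.0.0.12 query=update-cdn.example",
    "2024-05-06T10:02:00Z edr host=ws-12 file=a.bin sha256=" + "ab" * 32,
    "2024-05-06T10:03:00Z dns client=10.0.0.30 query=stale-c2.example",
    "2024-05-06T10:04:00Z proxy src=10.0.0.31 dst=198.51.100.7 url=http://intranet.example/",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def load_indicators(feed, today: date, max_age_days: int = 90,
                    min_confidence: int = 50) -> dict:
    """Return {type: {value: entry}}, dropping aged-out or low-confidence entries."""
    active = {}
    for entry in feed:
        age = (today - date.fromisoformat(entry["first_seen"])).days
        if age > max_age_days or entry["confidence"] < min_confidence:
            continue
        active.setdefault(entry["type"], {})[refang(entry["value"]).lower()] = entry
    return active


# One extractor per indicator type, applied to the whole log line.
EXTRACTORS = {
    "ipv4":   re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"(?:query=|://)([a-z0-9.-]+)", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}


def match_logs(logs, indicators: dict) -> list:
    """Return (line, indicator type, indicator value) for every hit."""
    hits = []
    for line in logs:
        for itype, values in indicators.items():
            for found in EXTRACTORS[itype].findall(line):
                if found.lower() in values:
                    hits.append((line, itype, found.lower()))
    return hits


if __name__ == "__main__":
    for line, itype, value in match_logs(LOGS, load_indicators(FEED, TODAY)):
        print(f"{itype:7} {value:24} <- {line[:45]}")
```

The stale command-and-control domain and the low-confidence address produce no alerts even though both appear in the logs; whether that is the right outcome depends on the thresholds, which is why they are explicit parameters rather than buried constants.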
Types Of Threat Intelligence
Why It Is Important to Keep Vulnerability Documentation Up to Date
• Ensures accuracy.
• Enables timely response to incidents.
• Helps with legal and regulatory compliance.
• Improves the organization's security posture.
• Facilitates knowledge transfer.
• Allows for learning from past incidents.
• Supports effective communication during incidents.
• Aids in recovery and resilience.
• Helps with reputation management.
• Drives continuous improvement in security practices.
4.3 Risk Management
Risk: Risk is the possibility of something bad happening. It combines the likelihood of a problem occurring (driven by a threat and by a vulnerability the threat can exploit) with how bad the outcome would be (the impact). Think of it as a way to measure and prepare for potential trouble.
Threat: A threat is something that could cause harm or trouble, a danger that might materialize. Threats can come from various sources, such as attackers, malware, or even natural disasters.
Vulnerability: A vulnerability is a weakness or gap that makes it easier for a threat to cause harm, like a hole in your armor that a threat can exploit. Vulnerabilities can be in software, systems, or in how people use technology.
Risk = Threat × Vulnerability × Impact
This is a conceptual relationship rather than literal arithmetic: if any factor is absent (no threat interested in the asset, no exploitable weakness, or no consequence worth caring about), the risk is effectively zero, and reducing any one factor reduces the risk. Security controls usually work on the vulnerability and impact terms, since the threat is outside the organization's control.
Risk Management

Risk management is the process of identifying, assessing, and controlling or mitigating risks to minimize the potential negative impact on an organization's objectives and operations. It involves a structured approach to understanding and dealing with uncertainties and potential threats.
Risk Analysis
Risk analysis is the process of assessing and evaluating potential risks, vulnerabilities, and threats to an organization's assets, operations, and objectives.

Types of Risk Analysis:

Qualitative Analysis
• Focuses on non-numeric ratings.
• Describes likelihood and impact with attributes such as low, moderate, and high.
• Used for subjective or complex topics, or where reliable loss data is not available.
• Techniques include risk matrices, scenario analysis, and expert judgement.
Quantitative Analysis
• Deals with numerical data.
• Expresses likelihood as a probability or frequency and impact as a measurable loss (money, hours of downtime, records exposed).
• Used for objective, data-driven assessments.
• Relies on statistical methods and mathematical models.
Risk Mitigation Strategies
Risk Avoidance: This strategy involves completely avoiding activities or
situations that could lead to a risk. For example, not engaging in high-risk
investments or not using certain technologies that are known to be
vulnerable.
Risk Reduction: Involves taking actions to reduce the likelihood or impact of
a risk. This can include implementing security measures, such as firewalls or
encryption, to reduce the risk of data breaches.
Risk Transfer: This strategy involves shifting the risk to another party. It's
commonly used in insurance, where organizations transfer the financial risk
to an insurance provider.
Risk Acceptance: Sometimes, organizations may choose to accept certain
risks if the cost of mitigation is higher than the potential impact. However,
even in acceptance, monitoring and preparation may be necessary.
Levels of Risk
Low Risk: This is when the likelihood of a risk occurring is minimal, and the
potential impact is not severe. Low-risk situations are generally manageable
and may not require extensive resources for mitigation.
Moderate Risk: Moderate risk indicates a higher likelihood of a risk
occurring and a potentially significant impact if it does. These risks typically
require active monitoring and some level of mitigation efforts.
High Risk: High-risk situations have a significant likelihood of occurring and
can result in severe consequences if not addressed. These risks demand
immediate attention, extensive mitigation efforts, and a well-defined
response plan.
Risk Associated with Specific Data
Public Data:
• Minimal risk, as this data is intended for public consumption.
• Risks mainly involve inaccuracies, unauthorized modifications, and potential reputational damage.
Internal Use Data:
• Low to moderate risk.
• Risks include unauthorized access, data leaks, and potential internal misuse.
Confidential Data:
• Moderate to high risk.
• Risks include data breaches, unauthorized access, theft, and potential legal and regulatory consequences.
Sensitive Data:
• High risk.
• Risks include significant data breaches, compliance violations, and potential harm to individuals or organizations.
Highly Sensitive Data:
• Very high risk.
• Risks involve catastrophic data breaches, legal and regulatory penalties, and severe damage to individuals' privacy and organizations' reputation.
4.4 Disaster Recovery & BCP

Disaster recovery (DR) is the set of policies, procedures, and technologies that an organization puts in place to recover its critical IT systems and data after a disruptive event. The goal of disaster recovery is to minimize downtime and data loss and to ensure business continuity in the face of various disasters, including natural disasters (e.g., earthquakes, floods), technical failures (e.g., hardware or software failures), human errors, and cybersecurity incidents (e.g., ransomware and data breaches). Note that a backup an attacker could also encrypt or delete is not a recovery capability, so DR for cyber incidents depends on offline or immutable copies.
Types of Disaster
Natural Disasters:
Earthquakes: Sudden shaking of the ground caused by the movement of tectonic plates.
Floods: Overflow of water onto normally dry land, often due to heavy rain, storms, or the melting of snow and ice.
Hurricanes, Typhoons, Cyclones: Violently rotating storms with strong winds and heavy rainfall.
Tornadoes: Violently rotating columns of air that extend from a thunderstorm to the ground.
Man-Made Disasters:
Cyberattacks: Deliberate attacks on computer systems, networks, or data.
Terrorist Attacks: Acts of violence and sabotage carried out by individuals or groups with political or ideological motives.
Industrial Accidents: Mishaps in industrial facilities, such as chemical spills, nuclear accidents, and explosions.
Transportation Accidents: Incidents involving planes, trains, ships, or vehicles that result in disasters.
Key Features of a Disaster Recovery Plan
1. RTO and RPO (Recovery Time Objective: how long restoring service may take; Recovery Point Objective: how much data loss, measured as a span of time before the incident, is tolerable)
2. Backup and Data Recovery
3. Alternate Sites
4. Documentation
5. Vendor and Third-Party Considerations
6. Security Measures
7. Incident Response Procedures
8. Continuous Monitoring and Updating
9. Regulatory Compliance
10. External Collaboration
11. Documentation Storage
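RTO and RPO are only meaningful if the plan is measured against them. The following is an added example, not part of the module: given a constructed backup log, an incident time, and the time service came back, it works out the achieved data-loss window and downtime and checks each against its target. The targets, schedule, and timeline are assumptions made up for the example; the one point worth taking away is that a failed backup job is not a restore point, which is the usual way an RPO is missed in practice.

```python
"""Added example: checking a recovery timeline against RPO and RTO targets.
Targets, backup schedule and incident timeline are constructed; the
calculation (data-loss window and restoration time) is the standard one."""
from datetime import datetime, timedelta

# Assumed business requirements for one system.
RPO = timedelta(hours=4)   # maximum tolerable data loss, measured in time
RTO = timedelta(hours=2)   # maximum tolerable time to restore service

# Constructed backup log: (completion time, succeeded?). A failed job
# must not count as a restore point.
BACKUPS = [
    (datetime(2024, 5, 6, 0, 0), True),
    (datetime(2024, 5, 6, 4, 0), True),
    (datetime(2024, 5, 6, 8, 0), False),   # failed job
    (datetime(2024, 5, 6, 12, 0), True),   # completed after the outage began
]

INCIDENT = datetime(2024, 5, 6, 11, 30)          # outage begins
SERVICE_RESTORED = datetime(2024, 5, 6, 13, 45)


def last_restore_point(backups, incident: datetime):
    """Most recent *successful* backup completed before the incident, or None."""
    good = [t for t, ok in backups if ok and t <= incident]
    return max(good) if good else None


def evaluate(backups, incident: datetime, restored: datetime,
             rpo: timedelta = RPO, rto: timedelta = RTO) -> dict:
    """Measure achieved RPO/RTO and report whether each target was met."""
    point = last_restore_point(backups, incident)
    data_loss = incident - point if point else None   # None: nothing to restore from
    downtime = restored - incident
    return {
        "restore_point": point,
        "data_loss": data_loss,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


def required_backup_interval(rpo: timedelta, tolerated_failures: int = 1) -> timedelta:
    """Largest schedule interval that still meets the RPO even if
    `tolerated_failures` consecutive jobs fail (an assumed planning rule)."""
    return rpo / (tolerated_failures + 1)


if __name__ == "__main__":
    r = evaluate(BACKUPS, INCIDENT, SERVICE_RESTORED)
    print(f"restore point {r['restore_point']}, data loss {r['data_loss']}, RPO met: {r['rpo_met']}")
    print(f"downtime {r['downtime']}, RTO met: {r['rto_met']}")
    print("interval that survives one failed job:", required_backup_interval(RPO))
```

With these inputs the four-hourly schedule looks compliant on paper but misses the RPO by three and a half hours because the 08:00 job failed, and the restore overruns the RTO by fifteen minutes; both are the kind of gap a DR test is meant to surface before a real incident does.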
BCP (Business Continuity Plan)

A BCP is a proactive process and strategy designed to ensure an organization's critical business functions can continue to operate during and after a disaster or disruptive event. The primary focus of BCP is to maintain business operations, minimize downtime, and mitigate the impact of disruptions, whether they are caused by natural disasters, technology failures, human errors, or other unforeseen events. Where DR restores the IT systems, BCP covers how the business keeps working while they are down.
Key Components of a Business Continuity Plan
• Risk Assessment: Identifying potential threats and vulnerabilities that could disrupt business operations.
• Business Impact Analysis (BIA): Evaluating the potential impact of disruptions on critical business functions, revenue, and reputation.
• Recovery Strategies: Developing strategies for how to continue essential business operations during a disruption.
• Communication Plan: Establishing effective communication protocols for alerting employees, stakeholders, and customers during a crisis.
• Alternate Facilities and Resources: Identifying backup locations, equipment, and resources needed to maintain operations if the primary site becomes unavailable.
