Vulnerability Management Lifecycle

Video Transcription
Hey, everyone. Welcome back to the course. In the last video, we talked about some of the different types of vulnerability assessments. In this video, we're going to talk about the Vulnerability Management Life Cycle.

We've got six parts of this life cycle. We've got our baseline, we've got our vulnerability assessment itself, we've got our risk assessment, then we move into remediation, verification, and monitoring. Let's talk about all of those a little bit in detail.

Let's start off with creating that baseline. We obviously have to understand where we are starting from. With the baseline, what we want to do is actually identify and understand the actual business process. Because we don't just do stuff just because we're in a business environment, we need to understand that business process. What that means is that we need to understand the applications, the services, the data, all that stuff around it that supports that business process. Again, we start with the business process, and then we learn what actually supports that. What technology are we using that supports that process?

The next step is creating an inventory of all of our assets, and then from there, we need to identify what's the priority asset. Yeah, we've got this printer over here that's part of this process, or part of supporting this business process, but the reality is we can email these invoices to clients. We don't need to physically print them off. That's not a critical asset in that situation. We need to identify and then prioritize and rank all of our assets.

Next, we need to map the network infrastructure and identify any controls that we already have in place, so going back to that defense in depth I mentioned before. Understanding any types of policies that we have around that, or any types of standards or compliance that we need to address for that business process, that we need to be mindful of as we're building this stuff out and actually performing the vulnerability scanning.

Then we, of course, need to define the scope of the assessment, so that way we are not touching things we shouldn't be touching or potentially damaging things we shouldn't be damaging. We need to define the actual scope of the assessment, and then create basically protection and procedures that are going to support planning this, scheduling it, the logistical stuff around it, so you're not just developing that information, so we can have a pretty smooth process, really as smooth as possible.

When we move into the actual vulnerability assessment phase, this is where we're going to look at things like physical security. So as I mentioned before, are we actually locking our door or are we not? We want to look at things like that. We're going to look for misconfigurations. We talked about that with the S3 bucket. Remember our bag of candy? We want to keep that candy safe, so we don't want to misconfigure things. We want to make sure we're configuring properly to keep our favorite candy safe. Because again, me personally, I don't want someone swapping out the candy I like for Whoppers. By the way, one of the candies I used to like is Butterfinger candy. Now you know a fun fact about me.

We also want to run vulnerability scans using various tools as part of this vulnerability assessment phase, and then once we find those vulnerabilities, identify and prioritize them. We talked about that before. Just because we find a vulnerability doesn't mean that it's something we necessarily need to worry about too much in our particular situation, based on our company and the company's business processes that are critical.

The other thing that we want to do when we find vulnerabilities, and in classifying them, is use what's called OSINT, open source intelligence. We want to identify, number 1, are these things being exploited in what's called the wild? Basically, out there in the real world, are these things being exploited? Or was it maybe something that some researcher's lab found, and there had to be certain situations in place and certain controls to actually allow them to do that thing? If yes, maybe that's not something you necessarily worry about right off the bat, because there have got to be a lot of factors involved. That's a lot of work, and unless you've really got something valuable, a lot of people are lazy. A lot of these script kiddies, especially, are lazy, so just keep that in mind: you have to understand your risk appetite in that situation. Then create a report of your actual scan. Make sure that you communicate that properly.

Then we move into things like the risk assessment, and remediation, verification, etc. We found these vulnerabilities. Are these actually a risk? If yes, what's the actual impact? Is this going to shut down our business? Is this a minor thing? Maybe it's an inconvenience, so we have to think through, what's the actual impact here? Then what's also our risk appetite? Are we okay with losing this system? Are we okay with this thing getting shut down? Or are we okay with losing this data because we do have backups? We're not too worried if we get hit with a ransomware attack or something. Just thinking through that type of stuff.

Remediation: we need to make recommendations to executive management or the management team, whomever the stakeholders are, and say, hey, we've noticed these things, we recommend that you do these things to fix it. If we're doing this for an external company, doing the vulnerability scanning or pen testing, we need to be able to communicate that and say, okay, look, we found these, we think these are the most critical, you should probably fix these, and by the way, we can fix them right now. Or hey, you can fix them this way, blah, blah, blah.

Verification: this is where we're talking about actually performing dynamic analysis and then reviewing that attack surface and saying, okay, why is there actually a vulnerability? Again, going back to things like pen testing.

Then finally, monitoring. This is where we're talking about looking at logs, like our Intrusion Detection System or IDS, or our Intrusion Prevention System; a lot of times we combine those systems there, looking at logs. Also implementing things like policies or procedures, various controls. By the way, if you are brand new to all of this stuff, a good place to go look and get some information is the CIS Top 20 Critical Security Controls. That's a good fundamental source of information; you can explore those different controls and understand some of the fundamental stuff that companies should be doing but many don't. So just keep that in mind.

A quick quiz question here. We need to identify the data, services, and blank that support a business process. Do you remember? I actually mentioned this specifically. If you guessed number 2, applications, you are correct. The rest of those were just smoke and mirrors.

In this video, we focused primarily on the Vulnerability Management Life Cycle. In the next video, we're going to jump into talking about a couple of different tool options you have for vulnerability scanning.