Module 12: Vulnerability Management & Monitoring

Glossary of Terms

A weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.

The continuous process of identifying, classifying, prioritizing, remediating, and mitigating vulnerabilities in systems and software.

A vulnerability that has been disclosed but is not yet patched, leaving systems susceptible to a zero-day exploit. Attackers have "zero days" to exploit it before a fix is released.

A standardized system for identifying and naming publicly disclosed cybersecurity vulnerabilities. Each vulnerability gets a unique CVE ID.

An open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical score (0-10) to reflect severity.

The process of distributing and applying updates to software. It is a component of vulnerability management focused on remediation.

A simulated cyber attack against your computer system to check for exploitable vulnerabilities. It is a depth-over-breadth approach.

The process of continuously observing and analyzing activity on a network to detect and respond to potential threats or malicious behavior.

A computer-generated file that captures activity within an operating system or software application, including messages, errors, and file transfers.

A solution that gives security teams a central place to collect, aggregate, and analyze log data from across an enterprise to detect incidents.

A passive monitoring tool that analyzes network traffic for signs of potential threats and generates alerts when suspicious activity is detected.

An active security tool that monitors network traffic and takes immediate action to block or prevent potential threats in real time.

An integrated security solution that combines anti-malware, personal firewall, and other controls to provide preventative security on endpoint devices like laptops and servers.

A structured approach used by organizations to manage and mitigate security incidents. The lifecycle includes phases like Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Vulnerability Management

The Vulnerability Management Lifecycle

This is a continuous, six-phase cycle designed to systematically reduce an organization's risk exposure.

  • 1. Discover: Create a comprehensive inventory of all assets (devices, software, etc.) on the network.
  • 2. Prioritize Assets: Assign a value or criticality level to each asset group. Not all systems are equally important.
  • 3. Assess: Use vulnerability scanners to perform automated scans on assets to identify weaknesses.
  • 4. Report: Analyze the scan results and document the findings. Use systems like CVSS to understand the severity of each vulnerability and report the risk to stakeholders.
  • 5. Remediate: Fix the identified vulnerabilities, starting with the highest-risk ones. This often involves patch management but can also include configuration changes.
  • 6. Verify: Conduct follow-up scans to confirm that the vulnerabilities have been successfully remediated and the fixes have not introduced new issues.
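The lifecycle above in working form, as an added example that is not part of the module: scan findings are weighted by asset criticality (step 2 and 4), ordered for remediation (step 5), and a follow-up scan is compared with the first one (step 6). All asset names, CVE ids and scores are constructed sample data.

```python
# Added example (not from the module): ranking scan findings by risk and
# verifying remediation with a follow-up scan. Asset names, CVE ids and
# scores below are constructed sample data, not real scan output.
from dataclasses import dataclass

# Step 2: asset criticality on a 1-5 scale (constructed values).
ASSET_CRITICALITY = {"db-prod-01": 5, "web-prod-02": 4, "dev-laptop-07": 2}

@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str       # placeholder ids of the form CVE-0000-NNNN
    cvss: float    # CVSS base score, 0.0-10.0

def risk_score(f: Finding) -> float:
    """Step 4: weight the CVSS severity by how much the asset matters."""
    return round(f.cvss * ASSET_CRITICALITY.get(f.asset, 1), 1)

def prioritize(findings):
    """Step 5 ordering: highest risk first, ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)

def verify(before, after):
    """Step 6: compare the follow-up scan with the original one."""
    fixed = set(before) - set(after)
    regressions = set(after) - set(before)   # new issues introduced by the fix
    return fixed, regressions

# Constructed "Assess" results: first scan and the follow-up after patching.
first_scan = [
    Finding("dev-laptop-07", "CVE-0000-0001", 9.8),
    Finding("db-prod-01", "CVE-0000-0002", 7.5),
    Finding("web-prod-02", "CVE-0000-0003", 5.3),
]
second_scan = [
    Finding("dev-laptop-07", "CVE-0000-0001", 9.8),   # still unpatched
    Finding("web-prod-02", "CVE-0000-0004", 4.3),     # regression from the fix
]

if __name__ == "__main__":
    for f in prioritize(first_scan):
        print(f"{risk_score(f):5.1f}  {f.asset:14}  {f.cve}  (CVSS {f.cvss})")
    fixed, regressions = verify(first_scan, second_scan)
    print("fixed:", sorted(x.cve for x in fixed))
    print("regressions:", sorted(x.cve for x in regressions))
```

Note that the 9.8 finding on the low-value laptop drops below the 7.5 on the production database once criticality is applied, which is the point of step 2.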

Vulnerability Scanning vs. Penetration Testing

Though both are used to find weaknesses, they have different goals and approaches.

  • Vulnerability Scanning:
    • Approach: Largely automated, breadth-over-depth.
    • Goal: To identify and list as many known vulnerabilities as possible across a wide range of systems.
    • Frequency: Should be performed regularly (e.g., weekly, monthly) to maintain security hygiene.
  • Penetration Testing:
    • Approach: A combination of automated and manual techniques, depth-over-breadth.
    • Goal: To simulate a real-world attack by actively trying to exploit vulnerabilities to see how far an attacker could get.
    • Frequency: Performed less frequently (e.g., annually or after major system changes).

CVE and CVSS

These two systems are the common language of vulnerability management.

  • CVE (Common Vulnerabilities and Exposures): A list of publicly disclosed security vulnerabilities. Each vulnerability is given a unique ID (e.g., CVE-2021-44228 for Log4Shell) to ensure everyone is talking about the same issue.
  • CVSS (Common Vulnerability Scoring System): A standardized scoring system (from 0.0 to 10.0) that rates the severity of a vulnerability. A higher score means a more critical vulnerability. This helps organizations prioritize which issues to fix first.

Security Monitoring & Alerting

The Importance of Monitoring

Traditional defenses like firewalls are not enough. Continuous monitoring is essential for detecting threats that bypass preventative controls. The main purposes of monitoring are:

  • Threat Detection: To serve as the last line of defense, identifying attacks in progress.
  • Verification of Controls: To ensure that security policies (like blocking certain traffic) are actually working as intended.
  • Forensics: To provide a legal record of activity that can be used to investigate an incident after it has occurred.


Log Analysis and SIEM

At the heart of security monitoring is the collection and analysis of logs.

  • Logs: These are records of events that happen on systems and networks. They can come from operating systems, applications, firewalls, and more.
  • SIEM (Security Information and Event Management): Since manual log review is impossible at scale, SIEM systems are used to collect logs from thousands of sources into one central place. The SIEM can then correlate events from different sources to identify patterns that might indicate an attack and generate alerts.
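The correlation the SIEM paragraph describes, as an added example that is not part of the module: a rule run over constructed sshd log lines from several hosts, as a central collector would hold them. Each host on its own sees only one or two failed logins; only the combined view shows one source probing accounts across hosts and then succeeding, which is what the rule alerts on.

```python
# Added example (not from the module): a SIEM-style correlation rule run over
# constructed sshd log lines from several hosts. Each host alone sees only a
# couple of failures; only the central view reveals the pattern.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")

# Constructed sample: ISO timestamp, then host, as a collector might normalise them.
SAMPLE_LOGS = """\
2024-05-01T08:00:01 web-01 sshd[711]: Failed password for admin from 203.0.113.9 port 51022 ssh2
2024-05-01T08:00:04 web-02 sshd[812]: Failed password for admin from 203.0.113.9 port 51023 ssh2
2024-05-01T08:00:09 db-01 sshd[613]: Failed password for invalid user oracle from 203.0.113.9 port 51024 ssh2
2024-05-01T08:00:15 web-01 sshd[715]: Failed password for root from 203.0.113.9 port 51025 ssh2
2024-05-01T08:00:42 web-02 sshd[820]: Accepted password for admin from 203.0.113.9 port 51031 ssh2
2024-05-01T08:05:00 web-01 sshd[730]: Failed password for alice from 198.51.100.7 port 40000 ssh2
2024-05-01T08:05:20 web-01 sshd[731]: Accepted password for alice from 198.51.100.7 port 40001 ssh2
"""

def parse(lines):
    """Yield (time, host, outcome, user, source ip) for each line that matches."""
    for line in lines.splitlines():
        m = LINE.match(line)
        if m:
            ts, host, outcome, user, src = m.groups()
            yield datetime.fromisoformat(ts), host, outcome, user, src

def correlate(lines, window=timedelta(minutes=5), min_failures=3, min_hosts=2):
    """Alert when one source IP fails >= min_failures times across >= min_hosts
    hosts within `window` and then authenticates successfully anywhere."""
    failures = defaultdict(list)          # source ip -> [(time, host)]
    alerts = []
    for ts, host, outcome, user, src in sorted(parse(lines)):
        if outcome == "Failed":
            failures[src].append((ts, host))
            continue
        recent = [(t, h) for t, h in failures[src] if ts - t <= window]
        probed = sorted({h for _, h in recent})
        if len(recent) >= min_failures and len(probed) >= min_hosts:
            alerts.append({"src": src, "user": user, "host": host,
                           "failures": len(recent), "hosts_probed": probed})
    return alerts

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(f"ALERT: {a['src']} failed {a['failures']} times on {a['hosts_probed']}, "
              f"then logged in as {a['user']} on {a['host']}")
```

The single failure from 198.51.100.7 followed by a success is an ordinary mistyped password and produces no alert; the thresholds are what keep the rule from paging on every typo.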

IDS vs. IPS

These network security tools are critical for monitoring and responding to threats in real time.

  • IDS (Intrusion Detection System): A passive system. It's like a security camera that watches network traffic. If it sees something suspicious that matches a known attack signature, it sends an alert, but it doesn't stop the traffic.
  • IPS (Intrusion Prevention System): An active system. It's like a security guard at a gate. It sits "inline" with network traffic and can actively block or drop packets that it identifies as malicious, preventing the attack from reaching its target.

Fill in the Blank Questions

True/False Questions

Multiple Choice Questions