Technical Vulnerability Management
Vulnerability analysis and assessment is an important element of each required activity in the NIST Risk Management Framework (RMF). This RMF comprises six steps, into each of which vulnerability analysis and assessment is to be integrated:
The objective is to reduce risks resulting from exploitation of published technical vulnerabilities.
Technical vulnerability management should be implemented in an effective, systematic, and repeatable way, with measurements taken to confirm its effectiveness.
These considerations should include operating systems and any other applications in use.
A current and complete inventory of assets is a prerequisite for effective technical vulnerability management.
Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems), and the person(s) within the organization responsible for the software.
The following guidance should be followed to establish an effective management process for technical vulnerabilities:
the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required;
information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology;
a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities;
once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems and/or applying other controls;
depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management;
an audit log should be kept for all procedures undertaken;
systems at high risk should be addressed first.
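The guidance above (an asset inventory with vendor, version, deployment and owner; a defined reaction timeline; risk-based ordering; an audit log) is easier to see as one small workflow. The following is an added example, not code from the slides or from any standard: it matches a published advisory against a constructed inventory, orders the affected systems highest-risk first, derives a due date from an assumed reaction timeline, and records every decision in an audit log. The advisory identifier, vendor and product names, the risk ratings and the `REACTION_DAYS` values are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed data model for the inventory fields the slide lists: vendor,
# version, where the software is deployed (host) and who is responsible.
@dataclass(frozen=True)
class Asset:
    host: str
    vendor: str
    product: str
    version: tuple          # parsed with parse_version(), e.g. (2, 4, 49)
    owner: str              # person responsible for the software
    risk: str               # assumed system risk rating: "high", "medium" or "low"

@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder identifier, not a real advisory
    vendor: str
    product: str
    fixed_in: tuple         # first version that is no longer affected
    severity: str           # "critical", "high", "medium" or "low"
    published: date

def parse_version(text):
    """Turn '2.4.49' into (2, 4, 49) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

# Assumed reaction timeline (days from publication to required remediation).
REACTION_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
# "Systems at high risk should be addressed first": sort key for the plan.
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}

def affected_assets(inventory, advisory):
    """Match the advisory against the inventory by vendor, product and version."""
    return [a for a in inventory
            if a.vendor == advisory.vendor
            and a.product == advisory.product
            and a.version < advisory.fixed_in]

def plan_remediation(inventory, advisory, audit_log):
    """Produce an ordered action list (highest-risk systems first) with the
    responsible owner and a due date taken from the reaction timeline, and
    record each decision in the audit log (a plain list of strings here)."""
    due = advisory.published + timedelta(days=REACTION_DAYS[advisory.severity])
    hits = sorted(affected_assets(inventory, advisory),
                  key=lambda a: (RISK_ORDER[a.risk], a.host))
    plan = []
    for a in hits:
        action = {"advisory": advisory.advisory_id, "host": a.host,
                  "owner": a.owner, "risk": a.risk, "due": due.isoformat()}
        plan.append(action)
        audit_log.append(f"{advisory.advisory_id}: {a.host} ({a.risk} risk) "
                         f"assigned to {a.owner}, due {due.isoformat()}")
    return plan

# Constructed sample inventory and advisory (all values illustrative).
INVENTORY = [
    Asset("web1", "ExampleVendor", "httpd", parse_version("2.4.49"), "alice", "high"),
    Asset("web2", "ExampleVendor", "httpd", parse_version("2.4.51"), "alice", "medium"),
    Asset("dev1", "ExampleVendor", "httpd", parse_version("2.4.49"), "bob", "low"),
    Asset("db1", "OtherVendor", "dbserver", parse_version("13.4"), "carol", "high"),
]
ADVISORY = Advisory("ADV-EXAMPLE-001", "ExampleVendor", "httpd",
                    parse_version("2.4.51"), "critical", date(2024, 1, 10))

if __name__ == "__main__":
    log = []
    for step in plan_remediation(INVENTORY, ADVISORY, log):
        print(step)
    print("\n".join(log))
```

Running it shows only `web1` and `dev1` affected (`web2` already runs the fixed version), with `web1` listed first because its risk rating is higher, and both due seven days after publication. In a real process the inventory and the advisory feed would come from the organization's asset register and its chosen information resources rather than from constants.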
The Patch and Vulnerability Group
The PVG should be a formal group that incorporates representatives from information security and operations.
These representatives should include individuals with knowledge of vulnerability and patch management, as well as system administration, intrusion detection, and firewall management.
The duties of the PVG
Create a System Inventory.
Monitor for Vulnerabilities, Remediations, and Threats.
Prioritize Vulnerability Remediation.
Create an Organization-Specific Remediation Database.
Conduct Generic Testing of Remediations.
Deploy Vulnerability Remediations.
Distribute Vulnerability and Remediation Information to Local
Administrators.
Perform Automated Deployment of Patches.
Configure Automatic Update of Applications Whenever Possible and
Appropriate.
Verify Vulnerability Remediation Through Network and Host
Vulnerability Scanning.
Vulnerability Remediation Training.
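The duty "Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning" comes down to comparing a scan taken before remediation with one taken after it. The following is an added example, not code from the slides or from any scanner vendor: it parses two constructed scan reports in a simple made-up `host,port,finding_id,severity` format, classifies each finding as closed, still open or newly introduced, and checks a remediation ticket's claims against the rescan. The finding identifiers and host names are placeholders.

```python
# Constructed scan output format (not any real scanner's format): one finding
# per line, "host,port,finding_id,severity". Finding ids are placeholders.
BASELINE_SCAN = """\
web1,443,FINDING-001,high
web1,22,FINDING-WEAK-SSH-CIPHERS,medium
db1,5432,FINDING-002,critical
"""

RESCAN_AFTER_PATCHING = """\
web1,22,FINDING-WEAK-SSH-CIPHERS,medium
db1,5432,FINDING-002,critical
db1,5432,FINDING-003,low
"""

def parse_findings(text):
    """Return the set of (host, port, finding_id) tuples in a scan report,
    skipping blank and comment lines."""
    findings = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, port, finding_id, _severity = line.split(",")
        findings.add((host, int(port), finding_id))
    return findings

def compare_scans(baseline_text, rescan_text):
    """Classify findings as closed (gone after remediation), still open,
    or new (absent from the baseline, e.g. introduced by the change itself)."""
    before = parse_findings(baseline_text)
    after = parse_findings(rescan_text)
    return {"closed": before - after,
            "still_open": before & after,
            "new": after - before}

def verify_remediation(baseline_text, rescan_text, expected_closed):
    """For each (host, finding_id) a remediation ticket claims to have fixed,
    report 'closed', 'still_open', or 'not_in_baseline' (the ticket refers to
    something the baseline scan never reported, so the rescan proves nothing)."""
    before = {(h, fid) for h, _p, fid in parse_findings(baseline_text)}
    after = {(h, fid) for h, _p, fid in parse_findings(rescan_text)}
    status = {}
    for item in expected_closed:
        if item not in before:
            status[item] = "not_in_baseline"
        elif item in after:
            status[item] = "still_open"
        else:
            status[item] = "closed"
    return status

if __name__ == "__main__":
    diff = compare_scans(BASELINE_SCAN, RESCAN_AFTER_PATCHING)
    for label, items in diff.items():
        print(label, sorted(items))
    print(verify_remediation(BASELINE_SCAN, RESCAN_AFTER_PATCHING,
                             [("web1", "FINDING-001"), ("db1", "FINDING-002")]))
```

The point of the third bucket, `new`, is that a rescan is not only a check that the intended fix worked: a patch or configuration change can expose a new finding (here `FINDING-003` on `db1`), and that should go back into the same prioritization process rather than be missed because the ticket only asked about the original finding.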
Report Organization
Section 1: Introduction to purpose, organization, scope, and assumptions for this report.
Section 2: Overview of automated vulnerability assessment tools, including descriptions of the various types of automated vulnerability assessment tools currently available.
Section 3: Catalogue of descriptions of current vulnerability assessment tools, categorized by type.
Section 4: Representative listing of vulnerability assessment tools.
Section 5: List of resources for additional detailed information about IT and network vulnerability assessment and assessment tools.
Vulnerability Analysis Tools
Vulnerability assessment tools generally work by attempting to automate the steps often employed to exploit vulnerabilities: they begin by performing a "footprint" analysis to determine what network services and/or software programs (including versions and patch levels) run on the target.
Vulnerability assessment tools support the integration of vulnerability analysis into the risk management process by automating the detection, identification, measurement, and understanding of vulnerabilities found in ICT components at various levels of a target ICT system or infrastructure.
Most vulnerability assessment tools are capable of scanning a number of network nodes, including networking and networked devices (switches, routers, firewalls, printers, etc.), as well as server, desktop, and portable computers.
The type and level of detail of a vulnerability assessment tool's findings vary from tool to tool.
Tool type
Network Scanners
Host Scanners
Database Scanners
Web Application Scanners
Multilevel Scanners
Automated Penetration Test Tools
Vulnerability Scan Consolidators
Network Scanners
Assuria Auditor and Auditor RA
Infiltration Systems Infiltrator for Home Users
Microsoft® Attack Surface Analyzer
NileSOFT Secuguard SSE
Numara® Vulnerability Manager
SoftRun Inciter Vulnerability Manager
ThreatGuard® Secutor