
Effective Vulnerability Management

Managing Risk in the Vulnerable Digital Ecosystem

Chris Hughes (Capitol Technology University; University of Maryland Global Campus), Nikki Robinson (Capitol Technology University)

$57.95

Paperback

Language:   English
Publisher:   John Wiley & Sons Inc
Published:   12 April 2024

Infuse efficiency into risk mitigation practices by optimizing resource use with the latest best practices in vulnerability management

Organizations spend tremendous time and resources addressing vulnerabilities to their technology, software, and organizations. But are those time and resources well spent? Often, the answer is no, because we rely on outdated practices and inefficient, scattershot approaches. Effective Vulnerability Management takes a fresh look at a core component of cybersecurity, revealing the practices, processes, and tools that can enable today's organizations to mitigate risk efficiently and expediently in the era of Cloud, DevSecOps and Zero Trust.

Every organization now relies on third-party software and services, ever-changing cloud technologies, and business practices that introduce tremendous potential for risk, requiring constant vigilance. It's more crucial than ever for organizations to minimize the risk these dependencies pose to the rest of the business. This book describes the assessment, planning, monitoring, and resource allocation tasks each company must undertake for successful vulnerability management. And it enables readers to do away with unnecessary steps, streamlining the process of securing organizational data and operations. It also covers key emerging domains such as software supply chain security and human factors in cybersecurity.

- Learn the important difference between asset management, patch management, and vulnerability management, and how they need to function cohesively
- Build a real-time understanding of risk through secure configuration and continuous monitoring
- Implement best practices like vulnerability scoring and prioritization, and design interactions to reduce risks from human psychology and behaviors
- Discover new types of attacks like vulnerability chaining, and find out how to secure your assets against them

Effective Vulnerability Management is a new and essential volume for executives, risk program leaders, engineers, systems administrators, and anyone involved in managing systems and software in our modern digitally-driven society.
By:   Chris Hughes, Nikki Robinson
Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 226mm, Width: 152mm, Spine: 20mm
Weight:   318g
ISBN:   9781394221202
ISBN 10:   1394221207
Pages:   288
Publication Date:   12 April 2024
Audience:   Professional and scholarly, Undergraduate
Format:   Paperback
Publisher's Status:   Active
Contents:

Foreword
Introduction

1 Asset Management: Physical and Mobile Asset Management; Consumer IoT Assets; Software Assets; Cloud Asset Management; Multicloud Environments; Hybrid Cloud Environments; Third-Party Software and Open Source Software (OSS); Third-Party Software (and Risk); Accounting for Open Source Software; On-Premises and Cloud Asset Inventories; On-Premises Data Centers; Tooling; Asset Management Tools; Vulnerability Scanning Tools; Cloud Inventory Management Tools; Ephemeral Assets; Sources of Truth; Asset Management Risk; Log4j; Missing and Unaccounted-for Assets; Unknown Unknowns; Patch Management; Recommendations for Asset Management; Asset Manager Responsibilities; Asset Discovery; Getting the Right Tooling; Digital Transformation; Establishing and Decommissioning Standard Operating Procedures; Summary

2 Patch Management: Foundations of Patch Management; Manual Patch Management; Risks of Manual Patching; Manual Patching Tooling; Automated Patch Management; Benefits of Automated vs Manual Patching; Combination of Manual and Automated Patching; Risks of Automated Patching; Patch Management for Development Environments; Open Source Patching; Not All Software Is Equal; Managing OSS Patches Internally; Responsibilities of Infrastructure vs Operations Teams; Who Owns Patch Management?; Separation of Duties; Tools and Reporting; Patching Outdated Systems; End-of-Life Software; Unpatched Open Source Software; Residual Risk; Common Attacks for Unpatched Systems; Prioritizing Patching Activities; Risk Management and Patching; Building a Patch Management Program; People; Process; Technology; Summary

3 Secure Configuration: Regulations, Frameworks, and Laws; NSA and CISA Top Ten Cybersecurity Misconfigurations; Default Configurations of Software and Applications; Improper Separation of User/Administrator Privilege; Insufficient Internal Network Monitoring; Lack of Network Segmentation; Poor Patch Management; Bypass of System Access Controls; Weak or Misconfigured Multifactor Authentication Methods; Lack of Phishing-Resistant MFA; Insufficient Access Control Lists on Network Shares and Services; Poor Credential Hygiene; Unrestricted Code Execution; Mitigations; Default Configurations of Software Applications; Improper Separation of User/Administration Privilege; Insufficient Network Monitoring; Poor Patch Management; Wrapping up the CIS Misconfigurations Guidance; CIS Benchmarks; DISA Security Technical Implementation Guides; Summary

4 Continuous Vulnerability Management: CIS Control 7 (Continuous Vulnerability Management); Establish and Maintain a Vulnerability Management Process; Establish and Maintain a Remediation Process; Perform Automated Operating System Patch Management; Perform Automated Application Patch Management; Perform Automated Vulnerability Scans of Internal Enterprise Assets; Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets; Remediate Detected Vulnerabilities; Continuous Monitoring Practices; Summary

5 Vulnerability Scoring and Software Identification: Common Vulnerability Scoring System; CVSS 4.0 at a Glance; Base Metrics; Exploitability Metrics; Threat Metrics; Environmental Metrics; Supplemental Metrics; Qualitative Severity Rating Scale; Vector String; Exploit Prediction Scoring System; EPSS 3.0 (Prioritizing Through Prediction); EPSS 3.0; Moving Forward; Stakeholder-Specific Vulnerability Categorization; CISA SSVC Guide; Decision Tree Example; Software Identification Formats; Common Platform Enumeration; Package URL; Software Identification Tags; Common Weaknesses and Enumerations; Summary

6 Vulnerability and Exploit Database Management: National Vulnerability Database (NVD); Sonatype Open Source Software Index; Open Source Vulnerabilities; GitHub Advisory Database; Exploit Databases; Exploit-DB; Metasploit; GitHub; Summary

7 Vulnerability Chaining: Vulnerability Chaining Attacks; Exploit Chains; Daisy Chains; Vendor-Released Chains; Microsoft Active Directory; VMware vRealize Products; iPhone Exploit Chain; Vulnerability Chaining and Scoring; Common Vulnerability Scoring System; EPSS; Gaps in the Industry; Vulnerability Chaining Blindness; Terminology; Usage in Vulnerability Management Programs; The Human Aspect of Vulnerability Chaining; Phishing; Business Email Compromise; Social Engineering; Integration into VMPs; Leadership Principles; Security Practitioner Integration; IT and Development Usage; Summary

8 Vulnerability Threat Intelligence: Why Is Threat Intel Important to VMPs?; Where to Start; Technical Threat Intelligence; Tactical Threat Intelligence; Strategic Threat Intelligence; Operational Threat Intelligence; Threat Hunting; Integrating Threat Intel into VMPs; People; Process; Technology; Summary

9 Cloud, DevSecOps, and Software Supply Chain Security: Cloud Service Models and Shared Responsibility; Hybrid and Multicloud Environments; Containers; Kubernetes; Serverless; DevSecOps; Open Source Software; Software-as-a-Service; Systemic Risks; Summary

10 The Human Element in Vulnerability Management: Human Factors Engineering; Human Factors Security Engineering; Context Switching; Vulnerability Dashboards; Vulnerability Reports; Cognition and Metacognition; Vulnerability Cognition; The Art of Decision-Making; Decision Fatigue; Alert Fatigue; Volume of Vulnerabilities Released; Required Patches and Configurations; Vulnerability Management Fatigue; Mental Workload; Integration of Human Factors into a VMP; Start Small; Consider a Consultant; Summary

11 Secure-by-Design: Secure-by-Design/Default; Secure-by-Design; Secure-by-Default; Software Product Security Principles; Principle 1: Take Ownership of Customer Security Outcomes; Principle 2: Embrace Radical Transparency and Accountability; Principle 3: Lead from the Top; Secure-by-Design Tactics; Secure-by-Default Tactics; Hardening vs Loosening Guides; Recommendations for Customers; Threat Modeling; Secure Software Development; SSDF Details; Prepare the Organization (PO); Protect Software (PS); Produce Well-Secured Software (PW); Respond to Vulnerabilities (RV); Security Chaos Engineering and Resilience; Summary

12 Vulnerability Management Maturity Model: Step 1: Asset Management; Step 2: Secure Configuration; Step 3: Continuous Monitoring; Step 4: Automated Vulnerability Management; Step 5: Integrating Human Factors; Step 6: Vulnerability Threat Intelligence; Summary

Acknowledgments
About the Authors
About the Technical Editor
Index

CHRIS HUGHES, M.S., MBA, currently serves as the Co-Founder and President at Aquia and has 20 years of IT/Cybersecurity experience in the public and private sectors. He is also an adjunct professor for M.S. Cybersecurity programs. Chris co-hosts the Resilient Cyber Podcast and also serves as a Cyber Innovation Fellow at CISA.

NIKKI ROBINSON, DSc, PhD, is a Security Architect and Professor of Practice at Capitol Technology University. She holds a DSc in Cybersecurity and a PhD in Human Factors.
