Organizations spend tremendous time and resources addressing vulnerabilities in their technology, software, and organizations. But are that time and those resources well spent? Often, the answer is no, because we rely on outdated practices and inefficient, scattershot approaches. Effective Vulnerability Management takes a fresh look at a core component of cybersecurity, revealing the practices, processes, and tools that can enable today's organizations to mitigate risk efficiently and expediently in the era of Cloud, DevSecOps and Zero Trust.
Every organization now relies on third-party software and services, ever-changing cloud technologies, and business practices that introduce tremendous potential for risk, requiring constant vigilance. It's more crucial than ever for organizations to minimize the risk these dependencies pose to the organization's success. This book describes the assessment, planning, monitoring, and resource allocation tasks each company must undertake for successful vulnerability management. And it enables readers to do away with unnecessary steps, streamlining the process of securing organizational data and operations. It also covers key emerging domains such as software supply chain security and human factors in cybersecurity.
- Learn the important difference between asset management, patch management, and vulnerability management and how they need to function cohesively
- Build a real-time understanding of risk through secure configuration and continuous monitoring
- Implement best practices like vulnerability scoring and prioritization, and design interactions to reduce risks arising from human psychology and behavior
- Discover new types of attacks like vulnerability chaining, and find out how to secure your assets against them
Effective Vulnerability Management is a new and essential volume for executives, risk program leaders, engineers, systems administrators, and anyone involved in managing systems and software in our modern digitally-driven society.
Table of Contents
Foreword xvii
Introduction xix
1 Asset Management 1
Physical and Mobile Asset Management 3
Consumer IoT Assets 4
Software Assets 5
Cloud Asset Management 6
Multicloud Environments 7
Hybrid Cloud Environments 7
Third-Party Software and Open Source Software (OSS) 9
Third-Party Software (and Risk) 10
Accounting for Open Source Software 11
On-Premises and Cloud Asset Inventories 11
On-Premises Data Centers 12
Tooling 13
Asset Management Tools 13
Vulnerability Scanning Tools 14
Cloud Inventory Management Tools 15
Ephemeral Assets 16
Sources of Truth 17
Asset Management Risk 18
Log4j 18
Missing and Unaccounted-for Assets 19
Unknown Unknowns 20
Patch Management 21
Recommendations for Asset Management 22
Asset Manager Responsibilities 22
Asset Discovery 23
Getting the Right Tooling 24
Digital Transformation 25
Establishing and Decommissioning Standard Operating Procedures 26
Summary 27
2 Patch Management 29
Foundations of Patch Management 29
Manual Patch Management 30
Risks of Manual Patching 31
Manual Patching Tooling 32
Automated Patch Management 34
Benefits of Automated vs Manual Patching 35
Combination of Manual and Automated Patching 36
Risks of Automated Patching 37
Patch Management for Development Environments 38
Open Source Patching 38
Not All Software Is Equal 39
Managing OSS Patches Internally 39
Responsibilities of Infrastructure vs Operations Teams 40
Who Owns Patch Management? 41
Separation of Duties 42
Tools and Reporting 43
Patching Outdated Systems 43
End-of-Life Software 44
Unpatched Open Source Software 45
Residual Risk 46
Common Attacks for Unpatched Systems 47
Prioritizing Patching Activities 48
Risk Management and Patching 49
Building a Patch Management Program 50
People 50
Process 51
Technology 51
Summary 52
3 Secure Configuration 53
Regulations, Frameworks, and Laws 53
NSA and CISA Top Ten Cybersecurity Misconfigurations 54
Default Configurations of Software and Applications 55
Improper Separation of User/Administrator Privilege 57
Insufficient Internal Network Monitoring 57
Lack of Network Segmentation 58
Poor Patch Management 58
Bypass of System Access Controls 60
Weak or Misconfigured Multifactor Authentication Methods 60
Lack of Phishing-Resistant MFA 61
Insufficient Access Control Lists on Network Shares and Services 61
Poor Credential Hygiene 61
Unrestricted Code Execution 62
Mitigations 62
Default Configurations of Software Applications 63
Improper Separation of User/Administration Privilege 64
Insufficient Network Monitoring 64
Poor Patch Management 64
Wrapping up the CIS Misconfigurations Guidance 65
CIS Benchmarks 65
DISA Security Technical Implementation Guides 66
Summary 68
4 Continuous Vulnerability Management 69
CIS Control 7 - Continuous Vulnerability Management 70
Establish and Maintain a Vulnerability Management Process 70
Establish and Maintain a Remediation Process 71
Perform Automated Operating System Patch Management 71
Perform Automated Application Patch Management 72
Perform Automated Vulnerability Scans of Internal Enterprise Assets 73
Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets 73
Remediate Detected Vulnerabilities 74
Continuous Monitoring Practices 74
Summary 77
5 Vulnerability Scoring and Software Identification 79
Common Vulnerability Scoring System 79
CVSS 4.0 at a Glance 80
Base Metrics 84
Exploitability Metrics 84
Threat Metrics 86
Environmental Metrics 88
Supplemental Metrics 89
Qualitative Severity Rating Scale 91
Vector String 92
Exploit Prediction Scoring System 92
EPSS 3.0 - Prioritizing Through Prediction 92
EPSS 3.0 94
Moving Forward 95
Stakeholder-Specific Vulnerability Categorization 97
CISA SSVC Guide 99
Decision Tree Example 106
Software Identification Formats 107
Common Platform Enumeration 108
Package URL 110
Software Identification Tags 110
Common Weaknesses and Enumerations 112
Summary 114
6 Vulnerability and Exploit Database Management 115
National Vulnerability Database (NVD) 115
Sonatype Open Source Software Index 118
Open Source Vulnerabilities 119
GitHub Advisory Database 120
Exploit Databases 121
Exploit-DB 122
Metasploit 122
GitHub 122
Summary 123
7 Vulnerability Chaining 125
Vulnerability Chaining Attacks 125
Exploit Chains 127
Daisy Chains 128
Vendor-Released Chains 129
Microsoft Active Directory 129
VMware vRealize Products 130
iPhone Exploit Chain 130
Vulnerability Chaining and Scoring 131
Common Vulnerability Scoring System 132
EPSS 132
Gaps in the Industry 133
Vulnerability Chaining Blindness 134
Terminology 135
Usage in Vulnerability Management Programs 136
The Human Aspect of Vulnerability Chaining 138
Phishing 138
Business Email Compromise 139
Social Engineering 140
Integration into VMPs 141
Leadership Principles 142
Security Practitioner Integration 142
IT and Development Usage 143
Summary 144
8 Vulnerability Threat Intelligence 145
Why Is Threat Intel Important to VMPs? 145
Where to Start 146
Technical Threat Intelligence 146
Tactical Threat Intelligence 147
Strategic Threat Intelligence 148
Operational Threat Intelligence 149
Threat Hunting 150
Integrating Threat Intel into VMPs 151
People 151
Process 152
Technology 153
Summary 154
9 Cloud, DevSecOps, and Software Supply Chain Security 155
Cloud Service Models and Shared Responsibility 156
Hybrid and Multicloud Environments 158
Containers 159
Kubernetes 165
Serverless 169
DevSecOps 170
Open Source Software 174
Software-as-a-Service 182
Systemic Risks 183
Summary 186
10 The Human Element in Vulnerability Management 187
Human Factors Engineering 189
Human Factors Security Engineering 191
Context Switching 191
Vulnerability Dashboards 193
Vulnerability Reports 194
Cognition and Metacognition 196
Vulnerability Cognition 197
The Art of Decision-Making 197
Decision Fatigue 198
Alert Fatigue 199
Volume of Vulnerabilities Released 199
Required Patches and Configurations 200
Vulnerability Management Fatigue 201
Mental Workload 202
Integration of Human Factors into a VMP 202
Start Small 203
Consider a Consultant 204
Summary 205
11 Secure-by-Design 207
Secure-by-Design/Default 208
Secure-by-Design 209
Secure-by-Default 210
Software Product Security Principles 211
Principle 1: Take Ownership of Customer Security Outcomes 211
Principle 2: Embrace Radical Transparency and Accountability 214
Principle 3: Lead from the Top 216
Secure-by-Design Tactics 217
Secure-by-Default Tactics 218
Hardening vs Loosening Guides 218
Recommendations for Customers 219
Threat Modeling 220
Secure Software Development 222
SSDF Details 223
Prepare the Organization (PO) 223
Protect Software (PS) 225
Produce Well-Secured Software (PW) 226
Respond to Vulnerabilities (RV) 227
Security Chaos Engineering and Resilience 229
Summary 231
12 Vulnerability Management Maturity Model 233
Step 1: Asset Management 234
Step 2: Secure Configuration 236
Step 3: Continuous Monitoring 238
Step 4: Automated Vulnerability Management 240
Step 5: Integrating Human Factors 242
Step 6: Vulnerability Threat Intelligence 244
Summary 245
Acknowledgments 247
About the Authors 249
About the Technical Editor 251
Index 253