Risk Based Vulnerability Management

Whilst most companies seek to run a risk-based vulnerability management program, it is very hard to implement one from scratch. Most companies do this in the following 3 steps, gradually phasing in extra sophistication:

  • 1. Vulnerability Assessments
  • 2. Vulnerability Management
  • 3. Risk based vulnerability management

Below we discuss the 3 steps in more details:

Vulnerability Assessment:

The act of scanning for potential vulnerabilities (security issues) in software such as Microsoft Windows, Apache Web Server and Adobe Acrobat Reader, or in hardware such as firewalls, routers, switches and servers, producing a list of the issues. Continuous vulnerability scanning is the first step to truly understanding where your organisation’s vulnerabilities lie, ensuring your business can then work to eliminate the more serious vulnerabilities affecting your valuable resources.

Vulnerability management:

A comprehensive Vulnerability Assessment programme. Running cyclical vulnerability assessments to identify threats then taking the output data to classify and prioritise risks based on severity (known as CVSS score) for remediation and mitigation.

Risk based vulnerability management:

The final step in increasing vulnerability maturity. Vulnerabilities are prioritised based on business risk, rather than just technical risk. For example, if a vulnerability is identified across multiple machines, say one on the public web site, and one in engineering, a typical Vulnerability Management approach would rate them as equally dangerous, whilst a risk-based approach would focus on the public web site first as this is where the highest business risk lies.Depending on your level of vulnerability maturity, S4 Applications has a range of solutions from Bringa, Netsparker and Tenable, that can help prevent unauthorised attacks and protect business continuity and reputation.

What’s Next