Cybersecurity Practice #7: Vulnerability Management

Organizations use vulnerability management to proactively discover vulnerabilities. These processes enable the organization to classify, evaluate, prioritize, remediate, and mitigate the technical vulnerability footprint from the perspective of an attacker. The ability to mitigate vulnerabilities before a hacker discovers them gives the organization a competitive edge and time to address these vulnerabilities in a prioritized fashion.[26]
Cybersecurity Practice 7: Vulnerability Management

Data that may be affected: PHI

Medium Sub-Practices:
- 7.M.A Host/Server-Based Scanning
- 7.M.B Web Application Scanning
- 7.M.C System Placement and Data Classification
- 7.M.D Patch Management, Configuration Management & Change Management

Large Sub-Practices:
- 7.L.A Penetration Testing
- 7.L.B Remediation Planning

Key Mitigated Risks:
- Ransomware Attacks
- Insider, Accidental or Intentional Data Loss
- Attacks Against Connected Medical Devices that May Affect Patient Safety
There are multiple types of vulnerability scanning. The most well-known methods are scans against servers (or hosts) and scans against web applications. These two scan types focus on different considerations.
Sub-Practices for Medium-Sized Organizations

7.M.A Host/Server-Based Scanning

NIST FRAMEWORK REF: DE.CM-8
In this model, vulnerability scanners are used to identify weaknesses in the OS or in third-party applications that reside on a server. There are two scan options: unauthenticated and authenticated. In the unauthenticated model, the scanner has no extra server privileges and queries the server through the ports that are active and reachable over the network. Depending on the sophistication of the scanning software, each server is queried and checked for vulnerabilities. Scan results provide the perspective of an attacker who lacks server access. Vulnerabilities that rate high in this space should be mitigated first, as they are the most likely points at which a hacker could enter the server. Authenticated scans are conducted by letting the vulnerability scanner log in to the server and query all running software with all running versions. The resulting software lists are usually compared against a vulnerability database (maintained by the scanner's vendor), and vulnerabilities are enumerated based on the
26. "CIS Control 3: Continuous Vulnerability Management," Center for Information Security Controls, accessed September 24, 2018, https://www.cisecurity.org/controls/continuous-vulnerabilitymanagement/.
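As an added illustration (not from the HICP document or from any scanner vendor), the following Python models the two host-scan modes described under 7.M.A and the prioritization rule that goes with them: an unauthenticated scan sees only what listens on the network, an authenticated scan enumerates every installed package against the vendor database, and network-exposed findings are remediated first. The package names, versions, vulnerability IDs and scores are all constructed placeholders.

```python
# Constructed stand-in for the scanner vendor's vulnerability database:
# (package, version) -> list of (vulnerability id, CVSS-style score)
VULN_DB = {
    ("sshd-example", "2.1"): [("VULN-EXAMPLE-1", 9.8)],
    ("httpd-example", "4.0"): [("VULN-EXAMPLE-2", 7.5)],
    ("xmllib-example", "1.3"): [("VULN-EXAMPLE-3", 5.3)],
}

# Constructed host: what is listening on the network, and what is installed
OPEN_SERVICES = [(22, "sshd-example", "2.1"), (443, "httpd-example", "4.0")]
INSTALLED = {"sshd-example": "2.1", "httpd-example": "4.0",
             "xmllib-example": "1.3", "shell-example": "5.0"}


def unauthenticated_scan(open_services):
    """Attacker's view: only services reachable on open ports, with the
    version the scanner can infer from the service banner."""
    findings = []
    for port, name, version in open_services:
        for vuln_id, score in VULN_DB.get((name, version), []):
            findings.append({"id": vuln_id, "package": name, "score": score,
                             "exposure": "network", "port": port})
    return findings


def authenticated_scan(installed, open_services):
    """Scanner logs in and enumerates every installed package and version;
    each hit is tagged by whether that package also listens on the network."""
    exposed = {name for _, name, _ in open_services}
    findings = []
    for name, version in installed.items():
        for vuln_id, score in VULN_DB.get((name, version), []):
            findings.append({"id": vuln_id, "package": name, "score": score,
                             "exposure": "network" if name in exposed else "local"})
    return findings


def prioritize(findings):
    """Remediation order: network-reachable findings first (the likely entry
    points for an outside attacker), then by severity score descending."""
    return sorted(findings, key=lambda f: (f["exposure"] != "network", -f["score"]))


if __name__ == "__main__":
    for f in prioritize(authenticated_scan(INSTALLED, OPEN_SERVICES)):
        print(f"{f['id']:16} {f['score']:4} {f['exposure']:8} {f['package']}")
```

The local-only finding (VULN-EXAMPLE-3) never appears in the unauthenticated result, which is exactly the gap an authenticated scan is meant to close.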