Effective Vulnerability Management

CHRIS HUGHES, M.S., MBA, currently serves as the Co-Founder and President at Aquia and has 20 years of IT/Cybersecurity experience in the public and private sectors. He is also an adjunct professor for M.S. Cybersecurity programs. Chris co-hosts the Resilient Cyber Podcast and also serves as a Cyber Innovation Fellow at CISA. NIKKI ROBINSON, DSc, PhD, is a Security Architect and Professor of Practice at Capitol Technology University. She holds a DSc in Cybersecurity and a PhD in Human Factors.

Foreword xvii

Introduction xix

1 Asset Management 1

Physical and Mobile Asset Management 3

Consumer IoT Assets 4

Software Assets 5

Cloud Asset Management 6

Multicloud Environments 7

Hybrid Cloud Environments 7

Third-Party Software and Open Source Software (OSS) 9

Third-Party Software (and Risk) 10

Accounting for Open Source Software 11

On-Premises and Cloud Asset Inventories 11

On-Premises Data Centers 12

Tooling 13

Asset Management Tools 13

Vulnerability Scanning Tools 14

Cloud Inventory Management Tools 15

Ephemeral Assets 16

Sources of Truth 17

Asset Management Risk 18

Log4j 18

Missing and Unaccounted-for Assets 19

Unknown Unknowns 20

Patch Management 21

Recommendations for Asset Management 22

Asset Manager Responsibilities 22

Asset Discovery 23

Getting the Right Tooling 24

Digital Transformation 25

Establishing and Decommissioning Standard Operating Procedures 26

Summary 27

2 Patch Management 29

Foundations of Patch Management 29

Manual Patch Management 30

Risks of Manual Patching 31

Manual Patching Tooling 32

Automated Patch Management 34

Benefits of Automated vs Manual Patching 35

Combination of Manual and Automated Patching 36

Risks of Automated Patching 37

Patch Management for Development Environments 38

Open Source Patching 38

Not All Software Is Equal 39

Managing OSS Patches Internally 39

Responsibilities of Infrastructure vs Operations Teams 40

Who Owns Patch Management? 41

Separation of Duties 42

Tools and Reporting 43

Patching Outdated Systems 43

End-of-Life Software 44

Unpatched Open Source Software 45

Residual Risk 46

Common Attacks for Unpatched Systems 47

Prioritizing Patching Activities 48

Risk Management and Patching 49

Building a Patch Management Program 50

People 50

Process 51

Technology 51

Summary 52

3 Secure Configuration 53

Regulations, Frameworks, and Laws 53

NSA and CISA Top Ten Cybersecurity Misconfigurations 54

Default Configurations of Software and Applications 55

Improper Separation of User/Administrator Privilege 57

Insufficient Internal Network Monitoring 57

Lack of Network Segmentation 58

Poor Patch Management 58

Bypass of System Access Controls 60

Weak or Misconfigured Multifactor Authentication Methods 60

Lack of Phishing-Resistant MFA 61

Insufficient Access Control Lists on Network Shares and Services 61

Poor Credential Hygiene 61

Unrestricted Code Execution 62

Mitigations 62

Default Configurations of Software Applications 63

Improper Separation of User/Administration Privilege 64

Insufficient Network Monitoring 64

Poor Patch Management 64

Wrapping up the CIS Misconfigurations Guidance 65

CIS Benchmarks 65

DISA Security Technical Implementation Guides 66

Summary 68

4 Continuous Vulnerability Management 69

CIS Control 7—Continuous Vulnerability Management 70

Establish and Maintain a Vulnerability Management Process 70

Establish and Maintain a Remediation Process 71

Perform Automated Operating System Patch Management 71

Perform Automated Application Patch Management 72

Perform Automated Vulnerability Scans of Internal Enterprise Assets 73

Perform Automated Vulnerability Scans of Externally Exposed Enterprise Assets 73

Remediate Detected Vulnerabilities 74

Continuous Monitoring Practices 74

Summary 77

5 Vulnerability Scoring and Software Identification 79

Common Vulnerability Scoring System 79

CVSS 4.0 at a Glance 80

Base Metrics 84

Exploitability Metrics 84

Threat Metrics 86

Environmental Metrics 88

Supplemental Metrics 89

Qualitative Severity Rating Scale 91

Vector String 92

Exploit Prediction Scoring System 92

EPSS 3.0—Prioritizing Through Prediction 92

Epss 3.0 94

Moving Forward 95

Stakeholder-Specific Vulnerability Categorization 97

CISA SSVC Guide 99

Decision Tree Example 106

Software Identification Formats 107

Common Platform Enumeration 108

Package URL 110

Software Identification Tags 110

Common Weaknesses and Enumerations 112

Summary 114

6 Vulnerability and Exploit Database Management 115

National Vulnerability Database (NVD) 115

Sonatype Open Source Software Index 118

Open Source Vulnerabilities 119

GitHub Advisory Database 120

Exploit Databases 121

Exploit-DB 122

Metasploit 122

GitHub 122

Summary 123

7 Vulnerability Chaining 125

Vulnerability Chaining Attacks 125

Exploit Chains 127

Daisy Chains 128

Vendor-Released Chains 129

Microsoft Active Directory 129

VMware vRealize Products 130

iPhone Exploit Chain 130

Vulnerability Chaining and Scoring 131

Common Vulnerability Scoring System 132

EPSS 132

Gaps in the Industry 133

Vulnerability Chaining Blindness 134

Terminology 135

Usage in Vulnerability Management Programs 136

The Human Aspect of Vulnerability Chaining 138

Phishing 138

Business Email Compromise 139

Social Engineering 140

Integration into VMPs 141

Leadership Principles 142

Security Practitioner Integration 142

IT and Development Usage 143

Summary 144

8 Vulnerability Threat Intelligence 145

Why Is Threat Intel Important to VMPs? 145

Where to Start 146

Technical Threat Intelligence 146

Tactical Threat Intelligence 147

Strategic Threat Intelligence 148

Operational Threat Intelligence 149

Threat Hunting 150

Integrating Threat Intel into VMPs 151

People 151

Process 152

Technology 153

Summary 154

9 Cloud, DevSecOps, and Software Supply Chain Security 155

Cloud Service Models and Shared Responsibility 156

Hybrid and Multicloud Environments 158

Containers 159

Kubernetes 165

Serverless 169

DevSecOps 170

Open Source Software 174

Software-as-a-Service 182

Systemic Risks 183

Summary 186

10 The Human Element in Vulnerability Management 187

Human Factors Engineering 189

Human Factors Security Engineering 191

Context Switching 191

Vulnerability Dashboards 193

Vulnerability Reports 194

Cognition and Metacognition 196

Vulnerability Cognition 197

The Art of Decision-.Making 197

Decision Fatigue 198

Alert Fatigue 199

Volume of Vulnerabilities Released 199

Required Patches and Configurations 200

Vulnerability Management Fatigue 201

Mental Workload 202

Integration of Human Factors into a VMP 202

Start Small 203

Consider a Consultant 204

Summary 205

11 Secure-by-Design 207

Secure-by-Design/Default 208

Secure-by-Design 209

Secure-by-Default 210

Software Product Security Principles 211

Principle 1: Take Ownership of Customer Security Outcomes 211

Principle 2: Embrace Radical Transparency and Accountability 214

Principle 3: Lead from the Top 216

Secure-by-Design Tactics 217

Secure-by-Default Tactics 218

Hardening vs Loosening Guides 218

Recommendations for Customers 219

Threat Modeling 220

Secure Software Development 222

SSDF Details 223

Prepare the Organization (PO) 223

Protect Software (PS) 225

Produce Well-Secured Software (PW) 226

Respond to Vulnerabilities (RV) 227

Security Chaos Engineering and Resilience 229

Summary 231

12 Vulnerability Management Maturity Model 233

Step 1: Asset Management 234

Step 2: Secure Configuration 236

Step 3: Continuous Monitoring 238

Step 4: Automated Vulnerability Management 240

Step 5: Integrating Human Factors 242

Step 6: Vulnerability Threat Intelligence 244

Summary 245

Acknowledgments 247

About the Authors 249

About the Technical Editor 251

Index 253