Need help - Ask Roger

Why we need to understand the vulnerability process

Director

Introduction to the episode

In this episode we are going to focus on vulnerabilities and how they are managed.

Threat actors use vulnerabilities to target us.

By exploiting vulnerabilities they can gain access to systems, networks and devices.

Vulnerabilities allow criminals to gain a foothold on a system.

Vulnerabilities can be bugs, malicious changes to code (SolarWinds), accidents or default configurations.

Vulnerability management

What is a vulnerability?

How much exposure?

How can we measure it all?

Before we do anything else 

A vulnerability is a weakness that can be exploited in an attack.

A vulnerability can allow attackers to run code, access system resources, override installation protocols, and steal or change data.

Vulnerabilities are the tradecraft of the cybercriminal.

We first need some standards

The Common Vulnerability Scoring System (CVSS)

An open framework for communicating to the security industry the characteristics and severity of vulnerabilities in software and operating systems.

Common Vulnerabilities and Exposures (CVE)

A list of vulnerabilities that includes an ID, description, dates and comments for each entry.

The National Vulnerability Database (NVD) is a list of CVEs managed by NIST that is synchronised and provides enhanced information, including patch availability.

How do they work?

CVSS - needs a calculator which is available on the internet

Takes into account

Vector - how will the vulnerability be exploited

Complexity - how easy is it to exploit the vulnerability

Authentication - how often is the exploit required to authenticate against the system

3 other areas - the impact on confidentiality, availability and integrity (CIA) of data

CVE

Anyone can add to the CVE database

Based on "publicly known" vulnerabilities (usually means that they are patched or mitigated in some way).

Each one is a unique number associated with the vulnerability, and it also identifies the vendor of the software.

1000s of CVEs are issued daily

CVEs can be assigned before a solution is available, but they are normally hidden from public view.

Why do we need these systems?

Security is complex.

We needed a simple and readily available way to ensure that all parties are playing on the same field. 

Summary