November 2020, page 19

are outlined in the National Institute of Standards and Technology's SP 800-40 document, Creating a Patch and Vulnerability Management Program.

1. Scan

Start by using an automated vulnerability scanner to perform a vulnerability scan across your known networks, both external and internal. If you haven't performed a vulnerability scan before, conduct the first scan without administrative credentials to see exactly what an attacker would see, whether they were scanning your external-facing network from the Internet or had gained a foothold on the internal network. A credentialed scan run afterwards will then find the missing patches and local misconfigurations that an unauthenticated scan cannot see from the network.

A number of automated vulnerability scanners are available to choose from, including free, open source solutions such as OpenVAS and paid, enterprise-class products from companies such as Tenable, Rapid7, and Qualys.

2. Prioritize

The challenging part of vulnerability management is remediating the discovered vulnerabilities with limited resources. A scanner can detect vulnerabilities, but it is our team members who have to invest their time and effort in fixing them, and because that time is limited we cannot simply fix everything at once. To channel our efforts, organizations should first address the vulnerabilities that present the highest risk to the organization (represented, as a starting point, by a vulnerability's CVSS score), then those that present the next highest level of risk, and so on. A base CVSS score measures the severity of the flaw itself rather than its exposure in your organization's particular environment, so it will not be perfect for every organization, but it is a great place to start and can be very effective in helping companies prioritize their remediation efforts.

3. Remediate

Remediation requires communication between the system owners and those performing the vulnerability scans, so that the discovered issues which should be fixed actually get fixed. In certain situations, a discovered vulnerability might not be fixed at all, or its resolution could be delayed. If the cost associated with fixing a vulnerability outweighs the perceived risk associated with it, the business can decide not to fix the issue. In this case, the known risk and the decision not to address it should be documented for future reference.

4. Verify

Once remediation work is completed, every vulnerability reported as fixed should be re-tested to ensure it was indeed addressed. Not all remediation work is successful the first time and, if it is not checked, a vulnerability believed to be fixed could still present risk to the environment.

Performing vulnerability management can help organizations greatly strengthen their overall cyber security posture, both by limiting the options attackers have for attacking an organization and by giving security teams the time they need to detect and defend against those attackers. Make sure to take the time to find your own vulnerabilities and address those that present risk to your organization, before an attacker does. To help find these vulnerabilities and understand their potential impact, organizations can also engage outside parties to perform more costly vulnerability assessments and penetration tests.

Mike Holcomb, Director of Information Security
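The four steps above, carried through on constructed scanner data as an added example (this is not code from the article or from any of the scanners it names). It assumes a generic CSV export with columns host, vuln_id, title and cvss_base; OpenVAS, Tenable, Rapid7 and Qualys each export their own columns, so load_findings() would be adapted to the real format. The CVE identifiers and CVSS v3 base scores in the sample are real NVD values; the hosts, the re-scan outcome and the risk-acceptance justification are made up for the example. It prioritizes by CVSS base score, separates documented risk acceptances from the work list instead of dropping them, and verifies by diffing the initial scan against the re-scan so that a failed fix is reported rather than assumed.

```python
"""Prioritize, track and verify scanner findings (added example, not from the article)."""
import csv
import io
from dataclasses import dataclass

# Constructed sample export from the initial, unauthenticated scan. The CVE ids and
# CVSS v3 base scores are real NVD values; the hosts are invented for this example.
INITIAL_SCAN_CSV = """host,vuln_id,title,cvss_base
10.0.0.5,CVE-2019-0708,Remote Desktop Services RCE (BlueKeep),9.8
10.0.0.5,CVE-2017-0144,SMBv1 RCE (EternalBlue),8.1
10.0.0.9,CVE-2014-0160,OpenSSL Heartbleed,7.5
10.0.0.7,CVE-2016-2183,TLS 64-bit block cipher (SWEET32),7.5
10.0.0.7,CVE-2015-4000,TLS export-grade DH (Logjam),3.7
"""

# Constructed re-scan after remediation: the SMB patch did not take, the
# SWEET32 finding is an accepted risk, and a new OpenSSL issue has appeared.
RESCAN_CSV = """host,vuln_id,title,cvss_base
10.0.0.5,CVE-2017-0144,SMBv1 RCE (EternalBlue),8.1
10.0.0.7,CVE-2016-2183,TLS 64-bit block cipher (SWEET32),7.5
10.0.0.9,CVE-2021-3449,OpenSSL renegotiation DoS,5.9
"""

# Constructed risk-acceptance record: (host, vuln_id) -> written justification.
ACCEPTED_RISKS = {
    ("10.0.0.7", "CVE-2016-2183"): "Legacy appliance, vendor requires 3DES until "
                                   "replacement in Q2; not Internet-exposed.",
}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    title: str
    cvss_base: float

    @property
    def key(self):
        return (self.host, self.vuln_id)


def load_findings(csv_text):
    """Step 1 output: parse a scanner export (assumed column layout) into Findings."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [Finding(r["host"], r["vuln_id"], r["title"], float(r["cvss_base"])) for r in rows]


def severity(cvss_base):
    """CVSS v3 qualitative rating: 9.0+ Critical, 7.0+ High, 4.0+ Medium, >0 Low, 0 None."""
    if cvss_base >= 9.0:
        return "Critical"
    if cvss_base >= 7.0:
        return "High"
    if cvss_base >= 4.0:
        return "Medium"
    return "Low" if cvss_base > 0.0 else "None"


def prioritize(findings):
    """Step 2: highest CVSS base score first; host and id break ties so the order is stable."""
    return sorted(findings, key=lambda f: (-f.cvss_base, f.host, f.vuln_id))


def plan_remediation(findings, accepted_risks):
    """Step 3: split the prioritized list into work items and documented exceptions.
    A finding leaves the work list only when a written justification exists for it."""
    to_fix, exceptions = [], []
    for f in prioritize(findings):
        if f.key in accepted_risks:
            exceptions.append((f, accepted_risks[f.key]))
        else:
            to_fix.append(f)
    return to_fix, exceptions


def verify(initial, rescan, accepted_risks):
    """Step 4: diff initial scan vs. re-scan. Reports what was really fixed, what is
    still open despite remediation, what remains by documented acceptance, and what is new."""
    before = {f.key: f for f in initial}
    after = {f.key: f for f in rescan}
    fixed = [f for k, f in before.items() if k not in after]
    still_open = [after[k] for k in before if k in after and k not in accepted_risks]
    accepted = [after[k] for k in before if k in after and k in accepted_risks]
    new = [f for k, f in after.items() if k not in before]
    return {"fixed": prioritize(fixed), "still_open": prioritize(still_open),
            "accepted": prioritize(accepted), "new": prioritize(new)}


def run_example():
    """Run all four steps on the constructed data; returns work list, exceptions and diff."""
    initial = load_findings(INITIAL_SCAN_CSV)
    to_fix, exceptions = plan_remediation(initial, ACCEPTED_RISKS)
    result = verify(initial, load_findings(RESCAN_CSV), ACCEPTED_RISKS)
    result["work_items"] = to_fix
    result["exceptions"] = exceptions
    return result


if __name__ == "__main__":
    r = run_example()
    for f in r["work_items"]:
        print(f"FIX      {severity(f.cvss_base):8} {f.cvss_base:4} {f.host:9} {f.vuln_id} {f.title}")
    for f, why in r["exceptions"]:
        print(f"ACCEPTED {severity(f.cvss_base):8} {f.cvss_base:4} {f.host:9} {f.vuln_id} ({why})")
    for name in ("fixed", "still_open", "new"):
        print(f"{name}: {[f.vuln_id for f in r[name]]}")
```

Run as a script it prints the ordered work list, the accepted exception with its justification, and the verification diff; on this data the EternalBlue finding shows up under still_open, which is exactly the failed-first-time remediation the Verify step exists to catch, and the new OpenSSL finding feeds back into the next Prioritize round.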