3 Technical Vulnerability Management
Vulnerability analysis and assessment is an important element of each required activity in the NIST Risk Management Framework (RMF). The RMF comprises six steps, into each of which vulnerability analysis and assessment is to be integrated:
5 Technical Vulnerability Management
Objective: to reduce risks resulting from exploitation of published technical vulnerabilities. Technical vulnerability management should be implemented in an effective, systematic, and repeatable way, with measurements taken to confirm its effectiveness. These considerations should include operating systems and any other applications in use.
6 Technical Vulnerability Management
A current and complete inventory of assets is a prerequisite for effective technical vulnerability management. Specific information needed to support technical vulnerability management includes the software vendor, version numbers, current state of deployment (e.g. what software is installed on what systems), and the person(s) within the organization responsible for the software.
7 Technical Vulnerability Management
The following guidance should be followed to establish an effective management process for technical vulnerabilities: the organization should define and establish the roles and responsibilities associated with technical vulnerability management, including vulnerability monitoring, vulnerability risk assessment, patching, asset tracking, and any coordination responsibilities required;
8 Technical Vulnerability Management
information resources that will be used to identify relevant technical vulnerabilities and to maintain awareness about them should be identified for software and other technology; a timeline should be defined to react to notifications of potentially relevant technical vulnerabilities; once a potential technical vulnerability has been identified, the organization should identify the associated risks and the actions to be taken; such action could involve patching of vulnerable systems and/or applying other controls;
9 Technical Vulnerability Management
depending on how urgently a technical vulnerability needs to be addressed, the action taken should be carried out according to the controls related to change management; an audit log should be kept for all procedures undertaken; systems at high risk should be addressed first.
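The process in the guidance slides above, modelled in Python as an added example that is not from the slides or from the standards they summarise: a constructed inventory carrying the fields the inventory slide calls for is matched against constructed vulnerability notifications, a reaction deadline follows from severity, high-risk systems are ordered first, and every decision is written to an audit log. Host names, vendors, severities and the reaction timelines are assumptions.

```python
# Added example, not from the slides or the standards they summarise: a minimal
# model of the process above. It joins a constructed asset inventory (vendor,
# product, version, deployment state, responsible person, risk rating) with
# constructed vulnerability notifications, sets a reaction deadline by severity,
# orders high-risk systems first and writes an audit log entry for every decision.
# All field names, severities and reaction timelines are assumptions.
from collections import namedtuple
from datetime import datetime, timedelta

# version / fixed_in are tuples such as (2, 4, 1), so they compare numerically.
Asset = namedtuple("Asset", "host vendor product version deployment owner risk")
Advisory = namedtuple("Advisory", "advisory_id vendor product fixed_in severity")

REACTION_DAYS = {"critical": 2, "high": 7, "medium": 30, "low": 90}  # assumed timeline
RISK_ORDER = {"high": 0, "medium": 1, "low": 2}                       # high risk first

def affected(asset, adv):
    """True if the asset runs the advisory's product at a version below the fix."""
    return ((asset.vendor, asset.product) == (adv.vendor, adv.product)
            and asset.version < adv.fixed_in)

def plan_remediation(inventory, advisories, notified_at):
    """Return (actions, audit_log); actions sorted high-risk first, then earliest due."""
    actions, audit = [], []
    for adv in advisories:
        hits = [a for a in inventory if affected(a, adv)]
        audit.append(f"{notified_at.date()} {adv.advisory_id}: {len(hits)} affected host(s)")
        for a in hits:
            due = notified_at + timedelta(days=REACTION_DAYS[adv.severity])
            actions.append({"host": a.host, "owner": a.owner, "advisory": adv.advisory_id,
                            "risk": a.risk, "due": due})
            audit.append(f"{notified_at.date()} {adv.advisory_id} -> {a.host} "
                         f"({a.risk} risk, {a.deployment}) owner {a.owner}, due {due.date()}")
    actions.sort(key=lambda x: (RISK_ORDER[x["risk"]], x["due"]))
    return actions, audit

# Constructed sample data: three inventoried hosts and two notifications.
INVENTORY = [
    Asset("web01", "ExampleCo", "WebServer", (2, 4, 1), "production", "alice", "high"),
    Asset("dev02", "ExampleCo", "WebServer", (2, 4, 1), "test", "bob", "low"),
    Asset("db01", "ExampleCo", "DBEngine", (5, 1, 0), "production", "carol", "high"),
]
ADVISORIES = [
    Advisory("ADV-0001", "ExampleCo", "WebServer", (2, 4, 3), "critical"),
    Advisory("ADV-0002", "ExampleCo", "DBEngine", (5, 0, 0), "high"),  # db01 already fixed
]
PLAN, AUDIT_LOG = plan_remediation(INVENTORY, ADVISORIES, datetime(2024, 1, 10))
```

The audit log records the zero-hit advisory as well, so the absence of affected systems is itself evidenced.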
10 The Patch and Vulnerability Group
The PVG should be a formal group that incorporates representatives from information security and operations. These representatives should include individuals with knowledge of vulnerability and patch management, as well as system administration, intrusion detection, and firewall management.
11 The duties of the PVG
Create a System Inventory. Monitor for Vulnerabilities, Remediations, and Threats. Prioritize Vulnerability Remediation. Create an Organization-Specific Remediation Database. Conduct Generic Testing of Remediations. Deploy Vulnerability Remediations. Distribute Vulnerability and Remediation Information to Local Administrators. Perform Automated Deployment of Patches.
12 The duties of the PVG
Configure Automatic Update of Applications Whenever Possible and Appropriate. Verify Vulnerability Remediation Through Network and Host Vulnerability Scanning. Vulnerability Remediation Training.
13 Report Organization
Section 1: Introduction to purpose, organization, scope, and assumptions for this Report.
Section 2: Overview of automated vulnerability assessment tools, including descriptions of the various types of automated vulnerability assessment tools currently available.
Section 3: Catalogue of descriptions of current vulnerability assessment tools, categorized by type.
Section 4: Representative listing of vulnerability assessment tools.
Section 5: List of resources for additional detailed information about IT and network vulnerability assessment and assessment tools.
14 Vulnerability Analysis tools
Vulnerability assessment tools help in that integration (of vulnerability analysis into the RMF) by automating the detection, identification, measurement, and understanding of vulnerabilities found in ICT components at various levels of a target ICT system or infrastructure. They generally work by attempting to automate the steps often employed to exploit vulnerabilities: they begin by performing a “footprint” analysis to determine what network services and/or software programs (including versions and patch levels) run on the target.
15 Vulnerability Analysis tools
Most vulnerability assessment tools are capable of scanning a number of network nodes, including networking and networked devices (switches, routers, firewalls, printers, etc.), as well as server, desktop, and portable computers. The type and level of detail of a vulnerability assessment tool’s findings vary from tool to tool.
20 Web Application Scanners
Acunetix® Web Vulnerability Scanner; Casaba Watcher 1.5.1; Cenzic® Hailstorm® Enterprise Application Risk Controller; eEye Retina Web; Grabber; Mavituna Netsparker®; HP WebInspect®
21 Multilevel Scanners
Integrigy AppSentry; Open Vulnerability Assessment System 4; SAINT® Professional and SAINT® Enterprise; Symantec® Control Compliance Suite: Vulnerability Manager; Tenable® Nessus®; Venusense Vulnerability Scanning and Management System