Risk Based Vulnerability Management
Whilst most companies seek to run a risk-based vulnerability management programme, it is very hard to implement one from scratch. Most companies build up to it in three steps, each building on the one before:

1. Vulnerability Scanning
2. Vulnerability Assessment
3. Risk Based Vulnerability Management

Below we discuss the three steps in more detail:
Vulnerability Scanning:
The act of scanning for known vulnerabilities (security issues) in software such as Microsoft Windows, Apache Web Server and Adobe Acrobat Reader, or in network devices and servers such as firewalls, routers and switches, producing a list of the issues found. Continuous vulnerability scanning is the first step to truly understanding where your organisation's vulnerabilities lie, ensuring your business can then work to eliminate the more serious vulnerabilities affecting its valuable resources. On its own, the scan output is a raw list: it records what was found and where, but carries no judgement about which findings matter most.
Vulnerability Assessment:
A comprehensive Vulnerability Assessment programme. Running cyclical vulnerability assessments and using the output to classify and prioritise findings by technical severity, typically the CVSS base score, for remediation and mitigation. Note that a CVSS base score describes the vulnerability itself, not the asset it sits on, so the same issue receives the same score wherever it is found.
Risk based Vulnerability Management:
The final step in vulnerability management maturity. Findings are prioritised by business risk rather than technical severity alone: the CVSS score is weighed against what the affected asset is, how exposed it is and what the business would lose if it were compromised. For example, if the same vulnerability is found on two machines, one serving the public web site and one on an engineering workstation, a severity-based approach rates both as equally dangerous because the CVSS score is identical, whilst a risk-based approach fixes the public web site first, because an internet-facing, business-critical asset is where the highest business risk lies.
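As an added example, not code from the original page, the following Python script ranks a small set of constructed scan findings both ways: by CVSS score alone, as in the Vulnerability Assessment step above, and by a business-risk score that scales severity by internet exposure, known exploit availability and asset criticality, as in the risk-based step. The hostnames, the placeholder vulnerability labels, the inventory and the weighting factors are all assumptions made for illustration; the exploit-availability factor goes slightly beyond the page's two-machine example to show how a lower-CVSS finding can outrank a higher one once context is applied.

```python
"""Two ways to order scan findings for remediation: by CVSS severity alone
(the vulnerability-assessment approach) and by business risk (the risk-based
approach). All assets, findings and weights below are constructed for
illustration and are not output from any real scanner."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Asset:
    hostname: str
    internet_facing: bool  # reachable from the public internet?
    criticality: int       # business criticality, 1 (low) to 5 (crown jewels)


@dataclass(frozen=True)
class Finding:
    asset: Asset
    vuln_id: str             # placeholder label, not a real CVE identifier
    cvss: float              # CVSS base score as the scanner reports it (0.0 to 10.0)
    exploit_available: bool  # public exploit code is known to exist


# Constructed inventory: a public web server and an internal engineering workstation.
WWW = Asset("www-01", internet_facing=True, criticality=5)
ENG = Asset("eng-ws-07", internet_facing=False, criticality=2)

# Constructed scan output. VULN-A is the page's example: the same vulnerability,
# hence the same CVSS score, on both hosts. VULN-B is a higher-severity finding
# on the internal workstation with no known exploit.
FINDINGS = [
    Finding(WWW, "VULN-A", cvss=7.5, exploit_available=True),
    Finding(ENG, "VULN-A", cvss=7.5, exploit_available=True),
    Finding(ENG, "VULN-B", cvss=9.8, exploit_available=False),
]


def severity_score(f: Finding) -> float:
    """Vulnerability-assessment ranking: technical severity only."""
    return f.cvss


def business_risk_score(f: Finding) -> float:
    """Risk-based ranking: severity scaled by exposure, exploitability and
    asset criticality. The multipliers are assumed weights for this example;
    a real programme would calibrate them against its own asset register."""
    exposure = 2.0 if f.asset.internet_facing else 1.0
    exploitability = 1.5 if f.exploit_available else 1.0
    return f.cvss * exposure * exploitability * f.asset.criticality


def prioritise(findings: List[Finding], score: Callable[[Finding], float]) -> List[str]:
    """Return 'vuln@host' labels in remediation order. Ties are broken by
    hostname and vuln_id so equal scores give a stable but arbitrary order,
    which is exactly the weakness of ranking on CVSS alone."""
    ordered = sorted(findings, key=lambda f: (-score(f), f.asset.hostname, f.vuln_id))
    return [f"{f.vuln_id}@{f.asset.hostname}" for f in ordered]


if __name__ == "__main__":
    print("by CVSS severity :", prioritise(FINDINGS, severity_score))
    print("by business risk :", prioritise(FINDINGS, business_risk_score))
```

Run as-is, the severity ordering puts the 9.8 on the engineering workstation first and then lists the two identical VULN-A findings in alphabetical hostname order, which tells the remediation team nothing useful about which to fix first. The business-risk ordering puts VULN-A on the public web server at the top, and the 9.8 without a known exploit on a low-criticality internal host at the bottom. The weights are deliberately crude; the point is that the ranking function must take the asset as an input, not just the vulnerability.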