
   Corporate Governance (Vulnerability Risk Management – VRM)


  • Vulnerability risk management (VRM) is a risk-based strategy for improving cybersecurity that combines risk assessments with vulnerability assessments. Under VRM the enterprise prioritizes the remediation of software vulnerabilities according to the risk they pose to the enterprise; maintains awareness of all enterprise assets (such as applications, cloud services, embedded components, hardware, information technology (IT) systems, internet of things (IoT) devices, the intranet, middleware, software, networks and the like), assisted by artificial intelligence (AI) and machine learning; and ranks those assets from the most critical to the enterprise to the least critical. The aim is to protect business continuity in the event of an attack from external sources by allocating defensive resources according to the combination of asset criticality, risk assessment and threat intelligence (identifying the vulnerabilities in which crackers are most interested, and then building defenses and risk scores based on the likelihood that such crackers would succeed in their nefarious efforts).

  • Proactive best practices for efficient VRM may include: automatic patches and updates; creating a configuration management database (CMDB) documenting all configurations of the enterprise network, for quick reference to reconstruct such configurations in the event of an attack; cybersecurity forums; risk assessments; surprise penetration testing (or pen testing); threat intelligence feeds; upgrading hardware and software assets as soon as required; vulnerability data visualizations; vulnerability assessments; vulnerability intelligence feeds; vulnerability management log data analysis using a security information and event management (SIEM) software platform.

  • VRM encourages the proactive use of vulnerability assessments as a best practice, in conjunction with risk assessments; a vulnerability assessment is a deep dive into the business assets of an enterprise system, attempting to identify any security gaps that a bad actor or risk event could exploit to the detriment of the enterprise.

  • A vulnerability is a flaw in the hardware or software of an enterprise system that may allow a cracker to bypass permissions, deny legitimate users access to the system, gain access to sensitive information, tamper with the integrity of data within the system, infest the system with pernicious software (such as key-loggers, malware, viruses and the like), or exploit open ports in the perimeter firewall. Vulnerabilities include bad code, defective internal authorization controls, insufficient internal access protocols and misconfigured security settings.

  • The VRM process generally follows a progression of tasks related to vulnerabilities: identification – mapping all enterprise system assets and noting which assets have sufficient existing protections and which are vulnerable; classification – creating an inventory of all assets and then applying prioritization rules; evaluation – using scoring systems such as the Common Vulnerability Scoring System (CVSS) to assign a vulnerability level to each asset; remediation – increasing monitoring of the most-vulnerable critical assets and providing extra defenses (such as firewalls, malware scanners, password protection, restricted access permissions, virus scanners and the like); reporting – creating logs and notifying key personnel of the results of the VRM process tasks.

  • Various types of scans are used in vulnerability assessments (and if possible, use an open-source vulnerability scanner, such as OpenVAS for greater flexibility), such as for example – application scans (check configuration settings, and also check websites for software vulnerabilities); code scans (code scanners such as Veracode may identify blocks of code that may be suspicious); database scans (check faulty database connections); host-based scans (may locate vulnerabilities in servers, workstations, and other systems); network-based scans (analysis of router and wi-fi passwords for vulnerabilities; analysis of routers, switches and computers for device security; review network strength against common attacks – including distributed denial of service (DDoS), man-in-the-middle attack (MITM), and network intrusion; system vulnerabilities on both ethernet and wi-fi networks); wi-fi network-based scans (check configuration settings, and the most-probable attack points on wi-fi networks).

  • In general, a vulnerability assessment involves several steps, such as for example –

    • initial assessment of the assets (identifying all enterprise system assets, their context and all system processes, and assigning a criticality value and risk score to each such asset);

    • establish a system baseline (a complete summary of the functioning of the entire enterprise system prior to the vulnerability assessment, for later comparison with the functioning of the entire enterprise system after the vulnerability assessment);

    • conduct vulnerability scans using industry-accepted security tools and sources – vulnerability databases (including the Common Vulnerabilities and Exposures (CVE) list, CVEdetails.com and the National Vulnerability Database (NVD)), commercially-available vulnerability scanners such as Nessus, and pen testing;

    • report the results to the relevant enterprise personnel and security subject matter experts (SMEs) (including the complete summary of the functioning of the entire enterprise system after the vulnerability scan, for comparison with the earlier, pre-scan baseline of the functioning of the entire enterprise system);

    • analysis of the results by the relevant enterprise personnel and security SMEs to reach alignment on any necessary improvements to the entire enterprise system, to plug all the vulnerabilities identified in the vulnerability scan;

    • after every vulnerability scan, there should be a follow-up re-scan, to ensure that all vulnerabilities have been addressed;

    • reporting of all findings to senior enterprise management and security SMEs for analysis and any improvement recommendations;

    • there should be continuous vulnerability scanning thereafter, as a component of the enterprise cybersecurity strategic plan.

  • An information security-type risk assessment (as opposed to a risk management-type risk assessment) is the at-least-annual process of identifying all the assets (both physical and system) in the enterprise system that could be exposed to risk, listing all the possible threats that might negatively impact such assets, determining for each listed threat the probability that it will actually occur, and then quantifying the negative impact to the enterprise if it were to materialize, in order to prioritize the possible response strategies for mitigating such negative impacts.

  • Risk assessments generally have several steps, such as for example –

    • asset inventory (the identification of all physical and system assets to be included in the risk assessment, assigning a value to each asset based on its replacement cost and the cost to completely remediate any breach of the system caused by the failure of such asset);

    • risk inventory (identifying all the risk factors that might negatively impact the enterprise, and then categorizing and quantifying such risk factors based on, for example: the criticality of the asset in question; the likelihood of each such risk factor occurring; the frequency of each such occurrence; the negative impact that each such occurrence might have on the enterprise);

    • risk appetite (comparing the aggregate of negative impacts from the asset inventory plus the risk inventory against the maximum risk tolerance level that senior enterprise management has established as acceptable);

    • risk matrix (an evaluation of each risk for impact and likelihood, to determine the assets with the highest criticality levels);

    • resource allocation (once all the highest-criticality assets have been identified through the risk matrix, senior enterprise management allocates whatever human and monetary resources may be available for the remediation of any negative impact to the enterprise as a result of any breach related to any such asset; and, more often than not, the allocation for each breach related to each asset falls far short of the perceived need, since there are so many assets and negative impacts on the enterprise to consider);

    • after every risk scan, there should be a follow-up re-scan, to ensure that all risks have been addressed;

    • reporting of all findings to senior enterprise management and security SMEs for analysis and any improvement recommendations;

    • there should be continuous risk scanning thereafter, as a component of the enterprise cybersecurity strategic plan.
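The evaluation and risk-matrix steps described above (CVSS-based vulnerability levels, asset criticality, threat intelligence and a risk appetite threshold) are illustrated in the following added example; it is not part of the original page, and the weights, bucket boundaries, default appetite of 6.0 and the sample asset inventory are all illustrative assumptions.

```python
"""Added example: a small VRM prioritization routine that combines asset
criticality, a CVSS base score and threat intelligence, then places each
finding on a likelihood x impact risk matrix.  All weights are assumed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    criticality: int       # 1 (least critical) .. 5 (most critical), from the asset inventory
    cvss: float            # CVSS base score 0.0 .. 10.0
    known_exploited: bool  # threat intelligence: actively exploited in the wild


def likelihood(f: Finding) -> str:
    """Likelihood bucket from CVSS severity ranges, raised one step when
    threat intelligence reports active exploitation (assumed rule)."""
    levels = ["low", "medium", "high", "critical"]
    idx = 0 if f.cvss < 4.0 else 1 if f.cvss < 7.0 else 2 if f.cvss < 9.0 else 3
    if f.known_exploited:
        idx = min(idx + 1, 3)
    return levels[idx]


def impact(f: Finding) -> str:
    """Impact bucket derived from asset criticality (assumed mapping)."""
    return {1: "low", 2: "low", 3: "medium", 4: "high", 5: "critical"}[f.criticality]


def risk_score(f: Finding) -> float:
    """Ranking score: CVSS weighted by criticality, times 1.5 when the
    vulnerability is known to be exploited (assumed weights)."""
    score = f.cvss * (f.criticality / 5.0)
    return round(score * (1.5 if f.known_exploited else 1.0), 2)


def prioritize(findings, appetite: float = 6.0):
    """Return (asset, likelihood, impact, score, exceeds_appetite) tuples,
    most critical first; scores above the appetite need remediation."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.asset, likelihood(f), impact(f), risk_score(f), risk_score(f) > appetite)
            for f in ranked]


# Constructed sample inventory (not real assets or vulnerabilities).
SAMPLE = [
    Finding("payments-db", 5, 7.5, True),     # serious CVSS on the most-critical asset, exploited
    Finding("intranet-wiki", 2, 9.8, False),  # critical CVSS but a low-criticality asset
    Finding("hr-portal", 4, 5.3, False),
    Finding("lab-printer", 1, 9.0, True),
]
```

Note how the critical-CVSS finding on the low-criticality wiki ranks below the medium-CVSS finding on the HR portal, which is the page's point about weighting by asset criticality rather than by vulnerability severity alone.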

  • Drafting and negotiating all VRM-related documents, and legal support for all VRM-related tasks.

   Progress_Page_Last_Updated_221105_1853
