A
You're listening to the Cyberwire network. Powered by N2K.
B
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com/N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.
A
The word is vulnerability management. Spelled vulnerability, for software that might be exploited, and management, for the act of controlling a process or a set of processes. The continuous practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities within a system. Example sentence: Vulnerability management is an essential tactic for our zero trust strategy. Origin and context. You can make an argument that since the dawn of the personal computer revolution, somewhere in the 1980s, software engineering started to grow as an important design skill to modernize the world alongside other more established disciplines like chemical engineering, civil engineering, electrical engineering, and mechanical engineering. That said, it's the new kid on the block, relatively, and has yet to mature as a reliable discipline compared to the others. After all, the times that bridges fall down within a day or two of completion are few and far between. But it's routinely the case that version one of a software application is riddled with mistakes. Some of those mistakes are just bugs or incorrect behavior. Others can be leveraged by bad actors, and the industry calls those software vulnerabilities. Now it's important to distinguish the meaning between vulnerabilities, exploits, and the catchphrase zero day. They all play in the same ballpark, but they aren't the same. Identified vulnerabilities are mistakes in programming. Nothing bad has happened yet. It's just that somebody has noticed a flaw that might be leveraged by a bad actor. Usually that's the developer responsible for the code, but sometimes outside parties find them before the developers do. When that happens, we call those zero day vulnerabilities because it's day zero for the development team to start to repair it. It then becomes a race between how fast the developers can produce a fix and how quickly the bad actors can produce an exploit to leverage it.
Exploits are code developed by bad actors and researchers that leverage the software vulnerability's weakness in order to break into a system. These are much more dangerous than vulnerabilities because they actually work in the wild. If bad actors have a working exploit, say EternalBlue from the NSA's leaked cache of hacking tools, then they essentially have a master key to break into any system running on the underlying software. A zero day exploit is the most dangerous of all. It means that bad actors started using a working exploit before the responsible software vendor even knew there was a vulnerability. Vulnerability management, then, is the internal process of tracking down known vulnerabilities in your own systems and patching them when fixes become available, in some order that makes sense. To aid in that process is a tool called the Common Vulnerabilities and Exposures List, or CVE list for short. Back in 1999, most software vendors had their own way of tracking vulnerabilities in their products. To make things more efficient, they proposed creating a unified vulnerability and exposure reference list that the entire community could use. By 2005, the community built the National Vulnerability Database, or NVD for short, designed to enrich the CVE list with risk and impact scoring using the Common Vulnerability Scoring System, or CVSS, and provided other references like affected products and Security Content Automation Protocol mappings, or SCAP mappings. The trick, then, is for network defenders to routinely review the associated vulnerability databases and determine if their own systems are impacted. One way to do that is with vulnerability scanners. These tools scan your environment to collect and compare system information with publicly known vulnerabilities. In the near future, vulnerability managers may have some extra help in the form of software bills of materials, or SBOMs. Think of them as food labels for the software components that you run.
Today, many developers use shared software libraries for their customers. It's mostly a mystery which components are used, though, so identifying if you are running a vulnerable piece of code in one of those shared libraries is difficult. With an SBOM, the developers provide that information as part of the software package. The idea of SBOMs has been around for a while, but has gained little traction. But in May 2021, the American president, Joe Biden, signed an executive order mandating the use of SBOMs for contractors selling to the US federal government. This may be the first step in SBOMs becoming a standard best practice for everybody. Nerd reference: Professor Messer is a cybersecurity certification trainer for the CompTIA A+, Network+ and Security+ certifications. He had this to say about vulnerability scanning.
C
Unlike a penetration test, a vulnerability scan usually is not very invasive. It's simply gathering information about what can be found without actually performing any exploits on a system. We might perform a port scan to see what services might be open on a particular server, or find out what version of those services may be running. You can perform vulnerability scans from outside the network, but you can also perform your own vulnerability scans from inside the network. It's usually a good idea to do both so that if somebody did gain access to the inside, you'd know exactly what they would see.
A
Word Notes is written by Nyla Genoi, executive produced by Peter Kilpe, and edited by John Petrick and me, Rick Howard. The mix, sound design and original music have all been crafted by the ridiculously talented Elliot Heltzman. Thanks for listening.
B
Cyber threats are evolving every second, and staying ahead is more than just a challenge, it's a necessity. That's why we're thrilled to partner with ThreatLocker, the cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control: stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit threatlocker.com today to see how a default deny approach can keep your company safe and compliant.
Podcast Summary: Hacking Humans – Episode on Vulnerability Management
Podcast Information:
In this episode of Hacking Humans, N2K Networks delves deep into the critical topic of vulnerability management. The discussion centers around understanding software vulnerabilities, the processes involved in managing them, and the tools that aid cybersecurity professionals in safeguarding systems against potential threats.
Vulnerability Management is defined as the continuous practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities within a system. The term breaks down into:
Vulnerability: a flaw in software that might be exploited.
Management: the act of controlling a process or a set of processes.
Example Sentence: "Vulnerability management is an essential tactic for our zero trust strategy."
The episode emphasizes that while software engineering has matured alongside traditional engineering disciplines since the 1980s, it remains relatively nascent. Unlike civil engineering, where structural failures are rare and catastrophic, software applications are often riddled with bugs and vulnerabilities from their inception.
The discussion distinguishes between vulnerabilities, exploits, and the term zero day:
Vulnerability: a programming mistake that has been noticed but not yet abused; nothing bad has happened yet.
Zero day vulnerability: a flaw found by outside parties before the developers know of it, so it is "day zero" for the development team to begin repairing it.
Exploit: working code, written by bad actors or researchers, that leverages a vulnerability to break into a system (EternalBlue from the leaked NSA tool cache is the episode's example). A zero day exploit, one in use before the vendor knows the vulnerability exists, is the most dangerous case.
The episode underscores the urgency in vulnerability management by illustrating a race between developers to patch vulnerabilities and bad actors attempting to exploit them.
Effective vulnerability management involves several key steps:
Identifying known vulnerabilities present in your own systems.
Classifying and prioritizing them by risk and impact.
Remediating them by applying fixes as they become available, in an order that makes sense.
Mitigating those that cannot yet be patched.
To streamline vulnerability management, several tools and resources are pivotal:
Common Vulnerabilities and Exposures (CVE) List: A unified reference list for publicly known cybersecurity vulnerabilities and exposures.
Origin: Initiated in 1999 to standardize the tracking of vulnerabilities across various software vendors.
National Vulnerability Database (NVD): Enhances the CVE list by adding risk and impact scores using the Common Vulnerability Scoring System (CVSS) and provides additional references like affected products and Security Content Automation Protocol (SCAP) mappings.
The episode advises network defenders to routinely consult these databases to determine if their systems are impacted by known vulnerabilities. Vulnerability scanners are highlighted as essential tools that scan environments, collect system information, and compare it against the publicly known vulnerabilities.
Looking ahead, the introduction of Software Bills of Materials (SBOMs) is expected to give vulnerability managers extra help. SBOMs act as "food labels" for software components, detailing the various libraries and dependencies used in software applications.
Current Challenge: Developers often utilize shared software libraries, making it difficult to track which components are in use and whether they contain vulnerabilities.
SBOM Advantage: By providing detailed information about software components, SBOMs simplify the detection of vulnerable code within shared libraries.
Policy Impact: In May 2021, U.S. President Joe Biden signed an executive order mandating the use of SBOMs for contractors supplying to the federal government. This directive is expected to catalyze the adoption of SBOMs as a standard best practice across the industry.
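As an added example (not from the episode), here is how the SBOM-to-vulnerability-database matching described above can be carried out: read the component list from an SBOM, match each component against NVD-style records carrying affected version ranges and CVSS scores, and order the findings for remediation. The SBOM fragment and the records are constructed for the example, and the CVE identifiers are placeholders, not real CVEs.

```python
"""Match an SBOM's components against NVD-style CVE records and rank by CVSS."""
import json

# Constructed CycloneDX-style SBOM fragment: the "food label" for a made-up app.
SBOM_JSON = """
{"bomFormat": "CycloneDX", "components": [
  {"name": "libexample-ssl", "version": "1.2.3"},
  {"name": "example-json", "version": "4.0.1"},
  {"name": "example-web", "version": "2.9.0"}
]}
"""

# Constructed NVD-style records (placeholder IDs, not real CVEs): the product,
# the inclusive affected version range and the CVSS v3 base score.
VULN_DB = [
    {"id": "CVE-0000-0001 (placeholder)", "product": "libexample-ssl",
     "affected": ("1.0.0", "1.2.5"), "cvss": 9.8},
    {"id": "CVE-0000-0002 (placeholder)", "product": "example-json",
     "affected": ("4.0.0", "4.0.1"), "cvss": 5.3},
    {"id": "CVE-0000-0003 (placeholder)", "product": "example-web",
     "affected": ("1.0.0", "2.8.9"), "cvss": 7.5},
]

def parse_version(v):
    """Turn '1.2.3' into (1, 2, 3) so ranges compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def cvss_severity(score):
    """Qualitative band NVD publishes for CVSS v3 base scores."""
    if score == 0.0: return "None"
    if score < 4.0: return "Low"
    if score < 7.0: return "Medium"
    if score < 9.0: return "High"
    return "Critical"

def is_affected(version, affected):
    lo, hi = affected
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)

def match_sbom(sbom_json, vuln_db):
    """Identify, classify and prioritise: one finding per (component, CVE) hit."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        for rec in vuln_db:
            if rec["product"] == comp["name"] and is_affected(comp["version"], rec["affected"]):
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "cve": rec["id"], "cvss": rec["cvss"],
                                 "severity": cvss_severity(rec["cvss"])})
    return sorted(findings, key=lambda f: f["cvss"], reverse=True)  # worst first
```

Note that example-web 2.9.0 falls outside its record's affected range and so produces no finding: the version range check is what separates "the product is in my SBOM" from "I am running the vulnerable code".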
Professor Messer, a renowned cybersecurity certification trainer for CompTIA, offers valuable insights into vulnerability scanning:
"Unlike a penetration test, a vulnerability scan usually is not very invasive. It's simply gathering information about what can be found without actually performing any exploits on a system. We might perform a port scan to see what services might be open on a particular server or find out what version of those services may be running. You can perform vulnerability scans from outside the network, but you can also perform your own vulnerability scans from inside the network. It's usually a good idea to do both so that if somebody did gain access to the inside, you'd know exactly what they would see."
— Professor Messer [06:24]
This commentary highlights the non-invasive nature of vulnerability scans compared to penetration tests and underscores the importance of conducting both external and internal scans to comprehensively understand potential exposure points within a network.
The episode meticulously outlines the intricacies of vulnerability management, emphasizing its role in a robust cybersecurity strategy. Key takeaways include:
Continuous Vigilance: Vulnerability management is an ongoing process that requires regular scanning, assessment, and remediation to stay ahead of potential threats.
Resource Utilization: Leveraging standardized tools like the CVE list and NVD is essential for effective vulnerability tracking and management.
Emerging Practices: The adoption of SBOMs represents a significant advancement in managing software components and preempting vulnerabilities.
Expert Practices: Incorporating insights from cybersecurity professionals, such as Professor Messer, can enhance the effectiveness of vulnerability scanning efforts.
By understanding and implementing comprehensive vulnerability management practices, organizations can significantly bolster their defenses against evolving cyber threats.
This episode serves as an essential guide for cybersecurity professionals and enthusiasts, offering a thorough exploration of vulnerability management and its critical role in safeguarding digital infrastructures.