Transcript
A (0:02)
You're listening to the Cyberwire network. Powered by N2K.
B (0:11)
Cyber threats are more sophisticated than ever. Passwords? They're outdated and can be cracked in a minute. Cybercriminals are intercepting SMS codes and bypassing authentication apps. While businesses invest in network security, they often overlook the front door: the login. Yubico believes the future is passwordless. YubiKeys offer unparalleled protection against phishing for individuals, SMBs, and enterprises. They deliver a fast, frictionless experience that users love. Yubico is offering N2K followers a limited buy one, get one offer. Visit yubico.com N2K to unlock this deal. That's Yubico. Say no to modern cyber threats. Upgrade your security today.
A (1:09)
The word is vulnerability management. Spelled: vulnerability, for software that might be exploited, and management, for the act of controlling a process or a set of processes. The continuous practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities within a system. Example sentence: Vulnerability management is an essential tactic for our zero trust strategy. Origin and context. You can make an argument that since the dawn of the personal computer revolution, somewhere in the 1980s, software engineering started to grow as an important design skill to modernize the world alongside other more established disciplines like chemical engineering, civil engineering, electrical engineering, and mechanical engineering. That said, it's the new kid on the block, relatively, and has yet to mature as a reliable discipline compared to the others. After all, the times that bridges fall down within a day or two of completion are few and far between. But it's routinely the case that version one of a software application is riddled with mistakes. Some of those mistakes are just bugs or incorrect behavior. Others can be leveraged by bad actors, and the industry calls those software vulnerabilities. Now, it's important to distinguish the meaning between vulnerabilities, exploits, and the catchphrase zero day. They all play in the same ballpark, but they aren't the same. Identified vulnerabilities are mistakes in programming. Nothing bad has happened yet. It's just that somebody has noticed a flaw that might be leveraged by a bad actor. Usually that's the developer responsible for the code, but sometimes outside parties find them before the developers do. When that happens, we call those zero day vulnerabilities, because it's day zero for the development team to start to repair it. It then becomes a race between how fast the developers can produce a fix and how quickly the bad actors can produce an exploit to leverage it.
Exploits are code developed by bad actors and researchers that leverage the software vulnerability's weakness in order to break into a system. These are much more dangerous than vulnerabilities because they actually work in the wild. If bad actors have a working exploit, say EternalBlue from the NSA's leaked cache of hacking tools, then they essentially have a master key to break into any system running on the underlying software. A zero day exploit is the most dangerous of all. It means that bad actors started using a working exploit before the responsible software vendor even knew there was a vulnerability. Vulnerability management, then, is the internal process of tracking down known vulnerabilities in your own systems and patching them when fixes become available, in some order that makes sense. To aid in that process is a tool called the Common Vulnerabilities and Exposures list, or CVE list for short. Back in 1999, most software vendors had their own way of tracking vulnerabilities in their products. To make things more efficient, they proposed creating a unified vulnerability and exposure reference list that the entire community could use. By 2005, the community built the National Vulnerability Database, or NVD for short, designed to enrich the CVE list with risk and impact scoring using the Common Vulnerability Scoring System, or CVSS, and provided other references like affected products and Security Content Automation Protocol mappings, or SCAP mappings. The trick, then, is for network defenders to routinely review the associated vulnerability databases and determine if their own systems are impacted. One way to do that is with vulnerability scanners. These tools scan your environment to collect and compare system information with publicly known vulnerabilities. In the near future, vulnerability managers may have some extra help in the form of software bill of materials, or SBOMs. Think of them as food labels for the software components that you run.
Today, many developers use shared software libraries for their customers. It's mostly a mystery which components are used, though. Identifying if you are running a vulnerable piece of code in one of those shared libraries is difficult. With an SBOM, the developers provide that information as part of the software package. The idea of SBOMs has been around for a while, but has gained little traction. But in May 2021, the American president, Joe Biden, signed an executive order mandating the use of SBOMs for contractors selling to the US federal government. This may be the first step in SBOMs becoming a standard best practice for everybody. Nerd reference: Professor Messer is a cybersecurity certification trainer for the CompTIA A+, Network+, and Security+ certifications. He had this to say about vulnerability scanning.