Vulnerability Scanning and Remediation

Why is Vulnerability Scanning and Remediation important?

  • We all work in an environment with a continuous stream of updates and patches to address cybersecurity vulnerabilities, threats, and attacks.
  • The key way to address this is through the continuous scanning and remediation of vulnerabilities. The continuous scanning and remediation of vulnerabilities is commonly referred to as Vulnerability Management (VM).
  • Remember, the majority of the time, if you are aware of vulnerabilities needing patching, so is the attacker. Attackers have the same information as you and will begin to scan networks looking for devices with these vulnerabilities.
  • Sometimes the vulnerability is so new, the vendor has yet to release a patch to address the vulnerability. In these situations, there are often workarounds provided by the vendor to mitigate the attack until a patch can be released.
  • Vulnerability Scanning and Remediation is so important that Continuous Vulnerability Management is ranked as the #3 overall highest-priority control by the Center for Internet Security (CIS). The CIS Top 20 Controls is an industry-wide accepted list of actions organizations can take to create a defense-in-depth cybersecurity posture to defend and mitigate against the most common cyberattacks.

How do I get started?

Working with Institutional Data:

University of Hawaii’s ScanUH Vulnerability Scanner:

  • The UH ScanUH vulnerability scanner is a service provided by ITS to scan any system on the UH network.
  • Included in this service is a report produced by ScanUH of any vulnerabilities and misconfigurations needing to be remediated.

How do I prioritize what to patch (remediate) first?

There are numerous factors to consider when prioritizing which vulnerabilities to address first. Below are three key factors to assist you in your prioritization efforts:

Does this device handle Institutional Data?

  • If yes, prioritize patching these devices first, working from the highest risk down to the lowest risk category.
  • The Institutional Data risk categories are: Regulated (High Risk), Sensitive (Medium Risk), Restricted (Low Risk) and Public (No Risk).
  • The following link provides further information on Institutional Data: https://datagov.intranet.hawaii.edu/institutional-data-classification-levels/

Vulnerability Severity Level

Is this vulnerability considered a critical or high vulnerability? A critical or high severity ranking often means the vulnerability:

  • Can be easily exploited;
  • Is actively being exploited by attackers in the wild (i.e., on the internet);
  • Is a zero-day attack; or
  • Does not need any special privileges or user interaction to be exploited.

An excellent resource to use is the National Institute of Standards and Technology’s (NIST) National Vulnerability Database (NVD). This website is a trusted resource to find severity levels, information, links, and workarounds (if any) on vulnerabilities.

Accessible from the internet?

  • Can you reach this device from outside the office?
  • If yes, attackers can as well, and thus the device’s exposure level is significantly increased.
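The three factors above can be turned into a repeatable sort order for a scan report. The following is an added example, not ScanUH output or ITS code: the Finding fields, the sample findings, and their identifiers are all constructed. It applies the factors in the order the page gives them (Institutional Data classification first, then severity, then internet exposure) and flags findings with no vendor patch yet so that the workaround path is followed instead.

```python
"""Rank vulnerability-scan findings by the three prioritization factors:
Institutional Data classification, severity level, and internet exposure.
Added example; the Finding layout and sample data are constructed."""
from dataclasses import dataclass
from typing import List

# Rank order from the page: Regulated (High) > Sensitive (Medium) > Restricted (Low) > Public (None)
DATA_RISK = {"Regulated": 3, "Sensitive": 2, "Restricted": 1, "Public": 0}
# NVD-style qualitative severity ratings, highest first
SEVERITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}


@dataclass(frozen=True)
class Finding:
    finding_id: str               # scanner's own identifier (constructed here)
    host: str
    severity: str                 # one of SEVERITY
    data_class: str               # one of DATA_RISK
    internet_facing: bool         # reachable from outside the office network
    patch_available: bool = True  # False when the vendor has not yet shipped a fix


def priority_key(f: Finding) -> tuple:
    """Sort key: a higher tuple means patch sooner. Precedence follows the page:
    data classification first, then severity, then exposure. Unknown labels
    are rejected rather than silently sorted to the bottom."""
    if f.data_class not in DATA_RISK:
        raise ValueError(f"unknown Institutional Data class: {f.data_class!r}")
    if f.severity not in SEVERITY:
        raise ValueError(f"unknown severity: {f.severity!r}")
    return (DATA_RISK[f.data_class], SEVERITY[f.severity], int(f.internet_facing))


def remediation_action(f: Finding) -> str:
    """Patch when a fix exists; otherwise apply the vendor workaround until one ships."""
    return "patch" if f.patch_available else "apply vendor workaround / mitigate"


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_key, reverse=True)


def build_worklist(findings: List[Finding]) -> List[dict]:
    """Ordered worklist with the action to take for each finding."""
    return [
        {"id": f.finding_id, "host": f.host, "action": remediation_action(f)}
        for f in prioritize(findings)
    ]


# Constructed sample report (not real scanner output)
SAMPLE_FINDINGS = [
    Finding("F-1001", "web01", "Critical", "Public", True),
    Finding("F-1002", "hr-db01", "High", "Regulated", False),
    Finding("F-1003", "lab-pc07", "Low", "Restricted", False),
    Finding("F-1004", "grants01", "Critical", "Regulated", True, patch_available=False),
    Finding("F-1005", "intranet01", "Medium", "Sensitive", False),
]

if __name__ == "__main__":
    for row in build_worklist(SAMPLE_FINDINGS):
        print(row)
```

The key is strictly lexicographic, so a Critical finding on an internet-facing host that holds only Public data still sorts below a Low finding on a Restricted-data host; that matches the page's instruction to work devices handling Institutional Data first, from highest to lowest risk category. A team that wants exposure or severity to outweigh classification in some cases would replace the tuple with a weighted score.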

References

  • Center for Internet Security (CIS) Controls V7.1; Control 3: Continuous Vulnerability Management:
    • 3.4 Deploy Automated Operating System Patch Management Tools
    • 3.5 Deploy Automated Software Patch Management Tools
  • NIST SP 800-171r2 — Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations:
    • 3.11 Risk Assessment: 3.11.2 Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
    • 3.11 Risk Assessment: 3.11.3 Remediate vulnerabilities in accordance with risk assessments.
    • 3.14 System and Information Integrity: 3.14.1 Identify, report, and correct system flaws in a timely manner.
  • Payment Card Industry (PCI) Data Security Standard, v3.2.1:
    • Requirement 6: Develop and maintain secure systems and applications. Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor provided security patches, which must be installed by the entities that manage the systems. All systems must have all appropriate software patches to protect against the exploitation and compromise of cardholder data by malicious individuals and malicious software.
    • Requirement 11: Regularly test security systems and processes. Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.