Vulnerability Management FAQ

What is the Vulnerability Management (VULN) Security Capability?

The VULN CDM security capability supports the ongoing assessments of a grouping of security controls that are employed to:

  • Give organizations visibility into the known vulnerabilities present on their networks. Known vulnerabilities are those with a Common Vulnerabilities and Exposures (CVE) identifier or discovered by the local organization and associated with a specific set of software products and operating systems; to include IOS and firmware.
  • Delay or prevent entry of malicious or compromised software from being installed on the network.
  • Reduce the number of easy-to-compromise devices due vulnerable software.
  • Delay or prevent vulnerable software from being used to gain access to other parts of the network, for expansion and or escalation of privileges, or for data exfiltration.

What security results should we be able to achieve by implementing the VULN security capability?

Effective implementation of the VULN security capability helps ensure known vulnerabilities are identified, prioritized for mitigation, and managed (e.g. patched). The VULN security capability identifies the existence of vulnerable software products on the network to allow an organization to mitigate and thwart common attacks that exploit those vulnerabilities. Devices with vulnerable software are more likely to be used by attackers as a platform from which to extend compromise of the network. It is important to note that you cannot identify a vulnerability unless you know it exists, and you cannot fix an identified vulnerability without the appropriate patch(es).

What types of security issues are addressed with VULN security capability?

Attackers continually scan devices for known vulnerabilities (CVE) and common weakness enumerations (CWE) that can be exploited. By exploiting these machines attackers are able to gain a foothold on the network in order to pivot to other parts of the network or to extract data. Attackers also attempt to exploit known vulnerabilities using additional attack vectors such as malicious emails, web browser redirects, or executing embedded software code in the email itself.
The VULN security capability addresses attacks on assets with identifiable vulnerabilities by reducing the number of such devices on the network. VULN identifies these vulnerabilities so they can be prioritized and managed.

What can I do to reduce my exposure to attacks exploiting poor vulnerability management?

After identifying a software defect on a device, the method below can reduct this particular cybersecurity risk:
Primary Methods

  • Remove the software on the device or the entire device from the network
  • Apply a patch or update the software to one with no known CVEs

Preventative Methods:

  • Develop processes to prioritize and patch software as soon as it is identified with a CVE and associated patch
  • Apply a compensating control to prevent or reduct the likelihood of the exploit

How does the VULN security capability define a vulnerability?

For the purposes of the VULN security capability, a vulnerability is a software product installed that contains at least one known vulnerability. This can be determined by collecting and comparing the enumerated software product data for each device with current National Vulnerability Database (NVD) information. If known vulnerabilities are present, the D/A will either patch/update the software product or remove it from the device.

How can the VULN security capability assessment support ongoing automated assessments as defined by NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations?

The following is an example of how the assessment for vulnerable software can be automated:

  1. Develop an actual state list (inventory) of (as close as practical to) all software on the network from the Manage Hardware Assets (HWAM) and Manage Software Assets (SWAM) security capabilities to enumerate all vulnerable software installed on all devices.
  2. Determine all CVEs on all devices that are appropriately mitigated by alternative methods.
  3. The desired state is that all software products installed on all devices are free of known vulnerabilities and that the list of known vulnerabilities is up-to-date.
  4. Ensure there are collection mechanisms and/or processes to detect and record/report the actual state information.
  5. Determine the defect, that is, the existence of an installed software product that contains at least one known vulnerability or is using out of date or incomplete CVE data.

What data should I collect to support the VULN security capability?

The minimal VULN security capability data recorded should include or be derived from the following:

Table 1: VULN Security Capability Required Data Elements
Data Item Justification
Authorized Hardware Inventory To identify what devices to check
The associated Value for every device role To prioritize defects associated with devices and device roles.
A version controlled and dated listing of all software products that have at least one known vulnerability to include:
  • Vulnerable software product in same format as the Authorized Software Inventory; e.g., Common Platform Enumeration (CPE), Software ID (SWID) or equivalent
  • All CVEs associated with that software product
For every locally defined known vulnerabilities maintain a version controlled and dated listing to include:
  • Vulnerable software product in same format as the Authorized Software Inventory (CPE or SWID equivalent)
  • Identifier of all local vulnerabilities associated with that software product
  • Severity for each local vulnerability (Common Vulnerability Scoring System score equivalent)
  • To detect known vulnerabilities present on the system
Alternative mitigation specification for any known vulnerability where the source vendor provides a mitigation option that can be implemented instead of patching/re-versioning the software to include:
  • CVE or local identifier
  • Associated system attributes
  • Required/acceptable values
  • Compliance definition
- To exclude vulnerabilities mitigated by alternative methods that can be automatically checked from the score.
- To determine compliance with each specific check
The vulnerable software installed on every device. To identify defects
Devices that are compliant with alternative mitigation specifications to include the CVEs or local identifiers that are appropriately mitigated To eliminate those vulnerabilities from the score
Data necessary to determine how long vulnerable software has been present on a device. At a minimum:
  • Date/time it was first discovered
  • Date/time it was last seen
To determine how long vulnerabilities have been present on a device

How do I identify managers to support the VULN security capability?

The manager(s) for hardware and software vulnerabilities are the group of persons who have authority and responsibility to manage the hardware assets (devices) and software assets. Authority and responsibility means, at a minimum, having the right administrator privileges on the asset to effectively manage the asset. Typically, this manager will be the subject matter expert for the application determined in the SWAM security capability.

How can we prevent vulnerabilities from getting on the network in the first place?

Vulnerabilities are an outcome of current industry software development practices; however, organizations can take particular steps to reduce the operational and maintenance requirements to keep systems up to date in terms of patching and software versions.
The following kinds of actions can be taken to reduce the number of vulnerable software versions on the network. The first is to minimize the installed software of all devices to just those that are required for the users of that device to performing their necessary duties. This will enable the patch management teams to be more efficient since they will not need to patch as many systems in general. Second, during acceptance of a system from the system development and testing lifecycle, organizations can institute processes to ensure that those systems are delivered at the most secure patch level available. This ensures the patch management teams will only need to patch current, rather than historic software versions. Finally, the organization can ensure that deprecated systems and devices are removed quickly from the network once their end of life is reached. This will ensure that devices which are not actively used in the environment are not patched, thus making the patch management teams more efficient in patching active devices.
While such actions won't eliminate all vulnerable devices, these actions can lower their incidence rates, which it a positive step.

How does the VULN security capability support other CDM security capabilities?

The VULN security capability relies upon the implementation of the SWAM security capability (which in turn depends on the HWAM security capability) to provide a reliable and up-to-date inventory of software assets in order to identify vulnerabilities and weaknesses.