April 08, 2011, 3:16 PM —
It is springtime!
... and especially here in Finland it is probably the most influential season of them all, with the sun pushing away all the darkness. Perhaps because of that, I also woke up today with new motivation to write something here on ITworld.
So hello again everyone! ;)
Vulnerability management is like a spring clean-up!
Just as the melting snow reveals all the trash it has hidden all winter, vulnerability management processes also aim to reveal things in hiding, so I thought that would be a timely topic to re-start blogging with. But I will do that with a new spin! I will tell you how you can extend your current practices to finally also look for those zero-day vulnerabilities as well!
As you all probably know, vulnerability management is a process (and lots of techniques and tools) for finding the vulnerabilities in your systems, code, network architecture and so on. Conducting it manually is possible, but it requires thorough knowledge of the actual traffic, interfaces, attack vectors and protocols. It also requires tedious planning and follow-up so that discovered vulnerabilities eventually get fixed by deploying the latest patches, or by kicking those forgotten, unmaintained legacy boxes off the network to where they belong (the trash).
But when thinking of vulnerability management, people often limit their focus to finding out whether their system has a soft spot for certain known vulnerabilities. Known vulnerabilities have already been found by someone and reported to the public. The best way to keep up to date with the latest vulnerabilities is to subscribe to regular security updates from comprehensive vulnerability databases or email lists. These sources often leave you simply to determine which security issues are applicable to you.
But What About Those Zero-Days?
Vulnerability management is, however, or at least should be, much, much more than looking at the old stuff, the known stuff. Instead of just scanning for known vulnerabilities, finding the unknown zero-day vulnerabilities is at least equally important. The unknown vulnerabilities are those bugs in software that have not (yet) been discovered by the software developer and have not been publicly disclosed.