Hey everyone, welcome back to the course. So in the last video, we talked about some of the different types of vulnerability assessments. In this video, we're going to talk about the vulnerability management life cycle.
So we've got six parts to this life cycle. We've got our baseline. We've got our vulnerability assessment itself. We've got a risk assessment. Then we move into remediation, verification and monitoring. And let's talk about all of those a little bit in detail. So let's start off with creating that baseline.
We obviously have to understand, like, where are we starting from? So with the baseline, what we want to do is actually identify and understand the actual business process, because we don't just do stuff just because we're in a business environment. So we need to understand that business process. What that means is that we need to understand the applications, the services, the data, all that stuff that supports that business process. So again, we start with the business process, and then we learn what actually supports that. What technology are we using that supports that process?
The next step is creating an inventory of all of our assets, and then from there we need to identify, like, okay, well, what's the priority asset, right? So, yeah, we've got this printer over here that's part of this process, or part of supporting this business process. But the reality is we can email these invoices to clients, right? We don't need to physically print them off, so that's not a critical asset in that situation, right? So we need to identify and then prioritize, or rank, all of our assets.
Next, we need to map out the network infrastructure and identify any controls that we already have in place, so what defends it, going back to the defense in depth I mentioned before. We also need to understand any types of policies that we have around that, or any types of standards or compliance that we need to address for that business process, that we need to be mindful of as we're building this stuff out and actually performing the vulnerability scanning.
And then we, of course, need to define the scope of the assessment, so that we are not touching things we shouldn't be touching, or potentially damaging things we shouldn't be damaging. So we need to define the actual scope of the assessment and basically create the policies and procedures that are going to support planning this, scheduling it, the logistical stuff around it. So we're just developing that information so we can have a very smooth process, as smooth as possible.
Then we move into the actual vulnerability assessment phase. This is where we look at things like physical security. So, as I mentioned before, are we actually locking our door? Are we not? So we want to look at things like that.
We'll look for misconfigurations. We talked about that, right, with the S3 bucket. Remember our bag of candy? We want to keep that candy safe, so we don't want to misconfigure things. We want to make sure we're configuring things properly to keep our favorite candy safe. Because again, me personally, I don't want someone swapping out the candy I like for Whoppers, right? And by the way, one of the candies I used to like is Butterfinger. So now you know a fun fact about me.
We also want to run vulnerability scans using various tools as part of this vulnerability assessment phase. And then once we find those vulnerabilities, we identify and prioritize them, right? We talked about that before.
Just because we find a vulnerability doesn't mean that that's something we necessarily need to worry about too much in our particular situation, based on our company and the company's business processes that are critical.
The other thing that we want to do when we find vulnerabilities and are classifying them is use what's called OSINT, open source intelligence, and we want to identify, number one, are these things being exploited in what's called the wild? So basically out there in the real world, are these things being exploited? Or is it maybe something that some researchers in a lab found, and there had to be certain situations in place and certain controls to actually allow them to do that thing? If so, maybe that's not something you necessarily worry about right off the bat, because there have got to be a lot of factors involved. That's a lot of work. And unless you've really got something valuable, a lot of people are lazy, right? A lot of attackers, script kiddies especially, are lazy. So just keep that in mind: you have to understand your risk appetite in that situation.
And then create a report of your actual scan, right? So make sure that you communicate that properly.
And then we move into things like the risk assessment, remediation, verification, etc. So risk assessment, basically: okay, we found these vulnerabilities. Are these actually a risk? And if yes, what's the actual impact, right? Is this going to shut down our business? Is this kind of a minor thing? Maybe it's an inconvenience. So we have to think through, like, what's the actual impact here? And then what's also our risk appetite? Like, are we okay with losing this system? Are we okay with this thing getting shut down? Are we okay with losing this data, because we do have backups, so we're not too worried if we get hit with a ransomware attack or something?
So just thinking through that type of stuff. Remediation: we need to make recommendations to executive management, our management team, whoever the stakeholders are, and say, hey, we've noticed these things. We recommend that you do these things to fix it. And if we're an external company doing the vulnerability scanning or pen testing, we need to be able to communicate that and say, okay, look, we found these. We think these are the most critical. You should probably fix these. And by the way, we could fix them right now, or hey, you could fix them this way. Blah, blah, blah, right.
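To tie the assessment, risk assessment and remediation steps together, here is an added example (not from the course or the speaker) that ranks constructed scan findings the way the narration describes: scanner severity weighted by the asset's criticality from the baseline, boosted when OSINT says the issue is exploited in the wild, reduced when a compensating control such as backups limits the impact, and then split against a risk appetite threshold. The asset names, finding ids and scores are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed asset inventory from the baseline step: criticality 1-5.
# The printer scores low because invoices can be emailed instead.
ASSETS = {
    "invoice-db": 5,     # holds the billing data the business process depends on
    "web-portal": 4,     # customer-facing app in the same process
    "lobby-printer": 1,  # losing it is an inconvenience, not a business stop
}

@dataclass
class Finding:
    asset: str
    finding_id: str          # constructed placeholder, not a real CVE id
    cvss: float              # base severity reported by the scanner
    exploited_in_wild: bool  # OSINT check: real-world exploitation vs lab-only
    has_backup: bool = False # compensating control that reduces impact

def risk_score(f: Finding) -> float:
    """Impact-weighted score: severity x asset criticality, doubled when
    exploitation is seen in the wild, halved when backups limit the impact."""
    score = f.cvss * ASSETS[f.asset]
    if f.exploited_in_wild:
        score *= 2.0
    if f.has_backup:
        score *= 0.5
    return round(score, 1)

def prioritize(findings, risk_appetite: float):
    """Rank findings by risk; anything at or under the risk appetite is
    accepted rather than put on the remediation list."""
    ranked = sorted(findings, key=risk_score, reverse=True)
    fix = [f for f in ranked if risk_score(f) > risk_appetite]
    accept = [f for f in ranked if risk_score(f) <= risk_appetite]
    return fix, accept

def report(findings, risk_appetite: float = 10.0) -> str:
    """Plain-text summary for the stakeholders, highest risk first."""
    fix, accept = prioritize(findings, risk_appetite)
    lines = ["Recommended for remediation:"]
    lines += [f"  {f.asset} {f.finding_id} score={risk_score(f)}" for f in fix]
    lines.append("Accepted within risk appetite:")
    lines += [f"  {f.asset} {f.finding_id} score={risk_score(f)}" for f in accept]
    return "\n".join(lines)

# Constructed sample findings: a high CVSS on the printer still ranks low.
SAMPLE_FINDINGS = [
    Finding("invoice-db", "F-1", 7.5, exploited_in_wild=True, has_backup=True),
    Finding("web-portal", "F-2", 9.8, exploited_in_wild=False),
    Finding("lobby-printer", "F-3", 9.0, exploited_in_wild=True),
    Finding("invoice-db", "F-4", 4.0, exploited_in_wild=False, has_backup=True),
]

if __name__ == "__main__":
    print(report(SAMPLE_FINDINGS))
```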
Verification. This is where we're talking about actually performing dynamic analysis and then reviewing that attack surface, saying, okay, was there actually a vulnerability? So going back to things like pen testing.
And then finally, monitoring. So this is where we're talking about looking at logs, so our intrusion detection systems, or IDS, or intrusion prevention; a lot of times they're combined. Those systems are looking at logs. We're also implementing things like policies, our procedures, various controls. By the way, if you are brand new to all of this stuff, a good place to go look and get some information is the CIS Top 20 Critical Security Controls. That's a good kind of fundamental source of information. You can kind of explore those different controls and understand some of the basic stuff, the fundamental stuff that companies should be doing, but many don't. So just keep that in mind.
So a quick quiz question here. We need to identify the data, services and blank that support the business process. Do you remember? I actually mentioned this specifically.
All right, so if you guessed number two, applications, you are correct. So the rest of those were just smoke and mirrors.
So in this video, we focused primarily on the vulnerability management life cycle. In the next video, we're going to jump into talking about a couple of different tool options you have for vulnerability scanning.