IT Asset Management-Vulnerabilities and Patches.

The vulnerability management lifecycle is a continuous process for discovering, addressing, prioritizing vulnerabilities in an Organizations IT assets
A normal round of the lifecycle has five phases:

1. Asset inventory and vulnerability assessment.
2. Vulnerability prioritization.
3. Vulnerability resolution.
4. Verification and monitoring.
5. Reporting and improvement.

The vulnerability management lifecycle allows companies to improve security posture by taking a more strategic approach to vulnerability management. Instead of reacting to new vulnerabilities as they appear, security teams actively hunt for flaws in their systems. Organizations can identify the most critical vulnerabilities and put protections in place before threat strikes.

Every vulnerability is a risk for organization. Hackers have a growing pile of vulnerabilities at their disposal. In response, enterprises have made vulnerability management a key component of their Risk Management strategies. The vulnerability management lifecycle offers a proven model for effective vulnerability management programs in an ever-changing cyberthreat landscape. By adopting the lifecycle, organizations can see some of the following benefits:
• Proactive vulnerability discovery and resolution: Businesses often don’t know about their vulnerabilities until hackers have exploited them. The vulnerability management lifecycle is built around continuous monitoring so security teams can find vulnerabilities before adversaries do.

• Strategic resource allocation: Tens of thousands of new vulnerabilities are discovered yearly, but only a few are relevant to an organization. The vulnerability management lifecycle helps enterprises pinpoint the most critical vulnerabilities in their networks and prioritize the biggest risks for remediation.

• A more consistent vulnerability management process: The vulnerability management lifecycle gives security teams a repeatable process to follow, from vulnerability discovery to remediation and beyond. A more consistent process produces more consistent results, and it enables companies to automate key workflows like asset inventory, vulnerability assessment and patch management.

Planning and prep work
Formally, planning and prework happen before the vulnerability management lifecycle, During this stage, the organization irons out critical details of the vulnerability management process, including the following:
• stakeholders involved, and the roles they will have

• Resources, Tools and Funding available for vulnerability management

• Guidelines for prioritizing and responding to vulnerabilities

• Metrics for measuring the Project success
Organizations don’t go through this stage before every round of the lifecycle. Generally, a company conducts an extensive planning and prework phase before it launches a formal vulnerability management program. When a program is in place, stakeholders periodically revisit planning and prework to update their overall guidelines and strategies as needed.
Asset discovery and vulnerability assessment
The formal vulnerability management lifecycle begins with an asset inventory—a catalog of all the hardware and software on the organization’s network. The inventory includes officially sanctioned apps and endpoints and any IT assets employees use without approval.
Because new assets are regularly added to company networks, the asset inventory is updated before every round of the lifecycle. Companies often use software tools and platforms to automate their inventories.
After identifying assets, the security team assesses them for vulnerabilities. The team can use a combination of tools and methods, including automated vulnerability scanners, manual penetration testing and external model threat testing from the cybersecurity community.
Assessing every asset during every round of the lifecycle would be onerous, so security teams usually work in batches. Each round of the lifecycle focuses on a specific group of assets, with more critical asset groups receiving scans more often. Some advanced vulnerability scanning tools continuously assess all network assets in real-time, enabling the security team to take an even more dynamic approach to vulnerability discovery.
Vulnerability prioritization

The security team prioritizes the vulnerabilities they found in the assessment stage. Prioritization ensures that the team addresses the most critical vulnerabilities first. This stage also helps the team avoid pouring time and resources into low-risk vulnerabilities.
To prioritize vulnerabilities, the team considers these criteria:
• Criticality ratings from external threat intelligence: This can include MITRE’s list of Common Vulnerabilities or the Community Vulnerabilities Scoring System.

• Asset criticality: A noncritical vulnerability in a critical asset often receives higher priority than a critical vulnerability in a less important asset.

• Potential impact: The security team weighs what might happen if hackers exploited a particular vulnerability, including the effects on business operations, financial losses and any possibility of legal action.

• Likelihood of exploitation: The security team pays more attention to vulnerabilities with known exploits that hackers actively use in the wild.

• False positives: The security team ensures that vulnerabilities actually exist before dedicating any resources to them.

Vulnerability Resolution

The security team works through the list of prioritized vulnerabilities, from most critical to least critical. Organizations have three options to address vulnerabilities:

1. Remediation: Fully addressing a vulnerability so it can no longer be exploited, such as by patching an operating system bug, fixing a misconfiguration or removing a vulnerable asset from the network. Remediation isn’t always feasible. For some vulnerabilities, complete fixes aren’t available at the time of discovery. For other vulnerabilities, remediation would be too resource-intensive.

2. Mitigation: Making a vulnerability more difficult to exploit or lessening the impact of exploitation without removing the vulnerability entirely. For example, adding stricter authentication and authorization measures to a web application would make it harder for hackers to hijack accounts. Crafting Incident response plans for identified vulnerabilities can soften the blow of cyberattacks. Security teams usually choose to mitigate when remediation is impossible or prohibitively expensive.

3. Acceptance: Some vulnerabilities are so low-impact or unlikely to be exploited that fixing them wouldn’t be cost-effective. In these cases, the organization can choose to accept the vulnerability.

Verification and monitoring

To verify that mitigation and remediation efforts worked as intended, the security team rescans and retests the assets they just worked on. These audits have two primary purposes: to determine if the security team successfully addressed all known vulnerabilities and ensure that mitigation and remediation didn’t introduce any new problems.
As part of this reassessment stage, the security team also monitors the network more broadly. The team looks for any new vulnerabilities since the last scan, old mitigations that have grown obsolete, or other changes that may require action. All of these findings help inform the next round of the lifecycle.
Reporting and improvement

The security team documents activity from the most recent round of the lifecycle, including vulnerabilities found, resolution steps taken and outcomes. These reports are shared with relevant stakeholders, including executives, asset owners, compliance departments and others.
The security team also reflects on how the most recent round of the lifecycle went. The team may look at key metrics like mean time to detect (MTTD), mean time to respond (MTTR), total number of critical vulnerabilities and vulnerability recurrence rates. By tracking these metrics over time, the security team can establish a baseline for the vulnerability management program’s performance and identify opportunities to improve the program over time. Lessons learned from one round of the lifecycle can make the next round more effective.

What are security vulnerabilities?
A security vulnerability is any weakness in the structure, function or implementation of an IT asset or network. Hackers or other threat actors can exploit this weakness to gain unauthorized access and cause harm to the network, users or the business. Common vulnerabilities include:
• Coding flaws, such as web apps that are susceptible to cross-site scripting, SQL injection and other injection attacks because of how they handle user inputs.

• Unprotected open ports in servers, laptops and other endpoints, which hackers could use to spread malware, spyware etc.

• Misconfigurations, such as a cloud storage bucket with inappropriate access permissions that expose sensitive data to the public internet.

• Missing patches, weak passwords or other deficiencies in cybersecurity hygiene.

Patch management is the process of applying vendor-issued updates to close security vulnerabilities and optimize the performance of software and devices. Patch management is sometimes considered a part of vulnerability management.
In practice, patch management is about balancing cybersecurity with the business’s operational needs. Hackers can exploit vulnerabilities in a company’s IT environment to launch cyberattacks and spread malware. Vendors release updates, called “patches,” to fix these vulnerabilities. However, the patching process can interrupt workflows and create downtime for the business. Patch management aims to minimize that downtime by streamlining patch deployment.

Why the patch management process matters
Patch management creates a centralized process for applying new patches to IT assets. These patches can improve security, enhance performance, and boost productivity.
Security updates
Security patches address specific security risks , often by remediating a particular vulnerability.
Hackers often target unpatched assets, so the failure to apply security updates can expose a company to security breaches. Cybercriminals attacked networks where admins had neglected to apply the patch, infecting more than two lakh computers / devices in 100 plus countries.

Feature updates
Some patches bring new features to apps and devices. These updates can improve asset performance and user productivity.
Bug fixes
Bug fixes address minor issues in hardware or software. Typically, these issues don’t cause security problems but do affect asset performance.

Minimizing downtime
Most companies find it impractical to download and apply every patch for every asset as soon as it’s available. That’s because patching requires downtime. Users must stop work, log out, and reboot key systems to apply patches.
A formal patch management process allows organizations to prioritize critical updates. The company can gain the benefits of these patches with minimal disruption to employee workflows.
Regulatory compliance
Under regulations like the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry Data Security Standard (PCI-DSS), companies must follow certain cyber security practices. Patch management can help organizations keep critical systems compliant with these mandates.

Patch Management Lifecycle.
Most companies treat patch management as a continuous lifecycle. This is because vendors release new patches regularly. Furthermore, a company’s patching needs may change as its IT environment changes.
To outline the patch management best practices that admins and end users should follow throughout the lifecycle, companies draft formal patch management policies.
The stages of the patch management lifecycle include:

1.Asset management
To keep tabs on IT resources, IT and security teams create inventories of network assets like third-party applications, operating systems, mobile devices, and remote and on-premises endpoints.
IT teams may also specify which hardware and software versions employees can use. This asset standardization can help simplify the patching process by reducing the number of different asset types on the network. Standardization can also prevent employees from using unsafe, outdated, or incompatible apps and devices.

2.Patch monitoring
Once IT and security teams have a complete asset inventory, they can watch for available patches, track the patch status of assets, and identify assets that are missing patches.

3.Patch prioritization
Some patches are more important than others, especially when it comes to security patches.
IT and security teams use resources like threat intelligence feeds to pinpoint the most critical vulnerabilities in their systems. Patches for these vulnerabilities are prioritized over less essential updates.
Prioritization is one of the key ways in which patch management policies aim to cut downtime. By rolling out critical patches first, IT and security teams can protect the network while shortening the time resources spend offline for patching.

4.Patch testing
New patches can occasionally cause problems, break integrations, or fail to address the vulnerabilities they aim to fix. Hackers can even hijack patches in exceptional cases.
By testing patches before installing them, IT and security teams aim to detect and fix these problems before they impact the entire network.

5.Patch deployment
“Patch deployment” refers to both when and how patches are deployed.
Patching windows are usually set for times when few or no employees are working. Vendors’ patch releases may also influence patching schedules. For example, Microsoft typically releases patches on Tuesdays, a day known as “Patch Tuesday” among some IT professionals.
IT and security teams may apply patches to batches of assets rather than rolling them out to the entire network at once. That way, some employees can continue working while others log off for patching. Applying patches in groups also provides one last chance to detect problems before they reach the whole network.
Patch deployment may also include plans to monitor assets post-patching and undo any changes that cause unanticipated problems.

6.Patch documentation
To ensure patch compliance, IT and security teams document the patching process, including test results, deployment results, and any assets that still need to be patched. This documentation keeps the asset inventory updated and can prove compliance with cybersecurity regulations in the event of an audit.

Patch management solutions
Because patch management is a complex lifecycle, organizations often look for ways to streamline patching. Some businesses outsource the process entirely to managed service providers (MSPs). Companies that handle patching in-house use patch management software to automate much of the process.
Most patch management software integrates with common OSs like Windows, Mac, and Linux. The software monitors assets for missing and available patches. If patches are available, patch management solutions can automatically apply them in real-time or on a set schedule. To save bandwidth, many solutions download patches to a central server and distribute them to network assets from there. Some patch management software can also automate testing, documentation, and system rollback if a patch malfunctions.
Patch management tools can be standalone software, but they’re often provided as part of a larger cybersecurity solution.
With automated patch management, organizations no longer need to manually monitor, approve, and apply every patch. This can reduce the number of critical patches that go unapplied because users can’t find a convenient time to install them.