
Is an Effective Vulnerability Management Program in Your Future?

December 01, 2016

The sad truth about penetration tests is that they almost always succeed in demonstrating dramatic security events. Even junior assessors can start from minimal access, below what most employees have, and obtain domain administrator credentials for an internal corporate network. Typically, they accomplish this within a few days of arriving in an office environment they have never seen before. Sadder still, they can do all of this with a limited set of attack techniques.

However, some organizations are more resistant to conventional attack methodologies than others. Some companies gather vulnerability data on a regular basis, make informed decisions based on that data and assign responsibility for remediation. A functional vulnerability management program can mean the difference between long periods of pleasantly uneventful productivity and a catastrophic compromise by an attacker of limited to moderate skill.

Optiv has created a white paper that outlines a general structure to guide organizations wishing to create their own vulnerability management programs. Based on analysis of successful programs from leading companies, this document spells out the components at a high-level and lays out some of the lessons learned from the evaluation and implementation of these programs.

Vulnerability Management

Anyone wishing to make informed decisions about their company’s security can benefit from the kind of program that this white paper outlines. Although not all companies have these programs in place, the ones that do tend to have far fewer surprises after penetration tests and compliance audits. They also, presumably, face fewer realized threats from actual attackers. The intent of this white paper is to guide security administrators in the beginning phases of the process of creating a fully realized vulnerability management program.

For clarity, this document breaks vulnerability management down into three parts. First, data acquisition covers the components, such as conventional vulnerability scanners and web application scanners, that collect vulnerability and compliance data from across the enterprise. Second, the white paper discusses information storage and analysis technologies, such as security information and event management (SIEM) solutions, along with vulnerability classification and weighting. Finally, it covers accountability engines, which organize and drive remediation efforts.

Administrators wishing to enhance their own security programs can use this framework as a model for future efforts. In addition to detecting and remediating critical vulnerabilities, these programs offer added benefits, including support for compliance with internal policies and externally mandated standards such as the Payment Card Industry Data Security Standard (PCI DSS). Gathering mundane information, such as the presence of or support for weak or outdated communications protocols (e.g., Telnet), may not be anyone's primary goal, but the same technology these programs rely on yields related policy and compliance benefits. Not only can a working vulnerability management program save an organization from security incidents, it can also promote compliance by showing administrators where non-compliance exists.
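To make the "classification and weighting" and "accountability" stages concrete, here is a small added example of what sits between a scanner export and a remediation ticket. It is illustration only, not code from the white paper or from Optiv: the finding format, the scoring bonuses, the SLA table, the owner groups and the sample findings (including the Telnet policy hit mentioned above) are all assumed for this example.

```python
"""Added example: context-weighted prioritization plus an accountability queue.

Everything here (finding format, weights, SLAs, owner groups, sample data)
is an assumption made for illustration, not the white paper's method.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample of normalised findings, as a data-acquisition layer
# might emit them after merging host and web-application scan results.
SAMPLE_FINDINGS = [
    {"host": "10.0.1.10", "owner_group": "dba", "internet_facing": False,
     "title": "Unsupported database server version", "cvss": 7.5,
     "exploit_public": True, "category": "vulnerability"},
    {"host": "203.0.113.5", "owner_group": "web", "internet_facing": True,
     "title": "Reflected XSS in search parameter", "cvss": 6.1,
     "exploit_public": False, "category": "vulnerability"},
    {"host": "203.0.113.9", "owner_group": "web", "internet_facing": True,
     "title": "Remote code execution in outdated web framework", "cvss": 9.8,
     "exploit_public": True, "category": "vulnerability"},
    # A policy/compliance hit: no CVSS score, but it still needs an owner.
    {"host": "10.0.2.20", "owner_group": "netops", "internet_facing": False,
     "title": "Telnet service enabled (tcp/23)", "cvss": 0.0,
     "exploit_public": False, "category": "policy"},
]

# Weighting rules (assumed): how much environmental context raises a
# finding above its raw scanner score.
INTERNET_FACING_BONUS = 2.0
PUBLIC_EXPLOIT_BONUS = 1.5
POLICY_FINDING_SCORE = 4.0   # fixed weight for configuration/policy hits
MAX_SCORE = 10.0

# Remediation deadline in days per severity band (assumed values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

FOUND_ON = date(2016, 12, 1)  # scan date for the sample run


@dataclass(frozen=True)
class Ticket:
    host: str
    title: str
    owner: str
    score: float
    severity: str
    due: date
    compliance: bool


def weight(finding):
    """Context-adjusted risk score for one normalised finding."""
    if finding["category"] == "policy":
        return POLICY_FINDING_SCORE
    score = finding["cvss"]
    if finding["internet_facing"]:
        score += INTERNET_FACING_BONUS
    if finding["exploit_public"]:
        score += PUBLIC_EXPLOIT_BONUS
    return min(round(score, 1), MAX_SCORE)


def severity(score):
    """Map a weighted score onto the SLA bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def prioritize(findings, found_on):
    """Turn findings into tickets with an owner and a due date, worst first."""
    tickets = []
    for f in findings:
        s = weight(f)
        sev = severity(s)
        tickets.append(Ticket(
            host=f["host"], title=f["title"], owner=f["owner_group"],
            score=s, severity=sev,
            due=found_on + timedelta(days=SLA_DAYS[sev]),
            compliance=(f["category"] == "policy")))
    return sorted(tickets, key=lambda t: (-t.score, t.due))


def remediation_queue(tickets):
    """Accountability view: tickets grouped by the team that owns the fix."""
    queue = {}
    for t in tickets:
        queue.setdefault(t.owner, []).append(t)
    return queue


def overdue(tickets, today):
    """Tickets whose SLA has lapsed as of `today`."""
    return [t for t in tickets if t.due < today]


if __name__ == "__main__":
    for owner, items in remediation_queue(prioritize(SAMPLE_FINDINGS, FOUND_ON)).items():
        print(f"== {owner} ==")
        for t in items:
            tag = " [compliance]" if t.compliance else ""
            print(f"  {t.severity:8} {t.score:4.1f} due {t.due}  {t.host}  {t.title}{tag}")
```

The point of the weighting step is that two findings with the same scanner score do not carry the same risk: an internet-facing host with a public exploit should be at the top of the queue, while a cleartext-protocol policy hit that no scanner would score still needs a named owner and a deadline so that it does not quietly persist until the next audit.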



By: John Ventura

Practice Manager, Research
