Vulnerability Management
Pre-Checks
Scanning
Change Control
Remediation
Analyse Vulnerability Scans
Tools
Commercial
Open source
Network Vulnerabilities
Virtual Environment Vulnerabilities
Host Vulnerabilities
False Positives
Exceptions
Vulnerability Rating
Web Vulnerabilities
Cloud server vulnerabilities
Type of scan
Authenticated
Non-authenticated
Agent based scans
DNS
Internal IP exposure
SSL and TLS
VPN
Updates
Endpoints
ICS and SCADA
Servers
Virtual Guest Concern
Virtual Network Concern
Virtual host patching
VM Escaping
Admin interface access
PaaS
SaaS
IaaS
Other 3rd party vendor
1.) Sync remediation and maintenance schedule
- Scheduling an emergency maintenance window for critical findings.
2.) Choose a risk-based remediation - Scan the important assets first.
3.) Scheduling - Set a sensible scanning schedule
4.) Installation and Configuration of tools - Configure tools based on the requirements.
- Configure to avoid too many false positives.
5.) Define Business Risk - Categorize business assets based on risk.
- Rank groups of assets based on importance.
6.) Training - Continuous learning. Online courses
7.) Know the resources - Understand what the environment is.
- Know the assets.
- Know who is responsible for those assets.
8.) No Hoarding - Explain the seriousness of the findings.
9.) Document Everything - Everybody knows what to do.
10.) Who's who? - Who is the contact person for a specific problem.