In today’s rapidly evolving digital landscape, effective vulnerability management is crucial for organizations to protect their assets and maintain a robust security posture. “Effective Vulnerability Management: Managing Risk in the Vulnerable Digital Ecosystem” by Chris Hughes and Nikki Robinson provides valuable insights and practical strategies to help you navigate the complexities of vulnerability management.
Dive into this comprehensive guide to learn how you can proactively identify, assess, and mitigate vulnerabilities in your digital ecosystem. Discover the tools and techniques that will empower you to stay one step ahead of potential threats.
Table of Contents
- Genres
- Review
- Recommendation
- Take-Aways
- Summary
- Asset management is crucial in protecting against digital vulnerability.
- Companies need a continuous, automated patch management protocol.
- Individuals and firms should institute systems of digital regulations.
- Vulnerability management requires absolute vigilance and continuous monitoring (“ConMon”).
- Assign your vulnerabilities specific values so you can prioritize them.
- Cyber system attackers exploit numerous vulnerabilities.
- Use open-source information to determine threats.
- Human involvement is crucial in managing vulnerability.
- Leaders should construct their organizations with security in mind.
- About the Authors
Genres
Cybersecurity, Risk Management, Information Security, IT Governance, Threat Intelligence, Vulnerability Assessment, Penetration Testing, Incident Response, Security Automation, Compliance
“Effective Vulnerability Management” offers a holistic approach to managing vulnerabilities in the digital ecosystem. The authors provide a clear understanding of the vulnerability management lifecycle, from discovery and prioritization to remediation and reporting.
They emphasize the importance of establishing a risk-based framework that aligns with business objectives and regulatory requirements. The book covers key topics such as vulnerability scanning techniques, threat intelligence integration, patch management strategies, and the role of automation in streamlining vulnerability management processes.
It also addresses the human aspect of vulnerability management, highlighting the need for effective communication, collaboration, and stakeholder engagement.
Review
Chris Hughes and Nikki Robinson have created an invaluable resource for security professionals, IT managers, and executives seeking to enhance their vulnerability management practices. The book strikes a perfect balance between technical depth and practical guidance, making it accessible to readers with varying levels of expertise.
The authors’ extensive experience in the field shines through as they provide real-world examples, case studies, and actionable recommendations. The book’s structure is well-organized, allowing readers to easily navigate to the sections most relevant to their needs.
One of the standout features is the emphasis on aligning vulnerability management with business objectives, ensuring that security efforts are prioritized based on risk and impact. The authors also provide valuable insights into the latest trends and technologies in vulnerability management, such as the use of machine learning and AI for threat detection and prioritization.
While the book is comprehensive, some readers may find certain sections to be slightly technical. However, the authors do an excellent job of explaining complex concepts in a clear and concise manner.
Overall, “Effective Vulnerability Management” is a must-read for anyone responsible for securing digital assets and managing cyber risks. It provides a solid foundation for building a robust vulnerability management program and offers practical guidance for continuous improvement.
Recommendation
As of 2022, 60% of the world’s gross domestic product depended on digital technologies. Hence, many leaders worry about the possible impact of a “catastrophic cyber incident.” The crucial issue, cyber experts Chris Hughes and Nikki Robinson say, is managing your digital systems’ vulnerability to attack. Digital vulnerability emerged as a concern in US Department of Defense studies in the 1970s and is a daily issue now. In today’s internet-saturated business environment, people and organizations need to manage their digital vulnerability in advance of any problem or attack – just ask the US car dealerships who struggled through a calamitous summer 2024 ransomware attack.
Take-Aways
- Asset management is crucial in protecting against digital vulnerability.
- Companies need a continuous, automated patch management protocol.
- Individuals and firms should institute systems of digital regulations.
- Vulnerability management requires absolute vigilance and continuous monitoring (“ConMon”).
- Assign your vulnerabilities specific values so you can prioritize them.
- Cyber system attackers exploit numerous vulnerabilities.
- Use open-source information to determine threats.
- Human involvement is crucial in managing vulnerability.
- Leaders should construct their organizations with security in mind.
Summary
Asset management is crucial in protecting against digital vulnerability.
Digital environments all differ, but any “vulnerability management program” (VMP) must include digital asset management tailored to fit an organization’s needs. Each company’s supply of digital assets varies. For instance, it could include smartphones and laptops, a selection of applications, and software as a service (SaaS). In the past, an IT manager could handle digital asset management with a spreadsheet. However, standard asset management approaches can’t contend with today’s dynamic digital environment, which includes the use of cloud infrastructure and open-source applications and which faces serious threats, such as ransomware attacks and cybertheft.
“Without a modern approach to asset management, organizations have limited visibility of the hardware and software used by employees.”
Companies can use a variety of tools to manage their digital assets, potentially including inventories on the cloud, software that detects vulnerabilities, and configuration management software. Smaller firms might manage their assets manually – particularly their physical assets, such as servers and networking devices. But today’s digital workforce relies on multiple devices, which companies must manage and keep secure.
First, organizations must understand their digital assets and their vulnerabilities so they can assess the risks those vulnerabilities pose in an accurate, effective way and institute the necessary levels of security.
Companies need a continuous, automated patch management protocol.
Without a rigorous patch protocol, systems can fall out of date and become vulnerable for days and even weeks – which means an open window of time when disaster can strike.
Vintage vulnerabilities are vulnerabilities in existing, already installed patches. IT managers recognize that malicious hackers will exploit patch vulnerabilities, but most companies can deal with only one out of 10 new vulnerabilities each month.
“Despite all the industry buzz about the latest flashy zero-day vulnerability, malicious actors are regularly targeting ‘vintage vulnerabilities’.”
Many companies do not have the ability to patch vulnerabilities as they arise, though cybersecurity experts emphasize the importance of this capacity.
An effective patch management system establishes a pyramid of responsibilities. This pyramid includes operations people who handle maintenance and scheduled patching work, managers who determine procedures and conduct ongoing asset inventories, and IT people who handle applications, the cloud, mobile devices, and other platforms.
Your firm can execute patching manually, but automated patching is more efficient because it doesn’t demand the time and attention of skilled professionals. Automated systems address vulnerabilities as they arise. This keeps your overall digital function at full strength, a benefit for your workers and customers. However, automation may require additional employee training in managing patches, and some vulnerabilities may demand patches that are not yet in the system.
Individuals and firms should institute systems of digital regulations.
Some vulnerabilities inevitably accompany software and the various services available from the cloud. Other vulnerabilities arrive with particular software products and their specific configurations. Firms must adopt professionally designed regulatory guidelines that focus on instituting the best security practices. For examples of such guidelines, consult the Center for Internet Security (CIS) or the Cybersecurity Framework (CSF) of the National Institute of Standards and Technology (NIST).
“While cybersecurity headlines are often dominated by the latest zero-day or other notable vulnerability… The reality is that many significant data breaches have and will continue to be due to misconfigurations.”
A misconfiguration is an error or inadequacy within an information system that creates vulnerabilities. Misconfigurations occur for a number of reasons. For example, software and other applications may ship with insecure default configurations.
In addition, some services don’t sufficiently control access to vulnerable settings. Despite being aware of likely risks, many companies provide too many employees with unnecessary access privileges. They may fail to monitor their networks carefully, be unable to respond quickly to security or misconfiguration incidents, or, as noted, lack an effective patch management strategy.
Vulnerability management requires absolute vigilance and continuous monitoring (“ConMon”).
Vulnerability management cannot be an occasional activity. It must be ongoing and constant because assets and configurations change over time. New people join your organization, and others move from one job to another. When that happens, your company should adjust each employee’s internal privileges and permissions accordingly. Given the dynamics of a rapidly shifting workplace, new vulnerabilities continually emerge.
“Malicious actors…continuously seek…to identify vulnerabilities, exploit weaknesses, and compromise vulnerable systems, software, and products.”
Ongoing vulnerability management involves a number of steps. First – in a step many firms fail to take – set up a vulnerability management process capable of identifying your weaknesses. Determine what your organization will do when your team identifies these problems. Monitor and document the team’s approach to see how well your organization resolves issues as they arise.
Because vulnerabilities increase exponentially over time, firms must automate patch management and then perform automated vulnerability scans of both internal and external assets at regular intervals.
Assign your vulnerabilities specific values so you can prioritize them.
Objectively rating your vulnerabilities supports your staff members’ internal efforts to mitigate potential harm. Whether managers use quantitative or qualitative rankings, “vulnerability scoring” helps them prioritize their response to a vulnerability or possible data breach. Most firms institute the Common Vulnerability Scoring System (CVSS), which the Forum of Incident Response and Security Teams (FIRST) adopted in 2005.
“At its core, the aim of CVSS is to output a numerical score indicating the severity of a vulnerability among the broader collection of known vulnerabilities.”
After a number of version updates since its inception, CVSS is now at version 4.0. It divides vulnerability metrics into these four categories:
- Base – This score reflects the intrinsic properties of the digital environment at issue, and it doesn’t change.
- Threat – This estimates various hazards and their levels.
- Environmental – This catalogs the vulnerabilities that emerge due to the digital environment and its structure.
- Supplemental – This adds further aspects of a system’s vulnerability and provides context to increase the precision of your scoring. The Supplemental metric captures human factors, such as the vulnerability’s urgency and whether it could create a safety risk for the person using the system.
By itself, CVSS may not prioritize issues with perfect accuracy. The Exploit Prediction Scoring System (EPSS) enhances the CVSS by providing information on the likelihood that a cybercriminal will exploit a particular vulnerability. Even so, bad actors actually exploit only 2% to 7% of vulnerabilities.
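The prioritization the summary describes, pairing CVSS severity with EPSS exploitation likelihood and asset exposure, as an added worked example (not code from the book or its authors). The finding identifiers, scores and probabilities are constructed sample data, and the 0.1 EPSS threshold and the three remediation lanes are assumptions for illustration, not a published standard.

```python
"""Risk-based prioritisation that pairs CVSS severity with EPSS likelihood.

Added illustration, not from the book. Identifiers, scores and probabilities
are constructed sample data; the EPSS threshold and lanes are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    ident: str             # constructed placeholder, not a real CVE id
    cvss_base: float       # CVSS Base score, 0.0 to 10.0
    epss: float            # EPSS probability of exploitation, 0.0 to 1.0
    internet_facing: bool  # Environmental context taken from the asset inventory


def cvss_severity(score: float) -> str:
    """Qualitative severity band for a CVSS score (same bands in v3.x and v4.0)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


LANES = ("immediate", "scheduled", "backlog")


def lane(f: Finding, epss_threshold: float = 0.1) -> str:
    """Assign a remediation lane: EPSS decides whether exploitation is likely,
    CVSS severity and exposure decide how bad a successful exploit would be."""
    if not 0.0 <= f.epss <= 1.0:
        raise ValueError(f"EPSS probability out of range: {f.epss}")
    likely = f.epss >= epss_threshold
    sev = cvss_severity(f.cvss_base)
    if likely and (f.internet_facing or sev == "Critical"):
        return "immediate"
    if likely or sev in ("Critical", "High"):
        return "scheduled"
    return "backlog"


def prioritize(findings):
    """Order findings by lane, then exploitation likelihood, then severity."""
    return sorted(findings, key=lambda f: (LANES.index(lane(f)), -f.epss, -f.cvss_base))


# Constructed sample inventory: EXAMPLE-0001 has the highest CVSS score but a
# negligible EPSS probability, while EXAMPLE-0002 is only Medium severity yet
# is likely to be exploited on an exposed asset, so it ranks first.
SAMPLE = [
    Finding("EXAMPLE-0001", 9.8, 0.010, internet_facing=False),
    Finding("EXAMPLE-0002", 6.5, 0.620, internet_facing=True),
    Finding("EXAMPLE-0003", 7.5, 0.030, internet_facing=False),
    Finding("EXAMPLE-0004", 3.1, 0.004, internet_facing=True),
    Finding("EXAMPLE-0005", 9.1, 0.450, internet_facing=False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{lane(f):9s} {f.ident} CVSS={f.cvss_base:4.1f} "
              f"({cvss_severity(f.cvss_base)}) EPSS={f.epss:.3f}")
```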
Cyber system attackers exploit numerous vulnerabilities.
Cybercriminals can use older vulnerabilities to launch a cyberattack. If your organization continues to use older software within new infrastructures and technology, you could be creating vulnerabilities. Be aware that more than half of corporate vulnerabilities date back to 2016 or earlier.
“It’s absolutely possible for attackers to leverage older vulnerabilities to conduct critical vulnerability chaining attacks.”
In a vulnerability chaining attack, one vulnerability leads to others. Chaining can be “direct” or “indirect.” A direct vulnerability chaining attack might begin by circumventing a system’s authentication process. An indirect vulnerability chaining attack might begin with a stolen password. Any entry point opens multiple directions for attacks. Attackers move through a compromised system from application to application, exploiting vulnerabilities as they appear.
Use open-source information to determine threats.
Cybersecurity professionals use open-source information to assess the threat levels facing an organization. Intelligence teams investigate whether a system commonly features specific IP addresses, file types, or vulnerabilities. Then, they use this information to generate alerts, identify and block attacks, and bolster remediation efforts.
“It’s important to understand the various types of threat intelligence that are applicable to a Vulnerability Management Program.”
There are four types of threat intelligence to monitor.
- “Technical threat intelligence” assumes that an attack has taken place and that defenders can use evidence from the attack to find the perpetrator.
- “Tactical threat intelligence” surveys the methods a bad actor might use to initiate an attack, including malware, ransomware, phishing, and types of network scanning.
- “Strategic threat intelligence” gathers high-level information for leaders and policymakers. This data involves national and international regulations, plus regional, national, and international media, and information gleaned from social media.
- “Operational threat intelligence” collects information about bad actors’ incentives, motives, and methods.
Starting a threat intelligence program isn’t the same as creating and maintaining a vulnerability management program. Once a vulnerability management program is mature, companies can introduce threat intelligence to enhance it. Threat intelligence enables firms and individuals to sort and organize the cascade of vulnerabilities and helps a security team focus on resolving problems.
Human involvement is crucial in managing vulnerability.
In a world of advanced technologies and cybersecurity, everything still ultimately comes back to human beings and their psychological constitution. Yes, your company needs a vulnerability management program that makes use of many different tools, systems, and considerations – but your people will manage it, not your machines.
“Organizations can build better VMPs by understanding how their users as well as their IT and security practitioners interact with systems.”
“Human factors engineering” (HFE) takes human capacities and limitations into account when designing tools and other products, including digital systems. Digital tools interact with their users, so designers increasingly are embracing design principles that incorporate aspects of how people think. “Human factor security engineering” considers psychological factors in training cybersecurity experts.
Cyberattacks are increasing in frequency. As artificial intelligence (AI) enters common use, attacks are becoming more sophisticated. The education of cybersecurity professionals should include knowledge about human psychology to give them insights into cybercrime perpetrators. That understanding also can help them shape their own work schedules to avoid the fatigue and burnout common among IT and cybersecurity personnel.
Leaders should construct their organizations with security in mind.
Apart from managing vulnerabilities and threats, the cybersecurity world demands a fundamental shift in its approach and attitude toward a “secure-by-design/default software” mentality. Firms must incorporate security into their initial development of systems and software.
Modern organizations are drowning in a sea of vulnerabilities. One issue is that engineers tend to develop software and digital systems without incorporating security measures in the development stage. However, increased professional demand for secure products will change that approach, shift the market dynamic, and influence suppliers, who must build digital products that protect users against malicious cyber actors.
“We’ve also begun to see organizations face legal and regulatory ramifications for not producing secure systems and software as well as [for] failing to follow security best practices.”
Manufacturers must take responsibility for their products’ security outcomes. This calls for secure-by-design digital products that are secure out of the box and don’t require users to take additional security measures. However, at the same time, buyers must insist on transparency and accountability, and manage their companies to support and promote their security goals.
About the Authors
Chris Hughes, MBA, is an adjunct professor for MS Cybersecurity programs and a co-founder and President at Aquia. Nikki Robinson, MS, DSc, teaches graduate courses at Capitol Technology University and Touro College.