Log in

goodpods headphones icon

To access all our features

Open the Goodpods app
Close icon
Cyber Compliance & Beyond - 4 - Vulnerability Management

4 - Vulnerability Management

Cyber Compliance & Beyond

07/02/24 • 52 min

plus icon
bookmark
Share icon

Vulnerabilities are everywhere and on every IT asset within an organization. This makes vulnerability management one of the most important – if not the most important – risk mitigation activities an organization undertakes. But, the complexities inherent in many organizations combined with the sheer number of vulnerabilities leaves many not knowing where to even begin when it comes to vulnerability management. On today’s episode, we’ll demystify vulnerability management by defining some context, outlining an effective vulnerabilities management program, discussing potential challenges, tying it all to compliance, and decoupling vulnerability management from the inherent complexities.

Today’s guest is Andrew Overmyer, Security Assessor, subject matter expert, and general cybersecurity jack-of-all-trades at Kratos. During our conversation, we distill this often-nebulous concept into the concrete tenets necessary to build an effective program to drive vulnerability remediation efforts.

Resources:

· The Core Tenets of Vulnerability Management

o Asset Management: a tool or set of tools accompanied by a process that build and maintain an accurate asset inventory; an asset inventory must include but not be limited to network segments and IT assets across all types

o Patch Management: a tool or set of tools accompanied by a process that supports identifying and applying patches

o Vulnerability Scanning: a tool or set of tools accompanied by a process that support identifying vulnerabilities on IT assets; vulnerability scans must be run with credentials, to the greatest extent possible, to fully identify vulnerabilities present

o Compliance Scanning: a tool or set of tools accompanied by a process that support identifying misconfigurations on IT assets; misconfigurations are deviations from a defined baseline (e.g., Center for Internet Security benchmarks)

· Vulnerability Scanning Schedule

o Daily: Asset scans to identify assets on the network; these are not vulnerability scans, but rather simple scans to identify assets on the network

o Weekly: Vulnerability scans of all assets on the network

o Monthly: Compliance scans of all applicable assets on the network

· CVSS: Common Vulnerability Scoring System Version 4.0

· EPSS: Exploit Prediction Scoring System

· SSVC: Stakeholder-Specific Vulnerability Categorization

07/02/24 • 52 min

plus icon
bookmark
Share icon

Generate a badge

Get a badge for your website that links back to this episode

Select type & size
Open dropdown icon
share badge image

<a href="https://goodpods.com/podcasts/cyber-compliance-and-beyond-372459/4-vulnerability-management-59328120"> <img src="https://storage.googleapis.com/goodpods-images-bucket/badges/generic-badge-1.svg" alt="listen to 4 - vulnerability management on goodpods" style="width: 225px" /> </a>

Copy