IT Vulnerability Management

IT vulnerability assessment or vulnerability management is a branch of IT security.

It is concerned with identifying, assessing, and addressing vulnerabilities in computer systems and software.

This post reviews some aspects regarding IT vulnerabilities.

You can read a more general introduction to cybersecurity on this post.

Vulnerability Identification

Attack surface is the number of all possible points, or attack vectors, where an unauthorized user can access a system and extract data. The smaller the attack surface, the easier it is to protect.

Some products like Microsoft Defender for Endpoint has Attack Surface Reduction (ASR) functionalities.

A vulnerability scanner tool helps a organization to identify scanners.

You can read an introduction to IT vulnerabilities, including a list of IT vulnerability databases, on this post.

Vulnerability Standards

There are some standards to manage and measure vulnerabilities.

Security Content Automation Protocol (SCAP)

Security Content Automation Protocol (SCAP) is issued by the National Institute of Standards and Technology (NIST).

Components:

  • CVE
  • CVSS
  • Common Configuration Enumeration (CCE)
  • Common Platform Enumeration (CPE)
  • Extensible3 Configuration Checklist Description Format (XCCDF)
  • Open Vulnerability and Assessment Language (OVAL)

Script Check Engine (SCE) is an extension to the SCAP protocol.

Vulnerability Exploitability Exchange (VEX)

A Vulnerability Exploitability Exchange (VEX) document contains machine-readable statements about the status of software vulnerabilities with respect to a software product.

OpenVEX is an open implementation of VEX by the OpenSFF project of the Linux Foundation. You can read an article about OpenVEX on this external link.

Vulnerability Scoring Systems

You can find a list of IT vulnerability scoring systems on this post.

The most popular one is CVSS.

Vulnerability Databases

You can find a full list of vulnerabilty databases on this post.

MITRE

MITRE Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types.

https://cwe.mitre.org/

CVEdetails.com

CVEdetails.com

Zero-Day Vulnerability Teams

This section lists some relevant teams within companies that are focused on finding and notifying to system owners zero-day vulnerabilites.

Zero-Day Vulnerability Teams featured on this post:

  • Google Project Zero
  • Trend Micro’s Zero Day Initiative

Google Project Zero

Project Zero is a team within by American company Google.

Official blog

Trend Micro’s Zero Day Initiative

Zero Day Initiative is an initiative by American company Trend Micro.

Official website

Vulnerability Assessment Tools

You can find vulnerability assessment tools for PC on this post.

You can find vulnerability assessment tools for mobile on this post.

You can find WiFi vulnerability scanning tools on this post.

AI Tools for Vulnerability Assessment

BurpGPT is a tool that uses ChatGPT for vulnerability assessment. You can find it on this external link.

Media related to IT & OT Security

You can find a list of media related to IT security on this post.

You can find a list of media related to OT security on this post.

You might also be interested in…

Leave a Reply

Your email address will not be published. Required fields are marked *