CHAPTER 4Vulnerability Management


  • Managing vulnerabilities
  • OpenVAS
  • Continuous assessment
  • Remediation
  • Nexpose Community

I have years of vulnerability management experience. At first, it was theoretical when I was teaching at Louisiana State University. It became a more hands‐on role when I worked as an IT director for a small private school and then again when I worked for the U.S. Department of Defense (DoD) as a contractor. If you are planning to take any security certification exams—whether it's ISACA, ISC2, or CompTIA—you need to be aware that the management of the vulnerability lifecycle and risk is a key component on those exams.

Some ships are titanic, and some boats are small. Some boats, like a kayak, could represent your home network, while a Fortune 50 company would be more like the Queen Elizabeth II. The goal of both vessels is the same: Don't sink. If you have been tasked with vulnerability management, your task is the same: Don't sink.

Managing Vulnerabilities

As I mentioned earlier, you must know your environment better than an attacker and use that attacker's mind‐set in key controls to develop your security program. Now that you have all the open‐source tools to troubleshoot your network and you know what assets you have to protect, you have to be able to assess those assets for vulnerabilities. It is a cyclic endeavor, as shown in Figure 4.1.

Figure 4.1: The vulnerability management lifecycle

In the discovery phase, ...

Get Cybersecurity Blue Team Toolkit now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.