Chapter 18. Vulnerability Management

Contrary to what some vendors’ marketing materials would have us believe, a huge proportion of successful breaches do not occur because of complex zero-day vulnerabilities lovingly handcrafted by artisanal exploit writers. Although such attacks do happen, a lack of patching, failure to follow good practices for configuration, or neglect to change default passwords is to blame for a far larger number of successful attacks against corporate environments. Even those capable of deploying tailor-made exploits against your infrastructure will typically prefer to make use of these types of vulnerabilities.

Vulnerability management is the term used to describe the overall program of activities that oversees everything from vulnerability scanning and detection right through to remediation. An effective vulnerability management program raises the security of your network by identifying, assessing, and addressing potential flaws. 

Vulnerability assessment is a different discipline from penetration testing, typically carried out by different people; however, the two terms are often used interchangeably by those who are not aware of the differences. Unlike penetration testing, vulnerability assessment is automated or semiautomated, continuous, and less focused on bespoke systems and applications. Vulnerability assessment tools generally search for flaws such as missing patches, outdated software, common configuration errors, and default passwords. Vulnerability ...
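
To make the automated, inventory-driven side of vulnerability assessment concrete, here is an added example (not code from the Defensive Security Handbook or any vendor tool) that runs the checks described above over a small asset inventory and produces a prioritized remediation queue, which is the hand-off from detection to the remediation end of the vulnerability management program. Every package name, version baseline, configuration baseline, severity rating, hostname and patch identifier below is constructed for the demonstration; in a real program the baselines come from vendor advisories and a vulnerability feed, and the inventory from a scanner or configuration-audit agent.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed "minimum fixed version" baseline. In a real program this comes
# from vendor advisories or a vulnerability feed, not a hard-coded table.
MIN_FIXED_VERSION: Dict[str, str] = {
    "openssh": "9.6",
    "nginx": "1.25.3",
}

# Constructed secure-configuration baseline (setting -> expected value).
CONFIG_BASELINE: Dict[str, str] = {
    "ssh_password_auth": "no",
    "tls_min_version": "1.2",
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_version(version: str) -> tuple:
    """Turn '1.25.3' or '9.4p1' into a comparable tuple of ints.

    Only the leading digits of each dot-separated component are used, so a
    vendor suffix such as 'p1' does not break the comparison. Real packaging
    schemes (epochs, distro revisions) need the distro's own comparator.
    """
    parts = []
    for component in version.split("."):
        match = re.match(r"\d+", component)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


@dataclass
class Asset:
    hostname: str
    packages: Dict[str, str]       # package name -> installed version
    config: Dict[str, str]         # audited configuration values
    credential_state: str          # "default" or "rotated", from a config audit
    missing_patches: List[str] = field(default_factory=list)


@dataclass
class Finding:
    hostname: str
    category: str
    detail: str
    severity: str


def assess(asset: Asset) -> List[Finding]:
    """Identify the flaw classes named in the chapter on one asset."""
    findings: List[Finding] = []
    # Outdated software: installed version below the known fixed version.
    for pkg, installed in asset.packages.items():
        fixed = MIN_FIXED_VERSION.get(pkg)
        if fixed and parse_version(installed) < parse_version(fixed):
            findings.append(Finding(asset.hostname, "outdated-software",
                                    f"{pkg} {installed} is below fixed version {fixed}", "high"))
    # Common configuration errors: audited value differs from the baseline.
    for key, expected in CONFIG_BASELINE.items():
        actual = asset.config.get(key)
        if actual != expected:
            findings.append(Finding(asset.hostname, "configuration",
                                    f"{key}={actual!r}, baseline expects {expected!r}", "medium"))
    # Default passwords: the audit reports the credential was never rotated.
    if asset.credential_state == "default":
        findings.append(Finding(asset.hostname, "default-credentials",
                                "vendor default credentials still in place", "critical"))
    # Missing patches, as reported by the patch-status audit.
    for patch in asset.missing_patches:
        findings.append(Finding(asset.hostname, "missing-patch", patch, "high"))
    return findings


def prioritize(assets: List[Asset]) -> List[Finding]:
    """Assess every asset and order the findings for the remediation queue."""
    all_findings = [f for a in assets for f in assess(a)]
    return sorted(all_findings, key=lambda f: (SEVERITY_RANK[f.severity], f.hostname))


# Constructed inventory, as a configuration-audit agent might report it.
INVENTORY = [
    Asset("web01", {"nginx": "1.24.0", "openssh": "9.6"},
          {"ssh_password_auth": "no", "tls_min_version": "1.0"}, "rotated"),
    Asset("db01", {"openssh": "9.4p1"},
          {"ssh_password_auth": "yes", "tls_min_version": "1.2"}, "default",
          ["PATCH-PLACEHOLDER-0001"]),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY):
        print(f"[{f.severity:8}] {f.hostname}: {f.category} - {f.detail}")
```

The output is a queue, not a report: the point of the `prioritize` step is that findings are ordered by severity so the remediation side of the program works from the top. The version comparison is deliberately simple and is the place where a real implementation needs the most care, because a scanner that mis-parses version strings produces both false positives and, worse, silently missed outdated software.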

Get Defensive Security Handbook, 2nd Edition now with the O’Reilly learning platform.