WEBVTT

1
00:00:00.060 --> 00:00:01.320
<v Instructor>In this lesson,</v>

2
00:00:01.320 --> 00:00:04.440
we will learn about vulnerability management.

3
00:00:04.440 --> 00:00:08.220
Vulnerability management is the continuous process

4
00:00:08.220 --> 00:00:10.401
of identifying, assessing,

5
00:00:10.401 --> 00:00:13.710
and mitigating security vulnerabilities

6
00:00:13.710 --> 00:00:17.670
within an organization's systems and applications.

7
00:00:17.670 --> 00:00:20.160
Vulnerability management concepts

8
00:00:20.160 --> 00:00:23.610
include the Security Content Automation Protocol,

9
00:00:23.610 --> 00:00:25.380
or SCAP framework,

10
00:00:25.380 --> 00:00:30.360
and its associated Common Platform Enumeration, or CPE,

11
00:00:30.360 --> 00:00:34.140
Common Vulnerabilities and Exposures, or CVEs,

12
00:00:34.140 --> 00:00:39.140
and Common Vulnerability Scoring System, or CVSS, tools.

13
00:00:39.570 --> 00:00:41.700
Within the SCAP framework,

14
00:00:41.700 --> 00:00:46.290
Common Platform Enumeration provides a standardized way

15
00:00:46.290 --> 00:00:51.270
to identify applications, operating systems, and hardware,

16
00:00:51.270 --> 00:00:54.210
while Common Vulnerabilities and Exposures

17
00:00:54.210 --> 00:00:58.770
offers a unique identifier for each known vulnerability.

18
00:00:58.770 --> 00:01:02.580
Additionally, the Common Vulnerability Scoring System

19
00:01:02.580 --> 00:01:04.980
is used to assess the severity

20
00:01:04.980 --> 00:01:07.290
of identified vulnerabilities,

21
00:01:07.290 --> 00:01:11.760
enabling organizations to prioritize their response

22
00:01:11.760 --> 00:01:15.090
based on the potential vulnerability impact.

23
00:01:15.090 --> 00:01:16.140
Let's learn more

24
00:01:16.140 --> 00:01:20.070
about Common Platform Enumeration, or CPE,

25
00:01:20.070 --> 00:01:23.760
Common Vulnerabilities and Exposures, or CVE,

26
00:01:23.760 --> 00:01:28.760
and the Common Vulnerability Scoring System, or CVSS.

27
00:01:28.980 --> 00:01:33.870
First, we have Common Platform Enumeration, or CPE.

28
00:01:33.870 --> 00:01:37.890
The Security Content Automation Protocol, or SCAP,

29
00:01:37.890 --> 00:01:40.590
is a standardized framework for managing

30
00:01:40.590 --> 00:01:45.180
and communicating security information across organizations,

31
00:01:45.180 --> 00:01:46.980
and one of its components

32
00:01:46.980 --> 00:01:49.860
is the Common Platform Enumeration.

33
00:01:49.860 --> 00:01:54.860
CPE provides a consistent way to identify IT platforms,

34
00:01:55.710 --> 00:01:57.840
including hardware devices,

35
00:01:57.840 --> 00:02:01.080
operating systems, and applications.

36
00:02:01.080 --> 00:02:03.960
So within the SCAP standard,

37
00:02:03.960 --> 00:02:07.680
each platform is assigned a unique identifier

38
00:02:07.680 --> 00:02:10.500
in a specific machine-readable format,

39
00:02:10.500 --> 00:02:14.160
beginning with cpe: and a forward slash,

40
00:02:14.160 --> 00:02:16.320
and then followed by details

41
00:02:16.320 --> 00:02:20.760
such as a part type, application, operating system,

42
00:02:20.760 --> 00:02:24.510
hardware, vendor, product, and a version.

43
00:02:24.510 --> 00:02:28.410
This standardized format enables organizations

44
00:02:28.410 --> 00:02:32.670
to identify and classify their assets consistently,

45
00:02:32.670 --> 00:02:35.880
allowing them to apply the SCAP framework

46
00:02:35.880 --> 00:02:39.570
specifically to assets within their networks.

47
00:02:39.570 --> 00:02:44.570
Think of CPE as a universal ID tag for IT assets,

48
00:02:44.970 --> 00:02:49.920
much like barcodes are used in retail to identify products.

49
00:02:49.920 --> 00:02:54.000
Just as that barcode scan provides specific information

50
00:02:54.000 --> 00:02:59.000
about a product, CPE identifiers offer detailed information

51
00:02:59.670 --> 00:03:04.470
about a system's hardware, operating system, or application.

52
00:03:04.470 --> 00:03:09.240
This consistency and detail are essential for organizations

53
00:03:09.240 --> 00:03:12.600
to manage their IT resources effectively

54
00:03:12.600 --> 00:03:15.480
and respond swiftly to vulnerabilities

55
00:03:15.480 --> 00:03:18.270
that impact specific platforms.

56
00:03:18.270 --> 00:03:21.870
For instance, a vulnerability management tool

57
00:03:21.870 --> 00:03:26.400
like Tenable.io uses CPE identifiers

58
00:03:26.400 --> 00:03:28.770
to pinpoint specific platforms

59
00:03:28.770 --> 00:03:31.770
within an organization's infrastructure.

60
00:03:31.770 --> 00:03:34.350
When the tool detects a vulnerability

61
00:03:34.350 --> 00:03:38.220
related to a specific version of software or hardware,

62
00:03:38.220 --> 00:03:42.240
it can immediately cross-reference the CPE identifier

63
00:03:42.240 --> 00:03:46.050
in the environment to see which systems are affected.

64
00:03:46.050 --> 00:03:50.280
This helps security teams understand and prioritize

65
00:03:50.280 --> 00:03:54.210
which assets require updates or security patches,

66
00:03:54.210 --> 00:03:57.210
enabling efficient vulnerability management.

67
00:03:57.210 --> 00:03:59.370
Second, we have CVE.

68
00:03:59.370 --> 00:04:02.790
The Common Vulnerabilities and Exposures, or CVE,

69
00:04:02.790 --> 00:04:05.190
is another component of SCAP

70
00:04:05.190 --> 00:04:07.680
that provides a unique identifier

71
00:04:07.680 --> 00:04:09.810
for each known vulnerability.

72
00:04:09.810 --> 00:04:14.100
Each CVE entry includes a unique identifier

73
00:04:14.100 --> 00:04:17.970
starting with CVE, followed by the year of discovery,

74
00:04:17.970 --> 00:04:20.430
and then an identification number.

75
00:04:20.430 --> 00:04:22.980
So it might look like CVE-2017-0144.

76
00:04:26.640 --> 00:04:30.750
This CVE identifies a particular vulnerability,

77
00:04:30.750 --> 00:04:34.170
and when looked up, includes essential information,

78
00:04:34.170 --> 00:04:36.990
such as a description of the vulnerability,

79
00:04:36.990 --> 00:04:41.070
affected systems, and links to mitigation resources.

80
00:04:41.070 --> 00:04:44.820
CVEs are widely recognized as the global standard

81
00:04:44.820 --> 00:04:46.950
for cataloging vulnerabilities,

82
00:04:46.950 --> 00:04:50.550
making it easier for security teams to communicate

83
00:04:50.550 --> 00:04:53.430
and manage vulnerabilities efficiently.

84
00:04:53.430 --> 00:04:58.430
So the CVE database serves as a universal reference library

85
00:04:58.860 --> 00:05:02.790
for vulnerabilities, similar to a medical database

86
00:05:02.790 --> 00:05:05.640
cataloging diseases and treatments.

87
00:05:05.640 --> 00:05:09.930
Just as healthcare providers consult a medical database

88
00:05:09.930 --> 00:05:13.110
to diagnose and treat patients accurately,

89
00:05:13.110 --> 00:05:17.610
cybersecurity teams rely on CVEs to identify,

90
00:05:17.610 --> 00:05:21.270
assess, and remediate vulnerabilities efficiently,

91
00:05:21.270 --> 00:05:24.960
ensuring their systems are secure and up-to-date.

92
00:05:24.960 --> 00:05:29.550
For example, if a security tool detects CVE-2017-0144,

93
00:05:32.070 --> 00:05:34.800
it can automatically look up the information

94
00:05:34.800 --> 00:05:36.750
about this vulnerability,

95
00:05:36.750 --> 00:05:40.260
which affects certain versions of Microsoft Windows

96
00:05:40.260 --> 00:05:43.500
and is known as the EternalBlue vulnerability.

97
00:05:43.500 --> 00:05:48.500
This CVE was exploited by the WannaCry ransomware in 2017

98
00:05:49.320 --> 00:05:51.180
and can still be found

99
00:05:51.180 --> 00:05:54.210
on unpatched enterprise networks today.

100
00:05:54.210 --> 00:05:58.140
By checking the CVE database and implementing patches,

101
00:05:58.140 --> 00:06:02.370
organizations can mitigate the risk posed by vulnerabilities

102
00:06:02.370 --> 00:06:05.460
and protect their systems from exploitation.

103
00:06:05.460 --> 00:06:09.150
Third and last, we have CVSS.

104
00:06:09.150 --> 00:06:13.350
The Common Vulnerability Scoring System, or CVSS,

105
00:06:13.350 --> 00:06:15.300
is a component of SCAP

106
00:06:15.300 --> 00:06:19.950
that assigns a numerical severity score to vulnerabilities,

107
00:06:19.950 --> 00:06:24.120
allowing organizations to prioritize vulnerabilities

108
00:06:24.120 --> 00:06:26.010
based on impact.

109
00:06:26.010 --> 00:06:31.010
CVSS scores range from 0.0 to 10.0

110
00:06:31.740 --> 00:06:36.740
and are divided into categories such as none (0.0),

111
00:06:37.350 --> 00:06:42.350
low (0.1 to 3.9), medium

112
00:06:42.480 --> 00:06:47.480
(4.0 to 6.9), high (7.0 to 8.9),

113
00:06:48.540 --> 00:06:52.980
and critical (9.0 to 10.0).

114
00:06:52.980 --> 00:06:55.650
These scores provide a quick understanding

115
00:06:55.650 --> 00:06:58.500
of how serious a vulnerability is.

116
00:06:58.500 --> 00:07:01.170
A CVSS score reflects factors,

117
00:07:01.170 --> 00:07:04.620
such as how easily a vulnerability can be exploited,

118
00:07:04.620 --> 00:07:07.860
the impact on confidentiality and integrity,

119
00:07:07.860 --> 00:07:09.960
and the potential damage.

120
00:07:09.960 --> 00:07:12.450
By assigning a standardized score,

121
00:07:12.450 --> 00:07:17.450
CVSS enables organizations to make informed decisions

122
00:07:17.550 --> 00:07:20.820
on which vulnerabilities to address first.

123
00:07:20.820 --> 00:07:25.620
Think of CVSS as a risk thermometer for vulnerabilities,

124
00:07:25.620 --> 00:07:28.890
similar to a triage system in a hospital.

125
00:07:28.890 --> 00:07:32.400
Just as triage assigns priority to patients

126
00:07:32.400 --> 00:07:35.370
based on the urgency of their condition,

127
00:07:35.370 --> 00:07:39.060
CVSS prioritizes vulnerabilities

128
00:07:39.060 --> 00:07:41.400
based on their potential impact,

129
00:07:41.400 --> 00:07:45.810
helping organizations address the most critical issues first

130
00:07:45.810 --> 00:07:48.300
and maintain robust security.

131
00:07:48.300 --> 00:07:53.300
For example, a vulnerability with a CVSS score of 9.0

132
00:07:53.460 --> 00:07:56.670
or higher is classified as critical,

133
00:07:56.670 --> 00:08:00.030
signaling that it should be remediated immediately

134
00:08:00.030 --> 00:08:02.880
due to the higher risk of exploitation.

135
00:08:02.880 --> 00:08:07.230
A vulnerability with a lower score, such as 4.5,

136
00:08:07.230 --> 00:08:09.060
which is considered medium,

137
00:08:09.060 --> 00:08:12.030
might not need immediate attention.

138
00:08:12.030 --> 00:08:14.970
This approach allows security teams

139
00:08:14.970 --> 00:08:17.880
to allocate resources effectively,

140
00:08:17.880 --> 00:08:20.550
focusing first on vulnerabilities

141
00:08:20.550 --> 00:08:24.960
that pose the most significant risks to the organization.

142
00:08:24.960 --> 00:08:29.960
So remember, vulnerability management is an ongoing process

143
00:08:30.810 --> 00:08:33.000
of identifying, assessing,

144
00:08:33.000 --> 00:08:35.490
and addressing security weaknesses

145
00:08:35.490 --> 00:08:38.190
within an organization's systems.

146
00:08:38.190 --> 00:08:39.810
Key components include

147
00:08:39.810 --> 00:08:44.490
the Security Content Automation Protocol, or SCAP framework,

148
00:08:44.490 --> 00:08:49.200
which uses tools like Common Platform Enumeration, or CPE,

149
00:08:49.200 --> 00:08:53.100
Common Vulnerabilities and Exposures, or CVE,

150
00:08:53.100 --> 00:08:57.690
and the Common Vulnerability Scoring System, or CVSS,

151
00:08:57.690 --> 00:09:00.510
to streamline security efforts.

152
00:09:00.510 --> 00:09:05.510
CPEs provide standardized identifiers for IT assets,

153
00:09:05.910 --> 00:09:08.580
such as hardware and applications,

154
00:09:08.580 --> 00:09:13.050
making it easier to classify resources across networks.

155
00:09:13.050 --> 00:09:17.640
CVE assigns unique identifiers to known vulnerabilities,

156
00:09:17.640 --> 00:09:21.720
allowing organizations to quickly access information

157
00:09:21.720 --> 00:09:24.000
and remediation resources.

158
00:09:24.000 --> 00:09:29.000
Finally, CVSS scores rate the severity of vulnerabilities,

159
00:09:29.070 --> 00:09:34.070
helping teams prioritize actions based on potential impact.

