Identification of Vulnerability – Tell Me What You See
A corporate security program has many components. History has proven that an organization's vulnerability management program is not only one of those components, but a critical one. For the past 30 years, one of the most common recommendations from security assessments has been for organizations to establish and maintain an effective vulnerability management program.
Simply put, if you can reduce the number of high-impact vulnerabilities in your environment, you can reduce overall risk to your business.
Reducing risk is a good thing. But it is not always easy, and in fact it can be a complex problem.
In order to reduce that complexity, Evolve Security has designed and implemented Darwin Attack, and integrated it into our penetration testing services. Darwin Attack was designed to help Evolve Security communicate with clients, enable clients to access more timely and accurate information about discovered vulnerabilities, and manage remediation of those vulnerabilities in an efficient manner – all with the objective to reduce organizational risk.
When assessing results of a penetration test, organizations need to answer some questions to fix the identified issues in an efficient manner.
1. What am I fixing?
2. How important is the fix?
3. How do I actually fix it?
The “fixes” will be managed by your vulnerability management solution. That solution obviously starts with finding vulnerabilities to which the organization is exposed – the vulnerability or penetration assessment. That process includes the output of identified vulnerabilities – a description of what was found – what you are fixing.
This can’t just include a list of Common Vulnerabilities and Exposures (CVEs) and affected systems. The provided information needs to include enough detail that the organization can prioritize and remediate the identified vulnerabilities.
To that end, Darwin simplifies the process of identifying vulnerabilities discovered as part of a contracted test. Like most assessments, Evolve includes a PDF report on all findings. But Evolve also enters all vulnerabilities into the Darwin portal. Vulnerability information tracked in Darwin includes:
1. Vulnerability CVE – the number assigned to vulnerabilities to track them as unique entities
2. Vulnerability description – common language description of the vulnerability with context for the environment in which it was observed
3. Criticality of the vulnerability (Common Vulnerability Scoring System – CVSS score) – the raw CVSS score on a 1-10 scale, commonly used to represent severity
4. Criticality of the vulnerability in common language severity (Critical, Serious, Medium) – simplified representation of severity score to group vulnerabilities by related impact
5. Affected system(s) – the organization-supplied description of the affected system(s) by IP address, domain or asset name
6. Recommended remediation – including links to available patches, patch instructions, and mitigating controls
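The six fields above map naturally onto a small record type. The following is an added example (not Darwin Attack's own code) that validates the CVE identifier and CVSS score of each finding, derives the common-language severity from the score, and orders findings for remediation; the severity cut-offs (9.0 and 7.0) and the sample findings are assumptions, since the post names the labels but not the thresholds.

```python
import re
from dataclasses import dataclass, field

# CVE ids have the form CVE-YYYY-NNNN (four or more digits after the year).
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Assumed cut-offs for the post's three severity labels (not stated on the page).
SEVERITY_BANDS = (("Critical", 9.0), ("Serious", 7.0), ("Medium", 0.0))


def cvss_to_severity(score: float) -> str:
    """Map a raw CVSS score to the simplified severity label."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for label, floor in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "Medium"


@dataclass
class Finding:
    cve: str
    description: str
    cvss: float
    affected: list          # IP addresses, domains or asset names
    remediation: str        # patch link, patch steps or mitigating control
    severity: str = field(init=False)

    def __post_init__(self):
        if not CVE_RE.match(self.cve):
            raise ValueError(f"malformed CVE id: {self.cve}")
        self.severity = cvss_to_severity(self.cvss)


def prioritize(findings):
    """Highest CVSS first; ties broken by how many assets are affected."""
    return sorted(findings, key=lambda f: (-f.cvss, -len(f.affected), f.cve))


def by_severity(findings):
    """Group CVE ids under their severity label, as a portal view would."""
    groups = {}
    for f in findings:
        groups.setdefault(f.severity, []).append(f.cve)
    return groups


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0003", "outdated TLS configuration", 4.3, ["10.0.0.9"], "disable legacy ciphers"),
    Finding("CVE-0000-0001", "unauthenticated remote code execution", 9.8, ["10.0.0.5"], "apply vendor patch"),
    Finding("CVE-0000-0004", "missing rate limiting on login", 7.5, ["10.0.0.8"], "enable lockout policy"),
    Finding("CVE-0000-0002", "SQL injection in search form", 7.5, ["app.internal.example", "10.0.0.7"], "parameterize queries"),
]
```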
Darwin is designed to include everything the organization needs to know to effectively manage each vulnerability, including prioritization and remediation recommendations. To this end, the feed in the Darwin Attack portal may include video evidence of a vulnerability: what was found and how it was found. In the event a particularly critical vulnerability is identified, our Offensive Security Services team will proactively escalate the finding to your organization during the assessment.
The organization does not need to wait for a published report to start processing vulnerabilities. The Darwin Attack platform functions as a collaboration portal, enabling the organization to start considering the impact of vulnerabilities without waiting for the final report. All vulnerabilities will be included in the platform, with the most complete and timely information available, enabling the organization to act faster on accurate information.
As with many elements of an effective security program, “information” is key – an organization that has comprehensive vulnerability data related to its environment can make informed decisions about managing these risks.