Vulnerabilities Databases and Asset Management
As Alexander V. Leonov has spent quite some time in the sector, his posts on the topic are usually enlightening. Even more so are the latest ones. He prepared a great visual of the registrars of vulnerabilities around and if you want to have a look at the full article, please do kindly go here.
The NIST has their own, like many other governments globally, and there are many aggregators around classifying, sorting and publishing the vulnerabilities CISOs and CIOs and their respective teams should be aware of. Then there are a number of different private organisations collecting and publishing dangerous vulnerabilities. I am taking the liberty to link to Alexander’s visualization:
The main issue in an organisation is, to turn that kind of information available into actionable recommendations. Once the info is out there, rest assured someone will try to use it against your organisation.
Tools to check and test abound, but red-teaming/blue-teaming approaches may not be an option for a cash-limited SME, school, or associations and clubs.
This type of organisation is also prone to be lost when it comes to knowing which assets they actually have (being modified over time both in hardware components as well as in software).
Or, in other words, a suitable asset register is missing. Even if there is a great analysis done to the assets on the estate at a certain point in time, the computers might evade being remedied for a number of reasons:
- Asset-Management missing
- change of vendors during life-cycle of the assets
- change of organisation during the life cycle
- change of focus in the organisation and economic struggles
- fluctuation in the IT department
- assets being changed in location, or assignment to employees
Hence, having the information does not imply remediating the vulnerabilities.
Not to mention, that having an updated registry of assets every now and then can mean a lot of difference.
It might make much more sense to check in to a service provider which performs the asset – registration (HW, Software, licenses) on a regular schedule and combines the resulting asset-register with the information from vulnerability-checking in a suitable, actionable dashboard.