Risk Assessment - Threat & Vulnerability Management standard

1. Introduction

The ISO/IEC 27002:2013 standard defines a vulnerability: as “A weakness of an asset or group of assets that can be exploited by one or more threats” (International Organization for Standardization, 2005).

Vulnerability management is the process in which vulnerabilities in IT are identified, and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization (e.g., in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization). The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning involves using a computer program to identify the network, computer infrastructure, or application vulnerabilities. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation, etc.

2. Purpose and Scope

This document is a security standard and, as such, describes security control requirements.
Detailed configuration and implementation requirements must be contained within
operational procedure and guidelines documentation.

This standard defines the controls relating to the management of threats & vulnerabilities.
That can potentially disrupt Resolver’s IT systems and business processes and compromise the confidentiality, integrity, and availability (CIA) of Resolver’s data and company reputation.
This standard also defines Resolver’s strategy and approach to routine vulnerability scanning
and penetration testing, plus a mandated remediation schedule.

This standard applies to all servers and infrastructure components that provide or support
Resolver IT services hosted inside the corporate network, third-party data center(s), or cloud
service provider(s); and extends to apps available via public app stores.

3. Audience

  • Information Technology (IT) Team.
  • DevOps Team (DevOps).
  • Informational Security (InfoSec) Team.
  • Development (R&D) Team.
  • Product Management (PM) Team.
  • Resolver’s 3rd parties, suppliers, and vendors

4. Reference documents

  • ISO/IEC 27001:2013 standard, clauses 6.1.2, 6.1.3, 8.2, 8.3 and control 12.6
  • ISO/IEC 27701:2019 standard clause 5.6.1
  • Information Security and Data Privacy Policy
  • Statement of Acceptance of ISMS documents
  • Resolver Risk Assessment Sheet

5. Objectives

The objective is to ensure a consistent, repeatable, and auditable approach for conducting threat and vulnerability management within the Resolver environments. This should be achieved regardless of the source of the threat or the platform in which a vulnerability is located.

6. Roles and responsibilities

  • Chief Informational Security Officer (CISO): The CISO is the owner and the main person in charge of the overall Vulnerability and Threat Management process.
  • Informational Security & Compliance Lead: The person in the role is responsible for overall monitoring and investigating detected vulnerabilities and providing the risk assessment (In collaboration with the asset owner) and mitigation steps.
  • IT System Engineer: The IT system engineer role is typically responsible for implementing remediating actions defined as a result of detected vulnerabilities for Resolver’s Corporate network-attached assets.
  • DevOps Engineers: The DevOps engineers are responsible for implementing remediating actions defined as a result of detected vulnerabilities for Resolver’s Hosted production environments.
  • Asset Owner: The asset owner is responsible for the IT asset that is scanned by the vulnerability management process. This role should decide whether identified vulnerabilities are mitigated or their associated risks are accepted.

7. Risk Assessment and Threats and Vulnerability Management Components

  • Assets Management
  • Building assets inventory
  • Categorizing assets into groups
  • Vulnerability Scan (Initial)
  • Risk Assessment
  • Consequences and likelihood
  • Remediating actions
  • Rescan
  • External penetration test
  • Continuous monitoring
  • Regular reviews of vulnerabilities risk assessment and risk treatment
  • Reports

8. Vulnerability Management Process Standards

The first step in risk assessment is the identification of all assets in the ISMS scope – i.e., of all assets which may affect confidentiality, integrity, and availability of information at Resolver. Assets may include documents in paper or electronic form, applications and databases, people, IT equipment, infrastructure, and external services/outsourced processes. When identifying assets, it is also necessary to identify their owners – the person or organizational unit responsible for each asset.

The next step is to identify all threats and vulnerabilities associated with each asset. Threats and vulnerabilities are identified using the catalogs included in the Risk Assessment Table. Every asset may be associated with several threats, and every threat may be associated with several vulnerabilities.

8.1. Assets Management

8.1.1. Build an asset inventory

  • It is difficult to properly address the inherent cybersecurity risk without an updated asset inventory.
  • Resolver’s networks should be scanned at least once a quarter in order to discover new systems.
  • The vulnerability assessment tool scans specified network subnets for assets in this step. Systems discovered during the scan are added to the asset inventory. This process helps to ensure that all systems are identified and patched accordingly.

8.1.2. Categorizing assets

Asset categories or groups are created from the asset inventory. Asset groups are used to scan specific assets, like Web Servers, File Servers, and Database Servers (rather than subnets). These categories also allow for vulnerability scan customization, addressing asset or business requirements, and assisting with assigning risk rankings.

8.2. Determining the risk owners

For each risk, a risk owner has to be identified – the person or organizational unit responsible for each risk. This person may or may not be the same as the asset owner.

8.3. Vulnerability Scanning (Initial)

  • There are two major aspects to vulnerability scanning – the scan and a report. The vulnerability scan tests and analyzes systems and services for known vulnerabilities. The scan comprises a list of scan options (ports, protocols, and network packet behavioral characteristics used for scanning) and assets. The report contains the prioritized list of vulnerabilities, vulnerability description, calculated risk, and remediation activities.

This standard provides requirements for the ongoing identification, prioritization, and remediation of vulnerabilities within the environment. All vulnerability management activities must align with the Common Vulnerability Scoring System Version 3.1 (CVSS v3.1).

·       All information system must be scanned regularly for known vulnerabilities

·       The maximum time period allowed between scans is one quarter.

·       Data sensitive systems containing highly confidential information (as per Information Asset Inventory) and systems hosting critical applications (according to data owner) must be scanned monthly.

·       All hosted production environments must be scanned monthly.

Information systems could be Hardware, Software, Appliances, IoT, Mobile, recording media (e.g., external storage) and include but are not limited to;

  • Network devices and systems include firewalls, Network Switches, Servers, NAS or SAN storage solutions, Wi-Fi Access points, Wi-Fi Routers, desktop workstations, laptop computers, printers, and IP telephones.
  • Mobile devices such as tablets and smartphones
  • Servers and web applications, ERP & SCM applications, and cloud-based applications
  • Client applications run on desktop workstations, laptop computers, and mobile devices.
  • System and software vulnerabilities associated with business applications, information systems, and network devices must be managed through scanning each of these for system and software vulnerabilities.

Patches must then be applied as per the defined patching processes described in Resolver Corporate Patch Management Policy.

8.3.1. Vulnerability scanning must be:

  • Restricted to a limited number of authorized individuals (e.g., using a dedicated account that is only used for vulnerability scanning)
  • Using approved and dedicated systems (e.g., using predetermined, static IP addresses)
  • Monitored (e.g., to identify misuse by authorized individuals or help detect unauthorized
    scanning).

The system and software vulnerability management process should be supported by performing vulnerability scans of critical and sensitive business applications, information systems, and network devices to help:

  • Identify system and software vulnerabilities that are present in business applications,
    information systems and network devices
  • Determine the extent to which business applications, information systems, and network
    devices are exposed to threats
  • Prioritize the remediation of vulnerabilities (e.g., using the vendor’s patch release schedule)
  • Provide a high-level view of vulnerabilities across the organization’s technical infrastructure (e.g., to make comparisons and identify trends).

8.3.2. Risk Assessment:

The calculated business risk prioritizes risks. Assets and asset groups are assigned a business criticality rating. When a vulnerability is discovered, the vulnerability assessment tool (CVSS v3.1) helps to calculate the business risk of an asset, together with the interviewing of asset owners and their evaluation of asset criticality.

The Remediation effort is subsequently prioritized on a risk basis.

For example, an Internet web server susceptible to a vulnerability granting administrative-level access should be remediated before an internal system requires a low-severity security patch.

8.3.3. Consequences/impact and likelihood

Once risk owners have been identified, it is necessary to assess the consequences for each combination of threats and vulnerabilities for an individual asset if such a risk materializes:

Table: Impact

Digital equivalent of the Impact raitingDescriptor of ImpactDefinition 
5Very HighCustomer data is very high-impact information and must be considered as an immediate high-risk impact.

Loss of confidentiality, availability, or integrity has considerable and/or immediate impact on the organization’s cash flow, operations, legal or contractual obligations, or its reputation.

·       No scenario planning performed

·       Lack of enterprise level/process level capabilities to address risks

·       Responses not implemented

·       No contingency or crisis management plans in place

4HighLoss of confidentiality, availability, or integrity has considerable and/or immediate impact on the organization’s cash flow, operations, legal or contractual obligations, or its reputation.

·       Scenario planning for key strategic risks performed

·       Low enterprise level/process level capabilities to address risks

·       Responses partially implemented or not achieving control objectives

·       Some contingency or crisis management plans in place

3MediumLoss of confidentiality, availability or integrity incurs costs and has a low or moderate impact on legal or contractual obligations, or the organization’s reputation.

·       Stress testing and sensitivity analysis of scenarios performed

·       Medium enterprise level/process level capabilities to address risks

·       Responses implemented and achieving objectives most of the time

·       Most contingency and crisis management plans in place, limited rehearsals

2LowLoss of confidentiality, availability, or integrity does not affect the organization’s cash flow, legal or contractual obligations, or its reputation.

·       Strategic options defined

·       Medium to high enterprise level/process level capabilities to address risks

·       Responses implemented and achieving objectives except under extreme conditions

·       Contingency and crisis management plans in place, some rehearsals

1Very LowLoss of confidentiality, availability, or integrity does not affect the organization’s cash flow, legal or contractual obligations, or its reputation.

·       Real options deployed to maximize strategic flexibility

·       High enterprise level/process level capabilities to address risks

·       Redundant response mechanisms in place and regularly tested for critical risks

·       Contingency and crisis management plans in place and rehearsed regularly

 

After the assessment of consequences, it is necessary to assess the likelihood of occurrence of such a risk, i.e. the probability that a threat will exploit the vulnerability of the respective asset:

Table: Likelihood

Digital
equivalent of the Likelihhod
Probability (Likelihood) ScaleAnnual Frequency or Expected Event Frequency in years. Probability in Next 5 yearsVerbal description of the applicable implemented controls.
5Very LikelyUp to once in 2 years or more (> 1 in 2) > 95%Existing security controls are low or ineffective. Such incidents have a high likelihood of occurring in the future.
4LikelyOnce in 2 years up to once in 5 years
(1 in 2 to 1 in 5)
 65%-96%Existing security controls are low or ineffective. Such incidents have a high likelihood of occurring in the future.
3MediumOnce in 5 years up to once in 20 years
(1 in 5 to 1 in 20)
 25%-65%Existing security controls are moderate and have mostly provided an adequate level of protection. New incidents are possible, but not highly likely.
2UnlikelyOnce in 20 years up to once in 100 years
(1 in 20 to 1 in 100)
5%-25%Existing security controls are strong and have so far provided an adequate level of protection. No new incidents are expected in the future.
1RemoteOnce in 100 years or less
(1 in 100)
 <5%Existing security controls are strong and have so far provided an adequate level of protection. No new incidents are expected in the future.

By entering the values of consequence and likelihood into the Risk Assessment Table, the level of risk is calculated automatically by adding up the two values. Existing security controls are to be entered in the last column of the Risk Assessment Table.

8.4. Vulnerability Risk Acceptance Criteria

Risk acceptance criteria are criteria used as a basis for decisions about acceptable risk.

  • CVSS v3.1 base scored severity level of 3.9 and lower risks are acceptable risks.
  • The ISMS team should assess each risk for its Consequences and likelihood on a weekly Change Control Committee and/or Monthly Security Review with the Development team’s leaders and/or Monthly DevOps Security Review meeting.
  • All risks with Attack Vectors, External Networks, and Confidentiality, Privacy, and Integrity, and Availability with impact High should be equated as Unacceptable risks and must be treated.

8.5 Cyber Security Risk Acceptance Criteria for In-house Developed Products

This section describes Product Level Cyber Risk acceptance criteria for in-house developed solutions and their hosting environments.

  • Cybersecurity risk should be assessed based on impact and likelihood of the risk (Ref. Sec 8.3.3 above).
  • Risk should be assessed for cost-benefit analysis, and only financially reasonable mitigation steps should be taken.
  • Raw Risk can be acceptable if the level is lower than 10.

8.6. Risk treatment / Remediating actions

8.6.1. Define responsibility

Once an asset is discovered, the vulnerability scan is done, and the risk assessment phase provides the criticality for business and priority, an appropriate task should be created for DevOps (Jira ticket) teams in order to:

  • Monitor the vulnerability remediation flow.
  • Evaluate the mitigation steps.
  • Compliance requirements

8.6.2. Vulnerability Remediation

In general, remediation could be done by the following four methods:

·       Installation of a software patch.

·       Adjustment of a configuration setting.

·       Removal of the affected software.

·       Implementation of compensation control.

These remediation targets are based on CVSS V3.1 and industry best practices (e.g., SANS, NIST).

Vulnerability Severity RatingCloud Hosted systemsCorporate externally exposed systemsCorporate internal system
Critical8 days8 days14 days
High8 days8 days30 days
Medium30 days30 days30 days
LowRisk assessment-based decision, but not later than 60 daysRisk assessment-based decision, but not later than 60 daysRisk assessment-based decision, but not later than 90 days

Critical Applications                                           
Critical applications must be regularly scanned for application logic vulnerabilities.
Note: A critical application is any system that, if compromised, would significantly impact business operations.

Zero-Day Vulnerabilities
Once a zero-day vulnerability becomes known, the relevant software must be updated according to the threat level and its relevance to Resolver (priority must be given in the next available window) when the relevant patch becomes available.
Anti-virus software definitions must be up-to-date on all relevant systems.

8.6.3. Patch Management

Patches must then be applied as per the defined patching processes described in Resolver Corporate Patch Management.

User Access Rights:

Ensuring users have access rights commensurate to one’s roles and responsibilities within the organization is a constant challenge, given the continuous user provisioning and the de-provisioning process undertaken, the numerous systems requiring access for such users, along with requests for changes and modifications in access rights.

  • Adhere to the least privilege or principle depends on system predestination.
  • “need to know.”
  • Utilize/Implement Role-Based Access control (RBAC), whereby users are granted permissions based on defined roles for specific systems.
  • Utilizing provisioning and de-provisioning documentation for onboarding and off-boarding all users, such as authorization and checklists, termination and checklists, etc.
  • Maintain password policy
  • Enforcing appropriate segregation of duties for users having access to company system resources.
  • Documented policy and procedure detailing the provisioning and de-provisioning for all users/roles accessing the company system resources.

Configuration Standards

Provisioning, hardening, securing, and locking down all critical system resources within Resolver’s environment is crucial for ensuring a baseline of information systems security, one that can be built upon over time by continuous monitoring and updating of such systems with security patches.

  • Configuration standards have been appropriately identified, reviewed, and approved by Information Security (InfoSec) team members.
  • Relevant and timely updated actual configuration standards documentation should be created – such as guides, checklists, scripts, policies, and other supporting hardening material should be provided.
  • All critical system resources within Resolver have been adequately provisioned, hardened, secured, and locked down according to the stated configuration documentation.

Network Architecture and Topology

Insecure network topology and weak security architectures – even if the system is properly secured and hardened – could cause a significant vulnerability for organizations.

Resolver’s network security architecture and supporting documentation should be created and follow the:

  • Various industry best practices standards like; “AWS Security Best Practices.”
  • Should implement a “Defense in Depth” approach described in the “Resolver System Description” document.

8.6.4. Removal of the affected software

Once an asset is discovered, the vulnerability scan is done, the risk assessment phase provides the criticality for business and priority, and you have all information from the asset owner, you may conclude it will be much simpler to avoid usage of the asset:

  • Uninstall all unnecessary packages
  • Uninstall all unnecessary OS Components.

E.g., FTP server running on your Web server. Uninstall the component and consider the installation of a separate server SFTP Virtual appliance.

8.6.5. Compensation control implementation

Since not all vulnerabilities could be patched, fixed or may require a disproportionate amount of time or resources and as a consequence, could not be implemented in the required time frame, we should be able to implement compensating controls, e.g.:

If some vulnerability scan discovers SQL injection on a Web server, we could configure a Web Application Firewall (WAF) to protect against the SQL injection until an application patch is available.

8.6.6. Malware Awareness

User awareness activities should include appropriate awareness relating to threats, viruses and
general malware. Through these training activities, End Users must be informed about the following:

  • Prevalence of malware and associated risks (e.g., unauthorized access to critical business
    applications, corruption of critical business information, or leakage of sensitive information)
  • Ways in which malware can install itself on computing devices
  • Common symptoms of malware infection (e.g., poor system performance, unexpected
    application behavior, sudden termination of an application).
  • Not installing software from untrusted sources, opening untrusted attachments, or clicking on suspicious or unknown hyperlinks within emails or documents.
    End users should be:

    • Advised to manually scan files when attaching portable storage devices or when receiving unknown or questionable files
    • Notified quickly of significant new malware-related risks (e.g., by email, freeware, or suspicious websites)

8.6.7. Malware Protection

A defense-in-depth approach is taken for malware protection covering networks to all applications, including email.
Malware protection software must be installed on systems that are exposed to malware, including:

  • Servers (e.g., servers that are at risk from malware, such as file and print servers, application servers, web servers, and database servers).
  • Computing devices (e.g., desktop computers and laptops).
  • Information systems that support or enable the organization’s critical infrastructure (e.g., embedded systems and industrial control systems where malware protection software is available.
  • Malware protection software should protect against all forms of malware (e.g., computer viruses, worms, Trojan horses, spyware, rootkits, botnet software, keystroke loggers, and adware).
  • Malware protection software should be distributed automatically and within defined timescales to reduce the likelihood of systems being exposed to the most recent malware (including those that are associated with ‘zero-day attacks).
  • A patch management process/procedure must exist for each protected asset, including those managed by third parties.
  • Malware protection software should be configured to scan:
    • The master boot record (MBR) of hard disk drives (a popular target for boot sector-infecting viruses).
    • Targeted files (including executables, image files such as JPEG, document formats such as Adobe PDF, and macro files in desktop software).
    • Protected files (e.g., compressed or password-protected files) where possible
    • portable storage media (e.g., CDs, DVDs, and USB storage devices) immediately upon loading or connection to computer equipment.
    • Network folders immediately upon being mounted/shared.
  • network traffic entering the corporate network (including email and downloads from the
    Internet).
  • Network traffic leaving the corporate network (including email attachments and shared
    documents).
  • Malware protection software should be configured to be active at all times (e.g., by scanning files as they are accessed to provide real-time protection or by being configured to be active at all times and to restart if stopped)
  • Perform scheduled scanning at predetermined times
  • provide a notification when suspected malware is identified (e.g., by producing an event log entry and providing an alert)
  • Disable and quarantine files suspected of containing malware (e.g., for further investigation)
  • Remove malware and any associated files immediately upon detection
  • Ensure that important settings cannot be disabled or functionality minimized.

8.6.8. Methods of Malware Detection to be used.

  • Signature-based anti-virus detection: This must be implemented by default.
  • Behavior-based malware detection: Where installed, behavior-based malware detection should be implemented.

8.6.9. Mobile devices

  • No BYOD connected to the Resolver’s networks (except Guest).
  • Encryption – devices must be encrypted.
  • Rooted/Jailbroken devices must be blocked.
  • Remote wipe – all devices must be able to be wiped remotely.
  • Password – suitable strength password policies must be enforced.

8.6.10. Security Event Logging

  • New systems deployed should be compatible with Logging Standard.

8.6.11. System and Network Monitoring

  • System and network activity should be monitored for potentially suspicious activity based on their criticality.

System/network monitoring activities should be conducted to help identify the following:

  • Unauthorized scanning of business applications, information systems, and networks.
  • Successful and unsuccessful attempts to access protected resources (e.g., DNS servers, web portals, and file shares).
  • Unauthorized changes to user accounts and access rights (to detect privilege escalation) The results of monitoring activities should be reviewed by the owners of business applications, information systems, and networks and presented to the business owners to whom services are provided.

8.6.12. Intrusion Detection

  • Network ingress/egress points must be monitored for malicious activity.
  • Any intrusion monitoring system must be configured with updated detection mechanisms as they become available.
  • Network intrusion detection systems should be installed and configured such that they are difficult to detect or attack.
  • Intrusion detection alerts must be monitored and responded to as appropriate.
  • Intrusion detection software should be:
    • updated automatically and within defined timescales (e.g., delivery of distribution attack signature files to intrusion detection sensors via a central management console)
    • configured to provide an alert when suspicious activity is detected
  • Suspected intrusions should be analyzed, and the potential business impact assessed. The initial analysis should include the following;
    • Confirming whether an attack is actually occurring (e.g., by eliminating false positives)
    • Determining the type of attack (e.g., worms, buffer overflows, or denial of service)
    • Identifying the original point of attack
    • Quantifying the possible impact of an attack.
    • The status of an attack should be assessed in terms of both scale and time elapsed since the start of the attack & since the detection of the attack.
      All attacks should be reported to infosec@resolver.com.

8.6.13. Configuration standard

Provisioning, hardening security, and locking down all critical system resources are crucial to ensure a baseline of information security and privacy.

All Information systems mentioned in the vulnerability scanning paragraph configuration:

  • Must follow vendor security configuration best practices if such exist.
  • If it does not exist, it must be securely configured
  • And must NOT use system configuration defaults, like a:
    • Users name
    • Password
    • Ports (if applicable)

8.6. Rescan

Follow-up remediation scan – confirms vulnerability addressed.

8.7. External Penetration testing

At least an annual external penetration test must be done, as per PCI DSS requirements and GDPR recommendations.

8.8. Continuous Monitoring

A Threat to Resolver’s company information systems landscape and all critical system resources is dynamic and persistent– creating enormous challenges for Resolver; this standard identified the significant purposes of vulnerability management and one of the critical components of the process; continuous monitoring.

  • Users Access Right: Periodic review of the entire user identity, provisioning, and access rights lifecycle, with findings, analysis, and recommendations reported to senior management within Resolver.
  • Configuration Standards: Periodic review of critical system resources for ensuring the applicable hardening is reported to senior management within Resolver.
  • Network Architecture and Topology: Periodic review of the entire Resolver security architecture to ensure a layered, Defense in Depth approach is being utilized, with findings, analysis, and recommendations reported to senior management within Resolver.
  • Vulnerability scanning:  Continues vulnerability scanning, as mentioned a few times in this document.

8.9. Report

Reports will be produced identifying compliance with the ongoing security activities defined in this standard and outlining detected security exceptions and incidents.

8.10. Regular reviews of risk assessment and risk treatment

Risk owners must review existing risks and update the Risk Assessment Table in line with newly identified risks. The review is conducted at least once a year (annually), or more frequently in the case of significant organizational changes, a significant change in technology, a change of business objectives, changes in the business environment, etc.

9. Exceptions

Exceptions to this document can only be granted in accordance with the Resolvers Information Security Department’s written approval.

10. Non-Conformance / Incident Reporting

Any failure to comply with this document or security incident that materializes relating to the
requirements within this document must be reported to the Resolver Information Technology Security Incident team by email at infosec@resolver.com.

11. Validity and document management

This document is valid as of August 2023.

The owner of this document is an Information Security Analyst who must check and, if necessary, update the document at least once a year.

When evaluating the effectiveness and adequacy of this document, the following criteria need to be considered:

  • The number of incidents arising from the unclear definition of the ISMS scope.
  • The number of corrective actions taken due to an inadequately defined ISMS scope.
  • The Time put in by employees implementing the ISMS to resolve dilemmas concerning the unclear scope.

EFFECTIVE ON: August 2023

REVIEW CYCLE: Annual at least and as needed