Management of technical vulnerabilities


ISO27002:2022 control 8.8 ‘Management of technical vulnerabilities’ (control 12.6.1 within ISO27002:2013) is a preventive control intended to prevent the exploitation of technical vulnerabilities. The control forms part of the security assessment and testing domain (CISSP Domain 6) and is concerned with notifying information security professionals of technical vulnerabilities that threaten the confidentiality, integrity and availability of company systems, which include but are not limited to:

  • On-premise, hybrid or cloud-based infrastructure (e.g. servers sitting in your company server room, servers hosted within third-party cloud hosting platforms such as Azure, AWS or Digital Ocean, or a mixture of both).
  • Third-party supplied software (everything from Microsoft Office to industry-specific specialist software).
  • Company-specific software or web applications that have been built in house, or by a third party, specifically for your business.
  • Database management systems.
  • Network or endpoint devices (e.g. laptops, wireless routers).

Vulnerability identification

Companies should maintain an accurate inventory of assets (see ISO27002:2022 control 5.9 and control 5.14) to enable them to conduct vulnerability management activity effectively through one or more of the following:

  • Network discovery scanning - Network discovery scanners do not actually probe systems for weaknesses but instead use a range of techniques (TCP SYN, TCP Connect, TCP ACK and Xmas scanning) to scan IP addresses looking for open network ports; the same open ports can allow malicious third parties to map company networks as a precursor to further malicious activity. The most common network discovery scanner is an open-source tool called Nmap, which has been well maintained for public consumption since its initial release in 1997.
  • Network vulnerability scanning - Network vulnerability scanners operate in a similar manner to network discovery scanners but identify the presence of known vulnerabilities in addition to detecting open ports. Qualys Cloud Platform is arguably the market-leading network vulnerability scanner; other popular tools include Invicti (formerly Netsparker), Zscaler and Rapid7 InsightVM.
  • Web vulnerability scanning - Web vulnerability scanners are becoming increasingly popular as web application development becomes more commonplace within companies of all sizes. These specialist tools probe web applications for known vulnerabilities and adopt a deeper-dive approach than the similar network vulnerability scanners. Whilst many network vulnerability scanners also provide web vulnerability scanning functionality (for example Qualys Cloud Platform), a large number of suppliers are available providing both open-source and paid Software-as-a-Service (SaaS) models. Popular open-source tools include Burp Suite, and paid tools include Pen-Test-Tools and OnSecurity.

It is highly recommended (and often a regulatory or contractual requirement) for companies to undertake penetration testing in addition to one or more of the above types of network discovery and vulnerability scanning. Penetration testing (sometimes referred to as ‘ethical hacking’) goes far beyond vulnerability scanning by employing a third-party CREST or CHECK accredited individual (or a suitably qualified individual within large enterprises) to try to defeat security controls and demonstrate flaws (within infrastructure, applications or both). Penetration testing adopts a phased approach (planning - information gathering and discovery - vulnerability scanning - exploitation - reporting) and professionals commonly utilise toolsets such as Metasploit and Kali Linux.

It is also recommended that companies with in-house developers / engineers additionally consider deploying Static Application Security Testing (SAST) software, which evaluates the security of software by analysing the source code (or compiled application) as it is developed.

To align with ISO27002:2022 control 8.8 ‘Management of technical vulnerabilities’, companies are also required to take the following additional steps to identify technical vulnerabilities:

  • Define and establish the roles and responsibilities associated with vulnerability management. This is best accomplished through the creation of a regularly reviewed ‘Vulnerability Management Policy’ or similar that details how vulnerabilities are identified, how they are scored, triaged and prioritised upon discovery, and how they are remediated. Many companies adopt the Common Vulnerability Scoring System (CVSS) and Common Vulnerabilities and Exposures (CVE) to score and classify vulnerabilities before triaging them for remediation.
  • Identify how inventories of assets (see ISO27002:2022 control 5.9 and control 5.14) are to be used to identify when hardware and software patching is required to mitigate publicly reported vulnerabilities. This can be achieved through software supplier email alerts, the monitoring of information security and IT news blogs, and vulnerability scanning.
  • Ensure that third-party suppliers / vendors utilise similar vulnerability management systems and, where appropriate, verify that patching has been successful.
  • Track the use of third-party libraries and source code for vulnerabilities.
  • Develop a Vulnerability Disclosure Policy or similar that allows third parties to contact the business and report identified vulnerabilities.

Vulnerability remediation

To align with ISO27002:2022 control 8.8 ‘Management of technical vulnerabilities’, companies are also required to take the following additional steps to address technical vulnerabilities:

  • Take appropriate and timely action to mitigate identified potential or actual vulnerabilities, where appropriate ensuring that such mitigation is conducted in accordance with change management (see ISO27002:2022 control 8.32 ‘Change management’) and information security incident response procedures (see ISO27002:2022 control 5.26 ‘Information security incident response procedures’).
  • Ensure that patches are only installed from legitimate, known sources and are tested within test (staging or UAT) environments before being deployed.
  • Ensure that vulnerabilities are addressed using a risk-based approach (high-risk vulnerabilities first) and put in place mechanisms to verify authenticity and remediation.
  • Procedures are to be put in place to detail what steps are to be taken where updates are not available to remediate identified vulnerabilities, e.g. turning off systems, applying workarounds, adding additional controls, increasing monitoring and logging, and/or raising staff awareness of the vulnerability.

Other vulnerability considerations

The following additional considerations should be made to ensure alignment with ISO27002:2022 control 8.8 ‘Management of technical vulnerabilities’:

  • An audit log should be maintained to track vulnerability remediation. This can be produced through a simple spreadsheet, through vulnerability and pentesting software or through specialist vulnerability tracking and remediation tools. 
  • Technical vulnerability responsibilities should be identified and documented during the procurement of Software-as-a-Service (SaaS) and other cloud services, through Service Level Agreements (SLAs) where appropriate, so that each party's responsibilities are clear.
  • Identified vulnerabilities should be added to risk registers where remediation cannot be tested prior to deployment and/or where remediation cannot be performed due to cost or other technical reasons.
  • Specialist patching software may be procured to automatically deploy patches to company systems without the intervention of staff. Similar software may be used by third-party vendors to automatically apply patches to company software.

Control Mapping
