Vulnerability management enables continuous identification and assessment of risks across your environment.
Vulnerability management is the process of identifying, evaluating, treating, and reporting on security vulnerabilities in systems and the software that runs on them. This, implemented alongside other security tactics, is vital for organizations to prioritize possible threats and minimize their attack surface.
Security vulnerabilities, in turn, refer to technological weaknesses that allow attackers to compromise a product and the information it holds. This process needs to be performed continuously in order to keep up with new systems being added to networks, changes that are made to systems, and the discovery of new vulnerabilities over time.
At the heart of a typical vulnerability management tool is a vulnerability scanner. The scan consists of four stages:
Vulnerability scanners are able to identify a variety of systems running on a network, such as laptops and desktops, virtual and physical servers, databases, firewalls, switches, printers, etc. Identified systems are probed for different attributes: operating system, open ports, installed software, user accounts, file system structure, system configurations, and more.
This information is then used to associate known vulnerabilities with the scanned systems. In order to perform this association, vulnerability scanners use a vulnerability and exploit database that contains a list of publicly known vulnerabilities.
Properly configuring vulnerability scans is an essential component of a vulnerability management solution. Vulnerability scanners can sometimes disrupt the networks and systems that they scan. If available network bandwidth becomes very limited during an organization's peak hours, then vulnerability scans should be scheduled to run during off hours.
If some systems on a network become unstable or behave erratically when scanned, they might need to be excluded from vulnerability scans, or the scans may need to be fine-tuned to be less disruptive. Adaptive scanning is a new approach to further automating and streamlining vulnerability scans based on changes in a network.
For example, when a new system connects to a network for the first time, a vulnerability scanner will scan just that system as soon as possible instead of waiting for a weekly or monthly scan to start scanning the entire network.
However, vulnerability scanners are no longer the only way to gather system vulnerability data. Endpoint agents allow vulnerability management tools to continuously gather vulnerability data from systems without performing network scans.
This helps organizations maintain up-to-date system vulnerability data whether, for example, employees' laptops are connected to the organization's network or to an employee's home network.
Regardless of how a vulnerability management solution gathers this data, it can be used to create reports, metrics, and dashboards for a variety of audiences.
After vulnerabilities are identified, they need to be assessed so the risks posed by them are dealt with appropriately and in accordance with an organization's vulnerability management program framework. Vulnerability management platforms will provide different risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. These scores are helpful in telling organizations which vulnerabilities they should focus on first, but the true risk posed by any given vulnerability depends on other factors beyond these out-of-the-box risk ratings and scores.
Like any security tool, vulnerability scanners aren't perfect. Their vulnerability detection false-positive rate, while low, is still greater than zero. Performing vulnerability validation with penetration testing tools and techniques helps weed out false positives so organizations can focus their attention on dealing with real vulnerabilities.
The results of vulnerability validation exercises or full-blown penetration tests can often be an eye-opening experience for organizations that thought they were secure enough, or that thought a given vulnerability wasn't that risky.
Once a vulnerability has been validated and deemed a risk, the next step is prioritizing how to treat that vulnerability together with the stakeholders of the business or network. There are different ways to treat vulnerabilities, including:
Vulnerability management solutions provide recommended remediation techniques for vulnerabilities. Occasionally a remediation recommendation isn't the optimal way to remediate a vulnerability; in those cases, the right remediation approach needs to be determined by an organization's security team, system owners, and system administrators. Remediation can be as simple as applying a readily available software patch or as complex as replacing a fleet of physical servers across an organization's network.
When remediation activities are completed, it's best to run another vulnerability scan to confirm that the vulnerability has been fully resolved.
However, not all vulnerabilities need to be fixed. For example, if an organization's vulnerability scanner has identified vulnerabilities in Adobe Flash Player on their computers, but they have completely disabled Adobe Flash Player from being used in web browsers and other client applications, then those vulnerabilities can be considered sufficiently mitigated by a compensating control.
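The assessment and treatment steps above (scanner score as a starting point, validation results weeding out false positives, compensating controls such as a disabled Adobe Flash Player) can be expressed as a small triage routine. The following is an added example, not InsightVM code or code from the original page; the score adjustments, the `DISABLED_COMPONENTS` control list and the sample findings are constructed assumptions for illustration.

```python
"""Context-aware triage of vulnerability scan findings (added example)."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Finding:
    asset: str
    vuln_id: str                      # placeholder identifier, not a real CVE
    component: str                    # software the finding is attributed to
    cvss: float                       # out-of-the-box score from the scanner
    internet_facing: bool
    validated: Optional[bool] = None  # True: confirmed, False: false positive, None: unverified


# Constructed: components the organization has disabled everywhere, i.e. a
# compensating control that makes findings against them acceptable risk.
DISABLED_COMPONENTS = {"adobe-flash-player"}


def triage(findings, disabled_components=DISABLED_COMPONENTS):
    """Return (status, priority, finding) tuples, highest priority first.

    false_positive - validation showed the scanner was wrong; no work needed
    mitigated      - a compensating control already neutralizes the finding
    remediate      - needs a fix; priority = CVSS adjusted by context (assumed weights)
    """
    result = []
    for f in findings:
        if f.validated is False:
            result.append(("false_positive", 0.0, f))
        elif f.component in disabled_components:
            result.append(("mitigated", 0.0, f))
        else:
            priority = f.cvss
            if f.internet_facing:
                priority += 2.0   # reachable by anyone: raise it
            if f.validated is True:
                priority += 1.0   # confirmed exploitable: no doubt it is real
            result.append(("remediate", min(priority, 10.0), f))
    result.sort(key=lambda r: r[1], reverse=True)
    return result


# Constructed scan output for illustration.
SAMPLE_FINDINGS = [
    Finding("laptop-17", "VULN-EX-1", "adobe-flash-player", 9.8, False, None),
    Finding("web-01", "VULN-EX-2", "openssh", 7.5, True, True),
    Finding("db-02", "VULN-EX-3", "postgresql", 8.1, False, None),
    Finding("print-03", "VULN-EX-4", "printer-firmware", 6.5, False, False),
]

if __name__ == "__main__":
    for status, priority, f in triage(SAMPLE_FINDINGS):
        print(f"{status:15} {priority:4.1f} {f.asset:10} {f.vuln_id} ({f.component})")
```

Note that the Flash finding carries the highest raw CVSS yet lands below the two remediation items, which is the page's point about out-of-the-box scores versus true risk.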
Performing regular and continuous vulnerability assessments enables organizations to understand the speed and efficiency of their vulnerability management program over time. Vulnerability management tools typically have different options for exporting and visualizing vulnerability scan data with a variety of customizable reports and dashboards.
Not only does this help IT teams easily understand which remediation techniques will help them fix the most vulnerabilities with the least amount of effort, or help security teams monitor vulnerability trends over time in different parts of their network, but it also helps support an organization's compliance and regulatory requirements.
A vulnerability management system can help automate this process. Such systems use a vulnerability scanner and sometimes endpoint agents to inventory a variety of systems on a network and find vulnerabilities on them.
Once vulnerabilities are identified, the risk they pose needs to be evaluated in different contexts so decisions can be made about how to best treat them. For example, vulnerability validation can be an effective way to contextualize the real severity of a vulnerability.
Generally, a vulnerability assessment is one portion of a complete vulnerability management program. Organizations will likely run multiple vulnerability assessments to get more information on their vulnerability management action plan.
Threats and attackers are constantly changing, just as organizations are constantly adding new mobile devices, cloud services, networks, and applications to their environments. With every change comes the risk that a new hole has been opened in your network, allowing attackers to slip in and walk away with your crown jewels.
Every time you gain a new partner, employee, client or customer, you open your organization up to new opportunities, but you also expose it to new vulnerabilities, exploits, and threats. Protecting your organization from these threats requires a vulnerability management solution that can keep up with and adapt to all of these changes. Without that, attackers will always be one step ahead.