Vulnerability Management Presentation to Stakeholders

profileChye_aislyn06
Taylor-Melton_Memo.doc

MEMO

image1.jpg

February 2, 2021

April Taylor-Melton\CMIT 421

Greetings:

 

Overview

Vulnerability management is the practice of identifying, prioritizing, classifying, mitigating, and remediating software vulnerabilities. It is essential to identify the vulnerabilities in businesses systems and software and come up with effective mitigating strategies to reduce the risk of cyberattacks. In this case, a vulnerability management process for Mercury USA, will be provided. It will indicate the measures taken to reduce the risks of cyber threats and attacks. The vulnerability assessment software used in this case to provide the vulnerability report will be analyzed. That will help to identify whether it is effective. Recommendations on whether the company should use it will be given. Lastly, a business case example will be given. The business case example will identify the risks and threats that might occur if the business does not implement vulnerability assessment. 

Part 1: Vulnerability Management (VM) Process Recommendation 

Security vulnerabilities are the weaknesses that allow attackers to compromise a product or the information held. Thus, it raises the essence of vulnerability management. It is the process through which security vulnerabilities are identifying, evaluated, treated and reported. The vulnerability management process is divided into four processes. The processes are identifying the vulnerabilities, evaluating the vulnerabilities, treating the vulnerabilities, and reporting the vulnerabilities (Aleksic et al., 2017). Since Mercury USA is in the transport sector, the vulnerability management process is significant. It will enable the systems that the the company uses to be secure. It will also ensure that the company is secure as it carries on its transportation business. 

The vulnerability management system's scope will involve the company’s software systems and vessels of transport. That is because they will all be covered by the vulnerability management process. To plan the vulnerability management, the vulnerability management process's scope must first be identified. Thus, all the systems, software and vessels of transport used by the company must be involved in its vulnerability management plan. 

To identify the assets involved, an audit will be conducted on the company. That will help determine all the software, systems, and the vessels of transport that may be included in the vulnerability management process. Additionally, the audit will identify other significant assets in the company that might be involved in the vulnerability management test. 

The Open Vulnerability Assessment Scanner will be used to scan and assess the vulnerabilities. It is a software framework of several tools and services that offer vulnerability scanning and vulnerability management. It is a free software that has a high level of effectiveness. Thus, it will be used by the company to assess its vulnerabilities. The transport industry requires that the vulnerability tools to assess the vulnerabilities are approved scanning vendors. That minimizes the risks of using ineffective vulnerability assessment tools. The vulnerability assessment tools that are used should be licensed. In this case, the Open Vulnerability Assessment Scanner is licensed under the general public license. It is written in Nexus Attack Scripting Language, making it very effective. 

The desired frequency of scanning would be once monthly. That will ensure that there is regular vulnerability scanning in the company. Since the Open Vulnerability Assessment Scanner software is free, the company will not incur many expenses to assess the vulnerabilities. Thus, it is essential to assess the vulnerabilities frequently to avoid any cyber-attacks or threats that might occur due to unknown vulnerabilities. 

The report of the vulnerability scanning will be reported to the required authorities. They will be detailed to indicate any vulnerabilities that have been identified. It will also indicate the risks that the vulnerabilities expose the business to. Moreover, effective mitigation strategies will be identified.  

Part 2: Vulnerability Scanning Tool Evaluation and Recommendations

The tool used to scan the company and produce the report is Open Vulnerability Assessment Scanner. The software is open-source software that offers vulnerability scanning and vulnerability management. It is a free software and it is licensed under the general public license indicating that it meets the industry standards. It is written in the Nessus Attack Scripting Language. 

The OpenVAS software provided a comprehensive vulnerability assessment report. That indicates that the system may be used to effectively find the company's vulnerabilities (Rahalkar, 2019). One of the disadvantages that may arise is compatibility issues. Since it is an open-source software, it needs specialized drivers to be installed into its system. The overall impression about the software is that it is an effective software that may be utilized by the company. It identifies the vulnerabilities and indicates how the vulnerabilities may be used against the company by attackers. Thus, it will enable the analysts to correct the vulnerabilities. It can also be used to discern the most critical vulnerabilities since it also indicates the risks that result from the vulnerabilities. The report adequately covers the mitigation for the vulnerabilities. It indicates what should be done and how it should be done. 

The report's qualities make it effective to be used by the management. That is because it is a detailed report and it gives effective mitigation strategies. Thus, Mercury USA should use the tool to assess its vulnerabilities in the future. 

Part 3: Business Case Example  

If the recommendation is not implemented, the company may be exploited by remote attackers, thus leading to information disclosure from the server. To avoid that, the company should install the vendor's released updates to avoid such risks from occurring. OpenVAS would be adequate to identify such a vulnerability and identify the effective mitigation strategies that should be implemented.  

Closing  

The vulnerability management process should be carried out to identify the vulnerabilities so that effective strategies may be formulated to reduce the threats and risks that are exposed to the company. The OpenVAS software is an effective software to be used in vulnerability assessment by the company. That is because it provides a comprehensive report that includes the vulnerabilities identified, the risks they expose the business to, and the mitigation strategies that may be used. Considering that lack of implementing a vulnerability assessment software may lead to data loss and cyber attacks, the OpenVAS software should be implemented to identify the company's vulnerabilities.

Yours Sincerely.

April Taylor-Melton Cybersecurity Threat Analyst

Mercury USA

References

Aleksic, A., Puskaric, H., Tadic, D., & Stefanovic, M. (2017). Project management issues: vulnerability management assessment. Kybernetes.

"Chapter 5: Implementing an Information Security Vulnerability Management Process", Pearson CompTIA Cybersecurity Analyst (CySA+), 2020. [Online]. Available: https://www.ucertify.com/. [Accessed: 28- Apr- 2020].

Rahalkar, S. (2019). OpenVAS. In Quick Start Guide to Penetration Testing (pp. 47-71). Apress, Berkeley, CA.