Vulnerability Management

A vulnerability is defined in the ISO 27002 standard as “A weakness of an asset or group of assets that can be exploited by one or more threats”.

Vulnerability Management (VM) is the process in which vulnerabilities in IT are identified and the risks of these vulnerabilities are evaluated. This evaluation leads to correcting the vulnerabilities and removing the risk or a formal risk acceptance by the management of an organization (e.g. in case the impact of an attack would be low or the cost of correction does not outweigh possible damages to the organization). The term vulnerability management is often confused with vulnerability scanning. Despite the fact both are related, there is an important difference between the two. Vulnerability scanning consists of using a computer program to identify vulnerabilities in networks, computer infrastructure or applications. Vulnerability management is the process surrounding vulnerability scanning, also taking into account other aspects such as risk acceptance, remediation etc.

VM Program Team

The UMIT ISO's VM Program Team conducts routine scans of devices connected to University of Miami Network resources to identify system and application vulnerabilities.


Why Do We Need Vulnerability Management?

The increasing growth of cyber-crime and the associated risks are forcing most organizations to focus more attention on information security. A vulnerability management process should be part of an organization’s effort to control information security risks. This process will allow an organization to obtain a continuous overview of vulnerabilities in their IT environment and the risks associated with them. Only by identifying and mitigating vulnerabilities in the IT environment can an organization prevent attackers from penetrating their networks and stealing information.

Today, most univeristies only see about 40% of their systems with their network scans. The Vulnerability Management Project can broaden our network scanning capabilities and introduce credential scanning for a deeper look into the layers of our network. It will also provide role-based reporting, identify security gaps and allow for remediation.


The VM Process

A vulnerability management process consists of five phases:

  1. Preparation
  2. Vulnerability scan
  3. Define remediating actions
  4. Implement remediating actions
  5. Rescan

We require all administrators of systems connected to UM networks to routinely review the results of vulnerability scans and evaluate, test and mitigate system and application vulnerabilities appropriately. Should an administrator identify a reported vulnerability as a potential false positive, tplease engage our office to verify. 


Remediaiton

While conducting university business on the UM network, vulnerabilities must be remediated. This includes technical vulnerabilities related to security configuration of devices, and security updates for the operating system and all software applications. Take steps as advised by the ISO VM Program Team to remediate the vulnerabilities identified.

Remediation may include one or more of the following:

  • patching or upgrading vulnerable software (plan should include testing the patch/upgrade)
  • replacing the vulnerable software with a different product
  • consolidating or moving to a more controlled environment
  • changing the system configuration: 
    • disabling or turning off the vulnerable service
    • disabling a specific vulnerable feature or capability within the service
  • setting, changing or using a more complex password
  • limiting access using a firewall or filter
  • increase monitoring to detect anomalies
  • raising awareness of the vulnerability with your users

Depending on the urgency with which the vulnerability needs to be addressed, the actions taken should be carried out as directed by the Information Security Office, according to university security policies (Network Vulnerability Scanning and Penetration Testing Procedure) and procedures, and other escalation processes. 


Request A Scan

To request the services of the Vulnerabiltiy Management Program, please submit a service ticket through the UMIT IT Service Management System (UService) and assigned it to Security Compliance. 

For assistance, please contact the UMIT Service Desk: