Some of the most common tools I've used in vulnerability management efforts include:
- Various databases (CMDB) of IT and software assets, such as ServiceNow
- Network discovery, reconnaissance, and footprinting tools like Nmap
- OSINT tools like Shodan and Maltego
- General vulnerability scanners, like Tenable Nessus and Enterprise, Rapid7 Nexpose, Qualys
- Interactive application proxies, like OWASP ZAP and Burp Suite
- Man-in-the-middle tools, like ettercap and mitm
- Dynamic Application Security Testing (DAST) tools like Fortify
- Protocol analysis tools like Wireshark and tcpdump
- Password crackers, like John the Ripper, rainbow tables, Medusa, and dictionary lists
- Phishing tools - mainly homebuilt, but also the Social Engineering Toolkit
- Common networking tools like net-snmp, nmbtool, arp, telnet, tracert, dig, netcat, ftp
- Issue trackers, like Jira
I began working with vulnerability management tooling and techniques back in 2005, as a security consultant with Info@Risk. While most client projects were more oriented toward penetration testing, many of the tools and techniques were the same. But, as with vulnerability management, many of these penetration testing engagements included components like working with IT, developers, and managed service providers to agree upon remediation steps and following up with testing to ensure remediations were successful.
The position I held as "Senior Ethical Hacking Analyst" with Jackson National Life Insurance for about two years was actually on the Vulnerability Management team. My role on the team focused on vulnerabilities in deployed software applications, but included servers, network infrastructure, and IoT (internet of things) devices as well. As a true vulnerability management function, I worked closely with other teams to ensure understanding and correct communication of risk to business processes and regulatory requirements, remediation approaches and timelines, as well as tracking and verification of the remediation efforts.
Prior to taking up the ethical hacking position, as Manager, Information Security Controls Program, I had also authored the security standards that governed how vulnerability management must be done. In this position I also led development of new databases of IT and software assets based on consolidation of existing data into more comprehensive inventories, contributing to enhanced coverage by vulnerability management processes.
Achievements are hard to measure in vulnerability management, since new vulnerabilities continue to emerge. Some areas where I've succeeded in reducing risk at Jackson include development of system baselines through identification of existing configurations and provision of feedback to configuration hardening efforts through measurement of compliance to required system baselines. At Zoom, I challenged requests from IT for exceptions to system hardening requirements, in coordination with the Vulnerability Management team. At Jackson, I provided assurance that vulnerability remediation and patching SLAs were properly followed by the IT teams responsible for those processes. Other useful metrics on which I made improvements for Jackson include the percentage of assets covered by vulnerability management processes and included in asset inventories.
- Windows desktop and server versions (previously certified as Microsoft Certified Systems Engineer, now lapsed)
- Linux - numerous flavors of desktops and servers, including Red Hat flavors, Debian and Ubuntu, Amazon Linux, AlmaLinux, and maybe a dozen others
- Commercial UNIX versions, including AIX, HP-UX, SCO, Solaris (certified Sun Competency 2000)
- macOS desktops and servers
- Mid-range and mainframe operating systems, like DEC (HP) OpenVMS, IBM OS/400 and OS/360
- IoT devices, like thin clients, phone systems, conferencing equipment, networked printers, and terminal servers
- Industrial control systems (SCADA and DCS)
- Physical security systems, like badge access readers, security cameras, DVRs
- Routers, switches, and firewalls from HP, Cisco, Juniper, WatchGuard, and numerous others
- Cloud environments, including AWS, Azure, GCP, and Kubernetes clusters
- Databases, including SQL, Oracle, DynamoDB, and proprietary databases