{"product_id":"effective-vulnerability-management-isbn-9781394221202","title":"Effective Vulnerability Management","description":"\u003cp\u003e\u003cb\u003eInfuse efficiency into risk mitigation practices by optimizing resource use with the latest best practices in vulnerability management\u003c\/b\u003e \u003c\/p\u003e\u003cp\u003eOrganizations spend tremendous time and resources addressing vulnerabilities to their technology, software, and organizations. But are those time and resources well spent? Often, the answer is no, because we rely on outdated practices and inefficient, scattershot approaches. \u003ci\u003eEffective Vulnerability Management\u003c\/i\u003e takes a fresh look at a core component of cybersecurity, revealing the practices, processes, and tools that can enable today's organizations to mitigate risk efficiently and expediently in the era of Cloud, DevSecOps and Zero Trust. \u003c\/p\u003e\u003cp\u003eEvery organization now relies on third-party software and services, ever-changing cloud technologies, and business practices that introduce tremendous potential for risk, requiring constant vigilance. It's more crucial than ever for organizations to successfully minimize the risk to the rest of the organization's success. This book describes the assessment, planning, monitoring, and resource allocation tasks each company must undertake for successful vulnerability management. And it enables readers to do away with unnecessary steps, streamlining the process of securing organizational data and operations. It also covers key emerging domains such as software supply chain security and human factors in cybersecurity. 
\u003c\/p\u003e\u003cul\u003e \u003cli\u003eLearn the important difference between asset management, patch management, and vulnerability management and how they need to function cohesively\u003c\/li\u003e \u003cli\u003eBuild a real-time understanding of risk through secure configuration and continuous monitoring\u003c\/li\u003e \u003cli\u003eImplement best practices like vulnerability scoring, prioritization and design interactions to reduce risks from human psychology and behaviors\u003c\/li\u003e \u003cli\u003eDiscover new types of attacks like vulnerability chaining, and find out how to secure your assets against them\u003c\/li\u003e \u003c\/ul\u003e \u003cp\u003e\u003ci\u003eEffective Vulnerability Management\u003c\/i\u003e is a new and essential volume for executives, risk program leaders, engineers, systems administrators, and anyone involved in managing systems and software in our modern digitally-driven society. \u003c\/p\u003e\u003cp\u003eForeword xvii\u003c\/p\u003e \u003cp\u003eIntroduction xix\u003c\/p\u003e \u003cp\u003e\u003cb\u003e1 Asset Management 1\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003ePhysical and Mobile Asset Management 3\u003c\/p\u003e \u003cp\u003eConsumer IoT Assets 4\u003c\/p\u003e \u003cp\u003eSoftware Assets 5\u003c\/p\u003e \u003cp\u003eCloud Asset Management 6\u003c\/p\u003e \u003cp\u003eMulticloud Environments 7\u003c\/p\u003e \u003cp\u003eHybrid Cloud Environments 7\u003c\/p\u003e \u003cp\u003eThird-Party Software and Open Source Software (OSS) 9\u003c\/p\u003e \u003cp\u003eThird-Party Software (and Risk) 10\u003c\/p\u003e \u003cp\u003eAccounting for Open Source Software 11\u003c\/p\u003e \u003cp\u003eOn-Premises and Cloud Asset Inventories 11\u003c\/p\u003e \u003cp\u003eOn-Premises Data Centers 12\u003c\/p\u003e \u003cp\u003eTooling 13\u003c\/p\u003e \u003cp\u003eAsset Management Tools 13\u003c\/p\u003e \u003cp\u003eVulnerability Scanning Tools 14\u003c\/p\u003e \u003cp\u003eCloud Inventory Management Tools 15\u003c\/p\u003e 
\u003cp\u003eEphemeral Assets 16\u003c\/p\u003e \u003cp\u003eSources of Truth 17\u003c\/p\u003e \u003cp\u003eAsset Management Risk 18\u003c\/p\u003e \u003cp\u003eLog4j 18\u003c\/p\u003e \u003cp\u003eMissing and Unaccounted-for Assets 19\u003c\/p\u003e \u003cp\u003eUnknown Unknowns 20\u003c\/p\u003e \u003cp\u003ePatch Management 21\u003c\/p\u003e \u003cp\u003eRecommendations for Asset Management 22\u003c\/p\u003e \u003cp\u003eAsset Manager Responsibilities 22\u003c\/p\u003e \u003cp\u003eAsset Discovery 23\u003c\/p\u003e \u003cp\u003eGetting the Right Tooling 24\u003c\/p\u003e \u003cp\u003eDigital Transformation 25\u003c\/p\u003e \u003cp\u003eEstablishing and Decommissioning Standard Operating Procedures 26\u003c\/p\u003e \u003cp\u003eSummary 27\u003c\/p\u003e \u003cp\u003e\u003cb\u003e2 Patch Management 29\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eFoundations of Patch Management 29\u003c\/p\u003e \u003cp\u003eManual Patch Management 30\u003c\/p\u003e \u003cp\u003eRisks of Manual Patching 31\u003c\/p\u003e \u003cp\u003eManual Patching Tooling 32\u003c\/p\u003e \u003cp\u003eAutomated Patch Management 34\u003c\/p\u003e \u003cp\u003eBenefits of Automated vs Manual Patching 35\u003c\/p\u003e \u003cp\u003eCombination of Manual and Automated Patching 36\u003c\/p\u003e \u003cp\u003eRisks of Automated Patching 37\u003c\/p\u003e \u003cp\u003ePatch Management for Development Environments 38\u003c\/p\u003e \u003cp\u003eOpen Source Patching 38\u003c\/p\u003e \u003cp\u003eNot All Software Is Equal 39\u003c\/p\u003e \u003cp\u003eManaging OSS Patches Internally 39\u003c\/p\u003e \u003cp\u003eResponsibilities of Infrastructure vs Operations Teams 40\u003c\/p\u003e \u003cp\u003eWho Owns Patch Management? 
41\u003c\/p\u003e \u003cp\u003eSeparation of Duties 42\u003c\/p\u003e \u003cp\u003eTools and Reporting 43\u003c\/p\u003e \u003cp\u003ePatching Outdated Systems 43\u003c\/p\u003e \u003cp\u003eEnd-of-Life Software 44\u003c\/p\u003e \u003cp\u003eUnpatched Open Source Software 45\u003c\/p\u003e \u003cp\u003eResidual Risk 46\u003c\/p\u003e \u003cp\u003eCommon Attacks for Unpatched Systems 47\u003c\/p\u003e \u003cp\u003ePrioritizing Patching Activities 48\u003c\/p\u003e \u003cp\u003eRisk Management and Patching 49\u003c\/p\u003e \u003cp\u003eBuilding a Patch Management Program 50\u003c\/p\u003e \u003cp\u003ePeople 50\u003c\/p\u003e \u003cp\u003eProcess 51\u003c\/p\u003e \u003cp\u003eTechnology 51\u003c\/p\u003e \u003cp\u003eSummary 52\u003c\/p\u003e \u003cp\u003e\u003cb\u003e3 Secure Configuration 53\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eRegulations, Frameworks, and Laws 53\u003c\/p\u003e \u003cp\u003eNSA and CISA Top Ten Cybersecurity Misconfigurations 54\u003c\/p\u003e \u003cp\u003eDefault Configurations of Software and Applications 55\u003c\/p\u003e \u003cp\u003eImproper Separation of User\/Administrator Privilege 57\u003c\/p\u003e \u003cp\u003eInsufficient Internal Network Monitoring 57\u003c\/p\u003e \u003cp\u003eLack of Network Segmentation 58\u003c\/p\u003e \u003cp\u003ePoor Patch Management 58\u003c\/p\u003e \u003cp\u003eBypass of System Access Controls 60\u003c\/p\u003e \u003cp\u003eWeak or Misconfigured Multifactor Authentication Methods 60\u003c\/p\u003e \u003cp\u003eLack of Phishing-Resistant MFA 61\u003c\/p\u003e \u003cp\u003eInsufficient Access Control Lists on Network Shares and Services 61\u003c\/p\u003e \u003cp\u003ePoor Credential Hygiene 61\u003c\/p\u003e \u003cp\u003eUnrestricted Code Execution 62\u003c\/p\u003e \u003cp\u003eMitigations 62\u003c\/p\u003e \u003cp\u003eDefault Configurations of Software Applications 63\u003c\/p\u003e \u003cp\u003eImproper Separation of User\/Administration Privilege 64\u003c\/p\u003e \u003cp\u003eInsufficient 
Network Monitoring 64\u003c\/p\u003e \u003cp\u003ePoor Patch Management 64\u003c\/p\u003e \u003cp\u003eWrapping up the CIS Misconfigurations Guidance 65\u003c\/p\u003e \u003cp\u003eCIS Benchmarks 65\u003c\/p\u003e \u003cp\u003eDISA Security Technical Implementation Guides 66\u003c\/p\u003e \u003cp\u003eSummary 68\u003c\/p\u003e \u003cp\u003e\u003cb\u003e4 Continuous Vulnerability Management 69\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eCIS Control 7—Continuous Vulnerability Management 70\u003c\/p\u003e \u003cp\u003eEstablish and Maintain a Vulnerability Management Process 70\u003c\/p\u003e \u003cp\u003eEstablish and Maintain a Remediation Process 71\u003c\/p\u003e \u003cp\u003ePerform Automated Operating System Patch Management 71\u003c\/p\u003e \u003cp\u003ePerform Automated Application Patch Management 72\u003c\/p\u003e \u003cp\u003ePerform Automated Vulnerability Scans of Internal Enterprise Assets 73\u003c\/p\u003e \u003cp\u003ePerform Automated Vulnerability Scans of Externally Exposed Enterprise Assets 73\u003c\/p\u003e \u003cp\u003eRemediate Detected Vulnerabilities 74\u003c\/p\u003e \u003cp\u003eContinuous Monitoring Practices 74\u003c\/p\u003e \u003cp\u003eSummary 77\u003c\/p\u003e \u003cp\u003e\u003cb\u003e5 Vulnerability Scoring and Software Identification 79\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eCommon Vulnerability Scoring System 79\u003c\/p\u003e \u003cp\u003eCVSS 4.0 at a Glance 80\u003c\/p\u003e \u003cp\u003eBase Metrics 84\u003c\/p\u003e \u003cp\u003eExploitability Metrics 84\u003c\/p\u003e \u003cp\u003eThreat Metrics 86\u003c\/p\u003e \u003cp\u003eEnvironmental Metrics 88\u003c\/p\u003e \u003cp\u003eSupplemental Metrics 89\u003c\/p\u003e \u003cp\u003eQualitative Severity Rating Scale 91\u003c\/p\u003e \u003cp\u003eVector String 92\u003c\/p\u003e \u003cp\u003eExploit Prediction Scoring System 92\u003c\/p\u003e \u003cp\u003eEPSS 3.0—Prioritizing Through Prediction 92\u003c\/p\u003e \u003cp\u003eEPSS 3.0 94\u003c\/p\u003e \u003cp\u003eMoving 
Forward 95\u003c\/p\u003e \u003cp\u003eStakeholder-Specific Vulnerability Categorization 97\u003c\/p\u003e \u003cp\u003eCISA SSVC Guide 99\u003c\/p\u003e \u003cp\u003eDecision Tree Example 106\u003c\/p\u003e \u003cp\u003eSoftware Identification Formats 107\u003c\/p\u003e \u003cp\u003eCommon Platform Enumeration 108\u003c\/p\u003e \u003cp\u003ePackage URL 110\u003c\/p\u003e \u003cp\u003eSoftware Identification Tags 110\u003c\/p\u003e \u003cp\u003eCommon Weaknesses and Enumerations 112\u003c\/p\u003e \u003cp\u003eSummary 114\u003c\/p\u003e \u003cp\u003e\u003cb\u003e6 Vulnerability and Exploit Database Management 115\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eNational Vulnerability Database (NVD) 115\u003c\/p\u003e \u003cp\u003eSonatype Open Source Software Index 118\u003c\/p\u003e \u003cp\u003eOpen Source Vulnerabilities 119\u003c\/p\u003e \u003cp\u003eGitHub Advisory Database 120\u003c\/p\u003e \u003cp\u003eExploit Databases 121\u003c\/p\u003e \u003cp\u003eExploit-DB 122\u003c\/p\u003e \u003cp\u003eMetasploit 122\u003c\/p\u003e \u003cp\u003eGitHub 122\u003c\/p\u003e \u003cp\u003eSummary 123\u003c\/p\u003e \u003cp\u003e\u003cb\u003e7 Vulnerability Chaining 125\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eVulnerability Chaining Attacks 125\u003c\/p\u003e \u003cp\u003eExploit Chains 127\u003c\/p\u003e \u003cp\u003eDaisy Chains 128\u003c\/p\u003e \u003cp\u003eVendor-Released Chains 129\u003c\/p\u003e \u003cp\u003eMicrosoft Active Directory 129\u003c\/p\u003e \u003cp\u003eVMware vRealize Products 130\u003c\/p\u003e \u003cp\u003eiPhone Exploit Chain 130\u003c\/p\u003e \u003cp\u003eVulnerability Chaining and Scoring 131\u003c\/p\u003e \u003cp\u003eCommon Vulnerability Scoring System 132\u003c\/p\u003e \u003cp\u003eEPSS 132\u003c\/p\u003e \u003cp\u003eGaps in the Industry 133\u003c\/p\u003e \u003cp\u003eVulnerability Chaining Blindness 134\u003c\/p\u003e \u003cp\u003eTerminology 135\u003c\/p\u003e \u003cp\u003eUsage in Vulnerability Management Programs 136\u003c\/p\u003e 
\u003cp\u003eThe Human Aspect of Vulnerability Chaining 138\u003c\/p\u003e \u003cp\u003ePhishing 138\u003c\/p\u003e \u003cp\u003eBusiness Email Compromise 139\u003c\/p\u003e \u003cp\u003eSocial Engineering 140\u003c\/p\u003e \u003cp\u003eIntegration into VMPs 141\u003c\/p\u003e \u003cp\u003eLeadership Principles 142\u003c\/p\u003e \u003cp\u003eSecurity Practitioner Integration 142\u003c\/p\u003e \u003cp\u003eIT and Development Usage 143\u003c\/p\u003e \u003cp\u003eSummary 144\u003c\/p\u003e \u003cp\u003e\u003cb\u003e8 Vulnerability Threat Intelligence 145\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eWhy Is Threat Intel Important to VMPs? 145\u003c\/p\u003e \u003cp\u003eWhere to Start 146\u003c\/p\u003e \u003cp\u003eTechnical Threat Intelligence 146\u003c\/p\u003e \u003cp\u003eTactical Threat Intelligence 147\u003c\/p\u003e \u003cp\u003eStrategic Threat Intelligence 148\u003c\/p\u003e \u003cp\u003eOperational Threat Intelligence 149\u003c\/p\u003e \u003cp\u003eThreat Hunting 150\u003c\/p\u003e \u003cp\u003eIntegrating Threat Intel into VMPs 151\u003c\/p\u003e \u003cp\u003ePeople 151\u003c\/p\u003e \u003cp\u003eProcess 152\u003c\/p\u003e \u003cp\u003eTechnology 153\u003c\/p\u003e \u003cp\u003eSummary 154\u003c\/p\u003e \u003cp\u003e\u003cb\u003e9 Cloud, DevSecOps, and Software Supply Chain Security 155\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eCloud Service Models and Shared Responsibility 156\u003c\/p\u003e \u003cp\u003eHybrid and Multicloud Environments 158\u003c\/p\u003e \u003cp\u003eContainers 159\u003c\/p\u003e \u003cp\u003eKubernetes 165\u003c\/p\u003e \u003cp\u003eServerless 169\u003c\/p\u003e \u003cp\u003eDevSecOps 170\u003c\/p\u003e \u003cp\u003eOpen Source Software 174\u003c\/p\u003e \u003cp\u003eSoftware-as-a-Service 182\u003c\/p\u003e \u003cp\u003eSystemic Risks 183\u003c\/p\u003e \u003cp\u003eSummary 186\u003c\/p\u003e \u003cp\u003e\u003cb\u003e10 The Human Element in Vulnerability Management 187\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eHuman Factors 
Engineering 189\u003c\/p\u003e \u003cp\u003eHuman Factors Security Engineering 191\u003c\/p\u003e \u003cp\u003eContext Switching 191\u003c\/p\u003e \u003cp\u003eVulnerability Dashboards 193\u003c\/p\u003e \u003cp\u003eVulnerability Reports 194\u003c\/p\u003e \u003cp\u003eCognition and Metacognition 196\u003c\/p\u003e \u003cp\u003eVulnerability Cognition 197\u003c\/p\u003e \u003cp\u003eThe Art of Decision-Making 197\u003c\/p\u003e \u003cp\u003eDecision Fatigue 198\u003c\/p\u003e \u003cp\u003eAlert Fatigue 199\u003c\/p\u003e \u003cp\u003eVolume of Vulnerabilities Released 199\u003c\/p\u003e \u003cp\u003eRequired Patches and Configurations 200\u003c\/p\u003e \u003cp\u003eVulnerability Management Fatigue 201\u003c\/p\u003e \u003cp\u003eMental Workload 202\u003c\/p\u003e \u003cp\u003eIntegration of Human Factors into a VMP 202\u003c\/p\u003e \u003cp\u003eStart Small 203\u003c\/p\u003e \u003cp\u003eConsider a Consultant 204\u003c\/p\u003e \u003cp\u003eSummary 205\u003c\/p\u003e \u003cp\u003e\u003cb\u003e11 Secure-by-Design 207\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eSecure-by-Design\/Default 208\u003c\/p\u003e \u003cp\u003eSecure-by-Design 209\u003c\/p\u003e \u003cp\u003eSecure-by-Default 210\u003c\/p\u003e \u003cp\u003eSoftware Product Security Principles 211\u003c\/p\u003e \u003cp\u003ePrinciple 1: Take Ownership of Customer Security Outcomes 211\u003c\/p\u003e \u003cp\u003ePrinciple 2: Embrace Radical Transparency and Accountability 214\u003c\/p\u003e \u003cp\u003ePrinciple 3: Lead from the Top 216\u003c\/p\u003e \u003cp\u003eSecure-by-Design Tactics 217\u003c\/p\u003e \u003cp\u003eSecure-by-Default Tactics 218\u003c\/p\u003e \u003cp\u003eHardening vs Loosening Guides 218\u003c\/p\u003e \u003cp\u003eRecommendations for Customers 219\u003c\/p\u003e \u003cp\u003eThreat Modeling 220\u003c\/p\u003e \u003cp\u003eSecure Software Development 222\u003c\/p\u003e \u003cp\u003eSSDF Details 223\u003c\/p\u003e \u003cp\u003ePrepare the Organization (PO) 223\u003c\/p\u003e 
\u003cp\u003eProtect Software (PS) 225\u003c\/p\u003e \u003cp\u003eProduce Well-Secured Software (PW) 226\u003c\/p\u003e \u003cp\u003eRespond to Vulnerabilities (RV) 227\u003c\/p\u003e \u003cp\u003eSecurity Chaos Engineering and Resilience 229\u003c\/p\u003e \u003cp\u003eSummary 231\u003c\/p\u003e \u003cp\u003e\u003cb\u003e12 Vulnerability Management Maturity Model 233\u003c\/b\u003e\u003c\/p\u003e \u003cp\u003eStep 1: Asset Management 234\u003c\/p\u003e \u003cp\u003eStep 2: Secure Configuration 236\u003c\/p\u003e \u003cp\u003eStep 3: Continuous Monitoring 238\u003c\/p\u003e \u003cp\u003eStep 4: Automated Vulnerability Management 240\u003c\/p\u003e \u003cp\u003eStep 5: Integrating Human Factors 242\u003c\/p\u003e \u003cp\u003eStep 6: Vulnerability Threat Intelligence 244\u003c\/p\u003e \u003cp\u003eSummary 245\u003c\/p\u003e \u003cp\u003eAcknowledgments 247\u003c\/p\u003e \u003cp\u003eAbout the Authors 249\u003c\/p\u003e \u003cp\u003eAbout the Technical Editor 251\u003c\/p\u003e \u003cp\u003eIndex 253\u003c\/p\u003e  \u003cp\u003e\u003cb\u003eCHRIS HUGHES, M.S., MBA, \u003c\/b\u003e currently serves as the Co-Founder and President at Aquia and has 20 years of IT\/Cybersecurity experience in the public and private sectors. He is also an adjunct professor for M.S. Cybersecurity programs. Chris co-hosts the Resilient Cyber Podcast and also serves as a Cyber Innovation Fellow at CISA.  \u003c\/p\u003e\u003cp\u003e\u003cb\u003eNIKKI ROBINSON, DSc, PhD, \u003c\/b\u003e is a Security Architect and Professor of Practice at Capitol Technology University. She holds a DSc in Cybersecurity and a PhD in Human Factors.   \u003c\/p\u003e\u003cp\u003e \u003cb\u003eSUPPORT ORGANIZATIONAL SUCCESS BY MINIMIZING IT RISK IN THE CLOUD ERA\u003c\/b\u003e \u003c\/p\u003e\u003cp\u003eModern businesses employ dozens of third-party, cloud-based tools to get work done. 
Technology managers need to be well versed in the holistic practice of knowing their systems, their interconnections, and the resulting risk exposure. Armed with that knowledge, it becomes possible to plan and prioritize limited budgets to mobilize a cost-effective vulnerability management program. From two leading minds in cybersecurity, \u003ci\u003eEffective Vulnerability Management \u003c\/i\u003eexplores the multifaceted approach that today’s organizations must take to effectively mitigate risk introduced by complex software ecosystems. \u003c\/p\u003e\u003cp\u003eWith this book, readers will learn why it isn’t enough to simply “apply a patch” to fix known software flaws. True vulnerability management requires consistently monitoring systems and vulnerability databases. It also requires addressing the human element, identifying and addressing psychological factors that interact with software ecosystems to create emergent vulnerabilities. Authors Chris Hughes and Nikki Robinson provide a comprehensive discussion of these issues and their solutions. \u003c\/p\u003e\u003cp\u003eIt is essential to dedicate time and resources to preventing attacks and exploitations, yet it can be challenging to justify these expenditures, and indeed many outdated and disengaged vulnerability management practices offer inadequate protection. \u003ci\u003eEffective Vulnerability Management \u003c\/i\u003eshows the way toward more efficient, more effective strategies that respond to today’s unique threats.\u003c\/p\u003e","brand":"Wiley","offers":[{"title":"Default Title","offer_id":47989107917029,"sku":"NP9781394221202","price":35.0,"currency_code":"USD","in_stock":false}],"thumbnail_url":"\/\/cdn.shopify.com\/s\/files\/1\/1842\/7735\/files\/9781394221202.jpg?v=1761782826","url":"https:\/\/k12savings.com\/es\/products\/effective-vulnerability-management-isbn-9781394221202","provider":"K12savings","version":"1.0","type":"link"}