In this episode of CISO Tradecraft, host G Mark Hardy delves into the critical subject of vulnerability management for cybersecurity leaders. The discussion begins with defining the scope and importance of vulnerability management, referencing Park Foreman's comprehensive approach beyond mere patching, to include identification, classification, prioritization, remediation, and mitigation of software vulnerabilities. Hardy emphasizes the necessity of a strategic vulnerability management program to prevent exploitations by bad actors, illustrating how vulnerabilities are exploited using tools like ExploitDB, Metasploit, and Shodan. He advises on deploying a variety of scanning tools to uncover different types of vulnerabilities across operating systems, middleware applications, and application libraries. Highlighting the importance of prioritization, Hardy suggests focusing on internet-facing and high-severity vulnerabilities first and discusses establishing service level agreements for timely patching. He also covers optimizing the patching process, the significance of accurate metrics in measuring program effectiveness, and the power of gamification and executive buy-in to enhance security culture. To augment the listener's knowledge and toolkit, Hardy recommends further resources, including OWASP TASM and books on effective vulnerability management.
Transcripts: https://docs.google.com/document/d/13P8KsbTOZ6b7A7HDngk9Ek9FcS1JpQij
OWASP Threat and Safeguard Matrix - https://owasp.org/www-project-threat-and-safeguard-matrix/
Effective Vulnerability Management - https://www.amazon.com/Effective-Vulnerability-Management-Vulnerable-Ecosystem/dp/1394221207
Chapters
#100 - 7 Ways CISOs Setup for Success
#99 - Cyberwar and the Law of Armed Conflict (with Larry Dietz)
#98 - Outrunning the Bear
#97 - Mobile Application Security (with Brian Reed)
#96 - The 9 Cs of Cyber
#95 - Got any Data Security (with Brian Vecci)
#94 - Easier, Better, Faster, & Cheaper Software
#93 - How to Become a Cyber Security Expert
#92 - Updating the Executive Leadership Team on Cyber
#91 - Hacker Summer Camp
#90 - A CISO’s Guide to Pentesting
#89 - Connecting the Dots (with Sean Heritage)
#88 - Tackling 3 Really Hard Problems in Cyber (with Andy Ellis)
#87 - From Hunt Team to Hunter (with Bryce Kunz)
#86 - The CISO MindMap (with Rafeeq Rehman)
#85 - The Fab 5 Security Outcomes Study (with Helen Patton)
#84 - Gaining Trust (with Robin Dreeke)
#83 - Cyber Defense Matrix Reloaded (with Sounil Yu)
#82 - Cyber Defense Matrix (with Sounil Yu)
#81- Career Lessons from a CISO (with John Hellickson)
Create your
podcast in
minutes
It is Free
Insight Story: Tech Trends Unpacked
Zero-Shot
Fast Forward by Tomorrow Unlocked: Tech past, tech future
The Unbelivable Truth - Series 1 - 26 including specials and pilot
A Prairie Home Companion: News from Lake Wobegon