Identifying a security vulnerability in your system or application is a crucial step towards protecting your digital assets. Afterwards, you need to swiftly and effectively fix the issue to prevent potential threats from becoming a full-blown crisis. In this article, we will guide you through the important steps to take when a security vulnerability is uncovered.

Discovering Vulnerabilities

Activities such as periodic vulnerability scans or vulnerability assessments, penetration testing, and continuous security monitoring can help identify weaknesses in your systems or applications, provide risk evaluations and uncover bugs. Below are the right steps to take:

Step 1: Verify the Vulnerability

First, make sure the weakness is real and not a false alarm. Use tools such as OpenApi Security, OpenVAS by Greenbone, OSTE Meta Scanner or Pentest-Tools.com etc to test in a controlled environment to understand what is affected and how severe it is. Common vulnerabilities include unpatched operating systems, weak account credentials, cross-site scripting (XSS), insecure direct object references (IDOR), and device misconfigurations. Document your findings with notes, screenshots, and logs.

Step 2: Rate the Risk

Once you have confirmed the vulnerability, determine its severity using methods such as the common vulnerability scoring system (CVSS). Having knowledge of the severity helps you decide the response and resources needed.

For instance, the Heartbleed bug was a serious flaw in the OpenSSL encryption library and was given a CVSS score of 7.5, indicating a high severity rating. This rating helped determine the appropriate response and resources needed to address the vulnerability.

• Low: Minor issues that don't pose a significant security risk.
• Medium: Problems that could lead to unauthorized access or minor data leaks.
• High: Serious flaws that could lead to major data breaches or system failures.

Step 3: Report Internally

Notify your team about the vulnerability through internal channels by reaching out to the IT department, security team, designated reporting or ticketing systems like HP Services Mananger  and servicenow. Ensure all relevant stakeholders are informed to yield a coordinated response. 

Facebook's security team identified a vulnerability that existed between July 2017 and September 2018 in the "View As" feature. On September 14, 2018, the team noticed an unusual spike of activity and so started investigating it. 11 days later, it became clear that it was a vulnerability that was exploited by attackers. So, the security team worked with the developers to stop the attack, patch the vulnerability and protect the affected accounts. They patched the vulnerability and protected the accounts of those who were exposed. In addition, they created a report providing detailed information to help fix the issue, reducing the damage from the breach.

Step 4: Practice Responsible Disclosure

For vulnerabilities found in third-party software or systems, follow responsible disclosure practices as outlined by frameworks like ISO/IEC 29147:

• Contact the Vendor: Reach out to the vendor or developer responsible for the software through secure communication channels, such as encrypted emails.
• Include Detailed Information: Provide detailed information about the vulnerability, including steps to reproduce it and potential impact.
• Set a Timeline: Allow the vendor a reasonable amount of time to acknowledge and address the vulnerability before making any public disclosures.

Step 5: Fix the Problem

Once you have reported the issue, start working on a solution. This can involve:

• Temporary Solutions: Adopt a quick fix or workaround to reduce the risk while a permanent solution is being developed.
• Permanent Fixes: Develop and test a patch that resolves the problem without causing new issues. 

Microsoft regularly releases security patches to fix vulnerabilities in their software. You need to stay updated to always secure your systems and protect them from threat actors.

Step 6: Monitor and Report: 

Use vulnerability management systems to visualize and export vulnerability data. Implement real-time alert systems and log collection tools for in-depth analysis. Ongoing monitoring, retesting, and re-scanning of systems are essential. Ensure compliance with standards like HIPAA, GDPR, or PCI-DSS, which may require documentation of the patching process and continuous compliance reporting. Compliance to these standards are usually industry specific. For example, HIPAA is for organizations offering (or affiliated to) healthcare services, PCI-DSS is for organizations in the payments and financial services industry. 

Plan Remediation: Remediation timelines vary depending on the vulnerability's impact and the complexity of the fix. The National Institute of Standards and Technology (NIST) provides guidance on planning remediation timelines based on the vulnerability's impact and complexity of the fix.

Final Thoughts 

Addressing security vulnerabilities promptly is necessary to maintain the safety of your digital assets. Following these steps will help reduce the risk of cyber threats such as zero day attacks. Want to stay ahead of potential security threats? Check out the Cyberkach blog for the latest resources on vulnerability management and cybersecurity.