
READ THIS: To get a sense of the scale of the vulnerability issue, follow the links attached to this
assignment for the US-CERT’s “Current Activity” and “Bulletins” pages and view some of the weekly
bulletins. If your organization only did a full scan once per year, imagine how many new vulnerabilities
could be discovered between scans. In fact, when performing a scan on a mid-sized organization without a
formal management and remediation program, it is not uncommon to find thousands of vulnerabilities that
need to be addressed.
This week’s reading discusses the process of systems hardening and scanning for vulnerabilities. Day-to-day management of this can be one of the most time-intensive tasks in information security, and the effort grows dramatically with the number of devices and applications on the network. If there is a lack of uniformity with respect to hardware platforms, software applications, and patch levels in the organization, the problem grows further still. This involves two processes that relate to ongoing management: Patch Management and Vulnerability Management.
In many ways, these are essentially two sides of the same coin. However, there are patches that don’t
address security issues (e.g. bug fixes and feature enhancements) and vulnerabilities for which something
other than a patch is necessary (e.g. system upgrades or external mitigation such as firewall rules).
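The two processes overlap only where a scanner finding has a matching vendor patch. The following script is an added example, not part of the assignment or its readings; it reconciles a constructed list of scan findings against a constructed patch catalog, routes each finding to "patch", "mitigate" (compensating control such as a firewall rule), or "unresolved", and collapses the per-host findings into a short prioritised patch queue, which is one way the problem of scale is managed. The vulnerability and patch identifiers (VULN-0001, PATCH-100, and so on) are placeholders, not real CVEs or vendor advisories.

```python
"""Reconcile scanner findings with a patch catalog.

Shows where patch management and vulnerability management overlap and where
they do not. All data is constructed for illustration; the VULN-/PATCH-
identifiers are placeholders, not real CVEs or vendor patch numbers.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str
    severity: str


@dataclass(frozen=True)
class Patch:
    patch_id: str
    fixes: frozenset  # vuln ids this patch resolves; empty for bug fixes / feature updates


# Constructed scan output for three hosts (placeholder vulnerability ids).
FINDINGS = [
    Finding("web-01", "VULN-0001", "critical"),
    Finding("web-02", "VULN-0001", "critical"),
    Finding("web-01", "VULN-0002", "high"),
    Finding("db-01", "VULN-0003", "high"),
    Finding("db-01", "VULN-0004", "medium"),
    Finding("web-02", "VULN-0005", "low"),
]

# Constructed vendor catalog; PATCH-300 is a feature update with no security content.
CATALOG = [
    Patch("PATCH-100", frozenset({"VULN-0001", "VULN-0002"})),
    Patch("PATCH-200", frozenset({"VULN-0003"})),
    Patch("PATCH-300", frozenset()),
]

# Constructed compensating controls for findings that have no patch.
MITIGATIONS = {"VULN-0004": "firewall rule: restrict inbound access to the database port"}


def patch_index(catalog):
    """Map each vulnerability id to the set of patch ids that fix it."""
    index = defaultdict(set)
    for patch in catalog:
        for vuln in patch.fixes:
            index[vuln].add(patch.patch_id)
    return index


def triage(findings, catalog, mitigations):
    """Assign each finding a remediation route: 'patch', 'mitigate' or 'unresolved'."""
    index = patch_index(catalog)
    routes = {}
    for f in findings:
        if f.vuln_id in index:
            routes[f] = ("patch", sorted(index[f.vuln_id]))
        elif f.vuln_id in mitigations:
            routes[f] = ("mitigate", mitigations[f.vuln_id])
        else:
            routes[f] = ("unresolved", None)  # needs an upgrade, vendor fix or risk acceptance
    return routes


def non_security_patches(catalog):
    """Patches that close no finding: patch-management work with no vulnerability-management side."""
    return [p.patch_id for p in catalog if not p.fixes]


def work_queue(findings, catalog):
    """Collapse per-host findings into one row per patch, ordered by worst severity then host count."""
    index = patch_index(catalog)
    by_patch = defaultdict(lambda: {"hosts": set(), "worst": "low"})
    for f in findings:
        for pid in index.get(f.vuln_id, ()):
            entry = by_patch[pid]
            entry["hosts"].add(f.host)
            if SEVERITY_RANK[f.severity] < SEVERITY_RANK[entry["worst"]]:
                entry["worst"] = f.severity
    rows = [(pid, e["worst"], len(e["hosts"])) for pid, e in by_patch.items()]
    rows.sort(key=lambda r: (SEVERITY_RANK[r[1]], -r[2], r[0]))
    return rows


def summary(routes):
    """Count findings by remediation route."""
    return Counter(route for route, _ in routes.values())


if __name__ == "__main__":
    routes = triage(FINDINGS, CATALOG, MITIGATIONS)
    print(summary(routes))                       # Counter({'patch': 4, 'mitigate': 1, 'unresolved': 1})
    print(work_queue(FINDINGS, CATALOG))         # [('PATCH-100', 'critical', 2), ('PATCH-200', 'high', 1)]
    print(non_security_patches(CATALOG))         # ['PATCH-300']
```

Six findings become two patch rows plus one mitigation and one unresolved item; with real scan exports the same collapse is what turns thousands of findings into a tractable list of change tickets, while the unresolved bucket is where the vulnerability-management process has to find an answer that patch management cannot supply.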
ANSWER THIS: Using your own research, compare and contrast “Patch Management” and “Vulnerability
Management”. Include a discussion about the focus of each approach and ways to manage problems of
scale.
Additional resources for assignment
https://www.us-cert.gov/ncas/bulletins
https://www.us-cert.gov/ncas/current-activity