Yesterday (12th February) saw the release of a new set of guidance documents by the National Cyber Security Centre (NCSC).

The guidance concerns vulnerability management, and is aimed at a wide range of users from SMEs (Small to Medium Sized organisations) through to large businesses and cyber security professionals.

The guidance also looks at what vulnerabilities are and how threat actors take advantage of them.

A vulnerability is a weakness in an IT system that can be exploited by an attacker to deliver a successful attack. They can occur through flaws, features or user error, and attackers will look to exploit any of them, often combining one or more, to achieve their end goal.

NCSC – Vulnerability Management guidance

Guidance documents

The latest guidance from the NCSC is split into 5 sections:

  • “Update by default” policies
    This section covers security updates and recommends that organisations implement an “update by default” policy, under which software updates are applied as soon as possible – ideally automatically
  • Identify assets
    This section concerns the assets owned by an organisation – if you don’t know what assets you have, you cannot protect them and stop threat actors abusing them
  • Triage and prioritise assessments
    This section details how organisations should triage and prioritise updates to assets, and how to mitigate any risks to systems which have not yet received security updates
  • Own the risks
    Following on from the above section, this guidance looks at how organisations must own the risks associated with assets that have not been updated with the latest security patches
  • Review the vulnerability management process
    This section is concerned with turning the vulnerability management process into an ongoing feature of the organisation’s day-to-day business. This includes keeping abreast of the latest vulnerability news, reviewing internal vulnerability management processes, validating updates, using 3rd party vulnerability and penetration testing services, and much more.
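As an added illustration (not from the NCSC guidance or this post), the following Python sketch walks a constructed asset inventory through the sections above: identify assets, apply update by default, triage and prioritise what remains, and record the risks that must be owned and reviewed. The severity and criticality scales and the scoring weights are assumptions for the example.

```python
from dataclasses import dataclass

# Constructed inventory and update feed for illustration; scales are assumptions.
@dataclass
class Asset:
    name: str
    internet_facing: bool   # exposure raises priority
    criticality: int        # 1 (low) .. 3 (business critical)
    auto_update: bool       # "update by default" in force on this asset

@dataclass
class Update:
    asset: str
    severity: int           # 1 (low) .. 4 (critical)
    exploited_in_wild: bool
    patch_available: bool

def priority(asset, upd):
    """Higher score = patch sooner. Weights are an assumption, not NCSC's."""
    score = upd.severity * asset.criticality
    score += 3 if asset.internet_facing else 0
    score += 5 if upd.exploited_in_wild else 0
    return score

def triage(assets, updates):
    """Return (auto_applied, work_queue, owned_risks).
    auto_applied: installed by the update-by-default policy, no decision needed.
    work_queue:   remaining updates, highest priority first, for scheduling.
    owned_risks:  updates that cannot be applied (no patch, or unknown asset),
                  which must be recorded, mitigated and reviewed, not ignored."""
    by_name = {a.name: a for a in assets}
    auto_applied, work_queue, owned_risks = [], [], []
    for upd in updates:
        asset = by_name.get(upd.asset)
        if asset is None:   # not in the inventory: cannot be protected
            owned_risks.append((upd.asset, "asset not in inventory"))
        elif not upd.patch_available:
            owned_risks.append((upd.asset, f"no patch, priority {priority(asset, upd)}"))
        elif asset.auto_update:
            auto_applied.append(upd.asset)
        else:
            work_queue.append((priority(asset, upd), upd.asset))
    work_queue.sort(key=lambda item: item[0], reverse=True)
    return auto_applied, work_queue, owned_risks

ASSETS = [Asset("web-01", True, 3, False), Asset("hr-db", False, 3, True),
          Asset("kiosk", False, 1, False)]
UPDATES = [Update("web-01", 4, True, True), Update("hr-db", 3, False, True),
           Update("kiosk", 2, False, True), Update("web-01", 2, False, False),
           Update("old-nas", 4, True, True)]

if __name__ == "__main__":
    print(triage(ASSETS, UPDATES))
```

The unknown "old-nas" entry lands in the owned-risks list rather than being dropped, which is the point of the identify-assets step: an update for an asset you have not inventoried is itself a finding to review.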