https://wiki.gccollab.ca/index.php?title=Enterprise_Vulnerability_Management_System_Initiative&feed=atom&action=history
Enterprise Vulnerability Management System Initiative - Revision history
2024-03-28T12:45:41Z
Revision history for this page on the wiki
MediaWiki 1.35.2
https://wiki.gccollab.ca/index.php?title=Enterprise_Vulnerability_Management_System_Initiative&diff=46214&oldid=prev
Greggory.elton at 17:33, 20 April 2021
2021-04-20T17:33:11Z
<p></p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 17:33, 20 April 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l23" >Line 23:</td>
<td colspan="2" class="diff-lineno">Line 23:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|} </div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>|} </div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div></div>{{<del class="diffchange diffchange-inline">TOCright}}</del></div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div></div></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>{{<ins class="diffchange diffchange-inline">Delete</ins>|<ins class="diffchange diffchange-inline">reason</ins>=<ins class="diffchange diffchange-inline">Expired Content</ins>}}</div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">== Overview ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">The discipline of vulnerability management is described in the [[Media:GC ESA ConOps - ANNEX E GC Enterprise VMS v0.6.pdf| GC ESA ConOps Annex E: Vulnerability Management System]] document as "a process for identifying vulnerabilities, assessing the risk posed by any identified vulnerabilities, and taking action to reduce or eliminate the risk". The sections below will identify and define the technical capabilities necessary to gather vulnerability information from internal and external sources, identify and report vulnerabilities present in the GC IT/IS infrastructure, and participate in vulnerability remediation activities. Vulnerability management capabilities may also support automated mitigation of vulnerabilities by interacting with other capabilities, such as a configuration management that pushes software updates to endpoints. Technical capabilities that directly mitigate vulnerabilities through the installation of software updates, application of patches, modification of configuration files, updating firewall policy rules, etc. are identified, but as they are not specific to vulnerability management they are not described in detail. </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">A comprehensive Vulnerability Management system encompasses all aspects of the GC IT/IS infrastructure. The Vulnerability Management system's purpose is to continuously monitor GC IT/IS assets and reduce the attack surface wherever possible. In this respect the Vulnerability Management system supports the cyber resiliency goals of anticipating and withstanding attacks on the GC IT/IS infrastructure. From a security operations (OPS) perspective, the Vulnerability Management system is expected to integrate with supporting security technical capabilities, such as configuration and assets management systems, and inter-operate with other security services, such as identity credential and asset management (ICAM), audit, and evolving enterprise security services in order to support automated OPS work flows and increase situation awareness. </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><br></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">== Vulnerability Management Concepts and Architecture ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">=== ''Vulnerability Process'' ===</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">When a new vulnerability is identified, the first step is to determine the presence of vulnerable GC IT/IS assets by querying asset and configuration management databases for the presence of vulnerable versions and configuration settings of software, hardware, firmware on GC IT/IS assets. This allows for rapid implementation of mitigation procedures to reduce risk to the GC. However, the information in the asset and configuration management databases may be incomplete and/or out of date. It is therefore necessary to perform routine and ad-hoc scanning to obtain a complete list of vulnerable assets connected to GC networks.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">Discover and scanning of assets should be performed at regular intervals. To maximize efficiency and minimize the effect on performance, regular scans should serve multiple purposes including:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* Detecting rogue assets (i.e. assets not registered in asset and configuration management databases)</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* Detecting vulnerable versions of installed software and vulnerable configuration settings</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* Detecting installations of unauthorized software</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* Synchronizing asset and configuration management information such that it accurately reflects the actual state of the GC IT/IS infrastructure</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* Verifying compliance with GC standards and regulations by performing compliance scans</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">When a vulnerability with a high severity level is reported, it may be necessary to perform an ad-hoc query of an asset that is purely focused on detecting that vulnerability. Routine scans are scheduled by a centralized vulnerability management capability. Scans may also be initiated locally when an asset attempts to connect to a GC network (a new asset or an asset that is being powered up). The primary job of a network access control (NAC) capability implemented in a switch or VPN server is to authenticate an endpoint attempting to connect, but it may also be able to verify the integrity of the endpoint and initiate a vulnerability scan. If authentication is successful and no vulnerabilities are found, only then will the NAC device be authorized to enable access to network services.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">The table below provides a high level abstraction of the asset types that may contain vulnerabilities and must therefore be considered in a vulnerability management program. </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><br></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">{| class="wikitable"</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">| style="background: #000000; color: #ffffff | '''Asset Categories''' || style="background: #000000; color: #ffffff | '''Vulnerability Description'''</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">|-</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">| style="background: #777777; color: #ffffff | '''''Software Assets (applications, APIs, application plug-ins, mobile apps, and OSs)'''''</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>| <del class="diffchange diffchange-inline">style</del>=<del class="diffchange diffchange-inline">"background: #e5e5e5; color: #000000 | Software coding flaws, bugs, and insecure coding practices are all possible sources of vulnerabilities in software. In order to management software vulnerabilities in the production environment, all executable software must be identified and monitored. As an example, the Dynamic Link Libraries within Microsoft's OS provide executables for application services. In order to monitor the executables, a digital signature or hash is required to compare the executable to a good known state. If the digital signatures/hashes do not match, then the executable has been changed from the known desired state.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">|-</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">| style="background: #777777; color: #ffffff | '''''Hardware Assets (endpoints, network appliances, storage devices, peripherals, etc.)'''''</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">| style="background: #e5e5e5; color: #000000 | Any hardware asset that runs code is likely to contain bugs that are exploitable. Hardware exploits contained in firmware or in CPUs are harder to fix and usually require the hardware to be taken offline to perform remediation. In some cases, there is no available patch and compensating controls may be required. An example of a hardware exploit is the BadUSB exploit that exploits the USB firmware with malicious code. Since the host cannot detect the firmware code the exploit bypasses traditional malware detectors and the code is used to exploit the subject host.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">|</del>}</div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">=== ''Vulnerability Management Actors'' ===</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">The primary user classes (actors) who are responsible for the operation of a Vulnerability Management solution are represented by:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* '''Security Operator:''' Provides the daily operation support and oversight of the Vulnerability Management operations. Security Operators directly interact with the Vulnerability Management system.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* '''System Administrator:''' Provides oversight of vulnerability management software and hardware components. Responsible for system administration of the vulnerability management solution. The System Administrator may also be responsible for remediation activities, such as the installation of the latest patches to software assets.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* '''Risk Manager:''' Provides risk assessments based on asset criticality, vulnerability scan results, threat/vulnerability information, and internally sources risk information, such as incident reports. Risk assessments may impact scan parameters, scan schedules, and scan rates.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">=== ''Relationship to the OPS Security Functional Model'' ===</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">The Vulnerability Management ConOps functional design is based upon the security operations functional model. The image to the below depicts the four lifecycle phases (Plan, Monitor, Assess, and Respond) superimposed on the security operations functional model. The [[Media:GC ESA ConOps - ANNEX E GC Enterprise VMS v0.6.pdf| GC ESA ConOps Annex E: Vulnerability Management System]] document identifies core and supporting functions from the ESA components depicted in the functional model.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><br></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">[[File:Vulnerability Management Functional Model.PNG|centre|thumb|711x711px|Vulnerability Management Functional Model]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">For more information about the Vulnerability Management System concepts and architecture, please read the [[Media:GC Enterprise VMS HLD v0.5.pdf|GC ESA Vulnerability Management System High-Level Design]] and the[[Media:GC ESA ConOps - ANNEX E GC Enterprise VMS v0.6.pdf| GC ESA ConOps Annex E: Vulnerability Management System]] documents.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><br></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">== Vulnerability Management High Level Design (HLD) ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">The vulnerability management high level design (HLD) objective is to describe a vulnerability management system that provides an integrated and hierarchically-managed vulnerability management capability across the GC enterprise and departments. The HLD describes a vulnerability management system composed of initiative components and interface relationships. Initiative components represent tightly-coupled technical capabilities that expose interfaces for data exchanges. The use of initiative components provides flexibility in deploying technical capabilities at the enterprise or department level while preserving the Report & Inform information sharing hierarchy.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">The following sections, which can be expanded by clicking on 'Expand' on the far right, provide Vulnerability Management system design and rationale organized into five sub-sections:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><br></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div class="toccolours mw-collapsible mw-collapsed" style="width:100%"> </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">'''VM System Context''' <div class="mw-collapsible-content"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">---- {{:Vulnerability Management System Context}} </div></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div class="toccolours mw-collapsible mw-collapsed" style="width:100%"> </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">'''VM System Functional Design''' <div class="mw-collapsible-content"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">---- {{:Vulnerability Management System Functional Design</del>}<del class="diffchange diffchange-inline">} </div></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div class="toccolours mw-collapsible mw-collapsed" style="width:100%"> </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">'''VM System Component Design''' <div class="mw-collapsible-content"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">---- {{:Vulnerability Management System Component Design}} </div></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div class="toccolours mw-collapsible mw-collapsed" style="width:100%"> </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">'''VM System Communications Design''' <div class="mw-collapsible-content"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">---- {{:Vulnerability Management System Communications Design}} </div></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div class="toccolours mw-collapsible mw-collapsed" style="width:100%"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">'''VM System Design Collaborations''' <div class="mw-collapsible-content"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">---- {{:Vulnerability Management System Design Collaborations}} </div></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><div class="toccolours mw-collapsible mw-collapsed" style="width:100%"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">'''VM Communication Patterns''' <div class="mw-collapsible-content"></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">---- {{:Vulnerability Management Communication Patterns}} </div></div></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><br></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">For more information about the GC ESA Vulnerability Management System High-Level Design, please read the [[Media:GC Enterprise VMS HLD v0.5.pdf|GC ESA Vulnerability Management System High-Level Design]] document.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><br></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">== Vulnerability Management System Design Considerations ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">This section summarizes Vulnerability Management HLD design considerations for developing/acquiring a Vulnerability Management System that provides interoperability and extensibility across the GC enterprise and departments. The section below addresses GC integration considerations (GC architecture and assets). Trade study considerations for the Vulnerability Management System can be found in the [[Media:GC Enterprise VMS HLD v0.5.pdf|GC ESA Vulnerability Management System High-Level Design]]. For an overview of the trade study process and suitable selection criteria, please read the [[Media:GC ESA Framework.pdf|GC ESA Framework]] document. Additional information may be found at the following websites:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* [http://www.gsa.gov/portal/mediaId/199735/fileName/CDM_Product_Catalog.action US Department of Homeland Security and General Services Administration]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* [https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Open Web Application Security Project]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">=== ''Vulnerability Management System Integration Considerations'' ===</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">This section summarizes GC integration considerations for successfully implementing a Vulnerability Management System within the GC enterprise and departments. These considerations address concerns from a GC perspective rather than the Vulnerability Management System itself.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* The network environment, including perimeter defences and zoning, must be considered when selecting vulnerability management technologies and deployment strategies</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* The inventory IT/IS assets to be assessed and managed for vulnerabilities is a critical consideration when determining the required Vulnerability Management System. This is especially true when considering the types of vulnerability scanners and vulnerability scan agents required to monitor different assets in a variety of deployment environments. Complex assets, such as application servers and virtualized assets, require different agent assets, remote computing assets, and remote devices all present differing challenges to assessing and managing GC assets.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* The extensibility of the Vulnerability Management System technical capabilities must be considered within the context of the GC enterprise and departments, including:</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">** Geo-location of assets and remote management of assets</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">** Interoperability with other types of Vulnerability Management systems (MAM, MDM, Security as a Service providers, Virtualized security services, etc.)</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">** The capability to collect, synthesize, and report on assessment and compliance scans, vulnerability findings, and remediation status.</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline"><br></del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">== References ==</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* [[Media:GC Enterprise VMS HLD v0.5.pdf|GC ESA Vulnerability Management System High-Level Design]] </del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* [[Media:GC ESA ConOps - ANNEX E GC Enterprise VMS v0.6.pdf|GC ESA ConOps Annex E: Vulnerability Management System]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">* [[Media:GC ESA Framework.pdf|GC ESA Framework]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div> </div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">[[Category:Government of Canada Enterprise Security Architecture (ESA) Program]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">[[Category:Enterprise Security Architecture]]</del></div></td><td colspan="2"> </td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div><del class="diffchange diffchange-inline">[[Category:GC Enterprise Architecture]]</del></div></td><td colspan="2"> </td></tr>
</table>
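Review bot: The deleted rows that close this diff remove the three [[Category:...]] links and the whole References list along with the design sections, and none of these rows has a right-hand counterpart, so on the evidence of this hunk the page drops out of its ESA categories and loses its source list. If the High Level Design and Design Considerations material was moved to another page, keep the category links here, leave a pointer to the new location, and record the reason in the edit summary.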
Greggory.elton
https://wiki.gccollab.ca/index.php?title=Enterprise_Vulnerability_Management_System_Initiative&diff=45633&oldid=prev
Greggory.elton: Created page with "<div style="float: right; z-index: 10; position: absolute; right: 0; top: 1;">File:JoinusonGCconnex.png|link=http://gcconnex.gc.ca/groups/profile/2785549/gc-enterprise-secur..."
2021-04-07T16:00:44Z
<p>Created page with "<div style="float: right; z-index: 10; position: absolute; right: 0; top: 1;">File:JoinusonGCconnex.png|link=http://gcconnex.gc.ca/groups/profile/2785549/gc-enterprise-secur..."</p>
<p><b>New page</b></p><div><div style="float: right; z-index: 10; position: absolute; right: 0; top: 1;">[[File:JoinusonGCconnex.png|link=http://gcconnex.gc.ca/groups/profile/2785549/gc-enterprise-security-architecture-gc-esa]]<br />[[File:ESAcontactus.png|link=mailto:ZZTBSCYBERS@tbs-sct.gc.ca]]</div> [[File:GOC ESA.jpg|center|link=http://www.gcpedia.gc.ca/wiki/Government_of_Canada_Enterprise_Security_Architecture_(ESA)_Program]] <div class="center"><br />
</div>{{TOCright}}<br />
<br />
== Overview ==<br />
The discipline of vulnerability management is described in the [[Media:GC ESA ConOps - ANNEX E GC Enterprise VMS v0.6.pdf| GC ESA ConOps Annex E: Vulnerability Management System]] document as "a process for identifying vulnerabilities, assessing the risk posed by any identified vulnerabilities, and taking action to reduce or eliminate the risk". The sections below identify and define the technical capabilities necessary to gather vulnerability information from internal and external sources, identify and report vulnerabilities present in the GC IT/IS infrastructure, and participate in vulnerability remediation activities. Vulnerability management capabilities may also support automated mitigation of vulnerabilities by interacting with other capabilities, such as a configuration management capability that pushes software updates to endpoints. Technical capabilities that directly mitigate vulnerabilities through the installation of software updates, application of patches, modification of configuration files, updating firewall policy rules, etc. are identified, but as they are not specific to vulnerability management they are not described in detail. <br />
<br />
A comprehensive Vulnerability Management system encompasses all aspects of the GC IT/IS infrastructure. The Vulnerability Management system's purpose is to continuously monitor GC IT/IS assets and reduce the attack surface wherever possible. In this respect the Vulnerability Management system supports the cyber resiliency goals of anticipating and withstanding attacks on the GC IT/IS infrastructure. From a security operations (OPS) perspective, the Vulnerability Management system is expected to integrate with supporting security technical capabilities, such as configuration and asset management systems, and interoperate with other security services, such as identity credential and asset management (ICAM), audit, and evolving enterprise security services in order to support automated OPS workflows and increase situational awareness. <br />
<br />
<br><br />
<br />
== Vulnerability Management Concepts and Architecture ==<br />
<br />
=== ''Vulnerability Process'' ===<br />
When a new vulnerability is identified, the first step is to determine the presence of vulnerable GC IT/IS assets by querying asset and configuration management databases for vulnerable versions and configuration settings of software, hardware, and firmware on GC IT/IS assets. This allows for rapid implementation of mitigation procedures to reduce risk to the GC. However, the information in the asset and configuration management databases may be incomplete and/or out of date. It is therefore necessary to perform routine and ad-hoc scanning to obtain a complete list of vulnerable assets connected to GC networks.<br />
<br />
Discovery and scanning of assets should be performed at regular intervals. To maximize efficiency and minimize the effect on performance, regular scans should serve multiple purposes including:<br />
* Detecting rogue assets (i.e. assets not registered in asset and configuration management databases)<br />
* Detecting vulnerable versions of installed software and vulnerable configuration settings<br />
* Detecting installations of unauthorized software<br />
* Synchronizing asset and configuration management information such that it accurately reflects the actual state of the GC IT/IS infrastructure<br />
* Verifying compliance with GC standards and regulations by performing compliance scans<br />
When a vulnerability with a high severity level is reported, it may be necessary to perform an ad-hoc query of an asset that is purely focused on detecting that vulnerability. Routine scans are scheduled by a centralized vulnerability management capability. Scans may also be initiated locally when an asset attempts to connect to a GC network (a new asset or an asset that is being powered up). The primary job of a network access control (NAC) capability implemented in a switch or VPN server is to authenticate an endpoint attempting to connect, but it may also be able to verify the integrity of the endpoint and initiate a vulnerability scan. If authentication is successful and no vulnerabilities are found, only then will the NAC device be authorized to enable access to network services.<br />
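The two steps described above (query the asset and configuration management records first, then reconcile them against what a scan actually observes) can be sketched as follows. This is an added example, not part of the GC ESA documents; the product name <code>examplelib</code>, the asset names, the record layout and the authorized-software list are all constructed for illustration.

```python
"""Reconcile CMDB records with scan observations for one advisory (constructed data)."""

# Hypothetical advisory: every examplelib version below 2.4.1 is vulnerable.
ADVISORY = {"product": "examplelib", "fixed_in": "2.4.1"}

# Constructed allow-list of software permitted on managed assets.
AUTHORIZED = {"examplelib", "nginx", "postgresql"}

# What the asset/configuration management database records (may be stale).
CMDB = {
    "srv-web-01": {"software": {"examplelib": "2.4.1", "nginx": "1.22.1"}},
    "srv-db-01": {"software": {"examplelib": "2.3.9", "postgresql": "14.5"}},
    "srv-app-01": {"software": {"examplelib": "2.4.2"}},
}

# What a routine scan observed on the network.
SCAN = {
    "srv-web-01": {"examplelib": "2.3.9", "nginx": "1.22.1"},       # CMDB says patched
    "srv-db-01": {"examplelib": "2.4.1", "postgresql": "14.5"},     # patched, CMDB stale
    "unknown-7f": {"examplelib": "1.9.0", "bittorrent-client": "1.10"},  # unregistered
}


def parse_version(text):
    # "2.4.1" -> (2, 4, 1); dotted numeric versions only (assumption of this sketch)
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(software, advisory):
    version = software.get(advisory["product"])
    if version is None:
        return False
    return parse_version(version) < parse_version(advisory["fixed_in"])


def query_cmdb(cmdb, advisory):
    """First step: assets the CMDB believes run a vulnerable version."""
    return sorted(a for a, rec in cmdb.items() if is_vulnerable(rec["software"], advisory))


def reconcile(cmdb, scan, advisory, authorized):
    """Second step: compare scan observations with the CMDB records."""
    findings = {"rogue": [], "vulnerable": [], "unauthorized": {}, "cmdb_updates": {}}
    for asset_id, observed in sorted(scan.items()):
        if asset_id not in cmdb:
            findings["rogue"].append(asset_id)            # not registered anywhere
        elif cmdb[asset_id]["software"] != observed:
            findings["cmdb_updates"][asset_id] = observed  # record needs synchronizing
        if is_vulnerable(observed, advisory):
            findings["vulnerable"].append(asset_id)
        extra = sorted(set(observed) - authorized)
        if extra:
            findings["unauthorized"][asset_id] = extra
    # Registered assets the scan did not reach still need an ad-hoc query.
    findings["not_seen"] = sorted(set(cmdb) - set(scan))
    return findings


if __name__ == "__main__":
    print("CMDB query:", query_cmdb(CMDB, ADVISORY))
    for key, value in reconcile(CMDB, SCAN, ADVISORY, AUTHORIZED).items():
        print(f"{key}: {value}")
```

With this data the CMDB query alone flags only srv-db-01, which is already patched, and misses both srv-web-01 and the unregistered asset; that is the gap routine scanning is meant to close.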
<br />
The table below provides a high-level abstraction of the asset types that may contain vulnerabilities and must therefore be considered in a vulnerability management program. <br />
<br />
<br><br />
<br />
{| class="wikitable"<br />
| style="background: #000000; color: #ffffff" | '''Asset Categories''' || style="background: #000000; color: #ffffff" | '''Vulnerability Description'''<br />
|-<br />
| style="background: #777777; color: #ffffff" | '''''Software Assets (applications, APIs, application plug-ins, mobile apps, and OSs)'''''<br />
| style="background: #e5e5e5; color: #000000" | Software coding flaws, bugs, and insecure coding practices are all possible sources of vulnerabilities in software. In order to manage software vulnerabilities in the production environment, all executable software must be identified and monitored. As an example, the Dynamic Link Libraries within Microsoft's OS provide executables for application services. In order to monitor the executables, a digital signature or hash is required to compare the executable to a known good state. If the digital signatures/hashes do not match, then the executable has been changed from the known desired state.<br />
|-<br />
| style="background: #777777; color: #ffffff" | '''''Hardware Assets (endpoints, network appliances, storage devices, peripherals, etc.)'''''<br />
| style="background: #e5e5e5; color: #000000" | Any hardware asset that runs code is likely to contain bugs that are exploitable. Hardware exploits contained in firmware or in CPUs are harder to fix and usually require the hardware to be taken offline to perform remediation. In some cases, there is no available patch and compensating controls may be required. An example of a hardware exploit is the BadUSB exploit, which exploits the USB firmware with malicious code. Since the host cannot detect the firmware code, the exploit bypasses traditional malware detectors and the code is used to exploit the subject host.<br />
|}<br />
<br />
=== ''Vulnerability Management Actors'' ===<br />
The primary user classes (actors) who are responsible for the operation of a Vulnerability Management solution are represented by:<br />
* '''Security Operator:''' Provides the daily operation support and oversight of the Vulnerability Management operations. Security Operators directly interact with the Vulnerability Management system.<br />
* '''System Administrator:''' Provides oversight of vulnerability management software and hardware components. Responsible for system administration of the vulnerability management solution. The System Administrator may also be responsible for remediation activities, such as the installation of the latest patches to software assets.<br />
* '''Risk Manager:''' Provides risk assessments based on asset criticality, vulnerability scan results, threat/vulnerability information, and internally sourced risk information, such as incident reports. Risk assessments may impact scan parameters, scan schedules, and scan rates.<br />
<br />
=== ''Relationship to the OPS Security Functional Model'' ===<br />
The Vulnerability Management ConOps functional design is based upon the security operations functional model. The image below depicts the four lifecycle phases (Plan, Monitor, Assess, and Respond) superimposed on the security operations functional model. The [[Media:GC ESA ConOps - ANNEX E GC Enterprise VMS v0.6.pdf| GC ESA ConOps Annex E: Vulnerability Management System]] document identifies core and supporting functions from the ESA components depicted in the functional model.<br />
<br />
<br><br />
<br />
[[File:Vulnerability Management Functional Model.PNG|centre|thumb|711x711px|Vulnerability Management Functional Model]]<br />
<br />
For more information about the Vulnerability Management System concepts and architecture, please read the [[Media:GC Enterprise VMS HLD v0.5.pdf|GC ESA Vulnerability Management System High-Level Design]] and the [[Media:GC ESA ConOps - ANNEX E GC Enterprise VMS v0.6.pdf| GC ESA ConOps Annex E: Vulnerability Management System]] documents.<br />
<br />
<br><br />
<br />
== Vulnerability Management High Level Design (HLD) ==<br />
The vulnerability management high level design (HLD) objective is to describe a vulnerability management system that provides an integrated and hierarchically-managed vulnerability management capability across the GC enterprise and departments. The HLD describes a vulnerability management system composed of initiative components and interface relationships. Initiative components represent tightly-coupled technical capabilities that expose interfaces for data exchanges. The use of initiative components provides flexibility in deploying technical capabilities at the enterprise or department level while preserving the Report & Inform information sharing hierarchy.<br />
<br />
The following sections, which can be expanded by clicking on 'Expand' on the far right, provide Vulnerability Management system design and rationale organized into five sub-sections:<br />
<br />
<br><br />
<br />
<div class="toccolours mw-collapsible mw-collapsed" style="width:100%"> <br />
'''VM System Context''' <div class="mw-collapsible-content"><br />
---- {{:Vulnerability Management System Context}} </div></div><br />
<div class="toccolours mw-collapsible mw-collapsed" style="width:100%"> <br />
'''VM System Functional Design''' <div class="mw-collapsible-content"><br />
---- {{:Vulnerability Management System Functional Design}} </div></div><br />
<div class="toccolours mw-collapsible mw-collapsed" style="width:100%"> <br />
'''VM System Component Design''' <div class="mw-collapsible-content"><br />
---- {{:Vulnerability Management System Component Design}} </div></div><br />
<div class="toccolours mw-collapsible mw-collapsed" style="width:100%"> <br />
'''VM System Communications Design''' <div class="mw-collapsible-content"><br />
---- {{:Vulnerability Management System Communications Design}} </div></div><br />
<div class="toccolours mw-collapsible mw-collapsed" style="width:100%"><br />
'''VM System Design Collaborations''' <div class="mw-collapsible-content"><br />
---- {{:Vulnerability Management System Design Collaborations}} </div></div><br />
<div class="toccolours mw-collapsible mw-collapsed" style="width:100%"><br />
'''VM Communication Patterns''' <div class="mw-collapsible-content"><br />
---- {{:Vulnerability Management Communication Patterns}} </div></div><br />
<br />
<br><br />
<br />
For more information about the GC ESA Vulnerability Management System High-Level Design, please read the [[Media:GC Enterprise VMS HLD v0.5.pdf|GC ESA Vulnerability Management System High-Level Design]] document.<br />
<br />
<br><br />
<br />
== Vulnerability Management System Design Considerations ==<br />
This section summarizes Vulnerability Management HLD design considerations for developing/acquiring a Vulnerability Management System that provides interoperability and extensibility across the GC enterprise and departments. The section below addresses GC integration considerations (GC architecture and assets). Trade study considerations for the Vulnerability Management System can be found in the [[Media:GC Enterprise VMS HLD v0.5.pdf|GC ESA Vulnerability Management System High-Level Design]]. For an overview of the trade study process and suitable selection criteria, please read the [[Media:GC ESA Framework.pdf|GC ESA Framework]] document. Additional information may be found at the following websites:<br />
* [http://www.gsa.gov/portal/mediaId/199735/fileName/CDM_Product_Catalog.action US Department of Homeland Security and General Services Administration]<br />
* [https://www.owasp.org/index.php/Category:Vulnerability_Scanning_Tools Open Web Application Security Project]<br />
<br />
=== ''Vulnerability Management System Integration Considerations'' ===<br />
This section summarizes GC integration considerations for successfully implementing a Vulnerability Management System within the GC enterprise and departments. These considerations address concerns from a GC perspective rather than the Vulnerability Management System itself.<br />
* The network environment, including perimeter defences and zoning, must be considered when selecting vulnerability management technologies and deployment strategies.<br />
* The inventory of IT/IS assets to be assessed and managed for vulnerabilities is a critical consideration when determining the required Vulnerability Management System. This is especially true when considering the types of vulnerability scanners and vulnerability scan agents required to monitor different assets in a variety of deployment environments. Complex assets, such as application servers and virtualized assets, require different agent assets, remote computing assets, and remote devices all present differing challenges to assessing and managing GC assets.<br />
* The extensibility of the Vulnerability Management System technical capabilities must be considered within the context of the GC enterprise and departments, including:<br />
** Geo-location of assets and remote management of assets<br />
** Interoperability with other types of Vulnerability Management systems (MAM, MDM, Security as a Service providers, Virtualized security services, etc.)<br />
** The capability to collect, synthesize, and report on assessment and compliance scans, vulnerability findings, and remediation status.<br />
<br />
<br><br />
<br />
== References ==<br />
* [[Media:GC Enterprise VMS HLD v0.5.pdf|GC ESA Vulnerability Management System High-Level Design]] <br />
<br />
* [[Media:GC ESA ConOps - ANNEX E GC Enterprise VMS v0.6.pdf|GC ESA ConOps Annex E: Vulnerability Management System]]<br />
<br />
* [[Media:GC ESA Framework.pdf|GC ESA Framework]]<br />
<br />
[[Category:Government of Canada Enterprise Security Architecture (ESA) Program]]<br />
[[Category:Enterprise Security Architecture]]<br />
[[Category:GC Enterprise Architecture]]</div>
Greggory.elton