A vulnerability is a flaw or weakness in a system's security procedures, design, implementation, or controls that could be intentionally or unintentionally exercised by a threat. The goal of this program is to develop a list of vulnerabilities (flaws or weaknesses) that could be exploited by potential threat sources. This list should focus on realistic technical and nontechnical areas where critical information can be disclosed without proper authorization, improperly modified, or made unavailable when needed.
What Does This Mean?
- Asset vulnerabilities are identified and documented
- Threat and vulnerability information is received from information sharing forums and sources
- Newly identified vulnerabilities are mitigated or documented as accepted risks
- A vulnerability management plan is developed and implemented
The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures. Reassess integrity processes continually as technology and operational environments change to determine whether they need to be revised.
What Does This Mean?
- The network is monitored to detect potential cybersecurity events
- The physical environment is monitored to detect potential cybersecurity events
- Personnel activity is monitored to detect potential cybersecurity events
- Malicious code is detected
- Unauthorized mobile code is detected
- External service provider activity is monitored to detect potential cybersecurity events
- Monitoring for unauthorized personnel, connections, devices, and software is performed
Anomalous activity is detected in a timely manner and the potential impact of events is understood.
Statistical anomalies: If a measured, important value crosses a threshold or deviates from an established mathematical norm (a baseline, a mean, a rate), this can be used as an indicator of malicious activity. For example, if a user typically sends 2GB of data a day but is sending 2TB, this might be a sign of data exfiltration.
Heuristic anomalies: These are general, suspicious behaviors that correspond to actions a malicious actor takes during an attack cycle. For example, if an organization sees many open connections to a country in which it does not conduct business, this should be a warning sign. Likewise, if a point of sale system only ever runs a known group of processes but a new one suddenly appears, it should be treated as highly suspect.
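The two detector types described above, as an added example that is not part of the original text: a per-user egress threshold applied to constructed daily volumes (statistical), and a process allowlist plus non-business-country check applied to constructed point-of-sale connection events (heuristic). The allowlist, the country codes ("ZZ" is a placeholder, not a real country), the sample records and the threshold values are assumptions made for this example.

```python
from collections import Counter, defaultdict
from statistics import mean

GB = 1024 ** 3
# Constructed sample egress records: (user, day, bytes_sent). Days 1-5 are the
# baseline; on day 6 alice sends 2 TB instead of her usual 2 GB.
EGRESS = ([("alice", d, 2 * GB) for d in range(1, 6)]
          + [("bob", d, 1 * GB) for d in range(1, 6)]
          + [("alice", 6, 2 * 1024 * GB), ("bob", 6, 1 * GB)])

def statistical_anomalies(records, today, factor=10):
    """Statistical rule: flag a user whose egress on `today` exceeds `factor`
    times the mean of that user's earlier days. Returns (user, ratio) pairs."""
    history, current = defaultdict(list), {}
    for user, day, nbytes in records:
        if day == today:
            current[user] = nbytes
        elif day < today:
            history[user].append(nbytes)
    alerts = []
    for user, nbytes in current.items():
        baseline = mean(history[user]) if history[user] else 0
        if baseline and nbytes > factor * baseline:
            alerts.append((user, nbytes / baseline))
    return alerts

# Assumed POS process allowlist and the countries the business operates in.
POS_ALLOWED = {"pos.exe", "svchost.exe", "explorer.exe"}
BUSINESS_COUNTRIES = {"US", "CA"}
# Constructed sample connection events: (host, process, destination country).
EVENTS = [
    ("pos-01", "pos.exe", "US"), ("pos-01", "svchost.exe", "US"),
    ("pos-02", "updater_x.exe", "US"),               # process not on allowlist
    ("pos-02", "pos.exe", "ZZ"), ("pos-03", "pos.exe", "ZZ"),
    ("pos-04", "pos.exe", "ZZ"),                      # many connections to ZZ
]

def heuristic_anomalies(events, allowed=POS_ALLOWED,
                        countries=BUSINESS_COUNTRIES, min_conns=3):
    """Heuristic rules: an unlisted process on a POS host, or at least
    `min_conns` connections to a country where no business is conducted."""
    alerts = []
    per_country = Counter(c for _, _, c in events if c not in countries)
    for host, proc, _ in events:
        if proc not in allowed:
            alerts.append(("unexpected_process", host, proc))
    for country, n in per_country.items():
        if n >= min_conns:
            alerts.append(("foreign_connections", country, n))
    return alerts

if __name__ == "__main__":
    print(statistical_anomalies(EGRESS, today=6))   # alice, ~1024x baseline
    print(heuristic_anomalies(EVENTS))
```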