NJP

VR-Part 3(PUBG and VR intro)

dhruvsn · Jan 04, 2021 · article

Hii Guys!!,

This is the third article of the series on Vulnerability Response. In the first two parts, we developed an understanding of SEC-OPS with regard to ServiceNow. That was important before starting with the actual Vulnerability Response. So if you have not gone through them, kindly click [part 1](https://community.servicenow.com/community?id=community%5Farticle&sys%5Fid=69fe151cdbf05c104819fb243996190d) and then [part 2](https://community.servicenow.com/community?id=community%5Farticle&sys%5Fid=9b551664db70d0504819fb2439961915) and come back to this. So, let’s start:

It is a story of 4 friends from Delhi, India who used to play PUBG together. Their virtual names were:

* NVD
* CWE
* Qualys
* VR

So, in this team **NVD**, **CWE** and **Qualys** are very knowledgeable: they watch all the training videos and do their research, hence they have all the information about PUBG. During a match, they keep providing information to the team members, for example that if you are using AMR (automatic rifles) like **SCAR-L** or **M4** (guns) without attachments like grips, it increases the recoil and hence makes you **vulnerable** to the enemy.

Now the fourth one, **VR**, keeps on collecting data/information from NVD, CWE, and Qualys and matches it with the guns or attachments in his backpack, and whenever he finds a match he acts on it and prepares himself before the attack.

It sounds like a strategy, right? Now let’s do one exercise: read the above paragraph again, reading:

* **‘Data/information’** as **_‘vulnerabilities’_**
* **‘Backpack’** as **_‘CMDB’_**
* **‘Guns or an attachment’** as **_‘CI’_**

**_And that will become the basics of vulnerability response._**

**_YESS!!!!!!!_**

So now let me give the actual definition of VR (Vulnerability Response). Vulnerability Response is quite simply:

1:) The process of _**identifying, classifying**_ and _**prioritizing**_ vulnerabilities

2:) Deciding upon an appropriate response:

* **Remediation:** Fix, change, patch, correct, amend, repair – something that reduces the vulnerability
* **No remediation:** Document the risk to the organization – something that accepts the vulnerability

Although vulnerabilities are flaws that affect business assets, a vulnerability must itself be exploited by a **threat** (such as an email-borne worm or virus). Consequently, if the risk of danger is **low**, the asset may retain the vulnerability and never be fixed, due to the unlikelihood of the threat ever reaching the asset (e.g. isolated air-gapped systems, or inoculation against rare diseases). Similarly, if the cost of remediation outweighs the business value, a decision could be taken to justify no remediation and accept the risk (e.g. fixing a dripping roof that’s due to be demolished).

Now time for some terminology, because:

* **Configuration Item (CI):** Although ITIL views a Configuration Item as either hardware, software, or peopleware, ServiceNow only considers hardware, software, and services as CIs. Software, in this case, may not necessarily be applications: consider business data like important documents, confidential information, restricted personnel details, commercially sensitive reports, etc.
* **Configuration Management:** _The process that tracks all CIs, maintaining the accuracy and upkeep of the CMDB. Without good configuration management, we don’t know what assets are present, so have no idea what to protect, nor what overall business impact a compromised CI has._
* **Vulnerabilities:** _The weaknesses through which security breaches occur (and are the leading cause, 44%, of data breaches)._
* **The National Vulnerability Database (NVD):** _A U.S. Government repository of vulnerability management data, security checklists, security-related software flaws, misconfigurations, product names, and impact metrics._
* **Common Vulnerabilities and Exposures (CVE):** _“International in scope and free for public use, CVE is a dictionary of publicly known information security vulnerabilities and exposures. CVE common identifiers enable data exchange between security products and provide a baseline index point for evaluating coverage of tools and services.”_
* **Common Weakness Enumeration (CWE):** _A list of software weaknesses._
* **Vulnerability Scanner:** _A software system designed to perform automated scans/analysis of IT operating systems, software, network devices, and web services against the repositories stated above, to discover weaknesses known as vulnerabilities._

Now let’s look at the two main reasons why _**Vulnerability Response**_ is so popular among CXOs:

1:) Integrating VR with other platform capabilities makes it a robust solution. See the image below:

2:) It’s a one-stop shop for all the info required: _**Single System of Records**_

The Vulnerable Item record represents an actual occurrence of a vulnerability in the organization, and it is monitored throughout the remediation. Relationships include:

* Configuration item
* Asset
* Vulnerable Software
* Vulnerability (sn\_vul\_entry)
* Other related Tasks
* Other impacted CIs

The Vulnerable Item table extends the **Task** table, meaning VIT records _**indicate work to be done.**_ Baseline integrations also include _**Change, Problem and Security Incident**_, with ACLs ensuring sensitive information is restricted to those holding certain roles in the **sn\_vul** scope.
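The matching from the PUBG story and the remediation / no-remediation decision defined earlier, as an added JavaScript sketch (not ServiceNow code and not from the original article). All CI names, products, placeholder CVE IDs, costs and the `decideResponse` rule are assumptions constructed for illustration.

```javascript
// Constructed sample data: not taken from a real CMDB, scanner or NVD feed.
const cmdb = [
  { ci: 'web-01', software: 'ExampleHTTPd', version: '2.4.1', airGapped: false, assetValue: 50000 },
  { ci: 'lab-07', software: 'ExampleHTTPd', version: '2.4.1', airGapped: true, assetValue: 8000 },
  { ci: 'db-02', software: 'ExampleDB', version: '9.0', airGapped: false, assetValue: 90000 },
  { ci: 'kiosk-3', software: 'ExampleKiosk', version: '1.0', airGapped: false, assetValue: 300 },
];
// Vulnerability entries as a scanner or NVD import would supply them (placeholder CVE IDs).
const entries = [
  { id: 'CVE-0000-0001', cwe: 'CWE-79', software: 'ExampleHTTPd', affected: ['2.4.0', '2.4.1'], fixCost: 500 },
  { id: 'CVE-0000-0002', cwe: 'CWE-89', software: 'ExampleKiosk', affected: ['1.0'], fixCost: 2000 },
];

// Hypothetical decision rule following the article's two "no remediation" cases.
function decideResponse(entry, ci) {
  if (ci.airGapped) {
    return { action: 'No remediation', reason: 'threat unlikely to reach an isolated asset' };
  }
  if (entry.fixCost > ci.assetValue) {
    return { action: 'No remediation', reason: 'remediation cost outweighs asset value' };
  }
  return { action: 'Remediation', reason: 'fix, patch or repair the CI' };
}

// One vulnerable item per (vulnerability entry, affected CI) pair, i.e. per actual occurrence.
function findVulnerableItems(entries, cmdb) {
  const items = [];
  for (const entry of entries) {
    for (const ci of cmdb) {
      const affected = ci.software === entry.software && entry.affected.includes(ci.version);
      if (!affected) continue; // this CI does not carry the vulnerable software
      items.push({
        configurationItem: ci.ci,
        vulnerableSoftware: `${ci.software} ${ci.version}`,
        vulnerability: entry.id,
        weakness: entry.cwe,
        response: decideResponse(entry, ci),
      });
    }
  }
  return items;
}

for (const item of findVulnerableItems(entries, cmdb)) {
  console.log(item.vulnerability, item.configurationItem, item.response.action, '-', item.response.reason);
}
```

The CI `db-02` produces no vulnerable item because nothing in the feed matches its software, which is why an accurate CMDB matters: a CI that is missing or mis-versioned is silently skipped.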

If you have understood, then think about the image below and put your thoughts in the comments. Just a hint: VR is proactive and patching is reactive.

View original source

https://dhruvsn.wordpress.com/2021/01/04/vr-part-3pubg-and-vr-intro/