
Publication Summary

Title: Technical Vulnerability Management Policy
Author(s): Alessandro Cardinali
Issued by: CEO
Version: 0.1
Review frequency: Yearly
Date of issue: December 11, 2023
Owner: Alessandro Cardinali
Document status: Draft / Final Draft / Final
Approval Date: n/a
Classification: Internal

Change Log

Version | Date | Author | Comments
0.1 | December 11, 2023 | | First draft document
1.0 | December 20, 2023 | |

Contents

1 Introduction
2 Technical vulnerability management policy
2.1 What is a technical vulnerability?
2.2 Vulnerabilities in third party software
2.2.1 Sources of information
2.2.2 Patches and updates
2.2.3 Vulnerability assessment
2.2.4 Hardening
2.2.5 Awareness training
2.3 Reported vulnerabilities in software we create
2.4 Third party vulnerability disclosure

Introduction

Malware is any code or software that may be harmful or destructive to the information processing capabilities of the organization and is one of the primary tools used by attackers to circumvent security in order to make some kind of gain or to disrupt the normal operation of the business.

It is essential that effective precautions are taken by Soon Technologies B.V. to protect itself against this threat which can come from a number of sources including organized gangs, competitor organizations, politically motivated groups, rogue employees, nation state sponsored “cyber-warfare” units or simply individuals exercising curiosity or testing their skills.

Whatever the source, the result of a successful security breach is that the organization and its stakeholders are affected, sometimes seriously, and harm is caused.

Malware comes in many forms and is constantly changing as previous attack routes are closed and new ones are found. For malicious software to carry out its intended purpose it needs to be installed on the target device or computer. There are a number of key ways in which malware infects computers and networks, although new ways are being created all the time.

The most common infection techniques are as follows.

  • Phishing

  • Websites and Mobile Code

  • Removable Media

  • Hacking

But for these techniques to be used by an attacker, they must take advantage of a vulnerability in our defences.

This document sets out the organization’s policy on how it will assess and manage technical vulnerabilities within the IT environment, which includes the cloud services it uses. It further describes how vulnerabilities in software we write, that are discovered by others, will be handled, and lastly what we will do if we identify a vulnerability in third party software. Its intended audience is IT and information security management and support staff who will develop software and implement and maintain the organization’s defences.

This control applies to all systems, people and processes that constitute the organization’s information systems, including board members, directors, employees, suppliers and other third parties who have access to Soon Technologies B.V. systems.

The following policies and procedures are relevant to this document:

Technical vulnerability management policy

What is a technical vulnerability?

A vulnerability is commonly defined as “an inherent weakness in an information system, security procedures, internal controls, or implementation that could be exploited by a threat source.”

The software development process is complicated, and its output in the form of software programs is rarely bug free. Most of these bugs simply affect the functionality of the software so that it does not work as intended. However, if manipulated in the correct way, some can allow an attacker to gain some form of advantage or access which was not intended by the developer. This type of bug is considered to be a software vulnerability.

These vulnerabilities are constantly being found and corrected via software updates or patches. Unfortunately, it is not always the developer or user who discovers these vulnerabilities. When discovered by a potential attacker the vulnerability becomes something to be exploited for gain and kept secret for as long as possible. A newly discovered vulnerability is often referred to as a “zero-day exploit” and is difficult to defend against.

Soon Technologies B.V.’s policy with respect to technical vulnerabilities is to be aware of them and to close them where possible, either directly or via other means.

Vulnerabilities in third party software

This section covers the management of vulnerabilities in third party software that is used to provide internal Soon Technologies B.V. services.

Sources of information

The first step in managing technical vulnerabilities is to become aware of them. Since we are talking about technical vulnerabilities these will of course depend upon the technology employed within the organization. It is necessary then to gain a full appreciation of the technology components that make up the organization’s infrastructure and their versions (since most technical vulnerabilities are very version-specific).

This should include:

  • Operating systems e.g. Windows, Linux, Cisco

  • Databases e.g. SQL Server, MySQL

  • Web servers e.g. IIS, Apache

  • Desktop software e.g. Office, Acrobat

  • Web technologies e.g. browsers, Java

  • Application software e.g. SAP, Exchange

  • Hardware e.g. servers, routers

Information about vulnerabilities with any of the above components is generally available from the vendor who will issue updates and patches to fix those that it becomes aware of.

A process must therefore be put in place to ensure that all relevant information about updates is being received and reviewed by competent staff members. This will usually give guidance about the level of urgency associated with each update.

Where configuration changes are recommended to close off vulnerabilities, these must be actioned through the organization's change management process so that appropriate controls are in place for testing, risk assessment and backout.

For cloud services, the responsibilities of the cloud service provider (CSP) and of Soon Technologies B.V. as the cloud service customer must be defined and agreed. This may involve the CSP being responsible for vulnerability assessment and patching for some or all aspects of the service, depending on the cloud service model adopted (e.g. IaaS, PaaS, SaaS or similar service definitions).

Patches and updates

Patches and updates will typically be issued by software vendors on a regular schedule as cumulative packages. These will be linked to the specific version of software that they relate to and may have dependencies stipulated with other software modules, products or operating systems.

Procedures will be put in place to obtain copies of the software updates electronically when they are issued by the vendor. The scheduling of the installation of updates will depend upon several factors including:

  • The criticality of the systems being updated

  • The expected time taken to install the updates (and requirements for service outages to users)

  • The degree of risk associated with any vulnerabilities that are closed by the updates

  • Co-ordination of the updating of related components of the infrastructure

  • Dependencies between updates

An update release plan must be created and maintained to keep track of when various systems will be updated, considering the factors listed above. The plan must be managed through the change management process. For updates that are low risk and regular, a standard change may be defined within the change management process to allow this to happen without excess administrative overhead (see Change Management Process).

Where appropriate, patching of software, particularly of security updates, will be automated and the success of the process regularly checked.
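The two process steps above, keeping a version-specific inventory of components and scheduling updates by system criticality, risk closed, outage time and dependencies, can be made concrete in a small tool. The following is an added example written for this page; it is not part of the policy or of any Soon Technologies B.V. tooling. The inventory, the advisories and their `ADV-000n` identifiers are constructed placeholders, and the weighting in `priority()` is an illustrative choice, not a formula the policy prescribes.

```python
"""Added example (not part of the policy): match a version-specific component
inventory against vendor advisories and order the resulting patch work using
the scheduling factors the policy lists: system criticality, the risk closed
by the update, expected outage time and dependencies between updates.
All data below is constructed for illustration."""
from dataclasses import dataclass, field


def parse_version(v: str) -> tuple:
    """Minimal dotted-version comparison key (real tooling would use a
    proper version library; this keeps the example dependency-free)."""
    return tuple(int(p) for p in v.split("."))


@dataclass
class Component:
    host: str
    product: str
    version: str
    criticality: int  # 1 (low) .. 5 (business critical), from the asset register


@dataclass
class Advisory:
    advisory_id: str     # constructed placeholder, not a real vendor/CVE id
    product: str
    fixed_in: str        # first version that carries the fix
    severity: int        # vendor-stated urgency, 1 (low) .. 5 (critical)
    outage_hours: float  # expected service outage to apply the update
    depends_on: list = field(default_factory=list)  # advisories to apply first


# Constructed inventory: what runs where, and at which version.
INVENTORY = [
    Component("web01", "Apache", "2.4.50", criticality=4),
    Component("web02", "Apache", "2.4.58", criticality=4),  # already fixed
    Component("db01", "MySQL", "8.0.30", criticality=5),
    Component("ws17", "Office", "16.0.1", criticality=2),
]

# Constructed advisories as they would arrive from vendor feeds.
ADVISORIES = [
    Advisory("ADV-0001", "Apache", "2.4.57", severity=5, outage_hours=1.0),
    Advisory("ADV-0004", "MySQL", "8.0.32", severity=2, outage_hours=0.0),
    Advisory("ADV-0002", "MySQL", "8.0.34", severity=3, outage_hours=4.0,
             depends_on=["ADV-0004"]),  # cumulative package needs ADV-0004 first
    Advisory("ADV-0003", "Office", "16.0.5", severity=4, outage_hours=0.5),
]


def affected(c: Component, a: Advisory) -> bool:
    """A component is affected when it is the advisory's product and still
    runs a version older than the fixed one (vulnerabilities are version-specific)."""
    return c.product == a.product and parse_version(c.version) < parse_version(a.fixed_in)


def priority(c: Component, a: Advisory) -> float:
    """Higher means more urgent. Criticality and severity dominate; a long
    outage pulls the change toward a planned window rather than immediate
    action. The weights are an illustrative assumption."""
    return c.criticality * a.severity - 0.5 * a.outage_hours


def plan(inventory, advisories):
    """Return (host, advisory_id, priority) tuples, most urgent first, with
    each advisory's prerequisites emitted before it on the same host."""
    by_id = {a.advisory_id: a for a in advisories}
    items = [(c, a) for c in inventory for a in advisories if affected(c, a)]
    items.sort(key=lambda ca: priority(*ca), reverse=True)
    pending = {(c.host, a.advisory_id): (c, a) for c, a in items}
    order = []

    def emit(c, a):
        key = (c.host, a.advisory_id)
        if key not in pending:
            return  # already scheduled, or not needed on this host
        del pending[key]
        for dep_id in a.depends_on:  # prerequisites first
            if dep_id in by_id:
                emit(c, by_id[dep_id])
        order.append((c.host, a.advisory_id, priority(c, a)))

    for c, a in items:
        emit(c, a)
    return order


if __name__ == "__main__":
    for host, adv, prio in plan(INVENTORY, ADVISORIES):
        print(f"{host:6} {adv}  priority={prio}")
```

Running the block lists the Apache update on web01 first (critical severity on a high-criticality host), then the two MySQL updates on db01 in dependency order, then the Office update on the workstation; web02 is omitted because it already runs a fixed version. In practice the inventory would come from the asset register and the advisories from the vendor feeds the policy requires staff to monitor, and the resulting order would feed the update release plan managed through change management.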

Vulnerability assessment

In addition to the regular application of vendor-supplied software updates, Soon Technologies B.V. will conduct a vulnerability assessment at least twice a year. The focus of the vulnerability assessment will be guided by the most recent risk assessment.

The purpose of this assessment is to identify existing vulnerabilities in systems that could be exploited by an attacker. These could include known software vulnerabilities that have not been patched, configuration errors that need to be corrected or examples of inadequate security practice that need to be addressed.

The assessment may be carried out in-house, by an external company or a combination of both and as a minimum should cover:

  • Assessment of the security of all routes into the organization’s internal network from the Internet

  • Externally-facing web servers

  • Business critical servers on the internal network

  • A selection of typical endpoint devices

  • Virtual infrastructure hosted within the cloud

If resources permit, additional areas should be assessed such as the vulnerability of employees to phishing attacks.

It is not the organization’s policy to attempt to exploit the vulnerabilities found as a matter of course. This type of penetration test may be commissioned as required using external specialist resources as part of a carefully planned exercise performed outside of normal business hours. The permission of cloud or hosting providers must be obtained prior to testing starting.

Hardening

A further action that will be taken to reduce the number and extent of vulnerabilities within Soon Technologies B.V. systems is the hardening of server and other device configurations. This involves the shutting down of services and protocols that are not needed so that the attack surface is reduced.

These hardening activities will be carried out according to vendors’ guidelines and under the control of the change management process.

Awareness training

As a result of a vulnerability assessment it may be necessary to increase efforts in security awareness training for employees and contract staff. This training should explain the nature of vulnerabilities and what can be done to reduce them.

As part of awareness training, a phishing simulation exercise will be conducted on a regular basis. This will involve the sending of emails to employees that are intended to be similar to typical phishing messages, but which simply report to a central point within Soon Technologies B.V. if the requested action is performed by the employee, for example clicking on a link or opening an attachment. These exercises will help to assess the effectiveness of the awareness training delivered in recognising and avoiding malware disguised in emails.

Reported vulnerabilities in software we create

This section deals with how vulnerabilities that are found by others in software that Soon Technologies B.V. writes will be reported and managed.

Despite all reasonable efforts to create code that is error-free, third parties may discover vulnerabilities in software produced by Soon Technologies B.V. Our policy is to encourage the confidential reporting of such vulnerabilities to our development team so that they may be examined and, if necessary, corrected.

Appropriately secure methods of reporting discovered vulnerabilities will be made available via our website.

All reported vulnerabilities will be examined by our development teams to verify that a vulnerability does exist and, if appropriate, to create an update to address it.

In some circumstances it may be necessary to recommend alternative methods of mitigating the vulnerability, for example via configuration changes.

Soon Technologies B.V. will liaise with the reporter of the vulnerability and keep them updated with progress. With their permission, the reporter will be credited with discovering the vulnerability within the release notes of the update that addresses it.

Third party vulnerability disclosure

From time to time Soon Technologies B.V. may discover new vulnerabilities in third party software. This section describes how these will be managed.

It is important that vulnerabilities in software are addressed in order to minimise risk and Soon Technologies B.V. will play its part in ensuring that such vulnerabilities are brought to the attention of those that have the power to fix them.

In the event that an employee of Soon Technologies B.V. (the reporter) identifies a vulnerability they believe is new and currently unpatched, they will make reasonable attempts to contact the developer of the software to make them aware of the issue. If the developer has a published vulnerability disclosure policy, this will be followed where possible.

The disclosure of the vulnerability will be kept confidential between Soon Technologies B.V. and the software developer for a period of 60 days so that appropriate action may be taken by the developer to fix the issue.

If Soon Technologies B.V. is not satisfied that the issue has received appropriate attention by the software developer by the end of the 60-day period, the reporter may take action to publish details of the vulnerability. In most cases, this should be done via an established vulnerability disclosure platform, such as HackerOne or CERT/CC.