IAVM Executive Summary Report

Patch management is one of the most important and essential components in protecting a network from vulnerabilities. Network assets that have unpatched or outdated software can leave critical systems vulnerable, which can result in stolen confidential data, compromised personally identifiable information (PII), and seized control of critical systems. Government agencies have an added responsibility in protecting the integrity of critical network infrastructures. Attackers have used increasingly sophisticated methods to gain unauthorized entry into government networks that can severely impact government operational and/or mission readiness. 

The Information Assurance Vulnerability Management (IAVM) program is an automated system that provides alerts on existing vulnerability threats, and automates the deployment of patches within Department of Defense (DoD) networks.  The IAVM also acknowledges the receipt of an appropriate countermeasure by an analyst, and specifies a timeframe to mitigate the corresponding vulnerability.  In addition, the IAVM program addresses all types of vulnerabilities from critical to informational, vulnerability bulletins, and technical advisories. The US Cyber Command (USCYBERCOM) and the Defense Information Systems Agency (DISA) jointly manage and publish IAVM Notices for the DoD.  IAVM Notices are published at several levels with differing priority categories. The IAVM Notices are posted on a USCYBERCOM website and also entered into the Defense Information Systems Agency (DISA) operated Vulnerability Management System (VMS). 

The IAVM Executive Summary report provides an executive summary to the current IAVM program, which includes a detailed list of the vulnerabilities identified since 2002. The report template is comprised of two chapters, the first of which focuses on summary charts and graphs to display an overview of the IAVM program.  The second chapter provides a pair of indicator matrices showing a more detailed view of IAVM program by the year of the IAVM Notice and by software vendor.

The report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, assurance report cards and assets. The report can be easily located in the Tenable.sc Feed under the category Executive. The report requirements are:

• Tenable.sc 4.8.2
• Nessus 8.5.1

When appropriate risk management utilizing IAVM is applied, government agencies can strengthen their network security posture, and ensure enterprise-wide compliance. Any type of vulnerability could compromise the confidentiality, availability, and integrity of critical assets and classified data. Any delay in patching assets can cause critical delays, compromise missions, and disrupt national security.

Tenable.sc Continuous View (Tenable.sc CV) is the market-defining continuous network monitoring platform. Tenable.sc CV includes active vulnerability detection with Nessus, which enables the organization to react to advanced threats, zero-day vulnerabilities and new forms of regulatory compliance. Using Tenable.sc CV, an organization will obtain the most comprehensive and integrated view of its network, in order to best prioritize its administration and mitigation efforts.

The following chapters are included in the report:

Executive Summary - The Executive Summary chapter presents several components that provide a high level overview of IAVM vulnerabilities detected within a network. The first component presents a chart of the top assets with IAVM vulnerabilities. The next component presents the number of vulnerabilities by software vendor. The software vendors displayed include Microsoft, Adobe, Sun, PHP, and Apple, which have the most frequent, high-impact types of security vulnerabilities. The respective vendors make up for a large number of vulnerabilities that are being actively exploited and used in targeted attacks. The last component presents the top ten IP addresses with outstanding vulnerabilities identified by IAVM alerts. Any vulnerability that is presented should be assessed, prioritized, and remediated in a timely manner to reduce overall risk.

IAVM Summary Charts and Graphs - The IAVM Summary Charts and Graphs chapter presents a series of charts that display critical and high severities IAVM vulnerabilities. In addition, this chapter presents a 25-day trend analysis of IAVM alerts per year, and a summary of IAVM alerts per plugin family. The information provided within this chapter can assist the analyst in identifying areas of high-risk, and aid in ongoing risk mitigation efforts.

IAVM Summary Matrix - The IAVM Summary Matrix Chapter presents two matrices that display severity levels by year and by vendor. The first matrix present the number of vulnerabilities identified by severity level for the corresponding year. The last matrix presents the number of vulnerabilities identified by software vendor. The respective vendors make up for a large number of vulnerabilities that are being actively exploited and used in targeted attacks. This information can assist the analyst in targeting vendor-specific vulnerabilities, prioritize mitigation efforts, and reduce overall risk.