Vulnerability Management is a tough but essential part of business risk management. It is an ongoing process to assess and manage risk to a business or organization’s digital infrastructure and assets.
One of the most vexing and nuanced aspects of the vulnerability management process is deciding which detected vulnerabilities should be mitigated and in what order. Many guides to prioritizing vulnerabilities are extremely general, which makes them difficult to use in practice. As a Security as a Service provider working with hundreds of customer businesses, Cygilant has found that there are a handful of key, practical questions you must ask of every vulnerability in your scan results to determine the priority of its mitigation.
Imagine you just got the results of a vulnerability scan from a scanner like Qualys, Nessus, or OpenVAS. The data is overwhelming: hundreds or thousands of potential vulnerabilities detected. The report generated is longer than Margaret Hamilton’s Apollo Guidance Computer source code.
You cannot reasonably remediate every single vulnerability detected, and many may be false positives, so how do you determine which vulnerabilities to fix and for which to accept the risk?
Prerequisite: Know Your Asset Inventory and Your Organization’s Business Strategy
Contextual knowledge is critical to determining whether a vulnerability is a realistic threat and how likely it is to be exploited to damage your organization. Ensure you have a thorough IT asset inventory that documents all hardware, operating systems, and applications in use. Additionally, know where business-critical or sensitive data is stored in your environment; a scanner reports a host name and a plugin ID, not what that host is worth to you.
Then, use your organization’s business strategy to determine the value of your digital assets and the consequences if any given asset or group of assets were compromised by a malicious actor. You may also be bound by internal or external compliance requirements that set deadlines for fixing certain classes of vulnerabilities.
Armed with that knowledge, you will be ready to ask these questions of every vulnerability and quickly prioritize your scan’s results:
- How severe is the vulnerability?
The higher the severity level or CVSS score, the more weight the vulnerability should carry in prioritization. Severity ratings and the CVSS base score combine how easily the vulnerability can be exploited (attack vector, attack complexity, privileges and user interaction required) with the technical impact of a successful exploit (loss of confidentiality, integrity, or availability). Keep in mind that the base score is generic: it knows nothing about your assets or your business, so treat it as a starting point that the remaining questions adjust up or down.
- Was the vulnerability detected with an authenticated scan?
Unauthenticated scans infer vulnerabilities from banners and network responses, so they often produce false positives that must be carefully researched and verified. A finding from an authenticated scan, which can inspect installed package versions and configuration directly, is much more likely to be real and should be prioritized. Authenticated scans also detect vulnerabilities, for example in locally installed software, that an unauthenticated scan cannot see at all.
- How common is the vulnerability among your assets?
Whether the vulnerability affects just a handful of machines or has been detected on over 80% of your machines is a huge factor in the priority and speed at which you may need to remediate it. The greater the percentage of your assets affected by a vulnerability, the more opportunities an attacker has to exploit it, and the more a single remediation (one patch rolled out fleet-wide) buys you.
- What is the value of the asset(s) and their context?
Vulnerabilities on high-value assets, such as systems holding sensitive data or generating revenue, that are internet accessible should be high priorities. If those systems are isolated from the network and strictly protected from unauthorized access, the same vulnerabilities may not be an immediate priority to fix. Conversely, low-value but internet-accessible systems with common, easily exploitable remote vulnerabilities should also be prioritized, because they give an attacker a foothold in your network from which to move laterally toward the assets that matter.
- What is the exposure time of the vulnerability?
The longer a vulnerability remains unmitigated in your environment, the more risk it poses. Additionally, the longer it has been since public disclosure, the more likely attackers have developed an exploit script or Metasploit module that is easy to try against your systems; checking whether public exploit code exists is a quick, concrete way to sharpen this question. A related factor is how widely deployed the affected software is: software like Windows, Java, and Firefox is so common that attackers focus on exploiting it for the most return on their investment.
- What is the context of the vulnerability and attack vector?
Your mitigation strategy should consider whether the affected software is critical to generating business revenue, how the vulnerability is exploited (remotely over the network, locally, or through user interaction), and the impact of a successful attack (information disclosure, privilege escalation, remote code execution, etc.). Remediation on business-critical systems must be planned carefully so that the fix itself does not disrupt business operations.
- What mitigation methods are available?
Many vulnerabilities have more than one way to mitigate their risk. The most common fix is a patch or upgrade to the software, but patches carry some risk of breaking systems or key functionality. Always read patch notes and test patches before deploying to production systems. Sometimes the vulnerability can be mitigated with a configuration change that works around the problem, such as disabling an unused service or feature, which may have less chance of impacting business operations. Sometimes there is no patch, configuration change, or other workaround. In that case your options are to document and accept the risk with a date to revisit it, to restrict network access to the affected system, to uninstall the vulnerable software, or to decommission the machine entirely. The priority of remediating a vulnerability may be influenced by the available mitigations and your organization’s needs.
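As an added example (not Cygilant’s code or any scanner’s output format), the following Python script turns the seven questions above into a scoring function and ranks a small set of constructed findings. The field names, weights, and sample inventory are all assumptions meant to be tuned to your own environment and risk appetite; the point is that every factor traces back to one of the questions and that the resulting order is reproducible.

```python
"""Rank scan findings by the seven prioritization questions.

Added example, not Cygilant's or any scanner's code. The fields, the weights
and the sample findings below are assumptions chosen to keep the ranking readable.
"""
from dataclasses import dataclass
from datetime import date

# Hypothetical weights: how much each question can add to a 0-100 score.
W_SEVERITY = 35          # Q1: CVSS base score
W_PREVALENCE = 15        # Q3: share of the inventory affected
W_ASSET_VALUE = 20       # Q4: value of the most valuable affected asset
W_INTERNET_FACING = 10   # Q4: reachable from the internet
W_AGE = 5                # Q5: time since public disclosure, capped at one year
W_PUBLIC_EXPLOIT = 10    # Q5: public PoC or Metasploit module exists
IMPACT_BONUS = {"rce": 5, "privesc": 3}   # Q6: any other impact type gets 1
UNAUTHENTICATED_FACTOR = 0.85             # Q2: discount unverified results, do not drop them


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # 1 (disposable) .. 5 (revenue or sensitive data), from the inventory
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    title: str
    cvss: float           # base score as reported by the scanner
    authenticated: bool   # detected by an authenticated scan
    affected: tuple       # Assets on which the scanner flagged it
    disclosed: date       # public disclosure date
    public_exploit: bool
    impact: str           # "rce", "privesc", "info", ...
    fix: str              # "patch", "config" or "none"


def score(f, inventory_size, today):
    """Return (score, action) for one finding; a higher score means fix sooner."""
    s = W_SEVERITY * f.cvss / 10.0
    s += W_PREVALENCE * len(f.affected) / inventory_size
    s += W_ASSET_VALUE * max(a.value for a in f.affected) / 5.0
    if any(a.internet_facing for a in f.affected):
        s += W_INTERNET_FACING
    s += W_AGE * min((today - f.disclosed).days / 365.0, 1.0)
    if f.public_exploit:
        s += W_PUBLIC_EXPLOIT
    s += IMPACT_BONUS.get(f.impact, 1)
    if not f.authenticated:
        s *= UNAUTHENTICATED_FACTOR
    # Q7: the available mitigation decides what to do, not how urgent it is.
    action = {"patch": "test the patch, then deploy",
              "config": "apply the configuration workaround"}.get(
        f.fix, "no fix available: isolate, uninstall, or document accepted risk")
    if not f.authenticated:
        action = "verify (unauthenticated detection), then " + action
    return round(s, 1), action


def prioritize(findings, inventory_size, today):
    """Return [(title, score, action)] sorted from most to least urgent."""
    scored = [(f.title, *score(f, inventory_size, today)) for f in findings]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample inventory and findings (not real scan output).
WEB = Asset("web-01", value=2, internet_facing=True)
ERP = Asset("erp-db", value=5, internet_facing=False)
WORKSTATIONS = tuple(Asset(f"ws-{i:02d}", value=1, internet_facing=False) for i in range(1, 9))
INVENTORY_SIZE = 2 + len(WORKSTATIONS)
TODAY = date(2018, 6, 1)

SAMPLE = [
    Finding("web framework RCE", 9.8, True, (WEB,), date(2017, 3, 6), True, "rce", "patch"),
    Finding("ERP service weakness (unverified)", 7.5, False, (ERP,), date(2018, 5, 20), False, "info", "none"),
    Finding("outdated Java runtime", 8.8, True, WORKSTATIONS, date(2017, 4, 18), True, "rce", "patch"),
    Finding("weak TLS configuration", 4.3, True, (ERP,), date(2018, 1, 1), False, "info", "config"),
]


def demo():
    """Rank the constructed sample with the hypothetical weights."""
    return prioritize(SAMPLE, INVENTORY_SIZE, TODAY)


if __name__ == "__main__":
    for title, s, action in demo():
        print(f"{s:5.1f}  {title:35s} {action}")
```

With these weights the low-value but internet-facing web server carrying an old, publicly exploited RCE ranks first, ahead of the widespread Java flaw on workstations; the unverified finding on the crown-jewel database is discounted and flagged for verification before anything else, and the low-severity finding with a configuration workaround comes last. Change a weight and the order changes, which is the point: the weights make your organization’s judgement explicit and reviewable instead of leaving it to whoever reads the report.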
These are the top questions our customers use to overcome the challenge of vulnerability prioritization. The answers will guide you toward the right course of action for your organization and save you time struggling to prioritize findings by hand.
Prioritizing vulnerability scan results is only half the battle though, you need a platform that will provide the most remediation assistance possible, risk management processes, and automated tracking and reporting of your vulnerability management process to prove compliance. Cygilant’s SOCVue Security as a Service platform offers a robust Vulnerability Patch Management service that goes over and above what any other vulnerability scanner vendor can offer. Cygilant’s Vulnerability-Patch Management integration offers the most efficient solution to your Vulnerability and Patch headaches. Learn more about Vulnerability and Patch Management in this short video: