Vulnerability management is a tough but essential part of business risk management. It is an ongoing process to assess and manage risk.
Imagine you just got the results back from a vulnerability scanner. The data is overwhelming: hundreds or thousands of potential vulnerabilities detected. You cannot reasonably remediate every single one, and many may be false positives, so how do you decide which vulnerabilities to fix and which risks to accept?
Many guides to prioritizing vulnerabilities are extremely general, which makes them difficult to use in practice. As a cybersecurity-as-a-service provider, Cygilant has found that there are a handful of key, practical questions you must ask of every vulnerability in your scan results to determine how urgently it should be mitigated.
Prerequisite: Know Your Asset Inventory and Your Organization’s Business Strategy
Contextual knowledge is critical to determining whether a vulnerability is a realistic threat and how likely it is to be exploited to damage your organization. Ensure you have a thorough IT asset inventory that documents all hardware, operating systems, and running applications. Additionally, know where business-critical or sensitive data is stored in your environment.
Then, use your organization’s business strategy to determine the value of your digital assets and the consequences if any given asset, or group of assets, were compromised by a malicious actor. You may also need to follow internal or external compliance guidelines that dictate which vulnerabilities must be fixed by a set deadline.
Armed with knowledge, you will be ready to ask these seven questions for every vulnerability and quickly prioritize your vulnerability scan’s results:
1. How severe is the vulnerability?
The higher the severity level or CVSS score, the more weight the vulnerability should carry in prioritization. Severity and CVSS score usually indicate how easily the vulnerability could be exploited and the impact on your organization if it were.
2. Was the vulnerability detected with an authenticated scan?
Unauthenticated scans often produce false positives, which must be carefully researched and verified; if the vulnerability was detected by an authenticated scan, it is likely a real result and should be prioritized. Authenticated scans also detect vulnerabilities that an unauthenticated scan cannot see.
3. How common is the vulnerability among your assets?
Whether the vulnerability affects just a handful of machines or has been detected on over 80% of them is a major factor in how urgently, and how quickly, you need to remediate. The greater the percentage of your assets affected by a vulnerability, the more opportunities an attacker has to exploit it.
4. What is the value of the asset(s) and their context?
Vulnerabilities on high-value assets, such as systems holding sensitive data or revenue-generating systems that are internet-accessible, should be high priorities; if the systems are offline and strictly protected from unauthorized access, the vulnerabilities may not be an immediate priority to fix. Low-value, internet-accessible systems with common, easily remotely exploitable vulnerabilities should still be prioritized for remediation, because they are where attackers gain a foothold before moving laterally through your network.
5. What is the exposure time of the vulnerability?
The longer a vulnerability remains unmitigated in your environment, the more risk it poses. Additionally, the longer it has been since the vulnerability’s public disclosure, the more likely attackers have developed an exploit script or Metasploit module that is easy to try against your systems. Another factor in exposure time is how widespread the affected software is: software like Windows, Java, and Firefox is so common that attackers focus on exploiting it for the greatest return on investment.
6. What is the context of the vulnerability and attack vector?
Your mitigation strategy should consider whether the affected software is critical to generating business revenue, the method of exploitation, and the impact of a successful attack (information disclosure, privilege escalation, remote code execution, etc.). Mitigation of business-critical system vulnerabilities must be carefully planned to ensure that any remediation action has minimal impact on business operations.
7. What mitigation methods are available?
Many vulnerabilities can be mitigated in more than one way. The most common solutions are patches or upgrades to the software, but these always carry the risk of breaking systems or key functionality. Always read patch notes and test patches before deploying them to production systems. Sometimes the vulnerability can be mitigated with a system configuration change that works around the problem, which may have less chance of impacting business operations. Sometimes there is no patch, configuration change, or other workaround. In that case, your options are to accept the risk and revisit the issue later, to uninstall the vulnerable software, or to shut the machine down entirely. The priority of remediating a vulnerability may therefore be influenced by the available mitigations and your organization’s needs.
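The seven questions above can be turned into a repeatable triage step over a scan export. The following is an added example, not Cygilant’s own tooling or method: the weights, the `Finding` fields, the impact and mitigation categories, and the sample findings (placeholder ids) are all assumptions chosen to illustrate how each question moves a finding up or down the list.

```python
# Added example: rank scan findings with the seven questions above (assumed weights).
from dataclasses import dataclass

@dataclass
class Finding:
    finding_id: str
    cvss: float                 # Q1: severity (CVSS base score, 0-10)
    authenticated: bool         # Q2: confirmed by an authenticated scan?
    prevalence: float           # Q3: fraction of assets affected (0-1)
    asset_value: int            # Q4: business value, 1 (low) to 5 (critical)
    internet_facing: bool       # Q4: reachable from the internet?
    days_since_disclosure: int  # Q5: age of the public advisory
    days_open: int              # Q5: how long it has been open in our scans
    impact: str                 # Q6: "info", "privesc" or "rce"
    mitigation: str             # Q7: "patch", "config" or "none"

IMPACT_WEIGHT = {"info": 0.5, "privesc": 0.8, "rce": 1.0}  # assumed weights

def risk_score(f: Finding) -> float:  # multiply severity by the exposure factors
    score = f.cvss * IMPACT_WEIGHT[f.impact]        # Q1 and Q6
    if not f.authenticated:
        score *= 0.6                                 # Q2: unverified, may be a false positive
    score *= 1 + f.prevalence                        # Q3: 1x for a few hosts, 2x for all
    score *= 0.4 + 0.12 * f.asset_value              # Q4: 0.52 (low) to 1.0 (critical)
    if f.internet_facing:
        score *= 1.5                                 # Q4: exposed systems are footholds
    age = min(f.days_since_disclosure, 365) / 365    # Q5: public exploit likelihood
    open_time = min(f.days_open, 90) / 90            # Q5: time left unmitigated here
    score *= 1 + 0.5 * age + 0.5 * open_time
    return round(score, 2)

def recommended_action(f: Finding) -> str:  # Q7: pick the remediation path
    if f.mitigation == "patch":
        return "test and deploy the vendor patch"
    if f.mitigation == "config":
        return "apply the configuration workaround"
    return "no fix: accept and revisit, uninstall the software, or take the host offline"

def prioritize(findings):  # highest risk first, with score and suggested action
    ranked = sorted(findings, key=risk_score, reverse=True)
    return [(f.finding_id, risk_score(f), recommended_action(f)) for f in ranked]

# Constructed sample findings (placeholder ids, not real scan output)
SAMPLE_FINDINGS = [
    Finding("F-001", 9.8, True, 0.8, 2, True, 400, 60, "rce", "patch"),
    Finding("F-002", 7.5, False, 0.05, 5, False, 20, 5, "info", "config"),
    Finding("F-003", 8.8, True, 0.3, 5, True, 200, 30, "privesc", "none"),
]
```

Note that the low-value but internet-facing, widespread, year-old RCE (F-001) outranks the privilege escalation on the critical host, while the unauthenticated information-disclosure finding on an isolated system drops to the bottom for manual verification.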
These are the questions we use to overcome the challenge of vulnerability prioritization for our customers. The answers will guide you toward the right course of action for your organization and save you time struggling to prioritize vulnerabilities.