Related Reads
Some Thoughts on Vulnerability Management
September 30, 2017 | Views: 7776
You’ve carried out a vulnerability scan of your organization and now how a report totaling possibly thousands of pages, listing hundreds of vulnerabilities over multiple devices. Chances are, adding to the problem will likely be the total lack of resources to be able to deal this in anything but an ad-hoc manner (one-player, whack-a-mole scenario).
Not all vulnerabilities are the same.
Some research from the web indicates that while there are over 6,000 new CVE vulnerabilities detected per year, (though this year has seen a distinct rise in number, 10800 through to September 2017), only 7% of vulnerabilities have exploits. Of these exploits, only 1% is available via exploit kits. Added to this, some vulnerabilities are harder to exploit than others, (around 80% are remotely exploitable), not all vulnerabilities are currently patchable and other mitigations may need to be evaluated, how severe is the issue, also not all exploitable assets have the same level importance or value.
What to do:
Prioritization is a critical risk management process that ranks known risks according to a predefined set of characteristics. So both vulnerabilities and assess need to be ranked in order of importance and then dealt with accordingly. Since each organization is different, the following criteria are for guidance only as are just some of the questions to ask:
Vulnerability Prioritization
- Does Exploit exist for this vulnerability
- Can the vulnerability be exploited remotely or does it require local access
- Is it part of a freely available exploit kit
- Does exploit result in privilege escalation or lateral movement
- Is the device hosting public facing services
- CVE threat level score
- Is the vulnerability easily exploited
- Does the vulnerability rely on chaining to achieve results
- What type of data is the affected server hosting / Data loss
- What’s the fallout of a successful exploit
- Does a patch exist
Asset Prioritization
- What Service is the asset hosting
- is this service dependent on another server/service
- How important to business is service
- Redundancy
- Multiple Servers
- Clustered
- Load Balanced
- How vulnerable is the asset?
- Is the vulnerable device on a publicly accessible network?
- Do the assets contain sensitive data?
- Device Recovery Points/Recent Backups
- VM/Physical
- Is another server/service dependent on this server?
The final results from this exercise should be an ordered list of which vulnerabilities on which assists to mitigate first. The following graphic portrays my own thought process when working through these issues.
Hope this has shed some light on how to end the game of wack-a-mole and has been of some use. Thanks for reading.
Gary
Share with Friends
Use Cybytes and
Tip the Author!
Tip the Author!
Join
Share with Friends
Ready to share your knowledge and expertise?
7 Comments
Cybrary On The Go
Get the Cybrary app for Android for online and offline viewing of our lessons.
Support Cybrary
Donate Here to Get This Month's Donor Badge
can I get a copy of digram in PDF.
Any idea of open source tools which simplify vulnerability reporting and tracking? Thanks for the simplified explanation for vulnerability management.
The mindmap was originally produced using Xmind. I can make that file available if it’s of use, or I can export the image or pdf that’s more convenient.
Mind map file is also fine, I like Xmind as well.
http://www.30242.net/Prioritize_Vulnerabilities.rar
—————————
Checksum information
—————————
Name: Prioritize_Vulnerabilities.rar
Size: 127120 bytes (0 MB)
SHA1: 82B86847884D1DECA3C7F7B7B7C7C6E4D311B25A
—————————
OK
—————————
Many thanks for sharing.
Can we get this diagram somehow?
Cheers!!