Some Thoughts on Vulnerability Management

You’ve carried out a vulnerability scan of your organization and now how a report totaling possibly thousands of pages, listing hundreds of vulnerabilities over multiple devices. Chances are, adding to the problem will likely be the total lack of resources to be able to deal this in anything but an ad-hoc manner (one-player, whack-a-mole scenario).

Not all vulnerabilities are the same.
Some research from the web indicates that while there are over 6,000 new CVE vulnerabilities detected per year, (though this year has seen a distinct rise in number, 10800 through to September 2017), only 7% of vulnerabilities have exploits. Of these exploits, only 1% is available via exploit kits. Added to this, some vulnerabilities are harder to exploit than others, (around 80% are remotely exploitable), not all vulnerabilities are currently patchable and other mitigations may need to be evaluated, how severe is the issue, also not all exploitable assets have the same level importance or value.

What to do:
Prioritization is a critical risk management process that ranks known risks according to a predefined set of characteristics. So both vulnerabilities and assess need to be ranked in order of importance and then dealt with accordingly. Since each organization is different, the following criteria are for guidance only as are just some of the questions to ask:

Vulnerability Prioritization

• Does Exploit exist for this vulnerability
• Can the vulnerability be exploited remotely or does it require local access
• Is it part of a freely available exploit kit
• Does exploit result in privilege escalation or lateral movement
• Is the device hosting public facing services
• CVE threat level score
• Is the vulnerability easily exploited
• Does the vulnerability rely on chaining to achieve results
• What type of data is the affected server hosting / Data loss
• What’s the fallout of a successful exploit
• Does a patch exist

Asset Prioritization

• What Service is the asset hosting
  • is this service dependent on another server/service
  • How important to business is service
• Redundancy
  • Multiple Servers
  • Clustered
  • Load Balanced
• How vulnerable is the asset?
  • Is the vulnerable device on a publicly accessible network?
• Do the assets contain sensitive data?
• Device Recovery Points/Recent Backups
• VM/Physical
• Is another server/service dependent on this server?

The final results from this exercise should be an ordered list of which vulnerabilities on which assists to mitigate first. The following graphic portrays my own thought process when working through these issues.

Hope this has shed some light on how to end the game of wack-a-mole and has been of some use. Thanks for reading.

Gary

Want to learn more? Check out Cybrary’s vulnerability management course.