Some Thoughts on Vulnerability Management

September 30, 2017


You’ve carried out a vulnerability scan of your organization and now have a report totaling possibly thousands of pages, listing hundreds of vulnerabilities across multiple devices. Chances are, adding to the problem will be a total lack of resources to deal with this in anything but an ad-hoc manner (a one-player game of whack-a-mole).

Not all vulnerabilities are the same.
Some research from the web indicates that while over 6,000 new CVE vulnerabilities are reported per year (though this year has seen a distinct rise in number, with 10,800 through to September 2017), only 7% of vulnerabilities have exploits, and of those exploits only 1% are available via exploit kits. Added to this, some vulnerabilities are harder to exploit than others (around 80% are remotely exploitable), not all vulnerabilities are currently patchable so other mitigations may need to be evaluated, severity varies from issue to issue, and not all exploitable assets have the same level of importance or value.

What to do:
Prioritization is a critical risk management process that ranks known risks according to a predefined set of characteristics. So both vulnerabilities and assets need to be ranked in order of importance and then dealt with accordingly. Since each organization is different, the following criteria are for guidance only and are just some of the questions to ask:

Vulnerability Prioritization

  • Does an exploit exist for this vulnerability?
  • Can the vulnerability be exploited remotely, or does it require local access?
  • Is it part of a freely available exploit kit?
  • Does the exploit result in privilege escalation or lateral movement?
  • Is the device hosting public-facing services?
  • CVE threat level score
  • Is the vulnerability easily exploited?
  • Does the vulnerability rely on chaining to achieve results?
  • What type of data is the affected server hosting? / Data loss
  • What’s the fallout of a successful exploit?
  • Does a patch exist?

Asset Prioritization

  • What Service is the asset hosting
    • is this service dependent on another server/service
    • How important to business is service
  • Redundancy
    • Multiple Servers
    • Clustered
    • Load Balanced
  • How vulnerable is the asset?
    • Is the vulnerable device on a publicly accessible network?
  • Do the assets contain sensitive data?
  • Device Recovery Points/Recent Backups
  • VM/Physical
  • Is another server/service dependent on this server?

The final result of this exercise should be an ordered list of which vulnerabilities on which assets to mitigate first. The following graphic portrays my own thought process when working through these issues.

[Figure: mind-map]
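To make the exercise concrete, here is an added example (not code from the post or its author) that turns the two question lists above into a scoring routine and produces the ordered list the post describes. The weights, the field names and the three sample findings are all constructed assumptions; the vulnerability identifiers are placeholders, not real CVEs. The point it shows is that the same vulnerability can land in different positions depending on the asset it sits on, which is why both lists have to be answered.

```python
"""Rank (vulnerability, asset) pairs using the prioritization questions from the post.

Added example; weights and sample findings are constructed, not scanner data.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Vulnerability:
    vid: str                    # placeholder identifier, not a real CVE
    cvss: float                 # "CVE threat level score", 0.0 - 10.0
    exploit_exists: bool        # does a public exploit exist
    in_exploit_kit: bool        # is it bundled into a freely available kit
    remote: bool                # remotely exploitable vs. needs local access
    easy_to_exploit: bool       # low complexity
    needs_chaining: bool        # only useful when chained with another flaw
    privesc_or_lateral: bool    # gives privilege escalation / lateral movement
    patch_available: bool       # a fix exists (otherwise plan a mitigation)


@dataclass
class Asset:
    name: str
    business_criticality: int   # 1 (low) .. 5 (critical) for the hosted service
    public_facing: bool         # on a publicly accessible network
    sensitive_data: bool        # holds regulated or confidential data
    redundant: bool             # clustered / load balanced / multiple servers
    recent_backup: bool         # a recovery point exists
    dependents: int             # other services that depend on this one


def vulnerability_score(v: Vulnerability) -> float:
    """Weigh the vulnerability questions. Weights are assumptions for illustration."""
    score = v.cvss                      # start from the published severity
    if v.exploit_exists:
        score += 3.0
    if v.in_exploit_kit:
        score += 3.0                    # the small fraction commodity attackers use
    if v.remote:
        score += 2.0
    if v.easy_to_exploit:
        score += 1.0
    if v.needs_chaining:
        score -= 2.0                    # harder to turn into a result on its own
    if v.privesc_or_lateral:
        score += 2.0
    if not v.patch_available:
        score += 1.0                    # no patch: a compensating control is needed sooner
    return score


def asset_score(a: Asset) -> float:
    """Weigh the asset questions. Weights are assumptions for illustration."""
    score = float(a.business_criticality)
    if a.public_facing:
        score += 3.0
    if a.sensitive_data:
        score += 3.0
    score += min(a.dependents, 3)       # cap so one hub does not swamp the ranking
    if a.redundant:
        score -= 1.0                    # an outage is survivable
    if not a.recent_backup:
        score += 1.0                    # recovery would be slow or impossible
    return score


def risk(v: Vulnerability, a: Asset) -> float:
    # Product rather than sum: a minor flaw on a crown jewel and a critical flaw on a
    # throwaway box should both rank below a critical flaw on a crown jewel.
    return round(vulnerability_score(v) * asset_score(a), 1)


def prioritize(findings: list[tuple[Vulnerability, Asset]]) -> list[tuple[str, str, float]]:
    """Return (vulnerability id, asset name, risk) tuples, highest risk first."""
    ranked = [(v.vid, a.name, risk(v, a)) for v, a in findings]
    return sorted(ranked, key=lambda t: t[2], reverse=True)


# Constructed sample scan output: three findings across two assets.
WEB = Asset("web-01", business_criticality=4, public_facing=True, sensitive_data=False,
            redundant=True, recent_backup=True, dependents=1)
DB = Asset("db-01", business_criticality=5, public_facing=False, sensitive_data=True,
           redundant=False, recent_backup=False, dependents=4)

SAMPLE_FINDINGS = [
    (Vulnerability("EXAMPLE-VULN-1", 9.8, True, True, True, True, False, False, True), WEB),
    (Vulnerability("EXAMPLE-VULN-2", 7.8, True, False, False, False, True, True, False), DB),
    (Vulnerability("EXAMPLE-VULN-3", 5.3, False, False, True, True, False, False, True), WEB),
]

if __name__ == "__main__":
    for vid, asset, score in prioritize(SAMPLE_FINDINGS):
        print(f"{score:7.1f}  {vid:16}  {asset}")
```

With these weights the locally exploitable, unpatched privilege-escalation flaw on the unbackedup database outranks the exploit-kit flaw on the redundant, public web server, which is the kind of outcome a pure CVSS sort would never produce. The weights are the part each organization has to set for itself; the structure (answer both lists, combine, sort) is what the post is describing.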

Hope this has shed some light on how to end the game of whack-a-mole and has been of some use. Thanks for reading.


  1. Can I get a copy of the diagram in PDF?

  2. Any idea of open source tools which simplify vulnerability reporting and tracking? Thanks for the simplified explanation for vulnerability management.

  3. The mindmap was originally produced using Xmind. I can make that file available if it’s of use, or I can export the image or pdf that’s more convenient.

  4. Can we get this diagram somehow?
