You’ve carried out a vulnerability scan of your organization and now have a report totaling possibly thousands of pages, listing hundreds of vulnerabilities over multiple devices. Chances are, adding to the problem will be a total lack of resources to deal with this in anything but an ad-hoc manner (a one-player, whack-a-mole scenario).
Not all vulnerabilities are the same.
Some research from the web indicates that while over 6,000 new CVE vulnerabilities are detected per year (though this year has seen a distinct rise in number, with 10,800 through to September 2017), only 7% of vulnerabilities have exploits, and of those exploits only 1% are available via exploit kits. Added to this, some vulnerabilities are harder to exploit than others (around 80% are remotely exploitable), not all vulnerabilities are currently patchable so other mitigations may need to be evaluated, severity differs from issue to issue, and not all exploitable assets have the same level of importance or value.
What to do:
Prioritization is a critical risk management process that ranks known risks according to a predefined set of characteristics. So both vulnerabilities and assets need to be ranked in order of importance and then dealt with accordingly. Since each organization is different, the following criteria are for guidance only and are just some of the questions to ask:
Vulnerability Prioritization
Asset Prioritization
The final results from this exercise should be an ordered list of which vulnerabilities on which assets to mitigate first. The following graphic portrays my own thought process when working through these issues.
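As an added illustration (not part of the original post or its mind map), the following Python scorer turns the criteria above into the ordered list the exercise should produce: severity, scaled by exploit availability, exploit-kit presence, remote exploitability, patch availability and asset value. The weights and the sample findings are assumptions constructed for this example, not a published standard.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    """One vulnerability observed on one asset (constructed sample input)."""
    vuln_id: str          # constructed identifier, not a real CVE
    asset: str
    cvss: float           # base severity, 0-10
    exploit_public: bool  # a working exploit is publicly known
    in_exploit_kit: bool  # packaged in an exploit kit (weaponised)
    remote: bool          # exploitable over the network
    patch_available: bool
    asset_value: int      # business criticality, 1 (low) to 5 (crown jewel)


def priority_score(f: Finding) -> float:
    """Rank a finding: severity scaled by how exploitable it is and how much
    the asset matters. Weights are illustrative assumptions."""
    exploitability = 1.0
    if f.exploit_public:
        exploitability += 1.0
    if f.in_exploit_kit:
        exploitability += 1.5
    if f.remote:
        exploitability += 0.5
    # Unpatchable issues need a mitigation plan, so they rank slightly higher.
    mitigation = 1.0 if f.patch_available else 1.2
    return round(f.cvss * exploitability * f.asset_value * mitigation, 1)


def prioritize(findings):
    """Return findings ordered from most to least urgent."""
    return sorted(findings, key=priority_score, reverse=True)


# Constructed data: a critical-severity bug on a low-value laptop with no public
# exploit should fall below a weaponised medium on the payroll database.
SAMPLE = [
    Finding("VULN-1", "dev-laptop-07", 9.8, False, False, True, True, 1),
    Finding("VULN-2", "payroll-db", 7.5, True, True, True, True, 5),
    Finding("VULN-3", "payroll-db", 5.3, False, False, False, False, 5),
    Finding("VULN-4", "web-frontend", 8.1, True, False, True, False, 4),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{priority_score(f):7.1f}  {f.vuln_id}  on {f.asset}")
```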
Hope this has shed some light on how to end the game of whack-a-mole and has been of some use. Thanks for reading.
Gary
Want to learn more? Check out Cybrary’s vulnerability management course.
Can I get a copy of the diagram in PDF?
Any idea of open source tools which simplify vulnerability reporting and tracking? Thanks for the simplified explanation for vulnerability management.
The mindmap was originally produced using Xmind. I can make that file available if it’s of use, or I can export the image or PDF if that’s more convenient.
Mind map file is also fine, I like Xmind as well.
http://www.30242.net/Prioritize_Vulnerabilities.rar
Checksum information
Name: Prioritize_Vulnerabilities.rar
Size: 127120 bytes (0 MB)
SHA1: 82B86847884D1DECA3C7F7B7B7C7C6E4D311B25A
Many thanks for sharing.
Can we get this diagram somehow?
Cheers!!