Ready to Start Your Career?
September 30, 2017
Some Thoughts on Vulnerability Management
September 30, 2017
You've carried out a vulnerability scan of your organization and now how a report totaling possibly thousands of pages, listing hundreds of vulnerabilities over multiple devices. Chances are, adding to the problem will likely be the total lack of resources to be able to deal this in anything but an ad-hoc manner (one-player, whack-a-mole scenario).Not all vulnerabilities are the same.Some research from the web indicates that while there are over 6,000 new CVE vulnerabilities detected per year, (though this year has seen a distinct rise in number, 10800 through to September 2017), only 7% of vulnerabilities have exploits. Of these exploits, only 1% is available via exploit kits. Added to this, some vulnerabilities are harder to exploit than others, (around 80% are remotely exploitable), not all vulnerabilities are currently patchable and other mitigations may need to be evaluated, how severe is the issue, also not all exploitable assets have the same level importance or value.What to do:Prioritization is a critical risk management process that ranks known risks according to a predefined set of characteristics. So both vulnerabilities and assess need to be ranked in order of importance and then dealt with accordingly. Since each organization is different, the following criteria are for guidance only as are just some of the questions to ask:Vulnerability Prioritization
- Does Exploit exist for this vulnerability
- Can the vulnerability be exploited remotely or does it require local access
- Is it part of a freely available exploit kit
- Does exploit result in privilege escalation or lateral movement
- Is the device hosting public facing services
- CVE threat level score
- Is the vulnerability easily exploited
- Does the vulnerability rely on chaining to achieve results
- What type of data is the affected server hosting / Data loss
- What's the fallout of a successful exploit
- Does a patch exist
- What Service is the asset hosting
- is this service dependent on another server/service
- How important to business is service
- Multiple Servers
- Load Balanced
- How vulnerable is the asset?
- Is the vulnerable device on a publicly accessible network?
- Do the assets contain sensitive data?
- Device Recovery Points/Recent Backups
- Is another server/service dependent on this server?