Managing the Deluge of Vulnerabilities Using a Risk-Based Approach

Chuck Davis, VP of Global Information Security, Hikvision


There were more than 20,000 vulnerabilities listed in the CVE vulnerability database in 2021, and that number had already been exceeded by October 2022. In fact, as of October 24, an average of 68 vulnerabilities have been listed every day. Just six years ago, the daily average was 17 vulnerabilities listed in the CVE database.

Image from cvedetails.com

This massive increase in vulnerabilities has put a strain on many companies as system administrators work full-time to review, test and install patches. Some companies outsource their patch installation to third parties in order to remediate vulnerabilities in a timely manner. This is an effective way to augment IT staffing needs, but it also adds risk as those third-party employees need administrative privileges on systems to install patches.

While the goal is to install all security patches quickly, it is important to understand the risk that each vulnerability on each system poses, so that a company can prioritize its vulnerability remediation efforts using a risk-based vulnerability management process. The first steps are outlined below.

1. Identify your digital assets

2. Run a vulnerability scanner regularly

3. Prioritize your remediation efforts based on risk

Identify Your Digital Assets

Even small companies likely have many more digital assets than they have employees. Laptops, desktops, mobile devices, IoT (Internet of Things) devices and OT (Operational Technology) systems are all computers that run on your network or are accessible by your employees. Knowing which systems are used to run your business is important. You can’t secure a device if you don’t know it exists. One method of identifying which systems are on your network is to run a network device discovery tool. This can be done quickly and easily on a flat network by running “arp -a” at the Windows, macOS or Linux command line. This provides a snapshot of the devices on a network, but most networks are dynamic, with systems coming and going regularly. For a more robust solution, network device discovery software will automatically scan and monitor networks and maintain an up-to-date asset inventory.

Run a Vulnerability Scanner

Once you know which devices are on your network, it’s important to know what is running on those systems. A network vulnerability scanner will scan your network to identify devices similar to the network device discovery software, but it will also attempt to identify what software and services are running on those systems and report any known vulnerabilities to you. These vulnerability scanners are updated regularly with new data from the CVE database and other vulnerability repositories. In a typical vulnerability scanner report, you would see a list of any known vulnerabilities for each IP address on your network, along with a severity score for each of those vulnerabilities.

Severity scores are determined using the CVSS (Common Vulnerability Scoring System) calculator. Severity scores use a ten-point numeric scale divided into five categories: none, low, medium, high, and critical.

There are three parts to a CVSS score: the base score, the temporal score, and the environmental score.

The base score determines the severity of a vulnerability with no other context. The calculator asks questions to determine the score. For example:

● If a vulnerability can be exploited over a network, the score goes up.

● If an attacker needs to physically touch the target system, the score goes down.

● If an attacker needs to have administrative or root access to the target system, the score goes down.

● If an attacker doesn’t even need an account on the target system, the score goes up.

One popular source of CVSS scores for CVEs is the National Vulnerability Database (NVD), which is managed by the U.S. National Institute of Standards and Technology (NIST). However, the NVD only provides the base score for each vulnerability. To determine the severity level for each vulnerability on each system in your environment, you need to go back to the CVSS calculator and determine the temporal score and environmental score, which can help you prioritize your remediation efforts based on risk.

Prioritize Your Remediation Efforts Based on Risk

The temporal score reflects the risk of an attacker exploiting a vulnerability. For example:

● If there is known exploit code being used to attack vulnerable systems, the score goes up.

● If the vulnerability is only theoretical and has not been proven, the score goes down.

● If the vendor creates a patch for the vulnerability, the score goes down.

● If there are no patches or workarounds, the score goes up.

Answering these questions is not always easy because the answers could change from day to day. One of the best methods of determining if a vulnerability is being actively exploited by attackers is to reference the Known Exploited Vulnerabilities Catalog from the U.S. Cybersecurity & Infrastructure Security Agency (CISA). This is a list of CVEs that are known to be used by attackers, so anything on this list should be a priority on any systems that are accessible to attackers.

Finally, the environmental score reflects the criticality of a vulnerability in the context of your environment. For example, you may have a web server that is accessible from the Internet and has a critical vulnerability. In this environment, the vulnerability is arguably critical. However, if you have an exact copy of that web server running in an isolated lab that is not connected to a network and is physically and logically accessible only by the one person who needs to access that system, the score is likely much lower and the system can be patched at a less urgent pace.

In addition to the environmental score, you can also use a threat matrix that weighs the probability that a vulnerability will be exploited against the impact that exploitation would have on your business.
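The temporal adjustments listed above and the exposure-based reasoning in the web-server example can be put into working code. The following Python is an added example, not code from the original article: `temporal_score()` implements the published CVSS v3.1 temporal formula, while the exposure weights, the CISA KEV priority bucket, the host names and the CVE identifiers are all constructed assumptions, not the CVSS environmental formula.

```python
import math

# CVSS v3.1 temporal metric values (from the v3.1 specification).
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base: float, e: str, rl: str, rc: str) -> float:
    """Temporal score per CVSS v3.1: Roundup(Base * E * RL * RC)."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl]
                   * REPORT_CONFIDENCE[rc])


# Hypothetical exposure weights (in-house rule, not the CVSS environmental
# formula): how reachable the vulnerable system is for an attacker.
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.7, "isolated": 0.3}


def triage(finding: dict, kev: set) -> tuple:
    """Return (bucket, risk); bucket 0 = on CISA KEV and internet-facing,
    bucket 1 = everything else, ordered by temporal score x exposure."""
    t = temporal_score(finding["base"], finding["e"], finding["rl"], finding["rc"])
    risk = round(t * EXPOSURE_WEIGHT[finding["exposure"]], 1)
    bucket = 0 if finding["cve"] in kev and finding["exposure"] == "internet" else 1
    return (bucket, risk)


def prioritize(findings: list, kev: set) -> list:
    """Sort scanner findings so the ones to fix first come first."""
    return sorted(findings, key=lambda f: (triage(f, kev)[0], -triage(f, kev)[1]))


# Constructed sample: the same critical CVE on an internet-facing web server and
# on an isolated lab copy, plus an internal host with an unproven bug.
KEV_SAMPLE = {"CVE-0000-0001"}  # placeholder identifiers, not real CVEs
FINDINGS = [
    {"host": "web01", "cve": "CVE-0000-0001", "base": 9.8, "e": "H", "rl": "O", "rc": "C", "exposure": "internet"},
    {"host": "lab01", "cve": "CVE-0000-0001", "base": 9.8, "e": "H", "rl": "O", "rc": "C", "exposure": "isolated"},
    {"host": "db01", "cve": "CVE-0000-0002", "base": 7.5, "e": "U", "rl": "O", "rc": "U", "exposure": "internal"},
]
# prioritize(FINDINGS, KEV_SAMPLE) orders the hosts: web01, db01, lab01
```

Note how the isolated lab copy of the critical CVE ends up below the internal host's medium-severity finding, which is exactly the outcome the environmental reasoning above argues for.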

What is YOUR Severity Score?

The CVSS base score is an important metric in determining the severity of a vulnerability, but it is not the only metric that should be considered. Using a risk-based approach to vulnerability management allows you to focus on the greatest risks to your organization and prioritize your remediation efforts.
