Aspire

Cyber Security, Managed Services, and Digital Infrastructure Solutions

Aspirations - The Transformation Blog

A Common Flawed Approach to Vulnerability Management

Blog
By George Lazarou
May 25, 2016 5:36 pm

We do a lot of vulnerability assessment work against infrastructure and applications for our customers. Once the work is finished, we review the final report with them and recommend corrective actions. In many cases the customer feels overwhelmed by the number of “red lights” in the report, and after we discuss next steps, many choose to fix only the “low-hanging fruit” or only the “Critical” findings. Those certainly need to be addressed, but the “Critical” findings don’t represent the whole picture. In these situations our advice is to improve the overall Vulnerability Management Process so that it eventually addresses all of the findings, rather than taking the narrow tactical approach of patching whatever the report highlights.

Once you know the total number of findings from a Vulnerability Assessment, there are several things to consider for your organization: how many issues were found, how severe each one is, how an attacker could leverage it, what could be lost, and how likely that is to happen.

Some standards exist to help with this. CVSS, the Common Vulnerability Scoring System, is a popular one; it gives you a consistent way to frame the risk each vulnerability represents.

CVSS quantifies the “characteristics and impacts of IT vulnerabilities” and is a useful tool for putting a particular vulnerability in the context of your organization. The Base score is the “raw” value: it describes the vulnerability itself, independent of your environment. The two other metric groups, Temporal and Environmental, adjust that value. Temporal metrics reflect the current state of the vulnerability, such as whether working exploit code exists and whether a vendor fix is available. Environmental metrics reflect your own mitigations and the value of the affected asset. Firewalls, access controls, and endpoint protections will, hopefully, reduce the risk to a system, while a system that is widely exposed or holds highly sensitive data can push the adjusted score up rather than down.

Another point about remediating only the “red” findings: while they do present a lot of risk to a system, they represent only a portion of the total.

I created the following image using real data from a vulnerability assessment. I took out the Low and Informational findings but kept the Medium, High, and Critical findings. I counted the findings in each category, multiplied the count by the temporal CVSS score, and calculated the percentage of the total that each category contributes to the overall “risk”. This was not designed to be a complete academic study, but a simple metric to convey a point.

[Image: WeightedValue – weighted share of total risk by severity category (Medium, High, Critical)]

If you remediate the “High” findings, you leave about 65% of your vulnerability on the table. If you remediate the “Highs” and “Mediums”, you still leave nearly 40% of it.
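The following is an added example and not part of the original post or its data. It puts the two ideas above into working code: the Temporal metric group from CVSS v3 is applied to a set of constructed findings (so a base “High” with an official fix and only unproven exploit code drops into the “Medium” bucket), the findings are grouped by the CVSS qualitative severity scale, and the weighting method described above (count multiplied by temporal score, applied per finding) is used to show how much weighted risk remains after fixing only some severities. The finding identifiers and scores are invented; the multipliers and severity ranges are the published CVSS v3 values.

```python
"""Added example, not from the original post: apply the CVSS v3 Temporal
metrics to base scores, bucket the findings by qualitative severity, and
measure how much weighted risk is left after remediating some severities.
All findings below are constructed sample data."""
import math
from collections import defaultdict

# CVSS v3 Temporal metric values ("X" = Not Defined, leaves the Base unchanged).
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}


def roundup(value):
    """Roundup as defined in CVSS v3.1: the smallest one-decimal number >= value,
    computed on integers so floating-point noise cannot turn 6.2 into 6.3."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base, e="X", rl="X", rc="X"):
    """Temporal = Roundup(Base x ExploitCodeMaturity x RemediationLevel x ReportConfidence)."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def severity(score):
    """CVSS v3 qualitative severity rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


# Constructed findings: id, base score, Exploit Code Maturity, Remediation Level, Report Confidence.
FINDINGS = [
    {"id": "CRIT-1", "base": 9.8, "e": "F", "rl": "O", "rc": "C"},  # fix available -> 9.1
    {"id": "CRIT-2", "base": 9.1},                                   # nothing defined -> 9.1
    {"id": "HIGH-1", "base": 8.1, "e": "P", "rl": "O", "rc": "C"},  # -> 7.3, still High
    {"id": "HIGH-2", "base": 7.5, "e": "U", "rl": "O", "rc": "R"},  # -> 6.3, drops to Medium
    {"id": "HIGH-3", "base": 7.5},
    {"id": "MED-1", "base": 6.5}, {"id": "MED-2", "base": 5.3}, {"id": "MED-3", "base": 5.3},
    {"id": "MED-4", "base": 4.3}, {"id": "MED-5", "base": 4.3}, {"id": "MED-6", "base": 4.3},
    {"id": "LOW-1", "base": 3.7}, {"id": "LOW-2", "base": 3.1},
]


def scored(findings):
    """Attach the temporal score and resulting severity bucket to every finding."""
    out = []
    for f in findings:
        t = temporal_score(f["base"], f.get("e", "X"), f.get("rl", "X"), f.get("rc", "X"))
        out.append(dict(f, temporal=t, severity=severity(t)))
    return out


def weighted_risk(findings):
    """Weight per bucket = sum of temporal scores (count x score, done per finding
    so buckets with mixed scores are handled). Returns {severity: (weight, percent_of_total)}."""
    totals = defaultdict(float)
    for f in scored(findings):
        totals[f["severity"]] += f["temporal"]
    grand = sum(totals.values())
    return {sev: (round(w, 1), round(100.0 * w / grand, 1)) for sev, w in totals.items()}


def residual_risk_pct(findings, remediated):
    """Percent of total weighted risk remaining after fixing every finding whose
    severity bucket is in `remediated` (a set such as {"Critical", "High"})."""
    all_scored = scored(findings)
    total = sum(f["temporal"] for f in all_scored)
    left = sum(f["temporal"] for f in all_scored if f["severity"] not in remediated)
    return 100.0 * left / total


if __name__ == "__main__":
    for sev, (weight, pct) in weighted_risk(FINDINGS).items():
        print(f"{sev:8} weight={weight:5.1f} share={pct:5.1f}%")
    for fixed in ({"Critical"}, {"Critical", "High"}, {"Critical", "High", "Medium"}):
        print(f"fix {sorted(fixed)}: {residual_risk_pct(FINDINGS, fixed):.1f}% of weighted risk remains")
```

With this sample set, fixing only the two Criticals still leaves about 76% of the weighted risk, and fixing Criticals and Highs leaves about 57%, almost all of it in the seven Mediums. The temporal adjustment also changes what you are counting: HIGH-2 is a “High” by base score but lands in the Medium bucket once an official fix and the lack of working exploit code are taken into account, which is exactly why the weighting should use the temporal rather than the base score.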

The question your organization has to answer is, “Is this an acceptable level of risk?” If it is not, your Vulnerability Management Program needs some help. I know from experience that most organizations don’t track their level of risk. Most organizations don’t come back after the initial critical findings have been remediated to work on the “Low” findings either. These residual findings accumulate and add more risk over time.

An attacker would love to be able to attack a system that has “Critical” vulnerabilities that are remotely exploitable. But in their absence, I think you would find that they would be just as happy with a couple hundred “Mediums” to choose from.

©2017 Aspire Technology Partners, LLC. All rights reserved worldwide.