A Common Flawed Approach to Vulnerability Management
We do a lot of vulnerability assessment work against infrastructure and applications for our customers. Once the work is finished, we review the final report with them and recommend corrective actions. In a lot of cases the customer feels overwhelmed by the number of “red lights” they see, and after we discuss next steps many choose to fix only the “low-hanging fruit” or only the “critical” findings. Those certainly need to be addressed, but the “critical” findings don’t represent the whole picture. In these situations, our advice is to improve the overall Vulnerability Management Process so that it addresses all of the findings, rather than taking the narrow tactical approach of patching only what the report lists.
Once you know the full set of findings from a Vulnerability Assessment, your organization has to weigh several things: how many issues were found, how severe each one is, how an attacker could leverage it, what could be lost, and how likely that is to happen.
Some standards exist to help with this. CVSS, the Common Vulnerability Scoring System, is a popular one. It helps you frame the risk that each vulnerability represents.
CVSS quantifies the “characteristics and impacts of IT vulnerabilities”, and it is a useful tool for putting a particular vulnerability into context for your organization. The Base score is the “raw” value: it describes the intrinsic properties of the vulnerability and does not change from one environment to another. The other two metric groups, Temporal and Environmental, adjust that value. Temporal metrics account for factors that change over time, such as whether working exploit code exists and whether an official fix is available; Environmental metrics account for your own deployment. Controls like firewalls, access restrictions, and endpoint protection will, hopefully, lower the risk to a system; conversely, a system that is especially valuable or exposed adds to it.
Another point regarding the remediation of the “red” findings: while they carry a lot of the risk to a system, they represent only a portion of the total.
I created the following image from real data from a vulnerability assessment. I dropped the Low and Informational findings and kept the Medium, High, and Critical ones. For each severity category I counted the findings, weighted them by their Temporal CVSS score, and calculated the percentage of the total “risk” that the category contributes. This was not designed to be a rigorous academic study, just a simple metric to convey a point.
If you remediate the “High” findings, you leave about 65% of your weighted risk on the table. If you remediate the “Highs” and “Mediums”, you still leave nearly 40% of it.
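The weighting described above, as an added example that is not the post's own data or tooling. It assumes CVSS v3.1 temporal multipliers and the CVSS v3.x qualitative severity scale (the post does not say which CVSS version was used), buckets each finding by its Temporal score rather than by the scanner's label, and uses a constructed list of findings with made-up IDs; the residual percentages it prints therefore illustrate the method, not the post's figure.

```python
"""Severity-weighted residual risk from a vulnerability assessment.

Added example, not the original post's data or tooling. Assumes CVSS v3.1
temporal multipliers and the v3.x qualitative severity scale; SAMPLE_FINDINGS
below is constructed, not taken from a real assessment.
"""
import math
from collections import defaultdict

# CVSS v3.1 temporal metric multipliers: Exploit Code Maturity (E),
# Remediation Level (RL), Report Confidence (RC). "X" means Not Defined.
EXPLOIT_CODE_MATURITY = {"X": 1.0, "H": 1.0, "F": 0.97, "P": 0.94, "U": 0.91}
REMEDIATION_LEVEL = {"X": 1.0, "U": 1.0, "W": 0.97, "T": 0.96, "O": 0.95}
REPORT_CONFIDENCE = {"X": 1.0, "C": 1.0, "R": 0.96, "U": 0.92}

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "None"]

# Constructed sample findings (hypothetical IDs): a v3.1 base score plus the
# temporal metrics a scanner or triage team might attach.
SAMPLE_FINDINGS = [
    {"id": "F-01", "base": 9.8},                                  # no temporal info
    {"id": "F-02", "base": 9.8, "E": "H", "RL": "O", "RC": "C"},  # vendor fix available
    {"id": "F-03", "base": 8.8, "E": "F", "RL": "O", "RC": "C"},
    {"id": "F-04", "base": 7.5, "E": "P", "RL": "O", "RC": "C"},  # temporal drops it to Medium
    {"id": "F-05", "base": 7.5},
    {"id": "F-06", "base": 6.5, "E": "U", "RL": "O", "RC": "C"},
    {"id": "F-07", "base": 5.3},
    {"id": "F-08", "base": 4.3},
    {"id": "F-09", "base": 3.1},                                  # Low: dropped, as in the post
    {"id": "F-10", "base": 0.0},                                  # Informational: dropped
]


def roundup(value: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal number >= value (spec Appendix A)."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def temporal_score(base: float, e: str = "X", rl: str = "X", rc: str = "X") -> float:
    """Base score adjusted by the temporal metrics; with all metrics 'X' it equals the base."""
    return roundup(base * EXPLOIT_CODE_MATURITY[e] * REMEDIATION_LEVEL[rl] * REPORT_CONFIDENCE[rc])


def severity(score: float) -> str:
    """CVSS v3.x qualitative rating scale."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def risk_shares(findings, exclude=("Low", "None")):
    """Sum each finding's temporal score into its severity bucket (count x score per
    bucket) and return every bucket's share of the total, after dropping the
    excluded severities the way the post does."""
    totals = defaultdict(float)
    for f in findings:
        t = temporal_score(f["base"], f.get("E", "X"), f.get("RL", "X"), f.get("RC", "X"))
        sev = severity(t)
        if sev not in exclude:
            totals[sev] += t
    grand = sum(totals.values())
    return {sev: totals[sev] / grand for sev in SEVERITY_ORDER if sev in totals}


def residual_after_fixing(shares, fixed):
    """Fraction of the weighted risk still on the table once the given severities are remediated."""
    return sum(share for sev, share in shares.items() if sev not in fixed)


def summarize(findings=SAMPLE_FINDINGS):
    """Shares per severity plus the residual risk for two common remediation cut-offs."""
    shares = risk_shares(findings)
    return {
        "shares": shares,
        "after_critical": residual_after_fixing(shares, {"Critical"}),
        "after_critical_high": residual_after_fixing(shares, {"Critical", "High"}),
    }


if __name__ == "__main__":
    s = summarize()
    for sev, share in s["shares"].items():
        print(f"{sev:9s} {share:6.1%}")
    print(f"residual after fixing Critical:      {s['after_critical']:.1%}")
    print(f"residual after fixing Critical+High: {s['after_critical_high']:.1%}")
```

Two things worth noticing when you run it: finding F-04 starts as a 7.5 (High) but an official fix and only proof-of-concept exploit code bring its Temporal score to 6.7, so it lands in the Medium bucket; and because every Medium still contributes its full score, the Medium bucket ends up carrying the largest share of the weighted risk in this constructed set even though no single Medium finding is alarming on its own.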
The question your organization has to answer is, “Is this an acceptable level of risk?” If it is not, your Vulnerability Management Program needs some help. I know from experience that most organizations don’t track their level of risk, and most don’t come back after the initial critical findings have been remediated to work on the “Low” findings either. These residual findings accumulate and add more risk over time.
An attacker would love to be able to attack a system that has “Critical” vulnerabilities that are remotely exploitable. But in their absence, I think you would find that they would be just as happy with a couple hundred “Mediums” to choose from.