Risk exists as vulnerabilities in assets across your distributed environment. But not all vulnerabilities pose risk to your business. How do you determine which ones you should remediate? Use these 7 practical questions to help you prioritize vulnerabilities based on the risk to your business – and focus your mitigation efforts on the ones that matter most.
Vulnerability management is a difficult but essential part of business risk management –an ongoing process of detecting and remediating issues in your environment.
When reviewing the results of a vulnerability scan from a scanner, the data can be overwhelming, with hundreds or thousands of potential vulnerabilities detected. It’s not reasonable to expect anyone to remediate every single detected vulnerability, especially when many may be false positives. So how should you determine which vulnerabilities to remediate?
Prioritization is key. We’ve compiled 7 practical questions to help you establish which exposures pose the most risk to your organization.
Before you start
Contextual knowledge is critical to determining if a vulnerability is a realistic threat in your environment.
- You should have a thorough IT asset inventory that documents all hardware, operating systems, and applications running in your environment. Additionally, it’s crucial to know where all business-critical and sensitive data is stored. This includes business IP and customer data.
- Next, look to your overall business strategy to determine the real value of your digital assets and the consequences – such as downtime or data exposure – if an asset is compromised by an attacker. Assets should be prioritized based on how critical they are to your business.
- Be aware of any internal or external compliance obligations that may require you to address certain known vulnerabilities by a set deadline – regardless of whether they pose a high risk to your specific business.
With this information in hand, move on to these 7 questions to quickly prioritize and address your vulnerability scan results:
- How severe is the vulnerability?
The higher the severity level or CVSS score, the greater priority the vulnerability should have. Severity and CVSS scores indicate how easily the vulnerability could be exploited and the potential impact on your organization. Keep in mind, though, that CVSS scores are not specific to your business. If the vulnerability exists on an asset that is not business-critical, for example, your exposure may not be as high as that CVSS score implies. Keep reading. The next few questions will help you start narrowing things down.
- Was the vulnerability detected with an authenticated scan?
Authenticated scans use valid account credentials to log into the systems to be scanned and provide an “insider’s” view of the environment. Unauthenticated scans, on the other hand, are an external view of those assets that are accessible from the internet – which is only a subset of the total inventory of assets in your environment. Unauthorized scans can produce false positive results which must be carefully researched and verified. A vulnerability detected with an authenticated scan is likely a real result and should be prioritized. Authenticated scans may also detect vulnerabilities that an unauthenticated scan will not detect.
- How common is the vulnerability among your assets?
Whether a vulnerability affects just a handful of machines or has been detected on more than 80% of your assets is a huge factor in the priority and speed at which you may need to remediate it. The more assets that are affected by a specific vulnerability, the more opportunity there is for an attacker to exploit it.
- What is the value of the asset and its context?
As we mentioned, one of the first steps to ranking a vulnerability is ranking the asset it exists on – based on how critical the asset is to your business. For example, if a server is compromised, would sensitive information be exposed? How would its resulting downtime affect your business operations, customers, or revenue generation? Whether an asset is connected to the internet also should be a consideration, since a direct external connection could mean a higher risk of attack.
- What is the context and priority of the vulnerability?
Once the asset value and context are established and its priority set, you can determine the context and priority of a vulnerability that exists on it. Generally, priority is highest for a vulnerability on a high-value, internet-accessible asset and lowest for an exposure on a system that is offline and not business-critical. Carefully prioritize vulnerabilities and focus your mitigation efforts based on a number of factors – including where the vulnerabilities exist, whether they are older known vulnerabilities, and whether a fix is necessary for regulatory compliance. Vulnerability prioritization allows you to address higher exposures more quickly, effectively reducing the overall risk to your data and business operations.
- What is the exposure time of the vulnerability?
The longer a vulnerability remains unmitigated, the more risk it poses. Additionally, the longer it has been since public disclosure of the vulnerability, the more likely hackers have developed an exploit script that is easy to deploy. Another factor for exposure time is how common the affected software is. Windows, Java, and Firefox are all so common and in broad use that hackers focus on exploiting them for the most return on their investment.
- What mitigation methods are available?
The priority of remediating a vulnerability may be influenced by the mitigation methods available and your specific needs and compliance obligations. There can be multiple ways to close a security gap. The most common solutions are software patches or upgrades, but these always come with the risk of breaking systems or functionality. Always read patch notes and be sure to test the patches before deploying them. Sometimes a system configuration change can close the gap on an exposure with less chance of impacting your business operations. But sometimes, there is no patch, configuration change, or other workarounds. In this case, you can choose to accept the risk and revisit the issue later, uninstall the vulnerable software, or shut the affected machine down entirely.
Vulnerability scans simply identify the security gaps in your environment – often in large numbers. Not all represent a risk to your business. Take the time to prioritize your assets and use these 7 questions to help you focus your efforts on the vulnerabilities that matter the most.