With so many security vulnerabilities putting companies at risk, determining which ones to tackle can be a challenge. Focusing on all vulnerabilities is virtually impossible. Concentrating on just the critical ones is a sounder approach. But ultimately, you want to confront the ones that have the greatest impact on your organization, a strategy that many security pros aren’t necessarily following.
For its new report “How are Cyber Security Teams Prioritizing Vulnerability Risk?” security vendor Vulcan Cyber surveyed 200 IT security decision makers in North America to find out how vulnerability risk is prioritized, managed and reduced. The survey was conducted from September 23 through October 17, 2021.
Asked how they group vulnerabilities internally to decide which ones to prioritize, 64% said they do it by infrastructure, 53% by business function, 53% by application, 42% by stakeholder and 40% by business department. To help them in this process, 86% of the respondents said they rely on data based on the severity of the vulnerability, 70% turn to threat intelligence, 59% use asset relevance and 41% use their own custom risk scoring.
Security pros turn to different models and guidelines to help prioritize security flaws. Some 71% of those surveyed said they rely on the Common Vulnerability Scoring System (CVSS), 59% use the OWASP Top 10, 47% depend on severity scanning, 38% the CWE Top 25 and 22% the Bespoke scoring model. Some 77% of the respondents revealed that they use at least two of these models to score and prioritize vulnerabilities.
Despite all the information and models available to them, most of the professionals polled admitted that they don’t always rank vulnerabilities appropriately. Asked whether many of the vulnerabilities they rank high should be ranked lower for their specific environment, 78% of the respondents strongly or somewhat agreed. And asked whether many of the vulnerabilities they consider low should be ranked higher for their organization, 69% strongly or somewhat agreed.
“In an ideal world, every vulnerability would get the same amount of attention as Log4Shell,” said Vulcan Cyber CEO and co-founder Yaniv Bar-Dayan. “But considering the fact that NIST discloses and reports about 400 new vulnerabilities each week, IT security teams barely have time to assess and prioritize only the most critical.”
The respondents also were asked which of the most vulnerable areas were of the greatest concern. Some 54% pointed to the exposure of sensitive data, 44% cited broken authentication, 39% mentioned security misconfigurations, 35% cited insufficient logging and monitoring and 32% pointed to injection attacks. Other concerns included cross-site scripting, using components with known vulnerabilities and broken access control.
And asked which specific types of vulnerabilities worried them the most, 62% cited MS14-068 (Microsoft Kerberos unprivileged user accounts), 40% mentioned MS08-067 (Windows SMB, aka Conficker, Downadup, Kido, etc.), 32% pointed to CVE-2019-0708 (BlueKeep), 32% cited CVE-2014-0160 (OpenSSL, aka Heartbleed) and 30% listed MS17-010 (EternalBlue).
Other security flaws of concern were MS01-023 (Microsoft IIS, aka Nimda), Spectre/Meltdown (CPU vulnerabilities), CVE-2008-1447 (DNS, aka Kaminsky), CVE-2014-6271 (Bash, aka Shellshock) and MS02-039 (SQL Slammer).
Recommendations for IT security pros
Since prioritizing vulnerabilities can prove so challenging, what can security professionals do to improve their process?
“Knowing where your organization is vulnerable is critical to running an effective cyber risk management strategy, but you also need to be able to quickly convert cyber risk analysis into effective mitigation processes,” Bar-Dayan said. “That requires a deep understanding of how to prioritize which vulnerabilities and risks you need to address first. The most effective way to do so is by consolidating vulnerability and cyber risk lifecycle management for infrastructure, applications and cloud assets in one place. That’s necessary to ensure that all departments are working together to identify and mitigate risk across your entire attack surface.”
Bar-Dayan advises organizations to focus only on vulnerabilities of the greatest impact to their specific business. Achieving this requires collecting and aggregating data on your assets through scanners, asset management, collaboration, IT service management and patch and configuration management. That information then needs to be linked with security CVE data as well as with threat intelligence, vulnerability severity and asset exploitability. With so much information to gather and correlate, most organizations should consider an automated approach, according to Bar-Dayan.
“The ultimate goal in vulnerability prioritization is to generate a metric that is more meaningful than the atomic risk of any one vulnerability instance, or the risk mass of a grouping of vulnerable instances,” Bar-Dayan added. “A combination of inputs to generate a security posture rating for a business unit or a group of assets gives IT security teams a realistic shot at well-orchestrated cyber risk reduction.”
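The correlation described above (scanner findings joined to asset data and threat intelligence, then rolled up per business unit) can be sketched as follows. This is an added example, not Vulcan Cyber's scoring model or anything from the report; the asset names, finding IDs, weights and roll-up formula are all constructed assumptions.

```python
from collections import defaultdict

# Constructed asset inventory, as exported from asset management (hypothetical names).
ASSETS = {
    "web-01": {"unit": "ecommerce", "criticality": 1.0, "internet_facing": True},
    "hr-db":  {"unit": "hr",        "criticality": 0.8, "internet_facing": False},
    "lab-07": {"unit": "research",  "criticality": 0.2, "internet_facing": False},
}
# Constructed scanner output: (asset, placeholder finding id, CVSS base score).
FINDINGS = [
    ("lab-07", "FINDING-A", 9.8),
    ("web-01", "FINDING-B", 6.5),
    ("hr-db",  "FINDING-C", 7.5),
    ("web-01", "FINDING-D", 4.3),
]
# Constructed threat-intelligence feed: findings with known exploitation activity.
EXPLOITED = {"FINDING-B"}

def contextual_score(asset, finding_id, cvss):
    """Scale the CVSS base score by asset context. Weights are assumptions."""
    info = ASSETS[asset]
    score = cvss * info["criticality"]      # asset relevance to the business
    if info["internet_facing"]:
        score *= 1.2                        # exposure raises exploitability
    if finding_id in EXPLOITED:
        score *= 1.5                        # threat intel: exploited in the wild
    return round(min(score, 10.0), 2)

def prioritize(findings):
    """Return (score, asset, finding, cvss) tuples, highest contextual risk first."""
    ranked = [(contextual_score(a, f, c), a, f, c) for a, f, c in findings]
    return sorted(ranked, reverse=True)

def unit_posture(findings):
    """Per-business-unit rating: worst finding dominates, the rest add 10% each."""
    by_unit = defaultdict(list)
    for score, asset, _, _ in prioritize(findings):   # scores arrive descending
        by_unit[ASSETS[asset]["unit"]].append(score)
    return {u: round(min(10.0, s[0] + 0.1 * sum(s[1:])), 2)
            for u, s in by_unit.items()}

if __name__ == "__main__":
    for score, asset, finding, cvss in prioritize(FINDINGS):
        print(f"{finding} on {asset}: CVSS {cvss} -> contextual {score}")
    print(unit_posture(FINDINGS))
```

With this sample data the CVSS 9.8 finding on an isolated lab host ranks last, while the CVSS 6.5 finding on an exposed, business-critical server with known exploitation ranks first, which is the re-ranking most respondents said their environments need.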