For a company managing a small number of vulnerabilities, deciding which vulnerability to focus remediation efforts on first may not seem like a significant problem.
However, as your company grows and your assets grow with it, managing your devices and vulnerabilities can quickly become a demanding and time-consuming process if a method of prioritization has not yet been considered.
Vulnerability prioritization can be approached in a number of ways and with varying complexity and considerations.
Some approaches focus on a single detail, such as the severity rating of a vulnerability, whereas others are more nuanced and take multiple factors into consideration.
Your prioritization method may also develop and mature over time, as your company also develops.
An initial approach to managing your vulnerabilities could solely focus on severity, with an increasing number of considerations and information being used over time to guide your decisions on prioritization.
Impact Priority
An initial consideration for any vulnerability should be its severity rating. Most vulnerabilities are categorized based on their potential impact on a system, typically derived from the Common Vulnerability Scoring System (CVSS), which grades vulnerabilities with a score from 0 to 10.
The severity ratings for vulnerabilities are then labeled as:
- Critical (9.0-10.0)
- High (7.0-8.9)
- Medium (4.0-6.9)
- Low (0.1-3.9)
A prioritization method could therefore order vulnerabilities by severity label or by the specific CVSS score to create an ordered list of issues for a company to address.
Asset Considerations For Priority
In addition to the severity of a vulnerability, another factor to consider is what is impacted by the vulnerability.
This consideration can include the importance of the data that is stored or processed by the impacted device, and can also include the importance of the device to the continued operation of the business.
Not all devices and information within a business should be considered equal. Some systems which are in use form a critical component within a business, and need to be operational at all times. Other systems may include ones that are rarely used, and do not provide a core business function.
Company data can also be of high importance, needing to be accessible and protected at all times. In contrast, other information may be seldom used or intentionally made publicly available, containing no sensitive or critical client data.
These considerations for devices and information can be used to form an asset priority rating, which can also be graded from Low to Critical, and can be individually tailored to your business.
When ordering vulnerabilities by vulnerability severity, a secondary order can then be applied using the asset priority rating, allowing for a more customized approach to remedying vulnerabilities based on how they impact your business’s critical systems.
Prioritize Temporal Factors
After considering the most critical vulnerabilities that impact your critical assets, an additional step can be taken that takes into account whether a vulnerability has a currently known method of exploitation and whether it is actively being exploited.
As vulnerabilities are identified, a common process known as responsible disclosure is often used. This approach typically involves:
- Security researchers identify the vulnerability.
- The vendor is informed of the security flaw and allowed time to produce a fix.
- The vendor then issues an update, and time is allowed for the update to be applied.
- After updates have been made available, the security researchers may release details regarding an exploitation method.
This approach is intended to allow cooperation between researchers and vendors and to have minimal impact on those who use the vendor's product, protecting them from exploitation.
Depending on the specific vulnerability and the point in time, there may not be any known method of exploitation that is publicly available.
In comparison, a company may also be impacted by a vulnerability that is well-known with an established method of exploitation.
The well-known vulnerability may have a High impact rating, whereas the vulnerability with no publicly known exploitation method may have a Critical rating.
While it is still important to address each vulnerability, the most direct threat to address can often be a vulnerability with a lower severity rating but a known and actively used method of exploitation.
Considerations For Asset Accessibility
In addition to understanding the severity of a vulnerability and if the issue is currently exploitable, an important consideration when prioritizing your remediation efforts is where the affected system is located.
Some of the most common exploitation methods involve targeting systems that are directly accessible over the internet, or targeting users and their workstations through strategies such as phishing.
Where you have servers, switches, and other devices which are not directly accessible over the internet and are not used as user workstations on a day-to-day basis, there is a reduced likelihood of direct exploitation, and your attention can instead be directed to those systems which may be directly targeted through common exploitation methods.
It is important to consider that the exploitation of internet-accessible systems, or of workstations through phishing attacks, can lead to further exploitation of internal systems which are not directly accessible over the internet. These systems therefore cannot be completely ignored when impacted by vulnerabilities.
However, when prioritizing vulnerabilities, a Medium or High impact vulnerability which affects an internet-facing system can be considered of greater importance than a Critical issue which impacts a system that is not internet-accessible and has limited means of access.
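The four factors above (CVSS severity, asset priority, whether an exploitation method is known or in active use, and whether the system is internet-facing or a user workstation) can be combined into a single ordering. The following is an added example, not code from the original article: it maps CVSS scores to the severity bands listed earlier, then sorts findings with a tiered key in which each later element only breaks ties among the earlier ones. The tier order (active exploitation first, then exposure plus a public exploit, then asset priority, then raw CVSS) is an assumption chosen to reflect the article's reasoning, and every finding, hostname and identifier in the sample data is constructed for illustration.

```python
from dataclasses import dataclass

# Constructed example: the findings, hostnames and ratings below are made up
# to illustrate the ordering; none of them describe a real system.

# CVSS score bands as listed in the article (lower bound, label), checked in order.
SEVERITY_BANDS = [(9.0, "Critical"), (7.0, "High"), (4.0, "Medium"), (0.1, "Low")]

# Asset priority rating assigned by the business, mapped to a sortable rank.
ASSET_RANK = {"Critical": 3, "High": 2, "Medium": 1, "Low": 0}


def cvss_severity(score: float) -> str:
    """Map a CVSS base score (0-10) to its severity label; a score of 0.0 is 'None'."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "None"


@dataclass
class Finding:
    vuln_id: str             # tracker identifier (constructed values in SAMPLE_FINDINGS)
    cvss: float              # CVSS base score
    asset: str               # hostname of the affected device
    asset_priority: str      # Low / Medium / High / Critical, set by the business
    exploit_public: bool     # a method of exploitation has been published
    exploited_in_wild: bool  # the vulnerability is being actively exploited
    internet_facing: bool    # reachable directly from the internet
    user_workstation: bool   # day-to-day workstation, reachable through phishing

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)


def exposed(f: Finding) -> bool:
    """True for systems reachable by the common exploitation routes the article names."""
    return f.internet_facing or f.user_workstation


def risk_key(f: Finding) -> tuple:
    """Sort key; larger keys are remediated first.

    Each element is a tie-breaker for the ones before it (assumed ordering):
    active exploitation, then a public exploit against an exposed system,
    then any public exploit, then exposure, then asset priority, then CVSS.
    """
    return (
        f.exploited_in_wild,
        f.exploit_public and exposed(f),
        f.exploit_public,
        exposed(f),
        ASSET_RANK[f.asset_priority],
        f.cvss,
    )


def prioritize(findings) -> list:
    """Return findings in the order they should be addressed."""
    return sorted(findings, key=risk_key, reverse=True)


# Constructed sample data: a Critical internal server issue with no known exploit,
# an exploitable High on a web server, an actively exploited Medium on a
# workstation, and a Low on a rarely used device.
SAMPLE_FINDINGS = [
    Finding("VULN-A", 9.8, "db01", "Critical", False, False, False, False),
    Finding("VULN-B", 7.5, "web01", "High", True, False, True, False),
    Finding("VULN-C", 5.3, "ws-042", "Medium", True, True, False, True),
    Finding("VULN-D", 3.1, "print01", "Low", False, False, False, False),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{f.vuln_id} {f.severity:8} asset={f.asset_priority:8} "
              f"exploited={f.exploited_in_wild} exposed={exposed(f)}")
```

Run as a script, the sample orders VULN-C (actively exploited Medium on a workstation) ahead of VULN-B (exploitable High on an internet-facing server), and both ahead of VULN-A, the Critical issue on an internal database with no known exploit, which matches the article's point that a lower-rated but exploited or exposed vulnerability is often the more direct threat. A tuple key rather than a weighted sum keeps the ordering explainable: the position of each factor in the tuple states the policy, and reordering the tuple is how you would change it.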
Prioritize Based On Compliance Requirements
When considering your order of vulnerabilities to address, there can be factors that influence your decisions that are outside your control.
If your company currently adheres to or plans to align with any compliance standards, there may be requirements to address certain types of vulnerabilities within a predefined timeframe.
Such compliance requirements can influence your priority order, requiring vulnerabilities to be sorted based on both the risk to your assets and the risk to maintaining your compliance standard.
Prioritize Based On Remediation Timeframes
When considering your priority order for addressing vulnerabilities, the time and resources each remediation process may take will always be a factor.
In some situations, a vulnerability may impact several of your day-to-day workstations, and require a software update. This type of remediation process can likely be applied quickly, with minimal disruption to your organization’s daily operations.
However, other more critical vulnerabilities may require a more manual configuration process, which can take time to apply, and may impact a heavily used server which if disrupted can halt the continued activities of your organization.
In this example, it may take time to plan, apply, and test the fix for the critical vulnerability on your server. However, while this is being planned, the remediation process for other, less critical vulnerabilities shouldn’t be halted.
Your vulnerability prioritization order can therefore be calculated taking into account estimated remediation timelines, with work on important servers scheduled during quiet periods to cause minimal disruption.
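The compliance timeframes and remediation scheduling described in the last two sections can be tracked together, as in the following added example (not code from the original article). Each task gets a due date from a per-severity timeframe, non-disruptive fixes such as workstation updates start immediately, disruptive fixes on heavily used servers are placed in the next planned maintenance window, and any task that cannot finish by its due date is flagged rather than silently slipping. The day counts in SLA_DAYS, the dates, the maintenance windows and the task identifiers are all assumptions constructed for the example and are not taken from any named compliance standard.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical compliance timeframes: days allowed from discovery to remediation
# per severity. These figures are assumptions for the example, not taken from any
# named standard; substitute the values your own compliance regime requires.
SLA_DAYS = {"Critical": 14, "High": 30, "Medium": 90, "Low": 180}


@dataclass
class Task:
    vuln_id: str        # tracker identifier (constructed values in SAMPLE_TASKS)
    severity: str       # Low / Medium / High / Critical
    discovered: date    # when the vulnerability was identified
    effort_days: int    # estimated time to plan, apply and test the fix
    disruptive: bool    # the fix takes a heavily used server out of service


def due_date(t: Task) -> date:
    """Compliance deadline for the task under the assumed SLA_DAYS policy."""
    return t.discovered + timedelta(days=SLA_DAYS[t.severity])


def plan_remediation(tasks, today: date, windows) -> list:
    """Return one plan entry per task, ordered by compliance deadline.

    Non-disruptive fixes start immediately, so they are never held up by a
    larger piece of work. Disruptive fixes are placed in the earliest
    maintenance window (a quiet period chosen by the business) on or after
    today. An entry is flagged 'at_risk' when the work cannot finish by the
    due date, so it can be escalated rather than quietly missing the deadline.
    """
    upcoming = sorted(w for w in windows if w >= today)
    plan = []
    for t in sorted(tasks, key=due_date):
        due = due_date(t)
        if t.disruptive and upcoming:
            start = upcoming[0]
        else:
            # Non-disruptive work, or no window planned yet: assume it starts
            # today so the deadline check still runs.
            start = today
        finish = start + timedelta(days=t.effort_days)
        plan.append({
            "vuln_id": t.vuln_id,
            "severity": t.severity,
            "start": start,
            "finish": finish,
            "due": due,
            "at_risk": finish > due,
        })
    return plan


def at_risk_ids(plan) -> list:
    """Identifiers of tasks that will miss their compliance deadline as planned."""
    return [p["vuln_id"] for p in plan if p["at_risk"]]


# Constructed sample data.
TODAY = date(2024, 3, 1)
WINDOWS = [date(2024, 3, 9), date(2024, 3, 23)]  # planned weekend quiet periods
SAMPLE_TASKS = [
    Task("VULN-1", "High", date(2024, 2, 20), 2, False),     # workstation software update
    Task("VULN-2", "Critical", date(2024, 2, 25), 5, True),  # manual server reconfiguration
    Task("VULN-3", "Medium", date(2024, 1, 15), 1, True),    # short server change
]

if __name__ == "__main__":
    for p in plan_remediation(SAMPLE_TASKS, TODAY, WINDOWS):
        flag = " AT RISK" if p["at_risk"] else ""
        print(f"{p['vuln_id']} {p['severity']:8} start={p['start']} "
              f"finish={p['finish']} due={p['due']}{flag}")
```

With the sample data, VULN-2 is due on 2024-03-10 but the earliest window starts on 2024-03-09 and the work takes five days, so it is flagged; that flag is the signal to either bring the window forward or accept and document the compliance exception. VULN-1 proceeds from today without waiting for the server work, which is the article's point about not halting less critical remediation while a larger fix is planned.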
Vulnerability Management Process
Prioritizing your vulnerabilities forms part of the vulnerability management process, described in further detail here.
Your vulnerability prioritization will likely involve a nuanced and customized approach depending on the assets in use within your organization and also some of the largest threats that target your particular industry.
As new vulnerabilities are identified over time, your systems will inevitably be affected, regardless of the size of your business.
It is therefore important to begin planning your remediation efforts in advance, to ensure your business maintains its security and can mitigate against new threats as you continue to grow.
Author Bio: Andrew Lugsden
Security Consultant at Forge Secure Limited https://forgesecure.com/
Working within the Cyber Security industry for over ten years to provide consultancy, security testing, and compliance services.