Netizen: How to understand a Vulnerability Report and prioritize systems for remediation.
Efficiently digesting vulnerability reports can make or break a company’s security posture. Not entirely understanding a vulnerability or how to patch it can not only be discouraging for IT professionals, but it can leave an opening for malicious actors. Learning to look deeper than the graphs and indicative colors of a vulnerability report is a worthwhile skill to develop for any security-conscious individual or group.
What is a vulnerability?
Before breaking down a vulnerability report, it helps to have a straightforward definition of what a vulnerability is. A vulnerability, by definition, is any weakness or soft spot in a logical system. Vulnerabilities can arise just about anywhere; however, they are often the result of flawed code or loose controls for authentication or authorization. Security professionals generally use the Common Vulnerability Scoring System (CVSS) to give vulnerabilities a numerical severity score from zero through ten. A CVSS score is derived from a specific vulnerability’s impact metrics and its attack (exploitability) metrics. Typically, the higher the CVSS score, the greater the vulnerability’s impact on confidentiality, integrity, and availability.
How do you begin remediation?
Prioritizing vulnerability remediation, while seemingly simple on the surface, goes deeper than just comparing the CVSS scores assigned to the vulnerabilities. Firstly, understand that even the most advanced, industry-standard tools will sometimes generate false positives. To weed these out and prevent unnecessary patching, there are typically verification checks, or proof-of-concept (PoC) tests, to conduct. Most proof-of-concept exercises can be found by searching various exploit databases for the CVE number related to the vulnerability.
Once false positives have been removed, you will be left with your ‘true’ vulnerability report. Depending on the size of your target selection, this report could contain a handful or several hundred vulnerabilities, unique to your organization’s situation. To prioritize them, having both a short-term and a long-term security plan is helpful. A vulnerability like MS17-010, a critical Windows remote code execution flaw, will likely take precedence over a vulnerable cipher suite found on an internal web server.
Where do you find information on different CVEs?
After creating your short-term and long-term security goals, it is time to act on them. The steps taken to patch a vulnerability can vary drastically. Having the CVE number handy will improve your chances of finding helpful information. Generally, some of the most useful information for a specific vulnerability will be found on the applicable vendor websites or support forums, on security blogs, or under the ‘references’ section of a CVE database. While remediating some vulnerabilities will be done with the click of an ‘update’ button, not all will be so willing to leave. Remediating vulnerabilities can, at times, require extensive research or outreach.
Creating a logical remediation plan will save you not only time but also endless frustration. Assuming the absence of critical vulnerabilities, it can be helpful to patch by host instead of strictly by CVSS score. If a specific node is noticeably overcontributing to your vulnerability report, it is an excellent starting point for your remediation journey. Spinning up a virtual instance of the troubled node and tackling its vulnerabilities from a system view will shrink your next vulnerability report and lower your network’s overall attack surface. After all, nodes with higher vulnerability counts are significantly more likely to be targeted by malicious actors.
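The triage described in the last two sections (drop the findings that failed verification, pull the critical items into the short-term queue, then work the rest host by host) is easy to script against a scanner export. The following is an added example, not Netizen’s tooling or any scanner’s output format: the findings list is constructed, the CVE identifiers are placeholders, and the 9.0 cut-off for “critical” is an assumption you would set to match your own plan.

```python
from collections import defaultdict

CRITICAL_THRESHOLD = 9.0  # assumption: CVSS >= 9.0 goes straight to the short-term queue

# Constructed sample findings, shaped like a scanner export after the PoC /
# verification step. 'confirmed' is False for findings that turned out to be
# false positives. CVE identifiers here are placeholders, not real CVEs.
FINDINGS = [
    {"host": "10.0.0.5",  "cve": "CVE-0000-0001", "cvss": 9.8, "confirmed": True},
    {"host": "10.0.0.5",  "cve": "CVE-0000-0002", "cvss": 5.3, "confirmed": True},
    {"host": "10.0.0.5",  "cve": "CVE-0000-0003", "cvss": 4.3, "confirmed": True},
    {"host": "10.0.0.5",  "cve": "CVE-0000-0004", "cvss": 7.5, "confirmed": True},
    {"host": "10.0.0.7",  "cve": "CVE-0000-0005", "cvss": 9.1, "confirmed": False},  # PoC failed
    {"host": "10.0.0.7",  "cve": "CVE-0000-0006", "cvss": 6.5, "confirmed": True},
    {"host": "10.0.0.12", "cve": "CVE-0000-0002", "cvss": 5.3, "confirmed": True},
    {"host": "10.0.0.12", "cve": "CVE-0000-0007", "cvss": 3.7, "confirmed": True},
]


def drop_false_positives(findings):
    """Keep only findings that survived verification: the 'true' report."""
    return [f for f in findings if f["confirmed"]]


def short_term_queue(findings, threshold=CRITICAL_THRESHOLD):
    """Critical findings come first regardless of host, highest score first."""
    critical = [f for f in findings if f["cvss"] >= threshold]
    return sorted(critical, key=lambda f: f["cvss"], reverse=True)


def hosts_by_contribution(findings, threshold=CRITICAL_THRESHOLD):
    """Rank hosts by how many non-critical findings they contribute.

    Ties are broken by the summed CVSS of those findings, so that two hosts
    with the same count are ordered by how much risk they carry.
    """
    per_host = defaultdict(list)
    for f in findings:
        if f["cvss"] < threshold:
            per_host[f["host"]].append(f)
    ranked = sorted(
        per_host.items(),
        key=lambda kv: (len(kv[1]), sum(f["cvss"] for f in kv[1])),
        reverse=True,
    )
    return [(host, len(fs)) for host, fs in ranked]


def remediation_plan(findings):
    """Short-term queue of criticals, then the host order for the long-term plan."""
    true_report = drop_false_positives(findings)
    return {
        "short_term": [(f["host"], f["cve"]) for f in short_term_queue(true_report)],
        "host_order": hosts_by_contribution(true_report),
    }


if __name__ == "__main__":
    plan = remediation_plan(FINDINGS)
    print("Short-term (critical) queue:", plan["short_term"])
    print("Long-term host order:", plan["host_order"])
```

In the constructed data the only CVSS 9.1 finding on 10.0.0.7 failed its proof-of-concept check, so it never reaches the queue; 10.0.0.5 tops the host order because it contributes three of the remaining findings, which is the “overcontributing node” the text suggests rebuilding in a test instance first.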
How do you test vulnerabilities before patching?
Industry best practices tell us it is never a good idea to patch without testing. While remediating vulnerabilities as quickly and efficiently as possible is the goal of any security-conscious team, issues can arise without proper testing techniques in place. Causing a denial-of-service condition with an unexpected update during business hours, or being bitten by an unresolved bug in the latest patch, is hardly an efficient patching method. By standing up separate instances of nodes or services, you’re effectively creating a test bed for your production environment, where hiccups in software won’t come at the cost of valuable uptime.
Discussing remediation almost always leads to the awkward discussion of currently unpatchable vulnerabilities. Whether no patch is currently available or the risk associated with patching is too significant, such vulnerabilities place a heavy weight on a standard remediation plan. Though a full discussion of risk management is out of the scope of this article, it’s essential to understand critical factors such as the annual loss expectancy of a vulnerability. When the annual loss expectancy is lower than the cost to patch, or even the potential cost should the patch go wrong, the more educated decision may be to accept the risk.
How do you accept risk without compromising your systems?
Accepting risk is all about doing so as intelligently as possible. Accepting risk doesn’t mean accepting an exploit of the vulnerability. There are endless ways to go about protecting a still-vulnerable asset. Using firewall whitelisting or installing a host-based IDS/IPS on the system is one way to compensate for the lack of a patch. Generating more in-depth logging for the device can also help ensure that if an exploit is attempted, it is immediately noticed by your organization’s security team. Frequently, especially in vulnerability reports, patching is treated as a binary step: a device is either patched or it isn’t. That isn’t quite the case in a real-world production environment. By using compensating methods to reduce risk, IT professionals can accept and mitigate risk more intelligently in their environments.
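The two compensating controls named here, a firewall whitelist around the still-vulnerable asset and logging that makes any attempt visible, only work together if someone checks that the whitelist actually holds. The following is an added example, not part of the original article and not a Netizen product: it reviews firewall log lines for a protected host and port, flags accepted connections from sources outside the whitelist (a gap in the compensating control), and counts what the firewall blocked. The asset, whitelist, log format and log lines are all constructed for illustration; real firewall or HIDS output will look different and the parser would need adjusting.

```python
import ipaddress
import re

# Assumed: the asset whose patch was deferred (risk accepted), and the
# whitelist of sources that legitimately need to reach that service.
PROTECTED_ASSET = ("10.0.0.5", 445)   # constructed host:port of the unpatched service
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.0.1.0/24"),  # constructed: management subnet
    ipaddress.ip_network("10.0.0.20/32"), # constructed: backup server
]

# Constructed log lines in a simple key=value format for the example.
LOG_LINES = """
2024-05-01T09:00:01Z action=ACCEPT src=10.0.1.15 dst=10.0.0.5 dport=445 proto=tcp
2024-05-01T09:00:05Z action=ACCEPT src=10.0.0.20 dst=10.0.0.5 dport=445 proto=tcp
2024-05-01T09:01:10Z action=ACCEPT src=10.0.3.44 dst=10.0.0.5 dport=445 proto=tcp
2024-05-01T09:01:11Z action=DROP src=10.0.3.44 dst=10.0.0.5 dport=445 proto=tcp
2024-05-01T09:02:00Z action=ACCEPT src=10.0.3.44 dst=10.0.0.9 dport=443 proto=tcp
garbage line that should be skipped, not crash the review
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    try:
        ipaddress.ip_address(rec["src"])
    except ValueError:
        return None
    return rec


def is_whitelisted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def review(lines, asset=PROTECTED_ASSET):
    """Summarize traffic to the protected asset.

    'alerts' lists accepted connections from non-whitelisted sources: each one
    means the compensating control let something through that it should not.
    """
    host, port = asset
    result = {"allowed": 0, "blocked": 0, "alerts": []}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != host or rec["dport"] != port:
            continue  # unrelated traffic (or noise) is not this review's concern
        if rec["action"] == "DROP":
            result["blocked"] += 1
        elif rec["action"] == "ACCEPT":
            if is_whitelisted(rec["src"]):
                result["allowed"] += 1
            else:
                result["alerts"].append((rec["ts"], rec["src"]))
    return result


if __name__ == "__main__":
    summary = review(LOG_LINES)
    print("whitelisted connections:", summary["allowed"])
    print("blocked attempts:", summary["blocked"])
    for ts, src in summary["alerts"]:
        print("ALERT: non-whitelisted source %s reached the unpatched service at %s" % (src, ts))
```

Feeding this kind of check a daily log export turns “risk accepted” into something that is continuously verified rather than decided once: the blocked count shows the whitelist is doing work, and any alert is an immediate prompt to fix the rule set or revisit the decision to defer the patch.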
Becoming more familiar with your vulnerability report will help you better understand your vulnerabilities, networks, and systems. Making educated decisions on how and when to patch will prove invaluable in creating a secure and productive environment. To speak to a security professional about starting vulnerability scanning, reviewing vulnerability data, or any other security service, feel free to reach out to the Netizen team.
How Can Netizen Help?
Netizen ensures that security gets built in and not bolted on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service”, wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time – https://www.netizen.net/contact