With vulnerability counts skyrocketing in recent years, organizations around the globe are still puzzling over how to run a successful vulnerability assessment. To answer that, we first need to understand what we are trying to achieve with vulnerability assessment, so that we can shape the assessment process to meet that need effectively.
The objective of vulnerability management is to reduce the risk to an IT infrastructure. As a crucial part of the vulnerability management lifecycle, vulnerability assessment helps you qualify the risk that each vulnerability presents to your ecosystem, so that you can prioritize the issues of serious consequence that need immediate attention and keep risk under control at any given point in time.
For instance, suppose a vulnerability scan returns 1,000 vulnerabilities in your network at a given moment. Patching them all at once is impractical, and patching at random could leave highly critical flaws overlooked. But if you can cherry-pick the 100 that are of serious consequence and patch them within a day or two of their exposure, I'd go out on a limb to say you stand a fair chance against cyber attacks.
If the goal of vulnerability assessment is to prioritize the riskiest vulnerabilities at a given point in time, we need to settle on the factors that get us there. The risk of a vulnerability generally corresponds to how exploitable it is and how much impact it would cause if exploited. Severity ratings and Common Vulnerability Scoring System (CVSS) scores give you only a superficial assessment of risk; there are a few key factors you need to observe to truly understand the risk a vulnerability poses:
Knowing whether an exploit is publicly available for a vulnerability is pivotal to prioritization, because those vulnerabilities need immediate attention: the exploit is out in the wild, and anyone could leverage it to break into your network and steal sensitive data. Nine out of twelve publicly exploited vulnerabilities resolved by Microsoft last year were not rated as important. If you patch only critical vulnerabilities based on severity, you might miss other threatening vulnerabilities that were easily exploitable. It's essential to treat exploit availability as the top priority in your vulnerability assessment process. Looking back at last year's Patch Tuesdays, our experts have uncovered various anomalies similar to the one above. Download the ebook to learn the 8 surprising takeaways from 2019's Patch Tuesdays that could help you redefine your vulnerability management strategy for 2020.
Once vulnerability information is out, the clock starts ticking and the race is on between your security teams and threat actors. With attackers developing exploits from public disclosures and patch releases within weeks or months, it's essential to track how long severe vulnerabilities have been lurking on your endpoints. What seems less critical initially might prove fatal over time, since attackers eventually develop tooling that takes maximum advantage of even seemingly minor flaws in ways you could never have imagined. The best practice is to resolve vulnerabilities with available exploits, as well as Critical vulnerabilities, immediately. Vulnerabilities rated Important are harder to exploit but should nevertheless be remediated within 30 days. Anything rated lower than Critical or Important should be remediated within 90 days.
If a patch is available, you can apply it right away, but test it before deployment to make sure it doesn't introduce unforeseen issues. There are instances, however, when no patch is available for a highly critical vulnerability. It's important to stay vigilant about these and prioritize an appropriate response to safeguard your assets. Let's discuss a couple of such cases that need attention as early as possible:
There are instances where a vulnerability is exploited in the wild before the vendor even knows about it. What's worse, an exploit is out while no patch is available. In such scenarios, your best bet is to harden your IT ecosystem or isolate the affected system or application until a patch or workaround is available. Learn the best practices you can implement now to harden your environment against zero-day threats.
Sometimes a frustrated security researcher posts vulnerability details in a public forum to teach a lesson to a vendor who keeps ignoring their reports. There are also cases where a vendor accidentally reveals details of a flaw in its security bulletins without a patch in place; the recently leaked details of the EternalDarkness flaw in Microsoft SMB v3 are a good example. In such cases vendors are usually quick to publish a workaround that mitigates exploitation of the flaw. Learn how you can deploy mitigation scripts to your environment to keep it protected while waiting for a patch.
Some assets matter more than others. Web servers sit on the perimeter of your network and are exposed to the internet, so they're low-hanging fruit for attackers. Database servers, which hold a wealth of information such as customers' personal data and payment details, should likewise be prioritized over other assets when defining the scope of your assessment.
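To make the factors above concrete, here is an added example, written for this page and not code from Vulnerability Manager Plus or any vendor, that turns them into a single triage routine. The remediation windows (immediate, 30 days, 90 days) follow the policy stated above; the asset weights, the score weights, the action labels and the five sample vulnerabilities are assumptions constructed for illustration. The point it demonstrates is the one made earlier: an Important-rated flaw with a public exploit on a web server outranks a Critical-rated flaw with no exploit, and an actively exploited zero-day with no patch sits at the very top.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Remediation windows from the policy above, in days after disclosure.
SLA_DAYS = {"immediate": 0, "important": 30, "low": 90}

# Assumed asset weights: internet-facing web servers and databases holding
# customer and payment data count for more than an ordinary workstation.
ASSET_WEIGHT = {"web": 2.0, "database": 2.5, "workstation": 0.0}


@dataclass
class Vuln:
    vuln_id: str
    severity: str            # vendor rating: "critical", "important", "moderate", "low"
    cvss: float              # CVSS base score, 0.0 to 10.0
    asset: str
    asset_type: str          # key into ASSET_WEIGHT
    disclosed: date          # date the flaw became public
    exploit_public: bool = False
    exploited_in_wild: bool = False
    patch_available: bool = True


def sla_tier(v: Vuln) -> str:
    """Exploit availability trumps vendor severity: anything with a public
    exploit, or already seen exploited, joins the Criticals in the immediate tier."""
    if v.exploit_public or v.exploited_in_wild or v.severity == "critical":
        return "immediate"
    if v.severity == "important":
        return "important"
    return "low"


def deadline(v: Vuln) -> date:
    return v.disclosed + timedelta(days=SLA_DAYS[sla_tier(v)])


def overdue_days(v: Vuln, today: date) -> int:
    return max(0, (today - deadline(v)).days)


def risk_score(v: Vuln, today: date) -> float:
    """Combine the factors into one number. Weights are illustrative assumptions."""
    score = v.cvss
    if v.exploit_public:
        score += 4.0          # exploit in the wild: anyone can use it
    if v.exploited_in_wild:
        score += 3.0          # active attacks confirmed
    score += ASSET_WEIGHT.get(v.asset_type, 0.0)
    score += min(overdue_days(v, today) / 15, 3.0)   # age pressure, capped
    if not v.patch_available:
        score += 1.0          # needs a workaround, so it must be watched closely
    return round(score, 2)


def recommended_action(v: Vuln) -> str:
    if v.patch_available:
        return "test-and-patch"
    if v.exploit_public or v.exploited_in_wild:
        return "mitigate-or-isolate"    # zero-day: harden or isolate until a patch lands
    return "monitor-for-patch"


def triage(vulns, today: date):
    """Return vulnerabilities ordered most urgent first."""
    return sorted(vulns, key=lambda v: risk_score(v, today), reverse=True)


# Constructed sample data (assumed, not real findings).
TODAY = date(2020, 4, 15)
SAMPLE = [
    Vuln("V-001", "critical", 9.8, "db01", "database", date(2020, 4, 14)),
    Vuln("V-002", "important", 7.5, "web01", "web", date(2020, 3, 10), exploit_public=True),
    Vuln("V-003", "critical", 9.0, "ws17", "workstation", date(2020, 4, 1)),
    Vuln("V-004", "important", 8.8, "db02", "database", date(2020, 4, 12),
         exploit_public=True, exploited_in_wild=True, patch_available=False),
    Vuln("V-005", "low", 4.3, "ws22", "workstation", date(2020, 1, 1)),
]

if __name__ == "__main__":
    for v in triage(SAMPLE, TODAY):
        print(f"{v.vuln_id} score={risk_score(v, TODAY):5.2f} tier={sla_tier(v):9} "
              f"due={deadline(v)} overdue={overdue_days(v, TODAY):2d}d -> {recommended_action(v)}")
```

Run as a script, it lists V-004 (exploited zero-day, no patch) first, then V-002 (Important, public exploit, 36 days past its deadline), and only then the two Criticals; the Low-rated V-005 is also flagged as 15 days past its 90-day window. Tune the weights to your own environment; the structure (exploit availability first, then severity, asset value and age) is what carries over.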
If you're trusting your organization's security to vulnerability management software, make it a rule to check that it classifies and presents discovered vulnerabilities in a meaningful way, i.e., in the context of the risk factors above, and also provides actionable insights for closing the gaps, so that you can consistently keep your network secure.
Vulnerability Manager Plus, an end-to-end vulnerability management solution, uses a continuously updated database of vulnerability information to help you detect vulnerabilities across your global hybrid IT, assess them against the risk factors discussed above, and carry out the appropriate course of action to bring them to closure.
It features interactive dashboards that give you all the intelligence you need about vulnerabilities in the form of infographics, trends and filters to help you make informed decisions. Dive right in to learn in detail how the dashboard infographics can help you prioritize vulnerabilities.
Furthermore, it offers a detailed resource view that puts vulnerabilities in context, such as the asset type, so that you can focus on critical assets like database servers and web servers when prioritizing patching.
It also offers a dedicated view for zero-day and publicly disclosed vulnerabilities, so that what needs immediate attention doesn't get mixed up with less critical flaws.
Once vulnerabilities are prioritized, you can proceed with the suggested course of action: patching where a patch is available, or a mitigation workaround where it isn't.
As a complete threat and vulnerability management solution, Vulnerability Manager Plus offers an extensive array of security features, including security configuration management, web server hardening, automated patch management, high-risk software uninstallation and port auditing.
There's no silver bullet that renders your network impenetrable to exploits. But by constantly assessing and reevaluating your network's security posture with Vulnerability Manager Plus, you stand a good chance against cyber trespassers.