Vulnerabilities can be found in all types of software: end-user applications, middleware, and the operating systems of mobile devices, laptops, desktops, servers, network devices and IoT devices. New vulnerabilities are discovered daily across the entire IT landscape, and they are published by your software vendors as well as by independent third parties such as NIST (through the NVD) and MITRE (through the CVE list). Whenever a new vulnerability appears, your infrastructure may be at risk, but that is never certain. To avoid panic and to remediate the right vulnerabilities in time, a sound vulnerability analysis process is needed, one that takes into account the CVSS score, whether the vulnerability actually applies to your environment, and the mitigating measures already in place. In other words, you should manage your vulnerabilities and their remediation.
Prioritizing vulnerabilities – applicability
The first step in prioritizing vulnerabilities is determining whether a vulnerability applies to you at all. This is where asset management plays a crucial role: a good overview of your IT infrastructure and all of its hardware and software assets is the basis to start from. Do you run devices with an OpenSSL version vulnerable to Heartbleed, DROWN or the more recent Sweet32 (for the latter two, applicability also depends on the configuration: DROWN requires SSLv2 support and Sweet32 requires 64-bit block ciphers such as 3DES to be enabled)? Are you using that vulnerable version of 7-Zip, or running a vulnerable MSSQL server? In prioritizing vulnerabilities, knowledge is everything!
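What this cross-referencing looks like in practice, as an added example that is not part of the original article: the script below matches a software inventory against affected version ranges. The inventory and the vulnerability records are constructed for illustration; the Heartbleed range (OpenSSL 1.0.1 through 1.0.1f, CVE-2014-0160) is the published one, while the 7-Zip record is hypothetical and carries a placeholder identifier rather than a real advisory. The version parser handles the OpenSSL letter-suffix scheme, which naive string comparison gets wrong.

```python
"""Match an asset inventory against known-vulnerable version ranges.

Added example, not code from the original article. Inventory and vulnerability
records are constructed; CVE-2014-0160 (Heartbleed) uses the published range,
HYPOTHETICAL-0001 is a placeholder, not a real advisory.
"""
import re

# Constructed asset inventory: (hostname, product, version, network zone).
INVENTORY = [
    ("web-01", "openssl", "1.0.1e", "dmz"),
    ("web-02", "openssl", "1.0.1g", "dmz"),
    ("build-07", "7-zip", "9.20", "internal"),
    ("db-03", "openssl", "1.0.2k", "internal"),
]

# Constructed vulnerability records: product plus first and last affected version (inclusive).
VULNS = [
    {"id": "CVE-2014-0160", "product": "openssl", "min": "1.0.1", "max": "1.0.1f"},
    # Placeholder record (hypothetical, not a real advisory) to show a second product.
    {"id": "HYPOTHETICAL-0001", "product": "7-zip", "min": "0", "max": "9.38"},
]


def version_key(version):
    """Turn '1.0.1f' into (1, 0, 0, 0, 1, 6) so OpenSSL-style letter suffixes compare correctly.

    Each dotted token becomes (number, suffix_rank); a missing suffix ranks 0, so
    1.0.1 < 1.0.1a < 1.0.1f < 1.0.2, which plain string comparison would not guarantee.
    """
    parts = []
    for token in version.split("."):
        m = re.fullmatch(r"(\d+)([a-z]?)", token)
        if not m:
            raise ValueError(f"unsupported version token: {token!r}")
        parts.append(int(m.group(1)))
        parts.append(ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0)
    return tuple(parts)


def is_affected(version, vuln):
    """True when version lies inside the record's affected range (inclusive)."""
    return version_key(vuln["min"]) <= version_key(version) <= version_key(vuln["max"])


def applicable_findings(inventory=INVENTORY, vulns=VULNS):
    """Return (vuln id, hostname, version, zone) for every asset inside an affected range.

    The zone is carried along because the asset's location feeds the next step,
    prioritization, even though it plays no role in applicability itself.
    """
    findings = []
    for host, product, version, zone in inventory:
        for vuln in vulns:
            if vuln["product"] == product and is_affected(version, vuln):
                findings.append((vuln["id"], host, version, zone))
    return findings


if __name__ == "__main__":
    for finding in applicable_findings():
        print("%-18s %-10s %-8s zone=%s" % finding)
```

A version match only tells you that the vulnerable code is present on the host, not that it is reachable: for configuration-dependent issues such as DROWN or Sweet32 the inventory also needs the relevant settings (SSLv2 support, enabled cipher suites), or a follow-up check against the running service.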
Prioritizing vulnerabilities – it applies, now what?
So you have determined that the vulnerable asset is somewhere within your IT infrastructure. Now is the time to determine whether the vulnerability should be remediated and, if so, how fast.
There are several elements to keep in mind when assessing the vulnerability. Is it a local or a remote vulnerability? Is an exploit known and publicly available? Where in the network is the asset located? How difficult is it to exploit the vulnerability? The Common Vulnerability Scoring System (CVSS) captures most of these questions in a standard way and so helps classify and prioritize vulnerabilities. Or as FIRST.org, which maintains CVSS, puts it: “CVSS is a vendor agnostic, industry open standard designed to convey vulnerability severity and help determine urgency and priority of response“.
CVSS scoring is built around three metric groups: Base, Temporal and Environmental. The Base score represents the intrinsic severity of a vulnerability, which does not change over time or across environments. The Temporal score adjusts for characteristics that do change over time, such as whether a working exploit exists and whether an official fix is available. Base and, where provided, Temporal metrics are usually published with the vulnerability by the vendor or a vulnerability database. The Environmental metrics are yours to fill in: they adjust the overall score for the importance of the affected asset and for mitigating measures already in place, and thereby prioritize the organization's response based on its own environment.