Vulnerability Management

Guidance to help organizations evaluate and prioritize vulnerabilities.

All software contains vulnerabilities; either defects that require patches to remedy, or misconfiguration that requires administrative activity to fix.

For this reason, organizations should have a vulnerability management process which helps them to know what vulnerabilities are present within their IT environment on a continuous basis. Executive staff should ideally be as aware of the major vulnerabilities in their IT environment as they are of their financial status.

This publication will help organizations to:

  • evaluate and prioritize vulnerabilities
  • identify which patches are high priority
  • ensure funds and resources can be optimally deployed

Even if most of your data is not sensitive, vulnerability management will help you protect information about your staff and your reputation. It will also reduce the likelihood of you being a victim of successful ransomware attacks. Penetration Testing should be used to validate the effectiveness of the vulnerability management process and is not its replacement.


Fixing Vulnerabilities

Exploitation of known vulnerabilities in software remains the number one cause of security incidents. Patching is one of the most important things you can do to mitigate vulnerabilities. It is the process of applying updates from software vendors and hardware suppliers, to either improve functionality or to improve security.

Why do vulnerabilities go unfixed?

Best practice would be to patch every vulnerability as soon as the relevant update is released for the affected systems. In practice, several limitations make this impossible. The main ones are:

  • cost: upgrading servers and workstations to a new platform is expensive
  • disruption: upgrades disrupt business and are mostly resource intensive
  • compatibility: specialist applications may not operate as expected on newer operating systems
  • operations: major software upgrades are risky, and software may not work as desired

The idea of a major upgrade unnerves businesses, and the right skills may not be available to plan and implement it. This leads to delays, and each delay in turn increases the size of the task, making it more expensive and less likely to get fixed.

Organisations therefore need to prioritise patches within their vulnerability management process, dealing with the most critical first.

It is better to make small incremental changes than to wait and feel overwhelmed by the task.


1. Assess vulnerabilities

We recommend that organisations perform vulnerability assessment of their entire IT environment on a regular basis.

A regular vulnerability assessment is important to ensure that your organisation is aware of the risks that are present. Tools exist that make this process simple, eliminating the need for an external partner or specialised skills.

Automated vulnerability scanners

You should use an automated vulnerability scanner in your organisation to identify vulnerabilities across your IT environment. These scanners assess target systems to identify whether they are affected by commonly known vulnerabilities.

To get value from vulnerability scanners you should:

  • Perform scans from an external/internet-facing posture, and then scan your systems internally using admin credentials.
  • Carefully monitor the admin credentials used for scanning for any anomalous activity, and disable them when not in use.
  • Scan your entire environment to discover any rogue devices/systems.
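As an added illustration of the last point (this is example code written for this page, not a tool from the original guidance), the script below reconciles the hosts an internal discovery scan responded from against the asset inventory: anything the scan found that the inventory does not know about is a candidate rogue device, and anything in the inventory the scan never reached is a coverage gap. The two CSV lists and their column names are constructed sample data; real scanners and CMDBs export different layouts, so the parsing is an assumption to adapt.

```python
"""Reconcile scan-discovered hosts with the asset inventory.

Added example, not part of the original guidance. INVENTORY_CSV and SCAN_CSV
are constructed sample data; the column layout is an assumption.
"""
import csv
import io
from dataclasses import dataclass


# Constructed sample: what the asset inventory says should be on the network.
INVENTORY_CSV = """ip,hostname,owner
10.0.1.10,web01,platform-team
10.0.1.11,web02,platform-team
10.0.2.20,db01,data-team
10.0.2.21,db02,data-team
"""

# Constructed sample: hosts that answered an internal discovery scan.
# 10.0.3.77 is not in the inventory; 10.0.2.21 never answered; web01 is
# listed twice, as scanners often do when a host has several interfaces.
SCAN_CSV = """ip,hostname,open_ports
10.0.1.10,web01,22;443
10.0.1.11,web02,22;443
10.0.2.20,db01,5432
10.0.3.77,unknown,445;3389
10.0.1.10,web01,22;443
"""


@dataclass(frozen=True)
class Host:
    ip: str
    hostname: str


def parse_hosts(csv_text: str) -> dict[str, Host]:
    """Parse a CSV with at least 'ip' and 'hostname' columns into a map keyed by IP.

    Keying by IP also de-duplicates repeated scan rows for the same host.
    """
    hosts: dict[str, Host] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = row["ip"].strip()
        hosts[ip] = Host(ip=ip, hostname=row["hostname"].strip())
    return hosts


def reconcile(inventory_csv: str, scan_csv: str) -> dict[str, list[str]]:
    """Return IPs the scan found but the inventory lacks ('rogue') and
    inventory IPs the scan did not reach ('missing'), both sorted."""
    inventory = parse_hosts(inventory_csv)
    scanned = parse_hosts(scan_csv)
    rogue = sorted(ip for ip in scanned if ip not in inventory)
    missing = sorted(ip for ip in inventory if ip not in scanned)
    return {"rogue": rogue, "missing": missing}


if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, SCAN_CSV)
    print("Candidate rogue devices (scan found, inventory unaware):", result["rogue"])
    print("Inventory assets the scan did not reach (coverage gap):", result["missing"])
```

Both lists deserve follow-up: a rogue entry is either an unmanaged device or an inventory that has fallen behind, and a missing entry means the scan's coverage claim is weaker than it looks.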

2. Triage vulnerabilities

Assign vulnerability triage responsibility to a specific member of the information security team to make sure critical vulnerabilities do not go unattended.

Vulnerability scanners usually assign a severity rating to issues; this should be considered a benchmark, but business risks and mitigation circumstances should also be considered to have a full picture of the issues.

The triage team/individual must take the time to assess issues with collaboration from all system owners and administrators.

Your triage process should divide all issues identified into three categories: Fixed, Risk Accepted and In Progress.

  • Fixed – issues that have been fixed should be assigned this marker.
  • Risk Accepted – if, for business or technological reasons, a vulnerability cannot be fixed, it should undergo the risk acceptance process and be marked as Risk Accepted.
  • In Progress – any issue that does not fall into either of the above categories should be marked as In Progress.

The decision to fix or leave an issue is a business decision, and every organisation has its own risk appetite.


3. Prioritise vulnerability fixes

You should prioritise vulnerability fixes by concentrating on issues that:

  • can be easily exploited by malicious actors
  • would have the largest impact if exploited

A sample set of guidelines for deciding which issues should be fixed first is given below.

Step 1: How to decide what you need to fix first.

Priority 1: Fix Internet facing applications that can be exploited automatically across the Internet with no physical intervention from the attacker.

Priority 2: Fix Issues that can be exploited across the Internet with minimal user interaction (workstation vulnerabilities, drive-by downloads, email-based attacks).

Priority 3: Fix issues that can be exploited by attackers who have access to the organisation's local network.

Step 2: Decide what you can afford to fix first

You will also find issues that require financial investment to fix. Fixing these is a senior-level decision based on business risk.

If a decision is made not to fix an issue, the formal risk acceptance process should be followed to make sure that the decision can be adequately defended if exploitation of the issue takes place.
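To make the triage categories of section 2 and the two prioritisation steps above concrete, here is an added example (written for this page, not code from the original guidance) that encodes them as a small work-queue builder. The finding records are constructed sample data, and the fields used to drive the rules, `exposure` (Internet-reachable or local network only), `user_interaction` (does exploitation need a user to act) and `risk_acceptance_ref`, are assumptions: a real scanner export would have to be mapped onto them. Note that the scanner's own severity is carried along but deliberately not used for ordering, reflecting the guidance that it is a benchmark rather than the decision.

```python
"""Order scanner findings by the guidance's Priority 1-3 rules and triage states.

Added example, not part of the original guidance. SAMPLE is constructed data;
the Finding fields are assumptions about how scanner output would be mapped.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Status(Enum):
    FIXED = "Fixed"
    RISK_ACCEPTED = "Risk Accepted"
    IN_PROGRESS = "In Progress"


class Exposure(Enum):
    INTERNET = "internet"   # reachable from the Internet
    LOCAL = "local"         # reachable only from the internal network


@dataclass
class Finding:
    finding_id: str
    host: str
    title: str
    scanner_severity: str          # the scanner's rating: a benchmark, not the decision
    exposure: Exposure
    user_interaction: bool         # True if a user must act (open a file, visit a page)
    status: Status = Status.IN_PROGRESS
    risk_acceptance_ref: Optional[str] = None  # mandatory when status is RISK_ACCEPTED


def priority(f: Finding) -> int:
    """Step 1 of the guidance.

    1: Internet-facing and exploitable with no intervention from the attacker
    2: reachable across the Internet but needs minimal user interaction
    3: exploitable only with access to the local network
    """
    if f.exposure is Exposure.INTERNET:
        return 2 if f.user_interaction else 1
    return 3


def missing_risk_acceptance(findings: list[Finding]) -> list[str]:
    """Step 2 check: an issue left unfixed must have gone through the formal
    risk acceptance process; return the ids of any marked accepted without a record."""
    return [f.finding_id for f in findings
            if f.status is Status.RISK_ACCEPTED and not f.risk_acceptance_ref]


def work_queue(findings: list[Finding]) -> list[tuple[int, str]]:
    """Return (priority, finding_id) for In Progress items, highest priority first.

    Fixed and Risk Accepted items are excluded: they are closed in the triage sense.
    """
    open_items = [f for f in findings if f.status is Status.IN_PROGRESS]
    open_items.sort(key=lambda f: (priority(f), f.finding_id))
    return [(priority(f), f.finding_id) for f in open_items]


# Constructed sample findings. F-3 shows why scanner severity alone is not
# enough: it is rated critical but is reachable only from the local network.
SAMPLE = [
    Finding("F-1", "web01", "Remote code execution in public web app", "critical",
            Exposure.INTERNET, user_interaction=False),
    Finding("F-2", "ws-17", "Browser flaw exploitable by drive-by download", "high",
            Exposure.INTERNET, user_interaction=True),
    Finding("F-3", "fileserver", "SMB flaw on internal file server", "critical",
            Exposure.LOCAL, user_interaction=False),
    Finding("F-4", "legacy-app", "Unsupported operating system", "high",
            Exposure.LOCAL, user_interaction=False,
            status=Status.RISK_ACCEPTED, risk_acceptance_ref="RA-PLACEHOLDER-001"),
    Finding("F-5", "web02", "Weak TLS configuration", "medium",
            Exposure.INTERNET, user_interaction=False, status=Status.FIXED),
]


if __name__ == "__main__":
    for problem in missing_risk_acceptance(SAMPLE):
        print("WARNING: no risk acceptance record for", problem)
    for prio, fid in work_queue(SAMPLE):
        print(f"Priority {prio}: {fid}")
```

Running it lists F-1, then F-2, then F-3; F-4 stays out of the queue because it carries a risk acceptance reference, and F-5 because it is already fixed. Removing the reference from F-4 makes the check report it, which is the point of Step 2: an unfixed issue with no defensible record is a gap, not a decision.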



Comments

2 responses to “Vulnerability Management”

  1.
    Anthony Onyancha

    Do you advise a risk be marked as accepted because of cost? I mean, which is the least and highest factor to consider before marking it accepted?

    1. There are three ways you can treat any risk: first, you can mitigate the risk (find a solution); second, you can transfer the risk (e.g. insurance); or third, you can accept the risk.
      Any of these three decisions can be settled based on a cost-benefit analysis of the actual situation.