7 Essential Vulnerability Management Questions Answered

Transcription

7 essential vulnerability management questions answered:

Are monthly or quarterly audit-based assessments enough?
Should my security architecture rely solely on patching?
Are CVSS scores reliable?
What is risk-based prioritization?
Zero-days? End-of-life? How do I deal with unpatchable issues?
Should I invest in separate patching tools?
Agent-based or agentless scanning?

Gone are the days when sysadmins simply scheduled patches to their network a week or two after Patch Tuesday and called it a day. Given the complexity of the current digital landscape, i.e., the scale and diversity of endpoints, applications, and operating systems on networks spread across the globe, many organizations face greater cyber risk today. Not to mention the rate at which vulnerabilities are burgeoning. Worse still, the range of attack vectors beyond unpatched vulnerabilities is constantly widening. This puts pressure on organizations to reorganize their priorities around vulnerability management. But often, organizations are overwhelmed with a flood of concerns.

How often should I scan my network? Which areas should I focus on first? Will vulnerability management actually lower risk, or is it merely a compliance chore? What factors should I consider to prioritize high-profile risks? How do I define a better remediation method? Should my security architecture be entirely dependent upon patching? What if I come across a zero-day vulnerability in my network?

In this e-book, we tackle 7 essential vulnerability management questions to dispel these doubts once and for all. The e-book is not only a consolidated source of answers to the top vulnerability management questions, but also a guide to adopting the best possible course of action at various stages of your vulnerability management endeavors. For this e-book, you'll need to be familiar with the fundamentals of vulnerability management.

Though this e-book is written in sequential order, every section is self-contained. Feel free to dip in and out of it as you prefer. Use the links in the table of contents to jump to a section that appeals to you, or read it from cover to cover.

Table of contents

01 Does agent-based vulnerability management give you an edge? What about in remote work conditions?
02 Do monthly or quarterly assessments based on compliance requirements suffice?
03 Are my vulnerability management efforts in vain without risk-based assessment?
04 What metrics do I need to track beyond CVSS scores to prioritize risks?
05 Why juggling multiple tools for vulnerability assessment and patch management results in a siloed and inefficient workflow
06 How do I defend my organization against zero-day vulnerabilities, public disclosures, and other unpatchable situations?
07 Should my security architecture be solely reliant on patching vulnerabilities?
08 The one-stop solution to all your vulnerability management woes

Does agent-based vulnerability management give you an edge? What about in remote work conditions?

Eliminating blind spots is the key to an efficient vulnerability management program, and endpoint agents do a great job of this. The visibility, accuracy, and efficiency offered by agent-based scanning are hard to match with agentless scanning alone.

Agentless scanning is network-intrusive and is likely to cause traffic congestion every time a network-based scan runs to discover assets and retrieve their vulnerability status. It also requires host credentials to log in and run a detailed (authenticated) scan that inspects the file system, registry, and configuration. That brings further problems: keeping up with rotating credentials, and investing in secure storage for them so that the scanner itself does not become a source of credential compromise.

Agents, on the other hand, are lightweight, multipurpose components that live on the endpoint. Because the agent runs locally, it needs no stored host credentials and can continuously watch for new vulnerabilities, misconfigurations, and other weaknesses as they appear, without a fixed scan window and without consuming network bandwidth for scanning.

Tracking assets over time in networks that use dynamic IPs is no longer a problem either: modern agents keep the address of the vulnerability management server and are designed to reach out and report to it when their own address changes or connectivity is interrupted. Agents can also replicate patch binaries from the server to client machines, so that not every client has to download patches itself, which cuts overall bandwidth consumption considerably.

Ever since the rapid shift to remote work in response to COVID-19, many organizations have relied on VPN gateways as the path for vulnerability scans and patch deployment. This often creates bottlenecks that slow down the update process, and not every device stays connected via VPN anyway.

Endpoints join and leave the network, and agentless scans miss any device that is not connected at the time of the scan. You can't afford to let endpoints accumulate vulnerabilities while a sizeable proportion of them sit outside perimeter security, exposed to untrusted internet connections.

According to the International Data Corporation (IDC), "70 percent of successful breaches begin at the endpoint."

Regardless of perimeter security or the lack of it, knowing where assets are and securing each one is essential, whether they are on the move, working from another location, or connecting from a partner site. Endpoint agents are pivotal to maintaining uninterrupted visibility and control over remote endpoints across your entire global hybrid IT estate.

With agents installed on remote endpoints, the agents can download the required patches from trusted vendor sources directly onto the remote machine, without waiting for the remote user to connect through the VPN, which avoids the VPN gateway bottleneck. Location stops being a constraint: scanning for threats and vulnerabilities and deploying remediation can both be carried out through the agent.

One caveat worth keeping in mind: agents only cover hosts that can run them. Network devices, printers, appliances, and unmanaged or rogue machines still need periodic agentless discovery and network-based scanning, so in practice the two approaches complement each other rather than compete.

Do monthly or quarterly assessments based on compliance requirements suffice?

A 2019 Ponemon Institute study found that 60% of organizations that suffered a breach attributed it to a known vulnerability for which a patch was available but had not been applied.

Despite the reported number of breaches and the costs incurred globally due to unpatched and misconfigured systems, many organizations never wake up to the fact that their network could be exploited at any minute. Truly targeted attacks are rare; the overwhelming majority of attacks leverage known vulnerabilities that are present on millions of endpoints around the globe.

Yet many organizations still treat vulnerability assessment as just another audit requirement and schedule scans once a month, once a quarter or, even worse, once a year. These point-in-time snapshots of your security posture lead nowhere.

First, infrequent scans produce a deluge of data: hundreds of pages of reports that take weeks or months to sift through. Meanwhile new vulnerabilities keep arriving (the 22,316 disclosures in 2019 cited in the next section work out to roughly 60 per day) and patches for them are released continuously. By the time you have finished poring over the results of one scan, new vulnerabilities have already taken root in your network.

The gap between vulnerability disclosure and active exploitation has shrunk in recent years, which makes frequent scanning all the more urgent.

All it takes is a single high-profile vulnerability for an attacker to topple your business. Audit-based assessments should complement continuous vulnerability assessment, not replace it.

The Center for Internet Security (CIS) lists Continuous Vulnerability Management among its basic controls (Control 3 in CIS Controls v7, Control 7 in v8).

There is also the risk that you fail to act in time when scans are run manually. Every new device or software instance that enters your network exposes the organization to new vulnerabilities. Modern enterprises are tightly integrated with partners and customers, and every new opportunity opens new avenues for risk.

On top of this, systems change all the time, so scans should run as often as your IT ecosystem changes. A developer might write permissive firewall rules and create network shares for convenience while building software and never revisit them. Administrators allow configuration changes for testing or troubleshooting and forget to revert them.

Any undocumented change can introduce a misconfiguration that compromises security. That being the case, it is not just desirable but obligatory to employ automated vulnerability management tooling that continuously monitors network assets and tracks and resolves new vulnerabilities and misconfigurations as they emerge. Remember: you can't secure what you can't see.

Are my vulnerability management efforts in vain without risk-based assessment?

22,316 new security vulnerabilities were disclosed in 2019, and exploits were published for over one-third of them.

One of the common woes of vulnerability management for organizations of all sizes is that there are simply too many vulnerabilities to fix.

With attackers developing exploits from public disclosures within days, organizations need to remediate swiftly. But it can feel like there are too many vulnerabilities and too little time to address them all.

With limited resources and time, manually administering patches for every vulnerability in your network is practically impossible. Even with a generous sysadmin-to-system ratio, it is unrealistic to have every Windows machine fully patched the day after Patch Tuesday: patching itself takes time, depending on the number of systems and applications, the type of resources being patched, the load-handling capacity of the patching tool, the organization's patching window, and the testing process that precedes deployment. Patching windows for servers are especially narrow, and server patching demands extreme care; one mistake can cause extended downtime and disruption to ongoing business.

Automation helps shrink the patching window considerably, but automating patches to every machine without thinking about remediation priority is pointless. If an attacker slips in and steals data by exploiting a high-profile, imminently exploitable vulnerability while your patching effort is directed at low-risk ones, the speed you gained through automation has bought you nothing.

Not all vulnerabilities pose an equal risk. Attackers know what works and what doesn't. Your ability to distinguish the vulnerabilities that present imminent risk from those unlikely to be exploited makes the difference between staying secure and becoming an incident.

For instance, assume a scan identifies 1,000 vulnerabilities across your network. Patching all of them at once is impossible, and patching them in arbitrary order could leave highly critical flaws at the end of the queue while non-critical ones are fixed first. If you can pick out the 100 high-profile vulnerabilities and patch those promptly, you stand a much better chance against attack.

To be clear, we are not advocating against patching all vulnerabilities. Given the rate at which new ones surface, vulnerabilities are a constant presence on any network. The most reasonable approach is to eliminate the vulnerabilities that present the highest risk at any given time first, and automate the rest of the patches after thorough testing.

This is why a risk-based vulnerability assessment, one that predicts what is likely to be exploited and what the consequences would be, is essential to securing your network effectively. It directs the security team's attention to the issues that matter most instead of wasting time and resources on less critical ones, where the cost of fixing can sometimes outweigh the risk.

Here's more on the benefits you'll reap from risk-based vulnerability assessment:

- Identifying imminently exploitable and impactful vulnerabilities early, including the wormable ones, where an exploit can propagate through the network without any interaction from admins or users.
- Giving context to vulnerabilities, which can be leveraged to determine their priority, urgency, and potential impact.
- Patching often disrupts normal business operations: it consumes a good deal of network bandwidth and is typically followed by a reboot, which means downtime. Prioritizing what truly needs to be patched immediately helps you strike a balance between risk mitigation and the downtime that comes with it.

What metrics do I need to track beyond CVSS scores to prioritize risks?

Common Vulnerability Scoring System (CVSS) scores have been viewed as the de facto measure for prioritizing vulnerabilities. Each vulnerability receives a CVSS base score from 0.0 to 10.0, with 10.0 the most severe. But CVSS was never intended as a risk prioritization mechanism: it measures severity (how bad exploitation would be under the scoring assumptions), not the likelihood of exploitation in your environment. If you have relied on CVSS scores alone to safeguard your organization, here is why you are probably using them incorrectly.

Because of its reputation as an industry standard, and the rate at which vulnerabilities are burgeoning, organizations leaned on CVSS as a prioritization framework. But CVSS scores come with a slew of pitfalls. For instance, it is common practice to treat anything with a score of seven or above as High Risk. A large portion of the vulnerabilities discovered each year fall into this bracket.

Out of the 787 CVEs published for Microsoft products in 2019, 731 had a severity rating of 7 or above.

Worse still, only a small percentage of them were ever leveraged in attacks.

That is because whether a vulnerability gets exploited depends on the benefit an attacker can gain from exploiting it, in other words, the impact the attacker can have on an organization. Factors such as the technical feasibility of an exploit and the public availability of proof-of-concept code also shape which vulnerability an attacker chooses.

A CVSS base score is assigned shortly after disclosure from the vulnerability's intrinsic characteristics and is rarely revised afterwards; the temporal metrics that would reflect exploit maturity are seldom populated in practice. So when a lower-severity vulnerability starts being exploited in the wild after disclosure, that reality is never reflected in the score you see.

Did you know? Nine out of 12 widely exploited vulnerabilities reported in 2019 in Microsoft's Windows operating system and its applications were rated by Microsoft only as Important, not Critical.

Organizations that prioritize on CVSS and vendor severity ratings alone are left dealing with a substantial number of vulnerabilities classified as severe that pose little to no real risk, which defeats the whole purpose of prioritization.

As a result, plenty of remediation effort is dispersed on vulnerabilities that are unlikely to be exploited, while the important ones that need immediate attention remain exposed. This is a slippery slope that gives you a false sense of security.

For vulnerability management efforts to pay off, organizations should augment CVSS-based assessment with a multi-faceted, risk-based prioritization process that weighs factors such as vulnerability age, exploit availability, current exploitation activity, number of assets affected, affected asset criticality, impact type, and patch availability.

Now that we have established the variables essential to rigorously assessing risk, let's discuss how each helps you direct attention to the most alarming areas and adopt the best course of action.

Understand exploit availability and exploitation activity

Knowing whether an exploit is publicly available for a vulnerability is pivotal to prioritization. These are the vulnerabilities that need immediate attention, irrespective of severity level, since the exploit is out in the wild and anyone could use it to break into your network and steal sensitive data.

Security teams should keep up to date on which newly disclosed vulnerabilities attackers are actively leveraging, and focus their effort on ridding their endpoints of those high-profile issues first.

Include affected asset count and criticality in vulnerability prioritization

Some assets are more important than others. Web servers sit at the perimeter and are exposed to the internet, which makes them easy targets. Database servers, which hold a wealth of information such as customers' personal and payment details, should also be prioritized over other assets when scoping the assessment, since even a lower-rated vulnerability on a business-critical asset like this may pose a high risk. Likewise, if a moderate-to-critical vulnerability is found to affect a large proportion of IT assets, it makes sense to patch it immediately to lower the overall risk. In cases like these, vulnerability management solutions that wipe out a group of vulnerabilities across many endpoints with a single patch deployment task come in handy.

Identify how long a vulnerability has been lurking in your endpoints

Once information about a vulnerability is out, the clock starts ticking and the race is on between your security team and threat actors. It's essential to track how long high-profile vulnerabilities have been lurking in your endpoints; a vulnerability that lingers for a long time is an indication of weak security.

A vulnerability that seems less critical at first might prove fatal over time, since attackers eventually develop tooling that takes advantage of such flaws. A best practice is to immediately resolve vulnerabilities that have a known exploit or are actively exploited in the wild, followed by vulnerabilities labeled Critical. Vulnerabilities categorized as Important are generally harder to exploit but, as a rule of thumb, should be remediated within 30 days.

Triage vulnerabilities based on impact type

Though ease of exploitation plays a significant role in risk assessment, an exploitable vulnerability does not by itself guarantee an attack. Attackers don't pick a vulnerability just because a ready-made exploit exists or because it takes the least effort; they pick it because exploiting it furthers their goals. Only then do exploit availability and ease come into play.

The impact of a vulnerability may include, but is not limited to, denial of service, remote code execution, memory corruption, privilege elevation, cross-site scripting, and sensitive data disclosure. The most daunting are wormable vulnerabilities, which let any future malware that exploits them propagate from vulnerable computer to vulnerable computer without user involvement.

Employing solutions that categorize and profile vulnerabilities based on the risk factors above helps you triage better and adopt an appropriate security response for your organization.
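The ranking below is added here as a worked example; it is not code from the e-book or from any vendor product. It scores a handful of constructed findings on the factors this section lists (CVSS, exploit availability, exploitation in the wild, asset criticality, affected-asset count, impact type, patch availability, age) and compares the result with a CVSS-only ordering. The vulnerability IDs, host names, numbers and weights are all assumptions chosen for illustration.

```powershell
# Added example: risk-based triage of scan findings on the factors listed above.
# Not code from the e-book or any vendor product. The findings are constructed sample
# data (IDs, hosts and numbers are invented for illustration), not real scan output.

$findings = @(
    [pscustomobject]@{ Id='VULN-A'; Cvss=9.8; VendorSeverity='Critical';  ExploitPublic=$false; ExploitedInWild=$false; Asset='lab-vm-07';   AssetCriticality=1; AffectedAssets=2;   Impact='RCE';            PatchAvailable=$true;  AgeDays=3  }
    [pscustomobject]@{ Id='VULN-B'; Cvss=7.5; VendorSeverity='Important'; ExploitPublic=$true;  ExploitedInWild=$true;  Asset='db-prod-01';  AssetCriticality=5; AffectedAssets=4;   Impact='RCE';            PatchAvailable=$true;  AgeDays=40 }
    [pscustomobject]@{ Id='VULN-C'; Cvss=5.3; VendorSeverity='Moderate';  ExploitPublic=$true;  ExploitedInWild=$false; Asset='web-edge-02'; AssetCriticality=4; AffectedAssets=120; Impact='InfoDisclosure'; PatchAvailable=$true;  AgeDays=15 }
    [pscustomobject]@{ Id='VULN-D'; Cvss=8.8; VendorSeverity='Important'; ExploitPublic=$false; ExploitedInWild=$false; Asset='ws-hr-113';   AssetCriticality=2; AffectedAssets=900; Impact='PrivEsc';        PatchAvailable=$false; AgeDays=2  }
)

function Get-RiskScore {
    param([Parameter(Mandatory)][pscustomobject]$Finding)
    # Weights are assumptions for illustration; tune them to your environment.
    $impactWeight = @{ RCE = 4; PrivEsc = 3; DoS = 2; InfoDisclosure = 2; XSS = 1 }
    $score = [double]$Finding.Cvss                          # start from CVSS, don't stop there
    if ($Finding.ExploitedInWild) { $score += 6 }           # observed attacks outrank everything
    elseif ($Finding.ExploitPublic) { $score += 3 }         # public PoC: anyone can weaponise it
    $score += $Finding.AssetCriticality                     # 1 (lab box) .. 5 (crown jewels)
    $score += [math]::Log10([math]::Max(1, $Finding.AffectedAssets))  # breadth, damped
    $score += $impactWeight[$Finding.Impact]
    if (-not $Finding.PatchAvailable) { $score += 1 }       # needs a workaround, not just a patch task
    if ($Finding.AgeDays -gt 30) { $score += 2 }            # already past the 30-day rule of thumb
    return [math]::Round($score, 1)
}

function Get-RemediationSlaDays {
    param([Parameter(Mandatory)][pscustomobject]$Finding)
    # Mirrors the order the section recommends; the 7- and 90-day figures are assumptions.
    if ($Finding.ExploitedInWild -or $Finding.ExploitPublic) { return 0 }   # fix now
    switch ($Finding.VendorSeverity) {
        'Critical'  { return 7 }
        'Important' { return 30 }
        default     { return 90 }
    }
}

# Same findings, two orderings: CVSS alone versus the risk score.
$byCvss = ($findings | Sort-Object Cvss -Descending).Id -join ' > '
$byRisk = ($findings | Sort-Object { Get-RiskScore $_ } -Descending).Id -join ' > '
"CVSS-only order : $byCvss"
"Risk-based order: $byRisk"

$findings |
    Select-Object Id, VendorSeverity, Cvss, Asset, ExploitedInWild,
        @{ n = 'Risk';    e = { Get-RiskScore $_ } },
        @{ n = 'DueDays'; e = { Get-RemediationSlaDays $_ } } |
    Sort-Object Risk -Descending |
    Format-Table -AutoSize
```

Run it as a script and compare the two order lines: the CVSS-only ordering puts the 9.8 on a lab VM first, while the risk-based ordering moves the Important-rated but actively exploited flaw on the production database server to the top and pushes the lab VM to the bottom, which is exactly the gap the "nine out of 12" statistic above describes. In a real deployment the findings array is what your scanner exports; the scoring function is what you keep tuning.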

Why juggling multiple tools for vulnerability assessment and patch management results in a siloed and inefficient workflow

Recent ESG research on cyber risk management, which surveyed 340 cybersecurity professionals, found that 40 percent considered tracking vulnerability and patch management over time their biggest challenge.

Organizations tend to bolt a dedicated patching tool onto their vulnerability assessment software to carry out remediation. There are a couple of reasons why. Some organizations want top-tier solutions for both patching and vulnerability management, thinking that will deliver the best possible result. Others simply have no other choice, because their vulnerability assessment tool does not come with built-in patching.

Vulnerability management should be approached as a unitary process, not an amalgamation of different products. Juggling multiple tools for assessment and patch management results in a siloed and inefficient workflow. These tools are frequently handled by people on different teams, which makes it difficult to streamline vulnerability scanning and assessment, ticketing, and patching as one process.

When the security team identifies and prioritizes vulnerabilities, it has to send tickets to the IT team explaining why a vulnerability is high priority, along with the action items required to fix it. When the fix is in, the remediation or IT operations team has to report the status back to the security team, which then has to perform additional validation to close the loop.

Two teams using two separate products not only delays fixes, but also introduces the likelihood of data disparity between the integrated solutions and undermines the accuracy of tracking the entire life cycle of a vulnerability, from detection to closure, from a central location, which in turn undermines the efficiency of the vulnerability management program.

Adding to this, installing more than one agent from multiple vendors affects system resource utilization and user productivity. In dynamic environments where assets come and go frequently, one of the agents failing to be installed on a new asset introduces further complications in the workflow.

There is also a cost factor in implementing separate solutions for vulnerability assessment and patching.

To do away with all these woes, your best bet is a vulnerability management solution with built-in patching that automatically correlates patches with detected vulnerabilities and lets you regulate and monitor remediation from the same console.

How do I defend my organization against zero-day vulnerabilities, public disclosures, and other unpatchable situations?

Though deploying patches and putting an end to vulnerabilities once and for all sounds ideal, there are cases where vulnerability information is out but the vendor has not rolled out a fix. This puts you behind the eight ball: attackers are developing an exploit while your network sits vulnerable, waiting for a patch. Let's look at a few scenarios in which this happens and at ways to stay resilient.

Zero-day vulnerabilities

A zero-day vulnerability is one the vendor does not yet know about, or knows about but has not yet patched; a zero-day exploit is an attack that uses it. When proof-of-concept (PoC) code for such a flaw circulates before the vendor has closed the hole, exploitation can follow immediately. These vulnerabilities are exploited in the wild while they remain undisclosed and unpatched, sometimes before the vendor even knows they exist.

The very term "zero day" means the software developer or vendor has had zero days to patch the flaw, since it often is unaware of the vulnerability before attackers begin exploiting it.

According to the Ponemon Institute's 2020 State of Endpoint Security Risk report, 80 percent of successful breaches were new or unknown "zero-day attacks".

Security researchers and attackers alike constantly probe operating systems and applications for weaknesses, using automated testing tools, fuzzers, and reverse-engineering techniques to find any holes that may exist. If the good guys (security researchers, security firms, and so on) find a vulnerability first, they inform the vendor and withhold the details until the vendor can release a patch. Criminals, on the other hand, use the vulnerability to their own advantage if they are the first to discover it.

There is no silver bullet that renders your network impenetrable to zero-day exploits. But basic cyber hygiene helps organizations reinforce their resilience and avoid joining the densely populated club of cyber casualties.

Stay up to date with the latest patches: Keeping all systems up to date cannot guarantee safety against zero-day exploits, but it makes it harder for attackers to succeed. With the hardening built into modern operating systems, a zero-day is often only one link in an exploit chain that also relies on one or more known vulnerabilities (a sandbox escape or a privilege escalation, say), so staying current with updates for every OS and application breaks those chains.

Enforce the principle of least privilege (POLP): By limiting users' access rights to the minimum permissions required for their work, organizations reduce the blast radius of a successful zero-day exploit.

Block vulnerable ports and disable legacy protocols: The WannaCry ransomware attack of May 2017 spread through an SMBv1 flaw for which Microsoft had already shipped a fix (MS17-010) two months earlier; organizations that had disabled SMBv1 and blocked TCP port 445 at the firewall were not affected even where the patch was missing. Ensure connections to the NetBIOS ports (UDP 137 and 138, TCP 139) and SMB (TCP 445) are blocked at the perimeter and on endpoints that do not serve files, and check that insecure protocols such as Telnet, Server Message Block version 1 (SMBv1), Simple Network Management Protocol (SNMP) v1/v2c, and Trivial File Transfer Protocol (TFTP) are disabled.

In scenarios like these, your best bet is to harden your IT ecosystem (discussed in detail in the next section), isolate the affected systems, and block the affected application with application control until a patch or workaround is available. Learn the best practices you can implement now to harden your environment against zero-day vulnerabilities.

Public disclosures

In some rare cases a software user stumbles upon a flaw and mentions it online. In others, a frustrated security researcher whose report went unheeded by the vendor posts the details in a public forum. And there are cases where the vendor itself unwittingly reveals the details of a flaw in a security bulletin before a patch is in place. The prematurely leaked details of the EternalDarkness flaw (CVE-2020-0796, also known as SMBGhost) in Microsoft's SMBv3 compression in March 2020 are an example.

Usually, vendors quickly publish a workaround to mitigate exploitation; for CVE-2020-0796 it was a registry setting that disables SMBv3 compression on the server side until the fix is installed. A tool that applies such a workaround quickly and consistently across all your endpoints is vital until a patch arrives to fix the flaw permanently.

Forever-day vulnerabilities

Forget zero-day attacks on the latest software; legacy software that has reached end of life no longer receives security updates from the vendor and remains forever vulnerable to anything discovered in it. The consequences of running end-of-life software outweigh its benefits. Legacy operating systems often cannot run the latest applications, so they are stuck with legacy applications that will in turn reach end of life, widening your attack surface.

Businesses in regulated industries may also face significant fines for running out-of-date systems. This is why it is essential to keep track of which applications and operating systems are approaching or have already reached end of life, and to migrate to a supported version when they do.

Should my security architecture be solely reliant on patching vulnerabilities?

Vulnerabilities are only an entry point; attackers leverage plenty of other weaknesses to move laterally through your network. Care must therefore be taken to extend visibility beyond unpatched software and to implement further controls that harden your endpoints. Below we discuss practices that are effective in hampering attackers' attempts to break in.

Ensure your antivirus is up and running with the latest signature files

It's not uncommon for employees to temporarily disable their antivirus when it blocks something they want to do, such as running an installer, and then forget to re-enable it. New malware is identified every day, and antivirus vendors release signature updates anywhere from four to six times a day. Even a short period with antivirus disabled can leave the endpoint behind.

28% of devices have missing or outdated AV/AM tools, says the 2019 Endpoint Security Trends report.

Like a vulnerability scanner, an antivirus engine is only as good as its database of known signatures, and that database has to be kept current, since it is the baseline against which endpoints are continuously checked. Sweep your network for endpoints with disabled or out-of-date antivirus, and make sure they run enterprise-grade antivirus software with the latest definitions or signature files.

Fine-tune User Account Control

One of the best ways to maintain access control and prevent unauthorized changes to a computer is User Account Control (UAC). To squeeze all

Aside from enforcing long passwords, you should ensure users adhere to a set of predefined password policies, such as password complexity, minimum password age, maximum password age, and how many unique passwords must be used before an old password can be reused.

Complement strong passwords with an account lockout policy that determines how many failed logon attempts are allowed before the account is locked out and for how long. The account lockout policy is composed of three settings:

The account lockout threshold allows you to set the number of failed logon attempts accounts are allowed befo
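The script below is added here as a worked example; it is not code from the e-book or from any product. It audits a single Windows host for the hygiene items from the zero-day list (SMBv1, inbound SMB/NetBIOS exposure, Telnet, TFTP and SNMP), for the SMBv3 compression workaround Microsoft published for the CVE-2020-0796 disclosure, and for the antivirus and account-lockout controls from this section, and it can apply the fixes. The thresholds (one-day signature age, ten-attempt lockout, 15-minute lockout window) and the firewall rule names are assumptions; the antivirus checks use the Microsoft Defender cmdlets, so a third-party product needs its own equivalent.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the e-book or any vendor product. Audits and optionally
# remediates the hygiene items above on one Windows host. Thresholds and rule names are
# assumptions; the DisableCompression value is Microsoft's published CVE-2020-0796 workaround.

$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$SmbRuleName  = 'Block inbound SMB/NetBIOS (TCP)'   # assumed name, used by both functions

function Test-EndpointHygiene {
    # Returns one object per check; Pass = $false marks a gap to fix.
    $results = @()

    $smb = Get-SmbServerConfiguration
    $results += [pscustomobject]@{ Check='SMBv1 disabled'; Pass=(-not $smb.EnableSMB1Protocol); Detail="EnableSMB1Protocol=$($smb.EnableSMB1Protocol)" }

    # CVE-2020-0796 workaround: DisableCompression=1 on the SMB server (Microsoft ADV200005)
    $compression = (Get-ItemProperty -Path $LanmanParams -Name DisableCompression -ErrorAction SilentlyContinue).DisableCompression
    $results += [pscustomobject]@{ Check='SMBv3 compression disabled'; Pass=($compression -eq 1); Detail="DisableCompression=$compression" }

    $rule = Get-NetFirewallRule -DisplayName $SmbRuleName -ErrorAction SilentlyContinue
    $results += [pscustomobject]@{ Check='Inbound TCP 139/445 blocked'; Pass=($null -ne $rule -and $rule.Enabled -eq 'True'); Detail="rule '$SmbRuleName' present and enabled" }

    foreach ($feature in 'TelnetClient', 'TFTP') {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
        $results += [pscustomobject]@{ Check="$feature removed"; Pass=($state -ne 'Enabled'); Detail="State=$state" }
    }
    $snmp = Get-Service -Name SNMP -ErrorAction SilentlyContinue
    $snmpStatus = if ($snmp) { $snmp.Status } else { 'not installed' }
    $results += [pscustomobject]@{ Check='SNMP service off'; Pass=($null -eq $snmp -or $snmp.Status -ne 'Running'); Detail="Status=$snmpStatus" }

    # Defender: real-time protection on, signatures no older than a day (assumed threshold)
    $mp = Get-MpComputerStatus
    $results += [pscustomobject]@{ Check='Defender real-time protection on'; Pass=$mp.RealTimeProtectionEnabled; Detail="AntivirusEnabled=$($mp.AntivirusEnabled)" }
    $results += [pscustomobject]@{ Check='Defender signatures <= 1 day old'; Pass=($mp.AntivirusSignatureAge -le 1); Detail="AgeDays=$($mp.AntivirusSignatureAge) LastUpdated=$($mp.AntivirusSignatureLastUpdated)" }

    # Lockout threshold: 'net accounts' prints "Lockout threshold: Never" when it is unset
    $line = (net accounts) | Where-Object { $_ -match 'Lockout threshold' }
    $threshold = ($line -replace '.*:\s*', '').Trim()
    $results += [pscustomobject]@{ Check='Account lockout threshold <= 10'; Pass=($threshold -ne 'Never' -and [int]$threshold -le 10); Detail="threshold=$threshold" }

    $results
}

function Invoke-EndpointHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess('SMB server', 'disable SMBv1 and SMBv3 compression')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
        Set-ItemProperty -Path $LanmanParams -Name DisableCompression -Type DWORD -Value 1 -Force
    }
    if ($PSCmdlet.ShouldProcess('Windows Firewall', 'block inbound SMB/NetBIOS')) {
        # Caveat: only for hosts that do not serve files; a file server needs TCP 445 from its clients.
        if (-not (Get-NetFirewallRule -DisplayName $SmbRuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $SmbRuleName -Direction Inbound -Protocol TCP -LocalPort 139,445 -Action Block -Profile Any | Out-Null
            New-NetFirewallRule -DisplayName 'Block inbound NetBIOS (UDP)' -Direction Inbound -Protocol UDP -LocalPort 137,138 -Action Block -Profile Any | Out-Null
        }
    }
    if ($PSCmdlet.ShouldProcess('Legacy protocols', 'remove Telnet/TFTP clients, disable SNMP')) {
        foreach ($feature in 'TelnetClient', 'TFTP') {
            Disable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart -ErrorAction SilentlyContinue | Out-Null
        }
        if (Get-Service -Name SNMP -ErrorAction SilentlyContinue) { Stop-Service -Name SNMP; Set-Service -Name SNMP -StartupType Disabled }
    }
    if ($PSCmdlet.ShouldProcess('Defender and local accounts', 'update signatures, set lockout policy')) {
        Update-MpSignature
        # 10 failed attempts locks the account for 15 minutes; counter resets after 15 minutes (assumed values)
        net accounts /lockoutthreshold:10 /lockoutduration:15 /lockoutwindow:15 | Out-Null
    }
}

Test-EndpointHygiene | Format-Table -AutoSize
Invoke-EndpointHardening -WhatIf      # preview the changes; drop -WhatIf to apply them
```

Run the audit first from an elevated prompt and read the Pass column; the hardening function honours -WhatIf, so you can see every change before applying it. Note that a blanket inbound block on 445 belongs on workstations and perimeter firewalls, not on file servers or domain controllers, and that `net accounts` sets the local policy only; on domain-joined machines the domain's Default Domain Policy wins, so set the lockout values there instead.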
