How organizations should prioritize security vulnerabilities

Organizations are not always linking the security information on vulnerabilities with the specific risks to their business, says Vulcan Cyber.

Image: Getty Images/iStockphoto

With so many security vulnerabilities putting companies at risk, determining which ones to tackle can be a challenge. Focusing on all vulnerabilities is virtually impossible. Concentrating on just the critical ones is a sounder approach. But ultimately, you want to address the ones that have the greatest impact on your organization, a strategy that many security pros aren't necessarily following.

For its new report "How are Cyber Security Teams Prioritizing Vulnerability Risk?" security vendor Vulcan Cyber surveyed 200 IT security decision makers in North America to find out how vulnerability risk is prioritized, managed and reduced. The survey was conducted from September 23 through October 17, 2021.

Asked how they group vulnerabilities internally to decide which ones to prioritize, 64% said they do it by infrastructure, 53% by business function, 53% by application, 42% by stakeholder and 40% by business department. To help them in this process, 86% of the respondents said they rely on data based on the severity of the vulnerability, 70% turn to threat intelligence, 59% use asset relevance and 41% use their own custom risk scoring.

Security pros turn to different models and guidelines to help prioritize security flaws. Some 71% of those surveyed said they rely on the Common Vulnerability Scoring System (CVSS), 59% use the OWASP Top 10, 47% depend on severity scanning, 38% the CWE Top 25 and 22% the Bespoke scoring model. Some 77% of the respondents revealed that they use at least two of these models to score and prioritize vulnerabilities.

Despite all the information and models available to them, most of the professionals polled admitted that they don't always rank vulnerabilities appropriately. Asked whether many of the vulnerabilities they rank high should be ranked lower for their specific environment, 78% of the respondents strongly or somewhat agreed. And asked whether many of the vulnerabilities they consider low should be ranked higher for their organization, 69% strongly or somewhat agreed.

"In an ideal world, every vulnerability would get the same amount of attention as Log4Shell," said Vulcan Cyber CEO and co-founder Yaniv Bar-Dayan. "But considering the fact that NIST discloses and reports about 400 new vulnerabilities each week, IT security teams barely have time to assess and prioritize only the most critical."

The respondents also were asked which of the most vulnerable areas were of the greatest concern. Some 54% pointed to the exposure of sensitive data, 44% cited broken authentication, 39% mentioned security misconfigurations, 35% cited insufficient logging and monitoring and 32% pointed to injection attacks. Other concerns included cross-site scripting, using components with known vulnerabilities and broken access control.

And asked which specific types of vulnerabilities worried them the most, 62% cited MS14-068 (Microsoft Kerberos unprivileged user accounts), 40% mentioned MS08-067 (Windows SMB, aka Conficker, Downadup, Kido, etc.), 32% pointed to CVE-2019-0708 (BlueKeep), 32% cited CVE-2014-0160 (OpenSSL, aka Heartbleed) and 30% listed MS17-010 (EternalBlue).

Other security flaws of interest were MS01-023 (Microsoft IIS, aka Nimda), Spectre/Meltdown (CPU vulnerabilities), CVE-2008-1447 (DNS, aka Kaminsky), CVE-2014-6271 (Bash, aka Shellshock) and MS02-039 (SQL Slammer).

Recommendations for IT security pros

Since prioritizing vulnerabilities can be so challenging, what can security professionals do to improve their process?

"Knowing where your organization is vulnerable is critical to running an effective cyber risk management strategy, but you also need to be able to quickly convert cyber risk analysis into effective mitigation processes," Bar-Dayan said. "That requires a deep understanding of how to prioritize which vulnerabilities and risks you need to address first. The most effective way to do so is by consolidating vulnerability and cyber risk lifecycle management for infrastructure, applications and cloud assets in one place. That's essential to ensure that all departments are working together to identify and mitigate risk across your entire attack surface."

Bar-Dayan advises organizations to focus only on vulnerabilities of the greatest impact to their specific business. To achieve this requires that you collect and aggregate data on your assets through scanners, asset management, collaboration, IT service management and patch and configuration management. That information then needs to be linked with security CVE data as well as with threat intelligence, vulnerability severity and asset exploitability. With so much information to gather and correlate, most organizations should consider an automated approach, according to Bar-Dayan.

"The ultimate goal in vulnerability prioritization is to create a metric that is more meaningful than the atomic risk of any one vulnerability instance, or the risk mass of a grouping of vulnerable instances," Bar-Dayan added. "A combination of inputs to create a security posture rating for a business unit or a group of assets gives IT security teams a realistic shot at well-orchestrated cyber risk reduction."
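As an added illustration (not Vulcan Cyber's scoring model or code), the Python below combines the inputs the survey names, severity, threat intelligence and asset relevance, into a contextual risk per vulnerability instance and then rolls those up into a posture rating per business unit instead of a single atomic score or a raw sum. The assets, CVSS figures and weights are constructed assumptions; the vulnerability IDs are those the article lists.

```python
from collections import defaultdict
from dataclasses import dataclass
@dataclass(frozen=True)
class Asset:
    name: str
    business_unit: str       # grouping used for the posture rating
    criticality: float       # 0..1 from asset management (assumed scale)
    internet_facing: bool
@dataclass(frozen=True)
class VulnInstance:
    vuln_id: str
    asset: Asset
    cvss: float              # severity-only input (0..10)
    exploited_in_wild: bool  # threat-intelligence feed flag
    exploit_available: bool  # public exploit code known

def instance_risk(v: VulnInstance) -> float:
    """Contextual risk (0..100): CVSS severity re-weighted by threat intel,
    exposure and asset relevance. Weights are assumptions, not a vendor's."""
    severity = v.cvss / 10.0
    threat = 2.0 if v.exploited_in_wild else 1.5 if v.exploit_available else 1.0
    exposure = 1.0 if v.asset.internet_facing else 0.6
    relevance = 0.25 + 0.75 * v.asset.criticality
    return 50.0 * severity * threat * exposure * relevance  # maximum is 100

def prioritize(instances):
    """Highest contextual risk first; CVSS only breaks ties."""
    return sorted(instances, key=lambda v: (instance_risk(v), v.cvss), reverse=True)

def posture_ratings(instances, high=50.0):
    """Per business-unit rating (0..100): the worst instance sets the floor; each
    further instance >= high closes 20% of the remaining gap (not a raw sum)."""
    by_unit = defaultdict(list)
    for v in instances:
        by_unit[v.asset.business_unit].append(instance_risk(v))
    ratings = {}
    for unit, risks in by_unit.items():
        worst, rest = max(risks), sorted(risks, reverse=True)[1:]
        extra_high = sum(1 for r in rest if r >= high)
        ratings[unit] = worst + (100.0 - worst) * (1.0 - 0.8 ** extra_high)
    return ratings

# Constructed sample inventory; CVSS figures are illustrative inputs only.
WEB, DB, HR = (Asset("web01", "ecommerce", 0.8, True),
               Asset("db01", "ecommerce", 1.0, False), Asset("hr-portal", "hr", 0.4, False))
SAMPLE = [VulnInstance("CVE-2014-6271", WEB, 9.8, True, True),   # Shellshock, exposed
          VulnInstance("CVE-2014-0160", WEB, 7.5, False, True),  # Heartbleed, exposed
          VulnInstance("CVE-2019-0708", DB, 9.8, True, True),    # BlueKeep, internal
          VulnInstance("MS17-010", DB, 8.1, True, True),         # EternalBlue, internal
          VulnInstance("CVE-2008-1447", HR, 6.4, False, False)]  # Kaminsky DNS
```

On this sample, CVSS alone ties Shellshock and BlueKeep at 9.8, but the internal database host drops BlueKeep below the exposed web server, the kind of environment-specific reordering the survey respondents described.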
