Skip to content
11:11 Systems
The Resilient Cloud Platform
11:11 Systems11:11 Systems
  • Why 11:11
    • Submenu
      • Column 1
        • 11:11 Systems Consulting
          Consulting Services
          Global Regions
          Cloud Regions
          11:11 Systems Security
          Security

      • Column 2
        • Cloud Console
          Cloud Console
          Catalyst
          Planning and Assessment
          Compliance
          Compliance

      • WHY CHOOSE 11:11
      • Overview
      • Leadership
      • News & Media
      • ESG Program
      •  
      • Careers
      • Technology Partners
      • Customer Stories
      • Innovation Blog
  • Products & Services
    • Products & Services

        • Cloud Overview
        • Managed Public Cloud
        • Private Cloud
        • Object Storage
        • Cloud Labs
        • Flexible Cloud Environment/Colocation
        • AWS Solutions
        • Managed OS Services
        • Managed DB Services

        Infrastructure as a Service

        Take a 30-day free trial of 11:11 Cloud.

        Cloud hosting built for your business.
        START FREE TRIAL
        REQUEST A QUOTE

        • Backup Overview
        • Veeam Backup
        • Microsoft 365 Backup
        • Managed Backup for Cohesity
        • Cyber Vault
        • Data Protection Services
        Backup as a Service

        11:11 Cloud Backup

        Protect your data wherever it lives.
        REQUEST A QUOTE
        REQUEST A DEMO

        • DRaaS Overview
        • DRaaS for Veeam
        • DRaaS for Zerto
        • DRaaS for Azure
        • DRaaS for Cohesity
        • Managed Recovery
        • Cloud Recovery
        • Cyber Recovery Platform
        • Infrastructure Recovery
        • Continuity Consulting Services
        • Disaster Recovery Consulting
        Disaster Recovery

        5TB 30Day Free Trial of DRaaS for Veeam

        Protect your business-critical workloads and reduce recovery time with the Leader in Disaster Recovery.
        START FREE TRIAL
        LEARN MORE

        • Security Overview
        • Continuous Risk Scanning
        • Managed Detection and Response
        • Managed SIEM
        • Managed EDR
        • Managed Firewall
        • Application and Zero Trust Services
        Security Services

        Take the first steps toward cyber resilience.

        Download our white paper and learn how to stay ahead of threats.
        REQUEST A QUOTE
        DOWNLOAD NOW

        • Networking Overview
        • SD-WAN
        • Managed Connectivity for AWS Direct Connect
        • Multi-Cloud Connect
        • Network Consulting Services
        Connectivity Services

        Transform your network.

        Take your infrastructure and performance to the next level.
        REQUEST A QUOTE
        WATCH VIDEO
  • Solutions
    • Solutions Submenu
      • INDUSTRY
      • Education
      • Financial
      • Government
      • Healthcare
    • Solutions Business Objective Submenu
      • BUSINESS OBJECTIVE
      • Cyber Resilience
      • Modernize
      • Protect
  • Partners
    • Partners Submenu
      • Overview
      • Become a Partner
      • Partner Portals
  • Resources
    • Resources Submenu
      • Events
      • Webinars
      • News & Media
      • White Papers
      • Podcast
      • Data Sheets
      • Customer Stories
      • Innovation Blog
  • Support
    • Support Submenu
      • Contact Support
      • Product Documentation
      • API Documentation
Search:
  • Login
  • Contact
Header Right Menu
Free Trial
  • Why 11:11
    • Consulting Services
    • Cloud Console
    • Cloud Regions
    • Planning and Assessment
    • Security
    • Compliance
    • WHY CHOOSE 11:11
    • Overview
    • Leadership
    • News & Media
    • ESG Program
    • Careers
    • Technology Partners
    • Customer Stories
    • Blog
  • Products & Services
    • CLOUD
    • Cloud Overview
    • Managed Public Cloud
    • Private Cloud
    • Object Storage
    • Cloud Labs
    • Flexible Cloud Environment/Colocation
    • AWS Solutions
    • Managed OS Services
    • Managed DB Services
    • BACKUP
    • Backup Overview
    • Veeam Backup
    • Microsoft 365 Backup
    • Managed Backup for Cohesity
    • Cyber Vault
    • Data Protection Services
    • DISASTER RECOVERY
    • DRaaS Overview
    • DRaaS for Veeam
    • DRaaS for Zerto
    • DRaaS for Azure
    • DRaaS for Cohesity
    • Managed Recovery
    • Cloud Recovery
    • Cyber Recovery Platform
    • Infrastructure Recovery Services
    • Continuity Consulting
    • Disaster Recovery Consulting
    • SECURITY
    • Security Overview
    • Continuous Risk Scanning
    • Managed Detection and Response
    • Managed SIEM
    • Managed EDR
    • Managed Firewall
    • Application and Zero Trust Services
    • NETWORK
    • Network Overview
    • SD-WAN
    • Managed Connectivity for AWS Direct Connect
    • Multi Cloud Connect
    • Managed IP
  • Solutions
    • INDUSTRY
    • Education
    • Financial
    • Government
    • Healthcare
    • BUSINESS OBJECTIVE
    • Cyber Resilience
    • Modernize
    • Protect
  • Partners
    • Overview
    • Become a Partner
    • Partner Portals
  • Resources
    • Events
    • Webinars
    • News & Media
    • Whitepapers
    • Podcast
    • Datasheets
    • Customer Stories
    • Innovation Blog
  • Support
    • Contact Support
    • Product Documentation
    • API Documentation
  • Contact
  • Login
  • Free Trial
Tags: The NIST CyberSecurity Framework
Author: Brian Knudtson
Date: January 11, 2023

Risky Business: Managing Vulnerabilities by Prioritizing Risk

The key to protecting a network from cybercriminals is easier said than done: Build defenses around the areas said criminals are most likely to enter. Of course, these entry points aren’t always obvious — leaving our networks frighteningly vulnerable.  

The National Institute of Standards and Technology (NIST) defines a “vulnerability” as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Identifying these vulnerabilities is an important step (in fact, it’s first key function of the NIST Cybersecurity Framework), but it cannot be the only step. Once identified, these vulnerabilities need to be protected. 

In today’s increasingly treacherous IT landscape, most people are familiar with the cybersecurity concepts of vulnerability scanning and penetration testing. Both are designed to pinpoint network vulnerabilities, so that better defenses can be built. Utilizing such tools can sometimes reveal an overwhelming number of vulnerabilities, especially on the first scan. The type of protection needed can vary depending on the vulnerability, but may rely on patching the affected system, blocking ports on a central or host-based firewall, changing ACLs on the network, or adjusting permissions on a server.  

Since many of these remediations not only require execution time, but also planning, and no company has infinite resources to address these vulnerabilities immediately, it’s important to prioritize the protection of these vulnerabilities. 

Traditionally, the easiest way to rank order vulnerabilities has been by CVSS score. The Common Vulnerabilities and Exposures (CVE) system provides a framework for announcing and scoring the potential impact of the vulnerability, then tracking them in a central database. As part of this system, the Common Vulnerability Scoring System (CVSS) is a standardized way for communicating the severity of a given vulnerability on a scale of 0.0 to 10.0. Based on several metrics, this score can help organizations prioritize vulnerabilities based on the ease and impact of exploiting the vulnerability. For example, the CVSS score of the original Log4j vulnerability (CVE-2021-44228) was a 10.0 (Reminder: The scale only goes to 10.0!) given the ease of exploitation and the ability to execute arbitrary payloads. 

The downside to relying solely on CVSS score is that it fails to reflect the ease and impact of exploiting a vulnerability in any given environment. Returning to the Log4j example: If that vulnerability only existed on isolated systems, in a privileged administration network with minimal access rights, it may not be as important to remediate as one on systems with the latest Remote Desktop Protocol (RDP) vulnerability (CVE-2022-26940) that are exposed to the Internet, despite registering a score of “only” 6.5.  

(Side note: Never expose RDP directly to the Internet. That is one definitively bad practice.) 

The prioritization of a lower CVSS vulnerability is because the risk of the Log4j vulnerability is relatively less than the RDP vulnerability to that specific environment. A compounding factor to the risk of a given vulnerability is if it is actively being exploited in the wild, so both factors should be considered in the prioritization of vulnerability remediation. 

Given the scale of today’s network environment and the number of vulnerabilities discovered each year — 28,695 in 2021, a new annual record — organizations need to have an automated way to discover and prioritize vulnerabilities based on the risk to their environment.  

Of all those new vulnerabilities in 2021, just over 4,100 can be exploited remotely, have a known exploit available, and can be patched. Applying knowledge like this can drastically reduce the priority list for remediation. Utilizing a tool like 11:11 Continuous Risk Scanning (CRS) gives customers that knowledge in a context that makes it clear what vulnerabilities put them at risk based on their own infrastructure and the likelihood of it being exploited. 

By approaching vulnerability remediation based on actual risk, organizations can be much more efficient when planning and executing their remediation plans, and thus achieve a more secure environment.

Categories: Cybercrime, Ransomware, SecurityBy Brian KnudtsonJanuary 11, 2023
Tags: The NIST CyberSecurity Framework

Author: Brian Knudtson

In his 20-year career, Brian has experienced many different perspectives of the IT industry. He has worked as a value-added reseller, vendor and service provider in roles in web development, system administration, post-sales deployment, pre-sales architecting, public cloud design and technical marketing. Currently, Brian is the Director of Cloud Market Intelligence at 11:11. He enjoys spending time with his wife and three kids. He is also heavily involved with the Destination Imagination program and has been a long-time member of the VMware community, notably starting the Omaha VMUG and putting on VMunderground at VMworld. You can find him online occasionally blogging at http://knudt.net/vblog and tweeting at @bknudtson.

Post navigation

PreviousPrevious post:How businesses can respond to IT disruptions during the holiday seasonNextNext post:11:11 Managed Connectivity Solutions

Related Posts

Digital Operational Resilience Act (DORA)
Helping the Financial Sector Deliver Secure and Modern Infrastructure through Regulation
July 10, 2025
vulnerability management
A Modern Approach to Managing Vulnerabilities
May 30, 2025
Cyber Resilience
Data Protection vs. Cyber Resilience: Mastering Both in the Complex World of Gambling
May 27, 2025
ransomware attack, worst day
The Remedy Against Ransomware: Insights from Our April 2025 Webinar
May 19, 2025
Cyber Resilience
Reimagining Cyber Resilience in the Gambling Industry: A Strategic Imperative for the Digital Age
May 13, 2025
effective passwords
Creating Effective Password Policies in Your Organization
May 5, 2025
PRODUCTS & SERVICES
  • Cloud
  • Backup
  • Disaster Recovery
  • Managed Security
  • Network as a Service
  • Compliance
COMPANY
  • Why 11:11
  • Customer Stories
  • Careers
  • Leadership
  • Technology Partners
  • News & Media
  • Contact Support
CLOUD REGIONS
  • North America
  • EMEA
  • APAC
CONNECT
  • LinkedIn
  • X
  • Youtube

© 2025 11:11 Systems Inc., All Rights Reserved | Privacy Notice | Website Terms of Use |

Go to Top