The key to protecting a network from cybercriminals is easier said than done: Build defenses around the areas said criminals are most likely to enter. Of course, these entry points aren’t always obvious — leaving our networks frighteningly vulnerable.
The National Institute of Standards and Technology (NIST) defines a “vulnerability” as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Identifying these vulnerabilities is an important step (in fact, it’s first key function of the NIST Cybersecurity Framework), but it cannot be the only step. Once identified, these vulnerabilities need to be protected.
In today’s increasingly treacherous IT landscape, most people are familiar with the cybersecurity concepts of vulnerability scanning and penetration testing. Both are designed to pinpoint network vulnerabilities, so that better defenses can be built. Utilizing such tools can sometimes reveal an overwhelming number of vulnerabilities, especially on the first scan. The type of protection needed can vary depending on the vulnerability, but may rely on patching the affected system, blocking ports on a central or host-based firewall, changing ACLs on the network, or adjusting permissions on a server.
Since many of these remediations not only require execution time, but also planning, and no company has infinite resources to address these vulnerabilities immediately, it’s important to prioritize the protection of these vulnerabilities.
Traditionally, the easiest way to rank order vulnerabilities has been by CVSS score. The Common Vulnerabilities and Exposures (CVE) system provides a framework for announcing and scoring the potential impact of the vulnerability, then tracking them in a central database. As part of this system, the Common Vulnerability Scoring System (CVSS) is a standardized way for communicating the severity of a given vulnerability on a scale of 0.0 to 10.0. Based on several metrics, this score can help organizations prioritize vulnerabilities based on the ease and impact of exploiting the vulnerability. For example, the CVSS score of the original Log4j vulnerability (CVE-2021-44228) was a 10.0 (Reminder: The scale only goes to 10.0!) given the ease of exploitation and the ability to execute arbitrary payloads.
The downside to relying solely on CVSS score is that it fails to reflect the ease and impact of exploiting a vulnerability in any given environment. Returning to the Log4j example: If that vulnerability only existed on isolated systems, in a privileged administration network with minimal access rights, it may not be as important to remediate as one on systems with the latest Remote Desktop Protocol (RDP) vulnerability (CVE-2022-26940) that are exposed to the Internet, despite registering a score of “only” 6.5.
(Side note: Never expose RDP directly to the Internet. That is one definitively bad practice.)
The prioritization of a lower CVSS vulnerability is because the risk of the Log4j vulnerability is relatively less than the RDP vulnerability to that specific environment. A compounding factor to the risk of a given vulnerability is if it is actively being exploited in the wild, so both factors should be considered in the prioritization of vulnerability remediation.
Given the scale of today’s network environment and the number of vulnerabilities discovered each year — 28,695 in 2021, a new annual record — organizations need to have an automated way to discover and prioritize vulnerabilities based on the risk to their environment.
Of all those new vulnerabilities in 2021, just over 4,100 can be exploited remotely, have a known exploit available, and can be patched. Applying knowledge like this can drastically reduce the priority list for remediation. Utilizing a tool like 11:11 Continuous Risk Scanning (CRS) gives customers that knowledge in a context that makes it clear what vulnerabilities put them at risk based on their own infrastructure and the likelihood of it being exploited.
By approaching vulnerability remediation based on actual risk, organizations can be much more efficient when planning and executing their remediation plans, and thus achieve a more secure environment.