Tags: The NIST CyberSecurity Framework
Author: Brian Knudtson
Date: January 11, 2023

Risky Business: Managing Vulnerabilities by Prioritizing Risk

The key to protecting a network from cybercriminals is easier said than done: Build defenses around the areas said criminals are most likely to enter. Of course, these entry points aren’t always obvious — leaving our networks frighteningly vulnerable.  

The National Institute of Standards and Technology (NIST) defines a “vulnerability” as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Identifying these vulnerabilities is an important step (in fact, it’s the first core function of the NIST Cybersecurity Framework, Identify), but it cannot be the only step. Once identified, these vulnerabilities need to be protected against.

In today’s increasingly treacherous IT landscape, most people are familiar with the cybersecurity concepts of vulnerability scanning and penetration testing. Both are designed to pinpoint network vulnerabilities, so that better defenses can be built. Utilizing such tools can sometimes reveal an overwhelming number of vulnerabilities, especially on the first scan. The type of protection needed can vary depending on the vulnerability, but may rely on patching the affected system, blocking ports on a central or host-based firewall, changing ACLs on the network, or adjusting permissions on a server.  

Since many of these remediations require planning as well as execution time, and no company has infinite resources to address every vulnerability immediately, it’s important to prioritize which vulnerabilities get protected first.

Traditionally, the easiest way to rank vulnerabilities has been by CVSS score. The Common Vulnerabilities and Exposures (CVE) system provides a framework for announcing and scoring the potential impact of a vulnerability, then tracking it in a central database. As part of this system, the Common Vulnerability Scoring System (CVSS) is a standardized way of communicating the severity of a given vulnerability on a scale of 0.0 to 10.0. Based on several metrics, this score can help organizations prioritize vulnerabilities according to the ease and impact of exploiting them. For example, the CVSS score of the original Log4j vulnerability (CVE-2021-44228) was a 10.0 (Reminder: The scale only goes to 10.0!) given the ease of exploitation and the ability to execute arbitrary payloads.

The downside to relying solely on CVSS score is that it fails to reflect the ease and impact of exploiting a vulnerability in any given environment. Returning to the Log4j example: If that vulnerability only existed on isolated systems, in a privileged administration network with minimal access rights, it may not be as important to remediate as one on systems with the latest Remote Desktop Protocol (RDP) vulnerability (CVE-2022-26940) that are exposed to the Internet, despite registering a score of “only” 6.5.  

(Side note: Never expose RDP directly to the Internet. That is one definitively bad practice.) 

The lower-CVSS vulnerability takes priority because, in that specific environment, the risk posed by the Log4j vulnerability is lower than the risk posed by the RDP vulnerability. A compounding factor in the risk of a given vulnerability is whether it is actively being exploited in the wild, so both environmental exposure and exploitation activity should be considered when prioritizing remediation.

Given the scale of today’s network environment and the number of vulnerabilities discovered each year — 28,695 in 2021, a new annual record — organizations need to have an automated way to discover and prioritize vulnerabilities based on the risk to their environment.  

Of all those new vulnerabilities in 2021, just over 4,100 can be exploited remotely, have a known exploit available, and can be patched. Applying knowledge like this can drastically reduce the priority list for remediation. Utilizing a tool like 11:11 Continuous Risk Scanning (CRS) gives customers that knowledge in a context that makes it clear what vulnerabilities put them at risk based on their own infrastructure and the likelihood of it being exploited. 
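As an added illustration of the two ideas above (environment-adjusted ranking and filtering to what is remotely exploitable, has a known exploit, and can be patched), here is a small Python scorer that is not part of this post or of 11:11's CRS product. The CVE ids and base scores are the two the post cites; every other attribute, the weights, and the third finding are constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float               # CVSS base score, 0.0-10.0
    host: str
    internet_exposed: bool    # reachable directly from the Internet
    privileged_network: bool  # isolated admin segment with minimal access rights
    remote: bool              # exploitable over the network
    exploit_known: bool       # a public exploit exists
    exploited_in_wild: bool   # active exploitation has been reported
    patch_available: bool

def risk_score(f: Finding) -> float:
    """CVSS adjusted by where the host sits and how active the threat is.
    The multipliers are assumed values chosen to illustrate the idea, not a standard."""
    score = f.cvss
    if f.internet_exposed:          # exposure dominates everything else
        score *= 1.5
    elif f.privileged_network:      # isolated, tightly controlled segment
        score *= 0.4
    if f.exploited_in_wild:         # compounding factor from the post
        score *= 1.5
    elif f.exploit_known:
        score *= 1.2
    if not f.remote:                # local-only issues need a foothold first
        score *= 0.5
    return round(score, 2)

def actionable(findings: list[Finding]) -> list[Finding]:
    """Keep only findings that are remotely exploitable, have a known exploit,
    and have a patch: the filter the post applies to the 2021 CVE count."""
    return [f for f in findings if f.remote and f.exploit_known and f.patch_available]

def prioritize(findings: list[Finding]) -> list[tuple[str, str, float]]:
    """Rank actionable findings by environment-adjusted risk, highest first."""
    ranked = sorted(actionable(findings), key=risk_score, reverse=True)
    return [(f.cve, f.host, risk_score(f)) for f in ranked]

# Constructed sample inventory (hostnames and attributes are assumptions).
LOG4J_ISOLATED = Finding("CVE-2021-44228", 10.0, "admin-jump-01", False, True, True, True, True, True)
RDP_EXPOSED = Finding("CVE-2022-26940", 6.5, "rds-gw-01", True, False, True, True, False, True)
LOCAL_NO_PATCH = Finding("CVE-XXXX-XXXX (placeholder)", 7.8, "fileserver-02", False, False, False, True, False, False)
SAMPLE = [LOG4J_ISOLATED, RDP_EXPOSED, LOCAL_NO_PATCH]

if __name__ == "__main__":
    for cve, host, score in prioritize(SAMPLE):
        print(f"{score:5.2f}  {cve}  on {host}")
```

With these assumptions the Internet-exposed RDP finding ranks above the isolated Log4j finding even though its base score is lower, and the unpatchable local-only finding drops out of the work list entirely.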

By approaching vulnerability remediation based on actual risk, organizations can be much more efficient when planning and executing their remediation plans, and thus achieve a more secure environment.

Categories: Cybercrime, Ransomware, Security

Author: Brian Knudtson

In his 20-year career, Brian has experienced many different perspectives of the IT industry. He has worked as a value-added reseller, vendor and service provider in roles in web development, system administration, post-sales deployment, pre-sales architecting, public cloud design and technical marketing. Currently, Brian is the Director of Cloud Market Intelligence at 11:11. He enjoys spending time with his wife and three kids. He is also heavily involved with the Destination Imagination program and has been a long-time member of the VMware community, notably starting the Omaha VMUG and putting on VMunderground at VMworld. You can find him online occasionally blogging at http://knudt.net/vblog and tweeting at @bknudtson.
