A recent question was received regarding the increasing number of vulnerabilities that are identified each year.  What is a company to do in the face of all those vulnerabilities?  

In the 2019 Global Threat Intelligence Report, we note that the “…number of vulnerabilities has only served to increase complexity as organizations strive to keep up with patches and mitigating controls on a weekly and daily basis”.  What message does this convey about an organization’s strategy on patching and vulnerability mitigation?  

Looking at the new vulnerabilities identified in 2018, the sheer number could be overwhelming for an information technology group responsible for vulnerability assessment and patching. There were 16,555 new vulnerabilities identified; this following the 14,714 new vulnerabilities identified in 2017.  

Considering the number of vulnerabilities, each company must develop a patching and assessment strategy that fulfils two objectives; safe-proofing their enterprise and meeting the compliance obligations under which their company operates.  This two-prong strategy for vulnerability lifecycle management is critical to the operation of a company.  

What are the drivers that guide decision-making on how you conduct a vulnerability assessment and patching process?  

The first and foremost driver is the necessity to reduce the mean time to mitigation (the time from which a vulnerability is identified), until the time a patch is applied, or a mitigation is implemented, such as a web application firewall.  In an era when malicious software can spread across your network in minutes, identifying and mitigating vulnerabilities as quickly as possible is critical.  

However, the number of new vulnerabilities identified each month makes it difficult to reduce the mean time to mitigation. Complexity is borne from the volume of vulnerabilities, plus environmental factors such as compliance rules, capital constraints, network design, and human resource limitations.  

Until all vulnerabilities in an enterprise’s network are addressed, the company incurs a technical debt that can be as impacting on the health of the company as any financial debt.  The burden of the technical debt increases if the company does not keep up with its patching and vulnerability mitigation. This increases the risk that the company may be compromised or fail a compliance audit.  

Not every new vulnerability identified and assigned a CVE number pertains to your environment. An enterprise must comb through the 1,000+ new vulnerabilities each month to determine which are pertinent. Patching applications assist in this by automating the process, but a strategy must be developed to cover all the types equipment and software that you have in your environment.  

Many vulnerabilities in your environment can be identified with a vulnerability assessment application.  The tool will identify which devices and applications in your network have deficiencies that need to be addressed and provide a severity scoring of each vulnerability.  Not all vulnerabilities will need to be addressed with a patch, but each identified vulnerability should have an individual (or team) assigned to determine how it will be mitigated and within what time frame. 

There are several factors that can impact your vulnerability assessment and patching strategy. The number of endpoints, servers, networking equipment, infrastructure design, and trust relationships across your network can increase the complexity and cost of implementing your strategy.  The more complex and distributed your IT environment, the more costly your plan may be.

As mentioned above, temporal factors are important to your strategy.  In order to minimize the time between discovering a vulnerability and its mitigation, the enterprise must determine how often to run the assessment tool. 

In many strategies, the devices and applications that are considered critical to the operation are scanned more frequently, while less critical systems are scanned less frequently.  This stratification can also take into account whether the systems are internal or external-facing.  

External-facing devices, those with exposure either to the internet or directly to third-party partners, should be scanned more frequently.  This is not to imply that internal-facing systems are not as important in the assessment process.  There is awareness of one major breach that was enabled by the compromise of a non-critical internal-facing system.  The application was exposed to the internet and subsequently compromised by SQL injection.  

Vulnerability assessment tools run the gamut of expense from relatively inexpensive to quite expensive.  Several companies offer cloud-based versions of their applications as well as on-premises versions.  For complex networks, the scanners can be distributed in various places within the network to speed up the assessment process.  When determining the total cost of operation, include any equipment needs, any network alterations that may be needed to accommodate the assessment process, and the cost of additional analysts needed to process the results of the assessments.  

One additional factor that must be considered is the nexus of your security strategy with that of compliance and the privacy of personal data.  These obligations must be designed into your mitigation and patching strategy and can impose additional requirements in your plan.  For instance, the Payment Card Industry Data Security Standard (PCI DSS) directly addresses vulnerability assessment and mitigation.  

In PCI DSS Requirement 11.2.3.b states: 

“Review scan reports and verify that the scan process includes rescans until:

  • For external scans, no vulnerabilities exist that are scored 4.0 or higher by the CVSS.
  • For internal scans, all “high risk” vulnerabilities as defined in PCI DSS Requirement 6.1 are resolved.” (Payment Card Industry (PCI) Data Security Standard, page 99).

Further, PCI DSS Requirement 6.2 states: 

“Consider prioritizing patch installations such that security patches for critical or at-risk systems are installed within 30 days, and other lower-risk patches are installed within 2-3 months.” (Payment Card Industry (PCI) Data Security Standard, page 54).

Using the National Vulnerability Database definitions of CVSS scoring criticality,  vulnerabilities with CVSS scores of 4.0 to 6.9 are considered Medium in severity, scores between 7.0 and 8.9 are rated High, and scores above 9.0 are rated Critical.  If we look at that all the vulnerabilities identified in 2018 (Figure 1), the size of the task imposed by this compliance obligation can be observed. 

Figure 1:  A chart of the total vulnerabilities identified each month during 2018.  The Total category includes are vulnerabilities of all CVSS scores.  GTREQ4, GTREQ7, and GTREQ9 represent vulnerabilities with CVSS scores of 4.0 or greater, 7.0 or greater, and 9.0 or greater respectively.  (https://www.cvedetails.com).

In order to meet the provision for PCI DSS 11.2.3.b for external-facing devices and applications, 86.63% of the vulnerabilities identified in 2018 (those with a CVSS score of 4.0 or greater) would potentially apply.  Likewise, for your internal-facing devices and applications, 25.13% of the potential vulnerabilities would need to be mitigated. The vulnerabilities identified as “Critical” by their CVSS score only account for 9.24% of the vulnerabilities identified in 2018, but by Requirement 6.2, your vulnerability assessment and patching strategy must highlight the 30-day limit to mitigating these vulnerabilities.

There are many factors involved in determining your vulnerability assessment and patching strategy.  We’ve touched on several of these factors. Given the volume of vulnerabilities identified each year, it is imperative to have your strategy defined and the resources available to meet the difficult goal of a maintaining a safe environment for your enterprise.