Page 17 - Cyber Warnings August 2017

•  Availability of public exploit code

•  Potential impact of a successful attack on the network and business

•  Exposure of the vulnerable asset

•  Use in active attack campaigns

•  Use by sophisticated delivery mechanisms, such as an exploit kit

Vulnerabilities don't exist in a vacuum. Relying solely on CVSS as a prioritization method fails, just as relying solely on CVE IDs does, to consider the full picture, and it gives security teams only a fraction of the information they need to make accurate decisions.


Big Scope, Small Focus

Tracking every publicly disclosed vulnerability won't improve your vulnerability management program. Many organizations have thousands, if not millions, of vulnerabilities in their systems; simply adding more to that pile, with or without identification numbers or baseline severity scores, will not tell security practitioners which vulnerabilities should be dealt with right away.

A new approach is needed: collect data from as broad a range of sources as possible, then contextualize it using information from the network environment and the current threat landscape. This approach is called "threat-centric vulnerability management" (TCVM), and it helps focus on the small number of vulnerabilities posing an actual, imminent threat to an organization.

Consider that vulnerabilities exploited in the wild account for only a single-digit number of the CVE IDs published each month. Vulnerabilities with a published but inactive proof-of-concept (PoC) exploit are only slightly more common, at around 10 CVE IDs per month. The few vulnerabilities that are actively exploited in the wild, and those that are exposed in the network, should move to the top of the fix-it list; the rest take lower priority because they pose less actual risk.

Many vulnerabilities exploited in the wild also carry mid-range CVSS scores. According to the Verizon Data Breach Investigations Report, since 2008 most exploited vulnerabilities have carried a "medium" CVSS score. Ignoring these vulnerabilities simply because they do not meet CVSS's criteria for "critical" would be a mistake, and may be one reason attackers exploit them in the first place.

Attackers understand that resource-strapped vulnerability management teams will never get to these seemingly benign vulnerabilities on the to-do list. The TCVM approach assesses severity using the context of which vulnerabilities are in play in the threat landscape, not just the CVSS score they received.
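The reordering the article describes can be made concrete with a small prioritization routine. The following is an added example written for this page, not code from the article or from any TCVM product: it combines the context factors listed above (public exploit code, business impact, exposure, active campaigns, exploit-kit delivery) with the CVSS baseline and compares the result against a pure CVSS sort. The tier rules, the weighting by asset impact and the five-item inventory are all assumptions chosen to show the mechanism; the identifiers EX-1 to EX-5 are placeholders, not real CVE IDs.

```python
"""Threat-centric prioritisation of a vulnerability inventory.

Added illustration for this article; it is not code from the article or from
any vendor's product. The tier rules, the impact weighting and the inventory
are assumptions chosen to show the mechanism; the IDs EX-1..EX-5 are
placeholders, not real CVE identifiers.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    vid: str                       # placeholder identifier (not a CVE ID)
    cvss: float                    # baseline CVSS score, 0.0-10.0
    exposed: bool = False          # asset reachable from an untrusted network
    public_exploit: bool = False   # public PoC / exploit code exists
    in_the_wild: bool = False      # seen in active attack campaigns
    exploit_kit: bool = False      # delivered by an exploit kit
    asset_impact: int = 1          # business impact of compromise, 1 (low) to 3 (high)


def tier(v: Vuln) -> int:
    """Context gate (assumed rules): lower tier = fix sooner.

    0: actively exploited (in the wild or via an exploit kit) AND exposed
    1: actively exploited but not exposed, or exposed with public exploit code
    2: public PoC only, neither exposed nor in active use
    3: nothing beyond the baseline score is known
    """
    active = v.in_the_wild or v.exploit_kit
    if active and v.exposed:
        return 0
    if active or (v.exposed and v.public_exploit):
        return 1
    if v.public_exploit:
        return 2
    return 3


def threat_score(v: Vuln) -> float:
    """Within a tier, rank by baseline severity scaled by what the asset is worth."""
    return v.cvss * v.asset_impact


def cvss_only_order(vulns):
    """The baseline the article argues against: sort purely by CVSS."""
    return [v.vid for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def tcvm_order(vulns):
    """Threat-centric order: context tier first, then severity * impact."""
    return [v.vid for v in sorted(vulns, key=lambda v: (tier(v), -threat_score(v)))]


def rank_shift(vulns):
    """Map each ID to (rank under CVSS-only, rank under TCVM); 1 = top of the list."""
    base, tcvm = cvss_only_order(vulns), tcvm_order(vulns)
    return {vid: (base.index(vid) + 1, tcvm.index(vid) + 1) for vid in base}


# Constructed inventory (not real findings), chosen to show the reordering.
INVENTORY = [
    Vuln("EX-1", 9.8),                                      # critical, but internal and unexploited
    Vuln("EX-2", 5.3, exposed=True, in_the_wild=True),      # medium, exposed and under active attack
    Vuln("EX-3", 7.5, exposed=True, public_exploit=True),   # high, exposed, PoC published
    Vuln("EX-4", 6.1, in_the_wild=True, asset_impact=3),    # medium, internal, exploited, high-value asset
    Vuln("EX-5", 4.3, public_exploit=True),                 # medium, PoC only, not exposed
]

if __name__ == "__main__":
    print("CVSS-only:", cvss_only_order(INVENTORY))
    print("TCVM     :", tcvm_order(INVENTORY))
    for vid, (before, after) in rank_shift(INVENTORY).items():
        print(f"{vid}: rank {before} -> {after}")
```

Run as-is, the CVSS-only sort puts the unexploited, internal 9.8 (EX-1) first and the actively exploited, exposed 5.3 (EX-2) fourth; the threat-centric sort moves EX-2 to the top and EX-1 to the bottom, which is exactly the "medium score, real risk" case the DBIR figures point at. The tier gate is deliberately coarse: it is the context flags, not fine-grained weights, that should decide what gets fixed this week, and the score only orders items that share the same context.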







Copyright © Cyber Defense Magazine, All rights reserved worldwide.