Page 153 - Cyber Defense eMagazine January 2023

Vulnerability Prioritization Is Not a One-Size-Fits-All Approach

            By Victor Gamra, CISSP, Founder and CEO of FortifyData


            System vulnerabilities keep increasing as organizations adopt new and emerging technologies. Security
            professionals struggle to keep up with the remediation work these technologies generate, and the lack of
            vulnerability prioritization makes it worse. In 2022, the National Vulnerability Database has already
            recorded more than 22,000 Common Vulnerabilities and Exposures (CVEs), exceeding the previous record of
            20,170 set in 2021. Security teams are already stretched thin and drowning in a sea of vulnerabilities.
            With new ones appearing every day and a shortage of IT security staff, mitigating them all is impossible,
            so security teams must do their due diligence and prioritize.

            Historically, the de facto prioritization method relied on Common Vulnerability Scoring System (CVSS)
            scores, combined with regulatory guidance on how quickly each severity level must be remediated. CVSS
            ratings do a good job of capturing how exploitable a flaw is in isolation (can it be exploited remotely,
            without authentication or user interaction?), but they were never meant to prioritize remediation on
            their own: the base score measures technical severity, not risk, and says nothing about how critical the
            affected asset is to the organization.
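To make the gap concrete, the following added example (not code from the article or from FortifyData) ranks the same constructed backlog two ways: by CVSS base score alone, and by a hypothetical context-weighted score that scales the base score by asset criticality, exploit availability, in-the-wild exploitation and internet exposure. The multipliers, asset tiers and placeholder labels are assumptions made for the illustration, not real CVEs or a published standard.

```python
"""Contrast CVSS-only prioritization with a context-weighted ranking.

Added illustration; the weighting below is a made-up scheme for this example,
not a published standard and not FortifyData's method. Sample findings are
constructed and use placeholder labels rather than real CVE identifiers.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    label: str                # placeholder identifier (constructed sample)
    asset: str                # affected asset (constructed sample)
    cvss_base: float          # CVSS v3.x base score, 0.0-10.0
    asset_criticality: int    # 1 (disposable) .. 5 (business-critical); assumed org tiering
    exploit_public: bool      # exploit code is publicly available
    actively_exploited: bool  # exploitation observed in the wild (e.g. a CISA KEV listing)
    internet_exposed: bool    # reachable from the internet


# Multipliers for the hypothetical scheme: asset tier scales impact, exploit
# status and exposure scale likelihood. Values are illustrative only.
CRITICALITY_WEIGHT: Dict[int, float] = {1: 0.6, 2: 0.7, 3: 0.8, 4: 0.9, 5: 1.0}
ACTIVE_EXPLOIT_WEIGHT = 2.0
PUBLIC_EXPLOIT_WEIGHT = 1.5
EXPOSURE_WEIGHT = 1.5


def cvss_only_rank(findings: List[Finding]) -> List[Finding]:
    """The de facto approach: highest CVSS base score first, nothing else considered."""
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


def risk_score(f: Finding) -> float:
    """Context-weighted score: CVSS base scaled by asset tier, exploit status and exposure."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"{f.label}: CVSS base score out of range")
    score = f.cvss_base * CRITICALITY_WEIGHT[f.asset_criticality]
    if f.actively_exploited:
        score *= ACTIVE_EXPLOIT_WEIGHT
    elif f.exploit_public:
        score *= PUBLIC_EXPLOIT_WEIGHT
    if f.internet_exposed:
        score *= EXPOSURE_WEIGHT
    return score


def risk_rank(findings: List[Finding]) -> List[Finding]:
    """Order by the context-weighted score instead of raw CVSS."""
    return sorted(findings, key=risk_score, reverse=True)


def compare_rankings(findings: List[Finding]) -> Dict[str, List[str]]:
    """Return both orderings by label so the difference is easy to inspect."""
    return {
        "cvss_only": [f.label for f in cvss_only_rank(findings)],
        "context_weighted": [f.label for f in risk_rank(findings)],
    }


# Constructed sample backlog (placeholder labels and assets, not real CVEs).
SAMPLE_FINDINGS: List[Finding] = [
    Finding("vuln-A", "dev-test-vm", 9.8, 1, False, False, False),
    Finding("vuln-B", "customer-db", 6.5, 5, True, True, False),
    Finding("vuln-C", "public-web", 7.5, 4, True, False, True),
    Finding("vuln-D", "hr-portal", 5.3, 3, False, False, True),
]


if __name__ == "__main__":
    for name, order in compare_rankings(SAMPLE_FINDINGS).items():
        print(f"{name:17s}: {' > '.join(order)}")
    for f in risk_rank(SAMPLE_FINDINGS):
        print(f"{f.label} on {f.asset}: CVSS {f.cvss_base:4.1f} -> risk {risk_score(f):6.2f}")
```

With CVSS alone, the 9.8 on an isolated test VM sits at the top of the queue and the actively exploited 6.5 on the customer database is third. Once asset tier, exploit status and exposure are weighed in, the order inverts: the internet-facing web server and the customer database move to the front and the test VM drops to last. The specific weights do not matter; what matters is that the ranking is driven by inputs a CVSS base score does not carry.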

            According to a 2021 publication by CISA, “CISA has observed that risk scores, based on the Forum of
            Incident Response and Security Teams’ Common Vulnerability Scoring System (CVSS), do not always
            accurately depict the danger or actual hazard that a CVE presents. Attackers do not rely on “critical”
            vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have included
            multiple vulnerabilities rated “high,” “medium,” or even “low.”

            “Since  CVSS  was  never  intended  to  provide  risk  prioritization  within  each  enterprise’s  unique
            environment, this has led to goal misalignment. SLAs such as ‘Patch all critical CVSS scores within 30
            days’ do not weigh the business context of asset criticality, whether exploits are published and active for




            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.