Page 153 - Cyber Defense eMagazine January 2023
Vulnerability Prioritization is Not a One-Size-Fits-All Approach
By Victor Gamra, CISSP, Founder and CEO of FortifyData
System vulnerabilities keep increasing as organizations adopt new and emerging technologies. Security professionals struggle to keep up with the remediation work those technologies generate, compounded by a lack of vulnerability prioritization. In 2022, we have already surpassed 22,000 recorded Common Vulnerabilities and Exposures (CVEs), which exceeds the previous record of 20,170 set in 2021, according to the National Vulnerability Database. Security teams are already stretched thin and are drowning in a sea of vulnerabilities. With new ones appearing each day, plus a shortage of IT security staff, mitigating them all is impossible, so security teams must do their due diligence and prioritize them.
Historically, the de facto prioritization method relied on Common Vulnerability Scoring System (CVSS) scores, combined with regulatory guidance on the time frame within which each severity level should be remediated. CVSS ratings do a good job of identifying opportunistic vulnerabilities (e.g. can it be exploited remotely?), but they were never meant to drive prioritization, because they carry no association to how critical the affected asset is to the organization.
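To make the gap concrete, here is an added illustration (not FortifyData's method or any product's scoring) that ranks constructed findings two ways: by CVSS alone, as a "patch all criticals in 30 days" SLA would, and by a risk score that also weighs asset criticality, whether exploitation is active, and internet exposure. The CVE identifiers, criticality scale and weights are assumed for the example.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str                 # placeholder identifiers, not real CVEs
    cvss: float              # CVSS base score, 0.0 to 10.0
    asset_criticality: int   # assumed scale: 1 (lab box) to 5 (crown jewel)
    exploit_active: bool     # public exploit known to be used in the wild
    internet_exposed: bool   # asset reachable from the internet


def cvss_band(score: float) -> str:
    """Qualitative CVSS v3 band for a base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0.0 else "none"


def risk_score(f: Finding) -> float:
    """Assumed weighting for illustration: scale severity by asset
    criticality, then boost for active exploitation and exposure."""
    score = f.cvss * (f.asset_criticality / 5)
    if f.exploit_active:
        score *= 1.5
    if f.internet_exposed:
        score *= 1.25
    return round(min(score, 10.0), 2)


def prioritize_by_cvss(findings):
    """What a pure CVSS-driven SLA would work on first."""
    return [f.cve for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]


def prioritize_by_risk(findings):
    """Ordering once business context and exploit activity are weighed."""
    return [f.cve for f in sorted(findings, key=risk_score, reverse=True)]


# Constructed sample inventory (values invented for the example).
SAMPLE = [
    Finding("CVE-EXAMPLE-A", 9.8, 1, False, False),  # critical CVSS, isolated lab host
    Finding("CVE-EXAMPLE-B", 6.5, 5, True, True),    # medium CVSS, exploited, exposed
    Finding("CVE-EXAMPLE-C", 7.5, 3, True, False),   # high CVSS, exploited, internal
    Finding("CVE-EXAMPLE-D", 4.3, 4, False, True),   # medium CVSS, exposed, no exploit
]
```

Ranked by CVSS alone, the lab-host critical (A) is patched first and the actively exploited, internet-facing medium (B) waits; ranked by risk, B moves to the top and A to the bottom.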
According to a 2021 publication by CISA, “CISA has observed that risk scores, based on the Forum of Incident Response and Security Teams’ Common Vulnerability Scoring System (CVSS), do not always accurately depict the danger or actual hazard that a CVE presents. Attackers do not rely on ‘critical’ vulnerabilities to achieve their goals; some of the most widespread and devastating attacks have included multiple vulnerabilities rated ‘high,’ ‘medium,’ or even ‘low.’
“Since CVSS was never intended to provide risk prioritization within each enterprise’s unique environment, this has led to goal misalignment. SLAs such as ‘Patch all critical CVSS scores within 30 days’ do not weigh the business context of asset criticality, whether exploits are published and active for
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.