Vulnerability Optimization

Which Fix First?

I had the opportunity to oversee a cybersecurity assessment of a department of a federal agency recently.  During the assessment, the IT staff was asked, “How do you decide which vulnerabilities to fix first?”

After much hesitation, the head of the IT department answered, “They try to do them all,” adding that they lack the staff to keep up with new patches that would reduce their vulnerability exposure.

Vulnerabilities in operating systems or applications are excellent attack vectors for cyber criminals. These vulnerabilities are weaknesses in the code that facilitate numerous types of attacks, from SQL injection to man-in-the-middle attacks, credential spoofing, and privilege escalation, and that can cause systems to behave erratically or information to be lost or exposed.

Many organizations use monitoring software to identify vulnerabilities, or subscribe to services that report new vulnerabilities as they are discovered. Each vulnerability is typically assigned a severity level, which indicates how much harm an individual or organization would suffer if it were exploited.

Methods to Prioritize Fixes

Following are three “reasonable methods” to determine which vulnerabilities to fix first. 

  1. Most severe vulnerabilities first. Vulnerabilities are rated critical, high, moderate, or low, so some organizations focus on the critical and high vulnerabilities. The downside is that they seldom have an opportunity to work on anything rated below high.
  2. Widest footprint in the organization first. Monitoring software will identify how widespread each vulnerability is within the organization, and some organizations work on the most widespread vulnerabilities first. The downside is that a major vulnerability that affects only your finance or payroll server (versus one that affects all workstations) may not get remediated.
  3. Oldest vulnerabilities first. Every vulnerability carries the date on which it was first discovered. Remediating the oldest vulnerabilities first provides some assurance that newer patches that depend on earlier patches being installed will load correctly; however, your organization remains susceptible to zero-day or near-zero-day attacks that might have been prevented had you installed the most recent patches first.

Clearly, each method is lacking in some critical fashion.  The best method is to understand your environment and how your business systems work, so that your IT organization can make informed decisions as to which vulnerabilities are the most important.  A critical vulnerability that affects routers may not be applicable if your routers are not configured to use that service or function.  Likewise, an old vulnerability may still be applicable if your organization runs legacy applications or older versions of operating systems.
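To make the trade-offs concrete, here is an added example (not code from the original post) that ranks a constructed set of findings by each of the three methods above and by a context-aware score that weights severity by business impact and drops findings whose service is not in use. The finding ids, host counts, dates, impact ratings and the scoring weights are all assumptions chosen to mirror the cases in the text.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1}

@dataclass(frozen=True)
class Finding:
    vuln_id: str          # constructed placeholder identifier, not a real CVE
    severity: str         # critical, high, moderate or low, as assigned by the scanner
    hosts: int            # how many systems in the organization are affected
    discovered: date      # date the vulnerability was first discovered
    business_impact: int  # 1 (lab box) .. 5 (payroll/finance server), set by system owners
    applicable: bool      # False when the vulnerable service or function is not in use here

# Constructed sample findings that mirror the cases in the text (hypothetical ids).
FINDINGS = [
    Finding("VULN-A", "critical", 2, date(2023, 1, 10), 5, True),    # finance/payroll server only
    Finding("VULN-B", "high", 400, date(2023, 6, 1), 2, True),       # every workstation
    Finding("VULN-C", "critical", 12, date(2023, 9, 15), 3, False),  # routers, but service is disabled
    Finding("VULN-D", "moderate", 150, date(2021, 3, 3), 2, True),   # old, still present on a legacy app
    Finding("VULN-E", "low", 400, date(2024, 2, 20), 1, True),
]

def by_severity(findings):
    """Method 1: most severe first (stable sort keeps scanner order within a level)."""
    return sorted(findings, key=lambda f: -SEVERITY_RANK[f.severity])

def by_footprint(findings):
    """Method 2: widest footprint first."""
    return sorted(findings, key=lambda f: -f.hosts)

def by_age(findings):
    """Method 3: oldest first."""
    return sorted(findings, key=lambda f: f.discovered)

def by_context(findings):
    """Context-aware ranking: drop what does not apply to this environment, then weight
    scanner severity by the business impact of the affected system, with a capped bonus
    for footprint so a lone payroll server can outrank 400 workstations (assumed weights)."""
    def score(f):
        return SEVERITY_RANK[f.severity] * f.business_impact + min(f.hosts, 100) / 10
    return sorted((f for f in findings if f.applicable), key=score, reverse=True)

def left_undone(ordering, capacity):
    """Ids a team that can only remediate `capacity` items never reaches under an ordering."""
    return [f.vuln_id for f in ordering[capacity:]]

if __name__ == "__main__":
    for name, method in [("severity", by_severity), ("footprint", by_footprint),
                         ("age", by_age), ("context", by_context)]:
        order = method(FINDINGS)
        print(f"{name:9}: {[f.vuln_id for f in order]}  undone@2: {left_undone(order, 2)}")
```

With a capacity of two items, footprint-first leaves the payroll server (VULN-A) undone and severity-first never reaches the old legacy-app finding, while the context-aware ordering skips the disabled router service entirely.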

Best Recommendations

The following condensed recommendations are from the Ponemon Institute, a research center specializing in privacy, data protection, and information security policy.

  1. Take an unbiased inventory of vulnerability response capabilities. How long does it take between detecting a vulnerability and patching it?
  2. Start with basic hygiene items that can be addressed quickly. For instance, if security teams don’t scan for vulnerabilities, they need to make it a top priority to acquire and deploy a vulnerability scanner or outsource this function.
  3. Create a common view combining vulnerability and IT configuration data. This lays the foundation for prioritizing vulnerabilities based on impacted business systems and routing vulnerabilities to the right IT system owners for patching.
  4. Define end-to-end vulnerability response processes, and then automate (or outsource) as much as possible. Ensure that security teams and IT teams have a shared view of these processes, and create situational awareness by providing dashboards and heat maps.
  5. Retain talent by focusing on culture and environment. People want to work in high-performance organizations where success is the norm. Creating this environment is the best way to attract and retain talent.

Why Choose ASCERTIS Solutions

ASCERTIS Solutions can conduct a security assessment of a small business in a week and provide a roadmap for your company to implement a cyber defense strategy that fits your budget. Trained security professionals can be hired on a part-time basis to fill the role of Chief Cyber Security Officer (CISO) and ensure that your roadmap is implemented in a timely and cost-effective fashion.

If interested, please contact assessments@ascertis.solutions.