07:30 AM
Dark Reading

Assessing Risk And Prioritizing Vulnerability Remediation

Vulnerabilities crop up constantly in your IT environment. How do you choose which ones to tackle first? Here are some risk-based recommendations

[Excerpted from "Assessing Risk and Prioritizing Vulnerability Remediation," a new, free report posted this week on Dark Reading's Vulnerability Management Tech Center.]

A man is aboard a raft with five holes. Some of the holes are bigger than others, with the biggest of the bunch sending water spouting upward. But even the smallest of holes can sink the raft if left unattended for too long. So how does the man prioritize which of the holes to leave open while he tends to the other four?

The central question in this story is not unlike the challenge IT administrators face when they deal with the problem of remediating vulnerable applications. Making the wrong decision when it comes to remediation management can sink even the tightest-run ship in the IT world, and the problem isn't going away.

On the contrary: A thriving market for exploit kits and application vulnerabilities ensures that an endless number of financially motivated cyber criminals, hacktivists and attempts at corporate espionage will continue to keep security teams up at night. It also means that patching security holes and closing exploitable windows will remain a vital part of enterprise security strategies for years to come.

For organizations of all sizes, prioritizing vulnerability remediation can be the difference between a breach and a repelled attack recorded in security logs. The challenge lies in dealing with the volume of fixes that need to be deployed. Deciding what holes to plug -- and when -- begins with organizations understanding their environment: What assets are on the network? Which applications and data are critical? And what's the risk to the business if vulnerabilities in these assets, applications and data are successfully compromised?

Interestingly, the number of vulnerabilities may be declining among the major enterprise software vendors. According to the 2012 Mid-Year Trend and Risk Report from IBM's X-Force research team, the top 10 enterprise software vendors have seen their percentage of the overall number of vulnerabilities drop from 30% in 2011 to 22% in the first half of 2012. However, the same report found that the percentage of vulnerabilities without a patch available in the first half of 2012 was 47%--the highest IBM said it has seen since 2008. The X-Force team speculates that the increase is due to a jump in vulnerabilities in small Web apps and software made by smaller companies.

But it is often not the newer vulnerabilities that catch corporations off-guard. According to a recent report from security vendor Solutionary, 58% of the vulnerabilities targeted by the most popular exploit kits in the fourth quarter of 2012 were more than two years old.

"The motto for risk prioritization should be 'know thyself,'" said Andrew Storms, director of security operations at nCircle. "In order to prioritize any kind of patching you need to identify your critical systems and understand exactly where your business-critical information is. This isn't always as easy as it sounds--it requires an in-depth understanding of how users interact with critical business information and intellectual property."
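As an added illustration (not code from the report, Dark Reading or nCircle), the ranking below scores a few constructed findings by the factors the article names: asset criticality, whether an exploit kit already targets the bug, how long the hole has been open, and whether a patch exists. The weights, the finding identifiers and the sample assets are assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Weights are an assumption for illustration, not a formula from the report.
CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    vuln_id: str            # constructed placeholder ids, not real advisories
    asset: str
    severity: float         # 0-10 technical severity, e.g. a CVSS base score
    asset_criticality: str  # business criticality of the affected asset
    published: date
    patch_available: bool
    in_exploit_kit: bool    # currently targeted by a popular exploit kit

def risk_score(f: Finding, today: date) -> float:
    """Business risk: severity weighted by asset criticality, boosted when an
    exploit kit already targets the bug or the hole has been open for more
    than two years (the age bracket the article says kits favour)."""
    score = f.severity * CRITICALITY[f.asset_criticality]
    if f.in_exploit_kit:
        score *= 2.0
    if (today - f.published).days > 2 * 365:
        score *= 1.5
    return round(score, 2)

def prioritize(findings, today):
    """Highest business risk first, regardless of raw severity."""
    return sorted(findings, key=lambda f: risk_score(f, today), reverse=True)

def plan(findings, today):
    """Split the ranked list into what can be patched now and what needs a
    compensating control while no vendor fix exists."""
    ranked = prioritize(findings, today)
    return {
        "patch": [f.vuln_id for f in ranked if f.patch_available],
        "mitigate": [f.vuln_id for f in ranked if not f.patch_available],
    }

# Constructed sample findings; TODAY is fixed so the ranking is reproducible.
TODAY = date(2013, 2, 1)
SAMPLE = [
    Finding("V-1", "web-store", 9.8, "critical", date(2010, 3, 1), True, True),
    Finding("V-2", "hr-db", 7.5, "high", date(2012, 11, 1), False, False),
    Finding("V-3", "test-vm", 10.0, "low", date(2013, 1, 15), True, False),
    Finding("V-4", "file-server", 5.0, "medium", date(2009, 6, 1), True, True),
]

for f in prioritize(SAMPLE, TODAY):
    print(f.vuln_id, f.asset, risk_score(f, TODAY))
```

Note that V-3, the finding with the highest raw severity, ranks last because it sits on a low-value test machine, while the old, kit-targeted bug on the critical web store comes first.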

For a detailed discussion of how to measure the risks associated with a new vulnerability -- and how to prioritize the fixes -- download the free report on vulnerability remediation.
