Analytics

6/25/2010
05:53 PM

Prioritizing And Fixing Security Vulnerabilities: A Reader's Guide

You've done your vuln scanning and found some flaws. What do you do now?

[The following is excerpted from "In a Fix? Try a Vulnerability Remediation Life Cycle," a new report posted today in the Dark Reading Vulnerability Management Tech Center.]

For many, the term "vulnerability management" conjures images of scanning tools and penetration tests. But finding the flaws is only half of the battle. Fixing them -- sometimes called vulnerability remediation -- is often the hardest part.

Scanning tools are an excellent starting point -- an automated way to map the possible problems and exposures within a network. But the findings are not very useful without additional information and context. To be effective at reducing and remediating flaws, organizations must implement an ongoing vulnerability remediation life cycle (VRLC).

It's important to go beyond the initial scan into penetration analysis and attack path discovery to get a more complete picture of the possible exposures to business data. It may sound counterintuitive, but there are times when you may not need to fix flaws. Penetration analysis may reveal that there are compensating controls that protect an application or device at an acceptable risk level for the organization, even though the scanner is showing a vulnerability.

For many companies, compliance is the next step. After performing scans, penetration-testing analysis, and validation, an organization should match exposures and vulnerabilities to the required compliance activities.

If, for example, you have an externally facing Web server and are required to be compliant with PCI-DSS, then a cross-site request forgery (CSRF) vulnerability in the Web server would make the company noncompliant. The actual risk of exposure associated with the CSRF may be low, but the fact that it would result in a failed PCI audit increases the related risk and would, most likely, move the vulnerability up in the priority queue.

After compliance, risk management often is the next step in the VRLC. Having complete and accurate scan, penetration test, and compliance requirements data is a great beginning for the business risk analysis process.

These steps provide the foundation for establishing where the problems are, whether they are exploitable, and whether there is any risk of being noncompliant if they aren't corrected. Building on that information, the business or organization must complete its own risk analysis to identify which problems are of highest concern based on such factors as the likelihood of a successful exploit, the business impact if there is a compromise, and the value of the asset.

With a list of vulnerabilities and risk levels in hand, the organization can move on to the prioritization phase of the VRLC. In this phase, the laundry list of vulnerabilities defined during the initial scan is organized by order of remediation criticality. The goal is to merge all of the information from the previous steps in a way that intelligently establishes priority.

Now that the organization has determined what needs to be fixed and in what order of priority, the last thing to consider is the best way to fix each flaw -- both in the short and the long term.

While long-term fixes are often the most desirable, the reality is that organizations don't always have the time and/or resources to be able to implement them immediately. It's acceptable to have a mixture of both short- and long-term fixes as long as the repercussions of the decisions and the associated risks are understood.
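The steps above (scan, penetration validation, compliance mapping, business risk analysis, prioritization) can be made concrete as a small scoring pass over scan findings. The code below is an added illustration, not code from the Dark Reading report: the `Finding` fields, the constants `COMPLIANCE_WEIGHT` and `ACCEPTABLE_RISK`, and the four sample findings are all constructed assumptions, and the formula (likelihood x business impact x asset value, plus a fixed bump when leaving the flaw unfixed would fail a required audit) is one simple way to merge the inputs rather than the report's own method.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed weights. COMPLIANCE_WEIGHT is added when an unfixed finding would fail a
# required audit (the PCI-DSS/CSRF case in the text); ACCEPTABLE_RISK is the residual
# risk below which a finding covered by a compensating control may be accepted as-is.
COMPLIANCE_WEIGHT = 10.0
ACCEPTABLE_RISK = 5.0


@dataclass
class Finding:
    asset: str
    title: str
    scanner_severity: float          # 0-10 as reported by the scanner
    exploitable: Optional[bool]      # penetration analysis result; None = not yet validated
    compensating_control: bool       # pentest found a control that limits the exposure
    compliance: Tuple[str, ...]      # regimes whose audit this finding would fail
    likelihood: float                # 0.0-1.0 estimated chance of a successful exploit
    business_impact: int             # 1-5 impact on the business if compromised
    asset_value: int                 # 1-5 value of the affected asset


@dataclass
class Prioritized:
    finding: Finding
    score: float
    disposition: str                 # "fix", "accept-risk" or "validate"


def residual_risk(f: Finding) -> float:
    """Business risk on a 0-25 scale: likelihood x impact x asset value.

    Scanner severity is not the driver; it only seeds the likelihood when the
    pentest has not yet confirmed or refuted that the flaw is exploitable.
    """
    likelihood = f.likelihood
    if f.exploitable is False:
        likelihood *= 0.1            # flagged by the scanner but could not be exploited
    elif f.exploitable is None:
        likelihood = max(likelihood, f.scanner_severity / 10.0)
    if f.compensating_control:
        likelihood *= 0.5            # the control reduces, but does not remove, exposure
    return likelihood * f.business_impact * f.asset_value


def prioritize(findings: List[Finding]) -> List[Prioritized]:
    """Merge scan, pentest, compliance and risk data into one ordered remediation queue."""
    queue: List[Prioritized] = []
    for f in findings:
        risk = residual_risk(f)
        score = risk + (COMPLIANCE_WEIGHT if f.compliance else 0.0)
        if f.exploitable is None:
            disposition = "validate"        # send back to penetration analysis first
        elif f.compensating_control and risk <= ACCEPTABLE_RISK and not f.compliance:
            disposition = "accept-risk"     # the text's "you may not need to fix it" case
        else:
            disposition = "fix"
        queue.append(Prioritized(f, round(score, 2), disposition))
    queue.sort(key=lambda p: p.score, reverse=True)
    return queue


def sample_findings() -> List[Finding]:
    """Constructed scan output for the walk-through; not real assets or results."""
    return [
        Finding("www-ext-01", "CSRF in customer web server", 4.3, True, False,
                ("PCI-DSS",), 0.3, 2, 3),
        Finding("hr-app-02", "SQL injection in HR portal", 9.0, True, False,
                (), 0.7, 5, 4),
        Finding("intranet-gw-03", "Weak TLS ciphers on intranet appliance", 7.5, True, True,
                (), 0.4, 2, 2),
        Finding("cms-04", "Outdated CMS plugin", 6.0, None, False,
                (), 0.2, 3, 3),
    ]


if __name__ == "__main__":
    for p in prioritize(sample_findings()):
        print(f"{p.score:5.1f}  {p.disposition:11s}  {p.finding.asset}: {p.finding.title}")
```

Running it puts the SQL injection first on pure business risk, then the CSRF: its residual risk is low (1.8 of 25) but the PCI-DSS audit failure lifts it above the unvalidated CMS finding, which is the ordering effect the text describes. The TLS finding ends up as "accept-risk" because the pentest found a compensating control and the remaining risk is under the threshold; the unvalidated finding is routed back for penetration analysis rather than fixed blind.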

To see the step-by-step process of the VRLC -- and to get details on the options available for remediation -- download the full report.
