Dark Reading is part of the Informa Tech Division of Informa PLC

3/24/2020
10:00 AM

Vulnerability Management Isn't Just a Numbers Game

Attackers work 24/7, so you have to be vigilant around the clock. Time for some game theory.

Organizations will quickly be overwhelmed if they try to treat all vulnerabilities equally. Given the sheer volume of vulnerabilities, limited resources, and varying objectives across the teams involved, effective cybersecurity requires the ability to view vulnerabilities in their proper context and prioritize them accordingly for treatment, whether that means remediating, mitigating, or accepting the risk.

Redefining "Vulnerability"
For starters, organizations must establish what it means to say they have a vulnerability. Vulnerabilities are often defined and interpreted in a silo or vacuum that ignores other relevant factors such as the availability of exploits, the threat actors who use them, and their motivation. In reality, a vulnerability is only as bad as the threat exploiting it and the potential impact a successful exploit would have on the organization or business.

Organizations often rely on CVSS (Common Vulnerability Scoring System) scores and CVE (Common Vulnerabilities and Exposures) identifiers to rank or prioritize vulnerabilities, but neither can be used by itself to manage vulnerabilities effectively.

CVSS measures the severity of a vulnerability but does not measure risk. The base score, which is what most scanners and advisories report, represents a worst-case scenario for the extent of the damage if the vulnerability is successfully exploited, not how plausible it is that the exploit will occur. (CVSS does define temporal and environmental metrics that can capture exploit maturity and the deploying organization's context, but they are optional and seldom populated, so in practice teams end up ranking on the base score.) A CVE identifier is even less useful from a risk management perspective: it is just a naming convention for uniquely identifying a vulnerability, not a measure of severity or risk.

Context Is Key for Prioritizing Vulnerabilities
A vulnerability can be severe yet low risk, or high risk yet not severe. The two terms are not interchangeable, and it's important to understand the difference.

IT security teams tend to focus on the most recent vulnerabilities, especially high-severity ones. Attackers, on the other hand, don't necessarily prioritize by severity; they have nothing to prove. Attackers are generally focused on ease of exploitation and a high return on investment. Many attacks target old vulnerabilities for which patches have existed for months or years, because attackers can simply buy an exploit or reuse an existing exploit tool and automate both discovery and exploitation. Attackers take an industrialized approach to launching attacks.

Game Theory and Vulnerability Management
One of the biggest fallacies when it comes to vulnerability management is that it's a numbers game. Many organizations have a skewed, metric-driven approach to vulnerability management that creates the illusion of progress and success while leaving the company exposed to significant risk.

If there are 1,000 vulnerabilities detected and the IT security team manages to patch (or otherwise remediate) or mitigate 990 of them, they've closed 99% of the vulnerabilities. At face value, that sounds impressive, but attackers need only one exploitable vulnerability to get into the enterprise network. The real questions are: which 10 vulnerabilities are left, and what impact would the organization face if one of them were successfully exploited?

Instead of viewing vulnerability management as a numbers game and measuring success based on an arbitrary percentage of the total vulnerabilities detected, organizations should view vulnerability management as a function of game theory. 

What do I mean by that? Game theory combines rational choice theory with assumptions about what the adversary knows in order to predict utility-maximizing decisions, which lets you anticipate your opponent's strategy. Applied to vulnerability management, that means asking which of your vulnerabilities a rational attacker would actually choose to exploit, given the exploits available and the payoff each target offers, and fixing those first. That is a more effective and practical strategy than just counting vulnerabilities.

There are a variety of factors to consider in order to prioritize vulnerabilities and maintain effective vulnerability management. IT security teams must weigh and negotiate multiple factors (vulnerability severity, asset criticality, asset accessibility, mitigating controls, potential impact, and so on) and think tactically about the opponent to develop a successful strategy.
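The factors above, together with the severity-versus-risk distinction and the 990-of-1,000 scenario from the earlier sections, can be turned into a concrete ranking. The following Python script is an added example, not code from this article or from any product it mentions; the scoring weights, the `Finding` fields and the sample inventory are illustrative assumptions. It scores each finding as likelihood times impact, contrasts that ordering with a CVSS-only one, and then replays a severity-first team fixing 990 of 1,000 findings to show which finding the 99% figure leaves behind.

```python
"""Context-aware vulnerability prioritisation versus a CVSS-only numbers game.

Added example. The weights below are illustrative assumptions, not a published
standard, and every finding is constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    cvss_base: float          # CVSS base score: worst-case severity, 0.0-10.0
    exploit_public: bool      # working exploit available (purchasable or open source)
    actively_exploited: bool  # observed in use in the wild
    internet_exposed: bool    # reachable by an anonymous attacker
    asset_criticality: int    # 1 (throwaway lab host) .. 5 (revenue/identity critical)
    mitigating_controls: int  # 0 none, 1 partial (e.g. WAF rule), 2 strong (segmented)
    patch_age_days: int       # days since the vendor fix shipped


def likelihood(f: Finding) -> float:
    """Plausibility that an attacker exploits this finding, 0.0-1.0 (assumed weights)."""
    p = 0.2                     # baseline: it exists, so someone may eventually find it
    if f.exploit_public:
        p += 0.3                # attackers buy or download exploits, they rarely research
    if f.actively_exploited:
        p += 0.4                # already industrialised by someone
    if f.internet_exposed:
        p += 0.2                # no foothold needed first
    if f.patch_age_days > 180:
        p += 0.1                # mature tooling; mass scanners already look for it
    p = min(p, 1.0)
    return p * (1.0 - 0.4 * f.mitigating_controls)  # controls lower, never erase, likelihood


def impact(f: Finding) -> float:
    """Worst-case damage (CVSS) scaled by what the asset is worth to the business."""
    return (f.cvss_base / 10.0) * (f.asset_criticality / 5.0)


def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, rescaled to the familiar 0-10 range."""
    return round(10.0 * likelihood(f) * impact(f), 2)


def rank_by_cvss(findings):
    return sorted(findings, key=lambda f: f.cvss_base, reverse=True)


def rank_by_risk(findings):
    return sorted(findings, key=risk_score, reverse=True)


def severity_first_campaign(findings, fixes):
    """Simulate a team that patches top-down by CVSS and stops after `fixes` items.

    Returns (closure rate, remaining findings ordered by risk) so the residual
    risk, not just the percentage, can be inspected.
    """
    fixed = {f.id for f in rank_by_cvss(findings)[:fixes]}
    remaining = [f for f in findings if f.id not in fixed]
    return len(fixed) / len(findings), rank_by_risk(remaining)


def build_sample():
    """Constructed inventory: five hand-picked findings plus 995 'high' background findings."""
    hand_picked = [
        # Severe but low risk: CVSS 9.8 on an isolated lab box behind strong controls.
        Finding("A", 9.8, False, False, False, 1, 2, 10),
        # Medium severity, highest risk: year-old bug, public exploit, exploited in the
        # wild, on an internet-facing crown-jewel system with no compensating control.
        Finding("B", 6.5, True, True, True, 5, 0, 400),
        Finding("C", 7.5, True, False, True, 3, 1, 365),
        Finding("D", 4.3, False, False, False, 2, 0, 30),
        Finding("E", 8.1, False, False, False, 4, 1, 60),
    ]
    # Typical background: CVSS 7.0 findings on low-value internal hosts, no known exploit.
    noise = [Finding(f"N-{i:04d}", 7.0, False, False, False, 1, 1, 30) for i in range(995)]
    return hand_picked + noise


if __name__ == "__main__":
    inventory = build_sample()
    print("Top 3 by CVSS:", [f.id for f in rank_by_cvss(inventory)[:3]])
    print("Top 3 by risk:", [(f.id, risk_score(f)) for f in rank_by_risk(inventory)[:3]])
    closure, left = severity_first_campaign(inventory, fixes=990)
    print(f"Severity-first team closed {closure:.0%}; highest residual risk is "
          f"{left[0].id} at {risk_score(left[0])}")
```

Run as-is, the CVSS ordering puts the lab box (A) first and the internet-facing, actively exploited finding (B) behind 995 routine "high" findings; the severity-first campaign reports 99% closure while B, the highest-risk item in the whole inventory, is still open. The weights are the part to argue about with your own threat model; in practice the inputs come from the scanner (CVSS), an exploit or threat intelligence feed (exploit availability, in-the-wild use), the asset inventory (criticality, exposure) and the control catalogue (mitigations).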

Continuous Vigilance Is Crucial
The final piece of an effective vulnerability management strategy is that it has to be continuous. Running a monthly — or even a weekly — vulnerability scan to identify vulnerabilities to address only provides a snapshot of that moment in time. 

Attackers don't work on a weekly or monthly schedule. The Internet is global, and it's 10 a.m. somewhere all the time. Attackers work around the clock, so your vulnerability management efforts have to be vigilant 24/7.

Understanding how to weigh context when prioritizing remediation, adopting a strategy based on game theory rather than treating vulnerability management as a pure numbers game, and monitoring for vulnerabilities continuously will together reduce your attack surface and improve your security posture.

Prateek Bhajanka (CISA, CEH) is a VP of Product Management, where he is responsible for product definition, road map, marketing and strategy for the VMDR product offering. He has comprehensive experience in the security domain, where he has played roles across the board, ...
 
