Assessing Risk And Prioritizing Vulnerability Remediation

Excerpted from "Assessing Risk and Prioritizing Vulnerability Remediation," a new, free report posted this week on Dark Reading's Vulnerability Management Tech Center.]

A man is aboard a raft with five holes. Some of the holes are bigger than others, with the biggest of the bunch sending water spouting upward. But even the smallest of holes can sink the raft if left unattended for too long. So how does the man prioritize which of the holes to leave open while he tends to the other four?

The central question in this story is not unlike the challenge IT administrators face when they deal with the problem of remediating vulnerable applications. Making the wrong decision when it comes to remediation management can sink even the tightest-run ship in the IT world, and the problem isn't going away.

On the contrary: A thriving market for exploit kits and application vulnerabilities ensures that an endless number of financially motivated cyber criminals, hacktivists and attempts at corporate espionage will continue to keep security teams up at night. It also means that patching security holes and closing exploitable windows will remain a vital part of enterprise security strategies for years to come.

For organizations of all sizes, prioritizing vulnerability remediation can be the difference between a breach and a repelled attack recorded in security logs. The challenge lies in dealing with the volume of fixes that need to be deployed. Deciding what holes to plug -- and when -- begins with organizations understanding their environment: What assets are on the network? Which applications and data are critical? And what's the risk to the business if vulnerabilities in these assets, applications and data are successfully compromised?

Interestingly, the number of vulnerabilities may be declining among the major enterprise software vendors. According to the 2012 Mid-Year Trend and Risk Report from IBM's X-Force research team, the top 10 enterprise software vendors have seen their percentage of the overall number of vulnerabilities drop from 30% in 2011 to

22% in the first half of 2012. However, the same report found that the percentage of vulnerabilities without a patch available in the first half of 2012 was 47%--the highest IBM said it has seen since 2008. The X-Force team speculates that the increase is due to a jump in vulnerabilities in small Web apps and software made by smaller companies.

But it is often not the newer vulnerabilities that catch corporations off-guard. According to a recent report from security vendor Solutionary, 58% of the vulnerabilities targeted by the most popular exploit kits in the fourth quarter of 2012 were more than two years old.

"The motto for risk prioritization should be 'know thyself,'" said Andrew Storms, director of security operations at nCircle. "In order to prioritize any kind of patching you need to identify your critical systems and understand exactly where your business-critical information is. This isn't always as easy as it sounds--it requires an in-depth understanding of how users interact with critical business information and intellectual property."

For a detailed discussion of how to measure the risks associated with a new vulnerability -- and how to prioritize the fixes -- download the free report on vulnerability remediation.

Have a comment on this story? Please click "Add a Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.