3/24/2020 10:00 AM
Vulnerability Management Isn't Just a Numbers Game

Attackers work 24/7, so you have to be vigilant around the clock. Time for some game theory.

Organizations will be quickly overwhelmed if they try to treat all vulnerabilities equally. Given the sheer volume of vulnerabilities, limited resources, and varying objectives across the teams involved, effective cybersecurity requires the ability to view vulnerabilities in the proper context and prioritize them accordingly for treatment — whether to remediate or mitigate or accept the risk.

Redefining "Vulnerability"
For starters, organizations must establish what it means to say they have a vulnerability. Vulnerabilities are often defined and interpreted in a silo or vacuum that fails to consider other relevant factors such as availability of exploits, threat actors, motivation, etc. Thus, the reality is that a vulnerability is only as bad as the threat exploiting it and the potential impact that a successful exploit could have on an organization or business.

Organizations often focus on CVSS (Common Vulnerability Scoring System) and CVE (Common Vulnerabilities and Exposures) numbers to rank or prioritize vulnerabilities, but neither can be used by itself to effectively manage vulnerabilities.

CVSS measures the severity of a vulnerability but does not consider risk. It represents a worst-case scenario of the extent of the impact or damage if the vulnerability is successfully exploited but not how plausible it is that the exploit will occur. The CVE is even less useful from a risk management perspective because it is just a naming convention or library for identifying unique vulnerabilities. 

Context Is Key for Prioritizing Vulnerabilities
A vulnerability can be severe but be a low risk, or a vulnerability can be high risk but not severe. The two terms are not interchangeable, and it's important to understand the difference. 

IT security teams tend to focus on the most recent vulnerabilities — especially high-severity vulnerabilities. Attackers, on the other hand, don't necessarily prioritize based on severity. They have nothing to prove. Attackers are generally focused on ease of exploitation and high return on investment. Many attacks target old vulnerabilities for which patches have existed for months or years, because attackers can simply buy an exploit or make use of an existing exploit tool and automate the process of discovery and exploitation. Attackers tend to take an industrialized approach toward launching attacks.

Game Theory and Vulnerability Management
One of the biggest fallacies when it comes to vulnerability management is that it's a numbers game. Many organizations have a skewed, metric-driven approach to vulnerability management that creates the illusion of progress and success while leaving the company exposed to significant risk.

If there are 1,000 vulnerabilities detected and the IT security team manages to patch (or remediate) or mitigate 990 of them, they've closed 99% of the vulnerabilities. At face value, that sounds impressive, but attackers only need one exploitable vulnerability to get into the enterprise network. The real questions are: What are the 10 vulnerabilities that are left, and what is the potential impact the organization faces if one of them is successfully exploited? 

Instead of viewing vulnerability management as a numbers game and measuring success based on an arbitrary percentage of the total vulnerabilities detected, organizations should view vulnerability management as a function of game theory. 

What do I mean by that? Game theory uses rational choice theory along with assumptions of adversary knowledge in order to predict utility-maximizing decisions. It allows someone to predict their opponents' strategies. Applying game theory to vulnerability management is a more effective and practical strategy than just counting vulnerabilities. 

There are a variety of factors to consider in order to prioritize vulnerabilities and maintain effective vulnerability management. IT security teams must weigh and negotiate multiple factors — vulnerability severity, asset criticality, asset accessibility, mitigating controls, potential impact, and so on — and think tactically about the opponent to develop a successful strategy.
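The severity-versus-risk distinction drawn above, and the contextual factors just listed, can be turned into a simple prioritization routine. The following is an added illustration, not code from the article or from any vendor's product; the weights, the `Finding` fields and the sample findings are constructed assumptions, and the identifiers are placeholders rather than real CVEs.

```python
from dataclasses import dataclass

# Constructed sample findings (not real scan data). The fields mirror the
# factors the article names: severity, exploit availability, asset
# accessibility, asset criticality and mitigating controls.
@dataclass
class Finding:
    vuln_id: str               # placeholder identifier, not a real CVE
    cvss: float                # severity 0-10: worst-case impact, not likelihood
    exploit_public: bool       # is an off-the-shelf exploit available?
    internet_facing: bool      # asset accessibility from outside the network
    asset_criticality: int     # 1 (lab box) .. 5 (crown-jewel system)
    mitigating_controls: int   # 0 (none) .. 3 (strong compensating controls)

def risk_score(f: Finding) -> float:
    """Contextual risk: severity scaled by likelihood and business impact,
    then discounted by mitigating controls. Weights are illustrative."""
    likelihood = 1.0
    if f.exploit_public:
        likelihood *= 2.0      # cheap, automatable exploitation is what attackers favour
    if f.internet_facing:
        likelihood *= 1.5      # reachable without first gaining a foothold
    impact = f.asset_criticality / 5.0
    control_discount = 1.0 - 0.25 * f.mitigating_controls
    return round(f.cvss * likelihood * impact * control_discount, 2)

def rank_by_severity(findings) -> list:
    """The 'numbers game' view: order purely by CVSS."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

def rank_by_risk(findings) -> list:
    """The contextual view: order by risk_score, highest first."""
    return [f.vuln_id for f in sorted(findings, key=risk_score, reverse=True)]

SAMPLE = [
    # severe on paper, but isolated, well-controlled, and on a throwaway asset
    Finding("VULN-A", 9.8, exploit_public=False, internet_facing=False,
            asset_criticality=1, mitigating_controls=3),
    # only moderate severity, yet public exploit, internet-facing, crown jewel
    Finding("VULN-B", 6.5, exploit_public=True, internet_facing=True,
            asset_criticality=5, mitigating_controls=0),
    Finding("VULN-C", 7.5, exploit_public=True, internet_facing=False,
            asset_criticality=4, mitigating_controls=1),
]

if __name__ == "__main__":
    print("by severity:", rank_by_severity(SAMPLE))  # VULN-A first
    print("by risk:    ", rank_by_risk(SAMPLE))      # VULN-B first
```

With these inputs the CVSS ordering and the risk ordering are almost reversed, which is the point: the highest-severity finding is the one an attacker is least likely to bother with.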

Continuous Vigilance Is Crucial
The final piece of an effective vulnerability management strategy is that it has to be continuous. Running a monthly — or even a weekly — vulnerability scan to identify vulnerabilities to address only provides a snapshot of that moment in time. 

Attackers don't work on a weekly or monthly schedule. The Internet is global, and it's 10 a.m. somewhere all the time. Attackers work around the clock, so your vulnerability management efforts have to be vigilant 24/7.

Having an understanding of how to consider context when prioritizing vulnerability remediation efforts, a strategy based on game theory rather than treating vulnerability management as a pure numbers game, and a system of continuous vulnerability monitoring will help you reduce your attack surface and improve your security posture.

Prateek Bhajanka (CISA, CEH) is a VP of Product Management, where he is responsible for product definition, road map, marketing and strategy for the VMDR product offering. He has comprehensive experience in the security domain, where he has played roles across the board, ...