3/24/2020
10:00 AM
Vulnerability Management Isn't Just a Numbers Game

Attackers work 24/7, so you have to be vigilant around the clock. Time for some game theory.

Organizations will be quickly overwhelmed if they try to treat all vulnerabilities equally. Given the sheer volume of vulnerabilities, limited resources, and varying objectives across the teams involved, effective cybersecurity requires the ability to view vulnerabilities in the proper context and prioritize them accordingly for treatment — whether to remediate or mitigate or accept the risk.

Redefining "Vulnerability"
For starters, organizations must establish what it means to say they have a vulnerability. Vulnerabilities are often defined and interpreted in a silo or vacuum that fails to consider other relevant factors such as availability of exploits, threat actors, motivation, etc. Thus, the reality is that a vulnerability is only as bad as the threat exploiting it and the potential impact that a successful exploit could have on an organization or business.

Organizations often focus on CVSS (Common Vulnerability Scoring System) and CVE (Common Vulnerabilities and Exposures) numbers to rank or prioritize vulnerabilities, but neither can be used by itself to effectively manage vulnerabilities.

CVSS measures the severity of a vulnerability but does not consider risk. It represents a worst-case scenario of the extent of the impact or damage if the vulnerability is successfully exploited but not how plausible it is that the exploit will occur. The CVE is even less useful from a risk management perspective because it is just a naming convention or library for identifying unique vulnerabilities. 

Context Is Key for Prioritizing Vulnerabilities
A vulnerability can be severe but low risk, or high risk but not severe. The two terms are not interchangeable, and it's important to understand the difference.

IT security teams tend to focus on the most recent vulnerabilities — especially high-severity vulnerabilities. Attackers, on the other hand, don't necessarily prioritize based on severity. They have nothing to prove. Attackers generally focus on ease of exploitation and high return on investment. Many attacks target old vulnerabilities for which patches have existed for months or years, because attackers can simply buy an exploit or use an existing exploit tool and automate the process of discovery and exploitation. Attackers tend to take an industrialized approach toward launching attacks.

Game Theory and Vulnerability Management
One of the biggest fallacies when it comes to vulnerability management is that it's a numbers game. Many organizations have a skewed, metric-driven approach to vulnerability management that creates the illusion of progress and success while leaving the company exposed to significant risk.

If there are 1,000 vulnerabilities detected and the IT security team manages to patch (or remediate) or mitigate 990 of them, they've closed 99% of the vulnerabilities. At face value, that sounds impressive, but attackers only need one exploitable vulnerability to get into the enterprise network. The real questions are: What are the 10 vulnerabilities that are left, and what is the potential impact the organization faces if one of them is successfully exploited? 

Instead of viewing vulnerability management as a numbers game and measuring success based on an arbitrary percentage of the total vulnerabilities detected, organizations should view vulnerability management as a function of game theory. 

What do I mean by that? Game theory uses rational choice theory along with assumptions of adversary knowledge in order to predict utility-maximizing decisions. It allows someone to predict their opponents' strategies. Applying game theory to vulnerability management is a more effective and practical strategy than just counting vulnerabilities. 

There are a variety of factors to consider in order to prioritize vulnerabilities and maintain effective vulnerability management. IT security teams must weigh and negotiate multiple factors — vulnerability severity, asset criticality, asset accessibility, mitigating controls, potential impact, and so on — and think tactically about the opponent to develop a successful strategy.
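As an added illustration (not code from the article or its author), the following Python sketch scores findings by the factors listed above rather than by CVSS alone, and reports the highest risk still open after a patch cycle instead of a percentage closed. The weights, field names and the three sample findings are constructed assumptions chosen to show the severity-versus-risk inversion the article describes.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    ident: str
    cvss: float             # CVSS base score: worst-case severity, 0-10
    asset_criticality: int  # 1 = lab box .. 5 = revenue-critical system
    internet_exposed: bool  # reachable by anyone, or internal only
    exploit_public: bool    # a working exploit or scanner module is available
    mitigated: bool         # compensating control (segmentation, WAF rule) in place
    patch_age_days: int     # how long a vendor fix has been available

def likelihood(f: Finding) -> float:
    """Rough probability that an attacker actually goes after this finding (assumed weights)."""
    p = 0.2                      # baseline: anything can be hit eventually
    if f.exploit_public:
        p += 0.5                 # cheap, automatable attacks are preferred
    if f.internet_exposed:
        p += 0.3
    if f.exploit_public and f.patch_age_days > 180:
        p += 0.1                 # old, well known, still unpatched: industrialized attacks love these
    if f.mitigated:
        p *= 0.4                 # a control in front of it reduces, but does not remove, risk
    return min(p, 1.0)

def risk_score(f: Finding) -> float:
    """Risk = likelihood x impact, scaled 0-100; impact scales CVSS by asset criticality."""
    impact = (f.cvss / 10) * (f.asset_criticality / 5)
    return round(likelihood(f) * impact * 100, 1)

def prioritize(findings):
    """Treatment order: highest contextual risk first, regardless of CVSS."""
    return sorted(findings, key=risk_score, reverse=True)

def residual_risk(findings, closed_ids):
    """The metric that matters after a patch cycle: highest risk still open, not percent closed."""
    still_open = [f for f in findings if f.ident not in closed_ids]
    return max((risk_score(f) for f in still_open), default=0.0)

# Constructed sample findings (placeholder identifiers, not real CVEs)
FINDINGS = [
    Finding("VULN-A", 9.8, 2, False, False, True, 5),    # critical CVSS, internal, mitigated, fresh
    Finding("VULN-B", 6.5, 5, True, True, False, 400),   # medium CVSS, crown jewel, public exploit, old
    Finding("VULN-C", 7.5, 3, True, False, False, 30),   # high CVSS, exposed, no known exploit
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f"{f.ident}: CVSS {f.cvss} -> risk {risk_score(f)}")
    print("residual risk after closing VULN-A:", residual_risk(FINDINGS, {"VULN-A"}))
```

Closing the CVSS 9.8 finding first looks good on a dashboard, yet leaves the medium-severity finding that carries almost all of the risk untouched.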

Continuous Vigilance Is Crucial
The final piece of an effective vulnerability management strategy is that it has to be continuous. Running a monthly — or even a weekly — vulnerability scan to identify vulnerabilities to address only provides a snapshot of that moment in time. 

Attackers don't work on a weekly or monthly schedule. The Internet is global, and it's 10 a.m. somewhere all the time. Attackers work around the clock, so your vulnerability management efforts have to be vigilant 24/7.

Having an understanding of how to consider context when prioritizing vulnerability remediation efforts, a strategy based on game theory rather than treating vulnerability management as a pure numbers game, and a system of continuous vulnerability monitoring will help you reduce your attack surface and improve your security posture.


Prateek Bhajanka (CISA, CEH) is a VP of Product Management, where he is responsible for product definition, road map, marketing and strategy for the VMDR product offering. He has comprehensive experience in the security domain, where he has played roles across the board, ...