Vulnerability Management


To keep your network and endpoints secure, vulnerabilities need to be patched and devices configured so that the risk of a threat is lowered. Keeping on top of every network device, endpoint and software installation can be a daunting task; however, it is important to take a proactive approach. This is where having a vulnerability management plan in place can help keep vulnerabilities from staying within your business.

To manage these vulnerabilities, it is important to have a plan in place which highlights those who are involved, the decision makers on risk, the vulnerability assessment and how remediation activities are handled.

 

Vulnerability Classification

Before looking at a vulnerability assessment, it is important to understand how vulnerabilities are classified, so that you can judge the amount of risk potential vulnerabilities pose to your business. Vulnerabilities are publicly disclosed and assigned a CVE (Common Vulnerabilities and Exposures) identification number. The vulnerability is then given a CVSS (Common Vulnerability Scoring System) score. The scoring system works on a scale of 0-10, indicating how severe the vulnerability is. See below for the scoring system:

SEVERITY    BASE SCORE
None        0
Low         0.1-3.9
Medium      4.0-6.9
High        7.0-8.9
Critical    9.0-10.0


The CVE database is maintained and managed by the MITRE Corporation, and you can search the database on their website: https://cve.mitre.org/

 

Vulnerability Assessment

There are many ways to look for vulnerabilities; two of the common ways are listed below:

  • Regular vulnerability scans of the network.
  • Application Monitoring.

Regular vulnerability scans of the network use specialist tools to scan all parts of the network, looking at what is deployed and how it is deployed. These scans can show you which software or operating systems are out of date, which patches are required and even how the configuration of hardware can be modified to become more secure. It is important that these scans reach all corners of your business, ensuring that everything is scanned and evaluated.

Application monitoring is a more basic approach, in that it only looks at vulnerabilities in the software deployed. This is often done via an agent installed on a device, which uses application scanning to match publicly disclosed vulnerabilities to the software deployed, highlighting where patches are missing. It is common for EDR solutions to also provide this service; if you are using an EDR solution, you may find that you already have access to this information.
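The matching step described above can be sketched as follows. This is an added example, not code from any scanning or EDR product: the hostnames, product names, versions, scores and advisory ids are constructed placeholders, and the severity bands are the ones from the table on this page.

```python
# Added example: every host, product, version, score and advisory id is constructed.

def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so that 2.4.9 sorts before 2.4.10."""
    return tuple(int(part) for part in text.split("."))

def severity(score):
    """Map a CVSS base score to the severity band from the table on this page."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0:
        return "None"
    for upper, name in ((4.0, "Low"), (7.0, "Medium"), (9.0, "High")):
        if score < upper:
            return name
    return "Critical"

# Constructed advisory feed: a host is affected while installed < fixed_in.
ADVISORIES = [
    {"id": "CVE-PLACEHOLDER-1", "product": "examplepdf", "fixed_in": "2.4.10", "cvss": 9.8},
    {"id": "CVE-PLACEHOLDER-2", "product": "examplepdf", "fixed_in": "2.3.0", "cvss": 5.3},
    {"id": "CVE-PLACEHOLDER-3", "product": "examplevpn", "fixed_in": "1.10.0", "cvss": 7.5},
]

# Constructed inventory, as an endpoint agent might report it.
INVENTORY = {
    "ws-01": {"examplepdf": "2.4.9", "examplevpn": "1.9.3"},
    "ws-02": {"examplepdf": "2.4.10", "examplevpn": "1.10.0"},
    "srv-01": {"examplepdf": "2.2.1"},
}

def missing_patches(inventory, advisories):
    """Return one finding per (host, advisory) still unpatched, worst score first."""
    findings = []
    for host, software in inventory.items():
        for adv in advisories:
            installed = software.get(adv["product"])
            if installed is None:
                continue  # product not deployed on this host
            if parse_version(installed) < parse_version(adv["fixed_in"]):
                findings.append({"host": host, "advisory": adv["id"],
                                 "installed": installed, "fix": adv["fixed_in"],
                                 "cvss": adv["cvss"], "severity": severity(adv["cvss"])})
    return sorted(findings, key=lambda f: (-f["cvss"], f["host"]))

if __name__ == "__main__":
    for f in missing_patches(INVENTORY, ADVISORIES):
        print(f"{f['severity']:<8} {f['host']:<7} {f['advisory']} "
              f"installed {f['installed']}, fixed in {f['fix']}")
```

Versions are compared as numeric tuples because a plain string comparison would rank 2.4.9 above 2.4.10 and hide the missing patch on ws-01.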

 

Remediation

Once a vulnerability is found and requires remediation, this is the time to identify the possible disruption and problems that remediation may cause. It may be a simple software patch which requires deploying across the IT infrastructure; however, it may also be more complicated and require evaluation to determine the risk and a careful approach to resolution or mitigation.

This can often be the case with legacy hardware or software which is no longer supported but still needs to be used within your business. Although it is recommended to only use supported software or hardware, there are times where this is not feasible. Potential resolutions for this could include segregating the vulnerable hardware or software from your main network. This is where the decision makers need to understand the risk and the implications, and approve the necessary actions.

 

