Look beyond CVSS scores

Common Vulnerability Scoring System (CVSS) scores have been viewed as the de facto measure to prioritize vulnerabilities. Vulnerabilities are assigned CVSS scores ranging from one to 10, with 10 being the most severe. However, they were never intended as a means of risk prioritization. If you’ve relied on CVSS scores alone to safeguard your organization, here’s why you’re probably using them incorrectly.

Because of its reputation as an industry standard, and the rate at which vulnerabilities are burgeoning, organizations have leaned on CVSS scores as a framework for prioritization. But CVSS scores come with a slew of pitfalls. For instance, it’s general practice among organizations to treat anything with a severity score above seven as High Risk. A large portion of the total vulnerabilities discovered every year fall into this bracket.

Out of the 787 Common Vulnerabilities and Exposures (CVEs) published by Microsoft in 2019, 731 had a severity rating of seven or above.

Worse still, only a small percentage of them were leveraged in cyberattacks. This is because whether a vulnerability gets exploited depends on the benefit an attacker can gain from exploiting it, or, in other words, the impact the attacker can unleash on an organization. Factors such as the technical feasibility of an exploit and the public availability of a proof of concept also influence an attacker’s decision about which vulnerability to exploit.

CVSS scores are established for vulnerabilities within two weeks of their discovery and are never revised. Sometimes, vulnerabilities with lower severity levels are exploited in the wild after disclosure, and this is never reflected in their CVSS scores.

Did you know? Nine out of 12 widely exploited vulnerabilities reported in 2019 on Microsoft’s Windows operating system and its applications were labeled only as Important, not Critical.

Organizations that prioritize vulnerabilities based only on CVSS and severity ratings are left dealing with a substantial number of vulnerabilities classified as Severe that pose little to no risk, defeating the whole purpose of vulnerability prioritization. As a result, plenty of remediation effort is dispersed on less exploitable vulnerabilities, while the important ones that require immediate attention remain exposed. This can be a slippery slope that gives you a false sense of security.

For vulnerability management efforts to pay off, organizations should augment their assessments derived from CVSS scores by adopting a multi-faceted, risk-based prioritization process based on factors such as vulnerability age, exploit availability, current exploitation activity, number of assets affected, affected asset criticality, impact type, and patch availability.

Now that we’ve established the variables essential to rigorously assessing your risk, let’s discuss how they help you direct your attention to the most alarming areas, and adopt the best possible course of action.

Understand the exploit availability and the exploit activity

Knowing whether an exploit is publicly available for a vulnerability is pivotal to vulnerability prioritization. These are the vulnerabilities that need immediate attention, irrespective of the severity levels, since the exploit is out in the wild and anyone could leverage it to break into your network and steal sensitive data.

Security teams should stay up to date on how attackers are actively leveraging newly disclosed vulnerabilities, and focus their attention and efforts on ridding their endpoints of high-profile issues.

Include affected asset count and criticality in vulnerability prioritization

Some assets are more important than others. Since web servers are at the perimeter of your network and are exposed to the internet, they’re easy targets for hackers. Database servers—which record a wealth of information like your customers’ personal information and payment details—should also be prioritized over other assets when defining the scope of your assessment, since even a lower-rated vulnerability on a business-critical asset like this may pose a high risk.

Also, if a moderate to critical-level vulnerability is found to be impacting a larger proportion of IT assets, then it only makes sense to patch them immediately to lower the overall risk. In cases like these, a vulnerability management tool that wipes out a group of vulnerabilities across multiple endpoints using a single patch deployment task could come in handy.

Identify how long a vulnerability has been lurking in your endpoint

Once information on a vulnerability is out, the clock starts ticking, and the game is on between your security teams and threat actors. It’s essential to keep track of how long high-profile vulnerabilities have been lurking within your endpoints. Letting a vulnerability reside in your network for a long time is an indication of weak security.

A vulnerability that seems less critical at first might prove fatal over time, since attackers eventually develop programs that can take advantage of these flaws. A best practice is to immediately resolve vulnerabilities that have a known exploit or are actively exploited in the wild, followed by vulnerabilities that are labeled as Critical. Vulnerabilities categorized as Important are generally more difficult to exploit but, as a rule of thumb, they should be remediated within 30 days.

Triage vulnerabilities based on impact type

Though ease of exploitation plays a significant role in risk assessment, exploitable vulnerabilities don’t necessarily warrant an attack. In fact, attackers don’t pick vulnerabilities just because they have a readily available exploit or require the least effort to exploit, but because the vulnerability furthers their goals. Only then are the availability and ease of an exploit factored in.

The impact of vulnerabilities might include, but is not limited to, denial of service, remote code execution, memory corruption, privilege elevation, cross-site scripting, and sensitive data disclosure. More daunting still are wormable vulnerabilities, which allow any future malware exploiting them to propagate from vulnerable computer to vulnerable computer without user interaction.
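Putting the factors above together, here is an added example (not from this post or from any ManageEngine product) of a small Python triage routine: the tier ordering follows the text (exploited or publicly exploitable first, then Critical, then Important within 30 days), the weights are hypothetical, and the CVE ids and inventory values are constructed placeholders. It shows how an actively exploited Important-rated flaw on a database server outranks an unexploited Critical one, which a CVSS-only sort gets backwards.

```python
from dataclasses import dataclass

@dataclass
class Vuln:
    cve: str                 # placeholder ids below, not real CVEs
    cvss: float
    severity: str            # vendor label, e.g. "Critical" or "Important"
    exploit_public: bool     # proof of concept or exploit code is published
    exploited_in_wild: bool  # active exploitation reported
    age_days: int            # days since disclosure that it has sat on the estate
    asset_count: int         # breadth: how many endpoints carry it
    asset_critical: bool     # e.g. internet-facing web server or database server
    impact: str              # "wormable", "rce", "eop", "info", "dos", "xss"

# Assumed weights (hypothetical); tune to your own estate.
IMPACT_WEIGHT = {"wormable": 30, "rce": 20, "eop": 12, "info": 10, "dos": 6, "xss": 6}

def tier(v: Vuln) -> int:
    """Ordering from the text: known/active exploit first, then Critical, then the rest."""
    if v.exploited_in_wild or v.exploit_public:
        return 0
    return 1 if v.severity == "Critical" else 2

def overdue(v: Vuln) -> bool:
    """Rule of thumb from the text: Important-rated issues are remediated within 30 days."""
    return v.severity == "Important" and v.age_days > 30

def risk_score(v: Vuln) -> float:
    """Additive score from the risk factors discussed; CVSS is one input, not the verdict."""
    s = v.cvss
    s += 40 if v.exploited_in_wild else 0
    s += 20 if v.exploit_public else 0
    s += IMPACT_WEIGHT.get(v.impact, 0)
    s += 15 if v.asset_critical else 0
    s += min(v.asset_count, 1000) / 100   # breadth adds up to +10 at 1000 or more assets
    s += 10 if overdue(v) else 0
    return round(s, 2)

def prioritize(vulns):
    """Risk-based order: tier first, then descending risk score. Returns CVE ids."""
    return [v.cve for v in sorted(vulns, key=lambda v: (tier(v), -risk_score(v)))]

def cvss_only(vulns):
    """Baseline for contrast: the CVSS-only order the post argues against."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]

# Constructed sample inventory (placeholder ids, invented values).
SAMPLE = [
    Vuln("CVE-XXXX-A", 5.5, "Important", True, True, 10, 3, True, "eop"),
    Vuln("CVE-XXXX-B", 9.8, "Critical", False, False, 5, 500, False, "rce"),
    Vuln("CVE-XXXX-C", 7.5, "Important", False, False, 45, 2, False, "dos"),
    Vuln("CVE-XXXX-D", 8.1, "Important", False, False, 12, 1000, False, "wormable"),
]
```

Running `prioritize(SAMPLE)` puts the actively exploited CVE-XXXX-A first and the unpatched-for-45-days CVE-XXXX-C last, while `cvss_only(SAMPLE)` ranks CVE-XXXX-A last.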

CVSS scores aren’t the only problematic areas of vulnerability management though. You’ve also likely grappled with some or all of these questions:

How often should I scan my network? Which areas should I focus on first? Will vulnerability management actually lower risks, or is it merely a compliance chore? Should I employ different tools for vulnerability assessment and patch management? Should my security architecture be entirely dependent upon patching? What if I come across a zero-day vulnerability in my network? 

If you’re looking for answers to those, look no further. Our new ManageEngine e-book, 7 essential vulnerability management questions answered, aims not only to provide penetrating insights into those questions but also serve as a comprehensive guide to adopting the best possible course of action at various stages of your vulnerability management endeavors.

Employing solutions that analyze vulnerabilities based on the risk factors discussed above helps you triage vulnerabilities better and adopt an appropriate security response for your organization. ManageEngine Vulnerability Manager Plus, a prioritization-driven threat and vulnerability management solution, accomplishes this vital task. Run a free, 30-day vulnerability assessment with ManageEngine and address your low-hanging fruit.

Joyal Bennison
content writer