80% of data breaches arise from poor patch management, according to DZone. Knowing this, most IT professionals work overtime to patch vulnerabilities as quickly as possible. Since there are situations where you must deal with an overwhelming number of vulnerabilities at once, it makes sense to rank them by severity.
When scanning IT assets, IT professionals typically assign each vulnerability a rank of high, medium or low severity. The usual approach is to prioritize patching the high and medium severities, while low severity vulnerabilities are often ignored and even forgotten. Unfortunately, this process alone is never enough to achieve a high level of security in your organization.
Read on to learn why your focus should extend beyond severity profiles:
How Vulnerability Risk Profiles Are Issued
There are various ways to rank your vulnerabilities; manual assessment and the CVSS (Common Vulnerability Scoring System) are among the most popular. With the manual approach, you wait for symptoms of a vulnerability to appear in tools such as your log management or server monitoring tool. Once you have assessed the threat, you deal with it according to your priority list.
Vulnerabilities that are public knowledge can easily be found cataloged in databases such as the US National Vulnerability Database (NVD), where they are usually given a score based on the CVSS. The scoring system allocates a risk profile from 1-10, with critical vulnerabilities having a threshold score of 9, high severity a threshold of 7 and medium severity risks a score of 4-7. This score factors in aspects such as the complexity of the exploit, whether the attacker needs to authenticate, and the impact of the threat on availability, confidentiality and integrity.
The Loophole in This Model
The CVSS model considers the risk a vulnerability poses to environments in general, but it doesn’t account for the fact that different environments are exposed to different risk profiles. For instance, in a hospital, a network-connected medical machine supporting a patient on life support typically needs to be available all the time. A vulnerability that affects the availability of such a machine might have been ranked as low severity, but what happens when it actually hits the machine?
The results could be fatal, since the vulnerability is far more damaging than its score suggested. Such a hospital would have to assess threats with its own environment in mind to avoid this kind of mishap.
Vulnerabilities Can Be Chained Together
Focusing only on allocating a risk profile to each vulnerability ignores the fact that hackers can combine two vulnerabilities. In most cases, the vulnerabilities are more damaging combined than used separately. For instance, one system vulnerability might let a hacker gain access to a low-privilege account, while another lets the hacker escalate their privileges to those of an administrator.
If a hacker can combine both vulnerabilities, the previously low-ranked vulnerabilities need to be given more attention. A great example of this situation is the ‘Hot Potato’ exploit.
Don’t Fly Blind
Severity profiles are always helpful for organizing a chaotic threat landscape, but they are never enough on their own. While still using these profiles, you should assess the threat a vulnerability poses to your organization before ignoring all your low severity ones. You should also assess how damaging any combination of vulnerabilities would be to your organization. You might find that a previously low priority risk turns into a high priority one.
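To make the two adjustments above concrete (the environmental context from the hospital example and vulnerability chaining), here is an added Python example that is not part of the original article: it re-ranks a constructed set of scan findings, raising an availability bug on an asset tagged as life-critical to critical and both halves of an access-plus-escalation chain on one host to at least high. The finding fields, host names and access labels are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

SEVERITY_RANK = ["low", "medium", "high", "critical"]  # ascending order
def base_severity(score: float) -> str:
    # Bands as the article quotes them: critical >= 9, high >= 7, medium 4-7
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    return "medium" if score >= 4.0 else "low"

@dataclass
class Finding:
    fid: str                          # constructed finding id
    host: str
    base_score: float                 # CVSS base score from the scanner
    impacts_availability: bool = False
    grants: Optional[str] = None      # access a successful exploit yields
    requires: Optional[str] = None    # access needed before exploiting

def chains(a: Finding, b: Finding) -> bool:
    # a feeds b when a's outcome on the same host is exactly what b requires
    return a.host == b.host and a.grants is not None and a.grants == b.requires

def effective_severity(findings: List[Finding], critical_hosts: Set[str]) -> Dict[str, str]:
    # critical_hosts: assets that must stay available, e.g. a life-support device
    out = {}
    for f in findings:
        sev = base_severity(f.base_score)
        # Environmental context: losing availability of a life-support asset
        if f.impacts_availability and f.host in critical_hosts:
            sev = max(sev, "critical", key=SEVERITY_RANK.index)
        # Chaining: both halves of an access + escalation chain are at least high
        if any(chains(f, g) or chains(g, f) for g in findings if g is not f):
            sev = max(sev, "high", key=SEVERITY_RANK.index)
        out[f.fid] = sev
    return out

def demo() -> Dict[str, str]:
    # Constructed sample scan: an availability bug on a life-support pump plus
    # a low-privilege foothold and an escalation bug on one file server
    findings = [
        Finding("F-1", "infusion-pump-01", 3.5, impacts_availability=True),
        Finding("F-2", "fileserver-02", 3.9, grants="low-priv"),
        Finding("F-3", "fileserver-02", 5.0, requires="low-priv", grants="admin"),
        Finding("F-4", "fileserver-02", 2.0),
    ]
    return effective_severity(findings, {"infusion-pump-01"})
```

Three of the four findings score as "low" or "medium" on base score alone; only F-4, which neither threatens a critical asset nor feeds a chain, stays low after context is applied.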
Risk profiles are meant to make managing vulnerabilities more effective, but this shouldn’t mean low severity threats aren’t threats at all. It’s all about giving every vulnerability the attention it deserves. The more you understand your threat landscape, the easier it will be to excel at patch management.