Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Compliance

Risk-Based Vulnerability Management is a Must for Security & Compliance

Vulnerability management and compliance go hand-in-hand. Just as adhering to certain regulatory standards can help an organization manage vulnerabilities more effectively, managing vulnerabilities effectively can make an organization less susceptible to the sorts of security incidents that could render it noncompliant. 

Vulnerability management and compliance go hand-in-hand. Just as adhering to certain regulatory standards can help an organization manage vulnerabilities more effectively, managing vulnerabilities effectively can make an organization less susceptible to the sorts of security incidents that could render it noncompliant. 

But given that different regulatory bodies have different standards, managing vulnerabilities in a manner that is both effective and compliant can mean different things for different organizations. One notable exception, however, is an emphasis on risk. Specifically:

● Requirement 6.1 of PCI DSS states that organizations must “establish a process to identify…and assign a risk ranking to newly discovered security vulnerabilities.”

● Article 32 of GDPR requires the implementation “of appropriate technical or organizational measures to ensure a level of security appropriate to the risk.”

● The HIPAA Security Rule mandates an “assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”

● The GLBA Safeguard Rule requires organizations to “identify and assess risks to customer information…and evaluate the effectiveness of current safeguards for controlling these risks.”

The above regulatory standards are just a few of many examples for which achieving and maintaining compliance requires assessing, and acting according to, risk. In the context of vulnerability management—and as is stated in requirement 6.1 of PCI DSS—compliance means prioritizing and patching vulnerabilities based on risk.

Doing so, however, is easier said than done because the risk posed by a given vulnerability is situational and can vary significantly across different organizations. Assessing it accurately requires first determining 1) how likely the vulnerability is to be weaponized; and 2) if weaponized, what the impact on a given organization is likely to be. Here are some tips to consider when evaluating these variables:

Advertisement. Scroll to continue reading.

Know your assets

It should almost always be a top priority to patch a vulnerability that could impact a critical asset. And for most organizations, critical assets include (but are not limited to) those to which one or more security compliance requirements apply. For organizations governed by HIPAA, these assets include personal health information; for those governed by PCI DSS, they include payment card data; for those governed by GDPR, they include user data; and so on.

After identifying these assets, it’s crucial to determine and document how they are stored, processed, managed, and could potentially be compromised. Which technologies are connected to them and how? Which users can access them and for what purpose? Who might seek to compromise them and why? And if these assets were to be compromised, what would the consequences be? Your answers to these sorts of questions can help prepare you to identify, triage, and prioritize vulnerabilities that could impact these assets should one arise. 

Look beyond CVSS scores

A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables—namely, weaponization likelihood and potential impact—that factor into the risk the vulnerability poses to an organization.   

In fact, a 2014 study on CVSS scores found that “fixing a vulnerability just because it was assigned a high CVSS score is equivalent to randomly picking vulnerabilities to fix”. The study also found that while a vulnerabililty’s CVSS score does not appear to correlate with its likelihood of being weaponized, certain other factors do. These include the existence of proof-of-concept (POC) exploit code for the vulnerability, as well as mentions of it in illicit online communities such as deep & dark web (DDW) forums and marketplaces. 

Given that the vast majority of common vulnerabilities and exposures (CVEs) are never weaponized, the results of this study make sense. A CVE with a high CVSS score is only a true danger if threat actors are able to weaponize it. But in order to weaponize it, threat actors must first determine how—and this usually requires POC code. The process of using (or developing) POC code typically entails substantial trial-and-error. And for many threat actors, this often leads to discussions with other threat actors on the DDW and other illicit online communities.

In other words, it’s important to recognize the presence of POC code and relevant threat-actor chatter as key risk factors when assessing a vulnerability—no matter its CVSS score. 

Consider a risk assessment framework

One way to help optimize the risk assessment process with respect to patch prioritization is to use a framework. There are numerous risk assessment frameworks—some of which are recommended or even required by certain regulatory bodies—that can help security teams evaluate, rank, and manage different risks more effectively. 

But regardless of which framework you use, it’s crucial to operationalize it in the context of your organization’s unique environment and risk factors. This means accounting for your assets, what the consequences might be if they were compromised, and how likely a given vulnerability is to be weaponized in a manner that could lead to such a compromise. Accurately evaluating the risk a vulnerability poses to your organization is nearly impossible to achieve without this information, whether you use a framework or not.

Above all else, keep in mind that while compliance should never be the end goal of any security program, there is a reason why the various compliance requirements outlined in this article all emphasize risk. Managing vulnerabilities—and in particular, prioritizing patching—effectively is only feasible when informed by risk.

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.