Security Experts:

Risk-Based Vulnerability Management is a Must for Security & Compliance

Vulnerability management and compliance go hand-in-hand. Just as adhering to certain regulatory standards can help an organization manage vulnerabilities more effectively, managing vulnerabilities effectively can make an organization less susceptible to the sorts of security incidents that could render it noncompliant. 

But given that different regulatory bodies have different standards, managing vulnerabilities in a manner that is both effective and compliant can mean different things for different organizations. One notable exception, however, is an emphasis on risk. Specifically:

● Requirement 6.1 of PCI DSS states that organizations must “establish a process to identify…and assign a risk ranking to newly discovered security vulnerabilities.”

● Article 32 of GDPR requires the implementation “of appropriate technical or organizational measures to ensure a level of security appropriate to the risk.”

● The HIPAA Security Rule mandates an “assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”

● The GLBA Safeguard Rule requires organizations to “identify and assess risks to customer information…and evaluate the effectiveness of current safeguards for controlling these risks.”

The above regulatory standards are just a few of many examples for which achieving and maintaining compliance requires assessing, and acting according to, risk. In the context of vulnerability management—and as is stated in requirement 6.1 of PCI DSS—compliance means prioritizing and patching vulnerabilities based on risk.

Doing so, however, is easier said than done because the risk posed by a given vulnerability is situational and can vary significantly across different organizations. Assessing it accurately requires first determining 1) how likely the vulnerability is to be weaponized; and 2) if weaponized, what the impact on a given organization is likely to be. Here are some tips to consider when evaluating these variables:

Know your assets

It should almost always be a top priority to patch a vulnerability that could impact a critical asset. And for most organizations, critical assets include (but are not limited to) those to which one or more security compliance requirements apply. For organizations governed by HIPAA, these assets include personal health information; for those governed by PCI DSS, they include payment card data; for those governed by GDPR, they include user data; and so on.

After identifying these assets, it’s crucial to determine and document how they are stored, processed, managed, and could potentially be compromised. Which technologies are connected to them and how? Which users can access them and for what purpose? Who might seek to compromise them and why? And if these assets were to be compromised, what would the consequences be? Your answers to these sorts of questions can help prepare you to identify, triage, and prioritize vulnerabilities that could impact these assets should one arise. 

Look beyond CVSS scores

A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables—namely, weaponization likelihood and potential impact—that factor into the risk the vulnerability poses to an organization.   

In fact, a 2014 study on CVSS scores found that “fixing a vulnerability just because it was assigned a high CVSS score is equivalent to randomly picking vulnerabilities to fix”. The study also found that while a vulnerabililty’s CVSS score does not appear to correlate with its likelihood of being weaponized, certain other factors do. These include the existence of proof-of-concept (POC) exploit code for the vulnerability, as well as mentions of it in illicit online communities such as deep & dark web (DDW) forums and marketplaces. 

Given that the vast majority of common vulnerabilities and exposures (CVEs) are never weaponized, the results of this study make sense. A CVE with a high CVSS score is only a true danger if threat actors are able to weaponize it. But in order to weaponize it, threat actors must first determine how—and this usually requires POC code. The process of using (or developing) POC code typically entails substantial trial-and-error. And for many threat actors, this often leads to discussions with other threat actors on the DDW and other illicit online communities.

In other words, it’s important to recognize the presence of POC code and relevant threat-actor chatter as key risk factors when assessing a vulnerability—no matter its CVSS score. 

Consider a risk assessment framework

One way to help optimize the risk assessment process with respect to patch prioritization is to use a framework. There are numerous risk assessment frameworks—some of which are recommended or even required by certain regulatory bodies—that can help security teams evaluate, rank, and manage different risks more effectively. 

But regardless of which framework you use, it’s crucial to operationalize it in the context of your organization’s unique environment and risk factors. This means accounting for your assets, what the consequences might be if they were compromised, and how likely a given vulnerability is to be weaponized in a manner that could lead to such a compromise. Accurately evaluating the risk a vulnerability poses to your organization is nearly impossible to achieve without this information, whether you use a framework or not.

Above all else, keep in mind that while compliance should never be the end goal of any security program, there is a reason why the various compliance requirements outlined in this article all emphasize risk. Managing vulnerabilities—and in particular, prioritizing patching—effectively is only feasible when informed by risk.

view counter
Josh Lefkowitz is the CEO of Flashpoint, which delivers Business Risk Intelligence (BRI) to empower organizations worldwide with meaningful intelligence and information that combats threats and adversaries. Lefkowitz has worked extensively with authorities to track and analyze terrorist groups. He has also served as a consultant to the FBI's senior management team and worked for a top tier, global investment bank. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.