How to Prioritize Vulnerability PatchingNew Report Asserts That Using CVSS Scores Alone Is Inadequate
Rather than focusing solely on rankings offered by the common vulnerability scoring system, or CVSS, when setting priorities for risk mitigation, organizations need to size up the specific potential risks that vulnerabilities pose to their critical assets, according to a new report by the security firm RiskSense.
Because CVSS does not adequately reflect the severity of vulnerabilities, “organizations depending on the CVSS scores as their exclusive means to prioritize vulnerabilities for patching will very likely miss important vulnerabilities that are used by ransomware,” according to the report, “Enterprise Ransomware Through the Light of Threat and Vulnerability Management.”
“Unfortunately, vulnerability management has become one of the challenging tasks for security and IT teams, who typically have far more vulnerabilities than they could ever hope to patch” the report notes. “To keep pace, teams need to prioritize vulnerabilities based on real-world context, such as whether vulnerabilities have been weaponized, their impact to the enterprise, and whether they have active exploits trending in the wild.” (see: Cleaning Up After Ransomware Attacks Isn't Easy)
The below graph shows how ransomware has increasingly become a big threat for enterprises.
Sizing Up Threats
Other security experts also stress the need to carefully assess the threat posed by a particular vulnerability based on an organization’s specific risk posture.
“Organizations have a limited amount of resources, especially when it comes to labor, so identifying the specific risks facing the organization and prioritizing them so resources can be applied efficiently is key. CVSS scores are not going to do that for you,” says Erich Kron, security awareness advocate, KnowBe4, a security awareness training and simulated phishing platform. “For example, if your organization runs 95 percent Windows machines with only a handful of Linux devices on an isolated network, even if a Linux vulnerability with a very high CVSS score is released, it makes sense to use the available resources to focus on Windows vulnerabilities.”
A risk-based approach to addressing vulnerabilities is essential, adds Joe Dibley, security researcher with STEALTHbits Technologies, a U.S.-based cybersecurity software company.
“We often prioritized patches based on additional qualifiers such as whether or not it stops an exploit and if it was in the news or actively being discussed in reputable online communities,” he says. “Tooling that can automatically update as many resources as possible and other methodologies like Desired State Computing are also important components of a solution.”
Application vendors should allow for in-service software updates so that users do not have to lose service to apply a security patch, says Mounir Hahad, head of Juniper Threat Labs at Juniper Networks. “Many popular web browsers have already adopted this approach, and smartphones are well under way to achieve the same goal,” he says.
Don’t Rely Just on CVSS
In analyzing CVSS scores, RiskSense notes that 30 out of 57 of the ransomware vulnerabilities it studied had relatively low risk scores. Vulnerabilities with low scores can still carry high risks for many organizations, according to the report.
CVSS provides threat severity indexing on a scale of 0 to 10 based on three factors: base, temporal, and environmental. While base refers to the platform used for development, temporal generally reflects characteristics of a vulnerability during production environment where debug ports are kept open by developers, says Rohan Vibhandik, an India-based security researcher who works for a multinational company.
Vibhandik says the environmental metrics considers the physical access to a device - the environment in which the device is placed or the internet application being used. “So even if base and temporal are very high and critically rated, environmental metrics underscores it if there is a lack of physical access to the device,” he says.
If there is no easy access to the device through the internet, the CVSS score assumes that the device will not be attacked. Therefore, the environmental metrics fails to take into consideration backdoors, stuxnet, bots which are some common attack vectors on industrial plants, he argues.
Vulnerabilities by Vendor
While Microsoft and Adobe vulnerabilities have long been favorite targets for exploits and malware, other vendors’ products also are frequently targeted, the RiskSense report notes.
The 57 ransomware vulnerabilities studied in the report are spread across 12 vendors. Microsoft had by far the most vulnerabilities with 27, followed by RedHat (6), Adobe (5), Oracle (5), and Apache (4).
“Ransomware is targeting the application layer in addition to traditional infrastructure, which essentially means that organizations will need to include application security and open source security as part of their vulnerability management strategy,” says Srinivas Mukkamala, CEO and co-founder at RiskSense.