Prioritization – How Important is Everything?

Output of a vulnerability assessment includes the list of identified vulnerabilities to which the organization is exposed – the vulnerabilities that need fixing. But, fixing them is not simply a matter of “going through the list.” Some vulnerabilities are more important to prioritize since they potentially pose a greater risk to the organization. To manage vulnerabilities effectively, organizations must consider the potential likelihood and impact of the identified vulnerabilities, the priority of the affected systems, the complexity of a fix, as well as the number of affected systems.

The question, then, becomes, how do I best prioritize the vulnerabilities with which I am faced?

More than anything, prioritization is a matter of having the right information to help determine which vulnerabilities should be addressed before the others. With no additional information, all vulnerabilities are equal – there is no real means to figure out if one vulnerability should be fixed before another.

But most security professionals don’t believe that is true in the real world. Some vulnerabilities really are more important. Evolve Security believes the most efficient way to assist in prioritization is to provide clients with key qualifying information. This starts with clearly identifying the discovered vulnerabilities, both by listing them in the engagement report, as well as enumerating them clearly in the Darwin Attack portal. If you have 17 identified vulnerabilities (for instance), Darwin Attack will clearly list all 17 vulnerabilities.

This is not simply a list of the identified vulnerabilities, but a clear description, including the associated Common Vulnerability Scoring System (CVSS) of each vulnerability on a 1-10 scale, as well as a simplified representation of those scores in common language severity (Critical, Serious, Medium). These scoring criteria can be easily used to start prioritizing which vulnerabilities to fix first – a vulnerability assigned a “critical” severity should generally be fixed before a vulnerability assigned a “serious” severity, for instance. Darwin enables an organization to easily sort by severity to help this prioritization process.

Darwin Attack also identifies the specific system(s) in the organization upon which each vulnerability was found – by the organization provided description of the affected system (IP address, domain, or asset name). Organizations should use their knowledge of their environment to consider which systems are critical to the organization – this information can also be tracked within the Darwin Attack portal, making this evaluation even more straight forward. A system that includes, for instance, client data, and contains proprietary information, is of greater value than a portion of your website that only includes static pages. Employees responsible for fixing vulnerabilities should general focus on those affecting the most critical systems first.

Another prioritization consideration is the complexity of remediation activities. Some fixes will require a patch or upgrade. Some might require a configuration change. Some might require a firmware update. Some might require recoding, or extensive network rearchitecture. All these remediation activities include varying levels of effort and complexity. As a general rule, high severity vulnerabilities on critical systems, that are easy to fix should be prioritized first.

Another key feature available in Darwin Attack are “Nests.” Nests are important because they allow visibility into the number of systems which are affected by similar groups of vulnerabilities. An organization might have (for instance) 17 vulnerabilities, but if one of those vulnerabilities appears in seven different systems, it can be invaluable to see the potential impact not only that vulnerability has across your entire environment, but the potential impact that fixing those vulnerabilities could have as well. Nests help identify which vulnerabilities could be addressed by repeating similar remediation steps across a group of systems. Closing a significant number of vulnerabilities with the same actions is highly efficient, and enables more efficient risk management.

The easier and more transparent prioritization is, the more effective it is at enabling the organization to close vulnerabilities and reduce risk. And the goal of a good vulnerability management program is to manage risk.