Vulnerability Management: Fix It, Then Prove It

J.R. Hernandez
Security Services Manager

Organizations must remediate prioritized vulnerabilities, or at least take mitigation actions. Remediation processes must be well defined, including applying patches, updating configurations, and other actions to reduce the likelihood a cybercriminal can exploit a vulnerability. True remediation includes mitigating the vulnerability, then testing to ensure that the remediation has been implemented correctly.

Penetration and application tests have become a basic component of an organization’s security program. The purpose is to identify vulnerabilities in your environment so you have the opportunity to manage the risks associated with those vulnerabilities. These are often the same vulnerabilities cybercriminals are leveraging to attack your organization. Your goal is to close those vulnerabilities before an attacker can take advantage of them.

Ultimately, you have several options for dealing with vulnerabilities in your environment:

1. Remediate – Apply patches that update code to remove the identified vulnerability. Remediation includes actions to find and download appropriate patches designed to remove identified vulnerabilities. Remediation can be as simple as applying a single patch, which may take a few minutes, or as involved as manually accessing systems to patch firmware in geographically distributed environments, which could require thousands of hours of effort.

2. Mitigate – Apply other controls to protect the vulnerability from exploitation. Not every vulnerability can be readily patched, and in some cases, appropriate mitigation can accomplish the same goals. This includes things like configuration changes, network updates, updating firewall rules, and using an application gateway firewall. Mitigation can be as simple as changing a single configuration setting or as complex as rebuilding your entire application suite, using new tools and libraries, and following secure-coding techniques. Removing the affected system would be a mitigating control.

3. Accept risk – Make a conscious decision that the risk is not worth the cost and effort to remediate or mitigate it, or that the forecasted loss does not warrant additional mitigation. This is often backed up by cybersecurity insurance to cover the cost of accepted risks.

4. Ignore it – This is not really a strategy, but only a byproduct of not assigning adequate priority to remediation that would require the organization to take action. Unfortunately, too many organizations use this approach, and they continue to expose the same vulnerabilities year after year.

If you are interested in improving your security posture and reducing risk, a key part of your security program should include remediation and mitigating controls designed to reduce your exposure to identified vulnerabilities. But this does not mean the organization is on its own. An effective penetration test will not just identify the vulnerability by name and description; it will also identify the systems on which the vulnerability was located and provide remediation recommendations. The security professionals responsible for the testing are often better equipped to identify fixes than the information systems professional who may not have a complete cybersecurity background.

Mitigating controls are important, since not all vulnerabilities have an easy patch associated with them. An outside cybersecurity resource may not have all of the available information to identify full mitigating controls for your organization, but they can help with information and context. The goal should be to gather enough information so that your own information system and cybersecurity staff can complete mitigation actions as appropriate, using their own more detailed knowledge of your environment.

Finally, once remediation and mitigation are complete for a given vulnerability, the organization should retest the targeted environment. This is both a validation test and a regression test.

Remediation testing – First, you are testing to make sure that the identified vulnerability is addressed. This verifies that you identified the right vulnerability, identified the right fix, and applied the fix correctly, whether it was a patch, a configuration update, a new firewall, or another form of mitigation.

Regression testing – Second, you are verifying that you did not break anything else when you addressed the vulnerability, accidentally exposing your organization to additional risk.

Once you verify your actions have been successful, and that you have not exposed new vulnerabilities, you can track the vulnerability as “closed” and feel confident that you have reduced cybersecurity risk to your organization.
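The retest logic described above, as an added example that is not part of the original article: it compares findings from the original test with findings from the retest and marks a vulnerability "closed" only when both the remediation test and the regression test pass. The finding fields, host names, placeholder vulnerability IDs, and the rule that a new finding on the same host counts as a regression are assumptions made for illustration.

```python
"""Retest tracker: close a finding only when the fix is proven and nothing new appeared."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str  # placeholder IDs, constructed for this example


# Constructed sample data: findings from the original test and from the retest.
BASELINE = {
    Finding("web01", "VULN-A"),  # patched
    Finding("web02", "VULN-A"),  # patch missed on this host
    Finding("db01", "VULN-B"),   # mitigated with a firewall rule
    Finding("app01", "VULN-C"),  # risk formally accepted
}
RETEST = {
    Finding("web02", "VULN-A"),  # still present: fix not applied correctly
    Finding("db01", "VULN-D"),   # new exposure that appeared after the change
    Finding("app01", "VULN-C"),  # accepted risk is expected to remain
}
ACCEPTED = {Finding("app01", "VULN-C")}


def retest_status(baseline, retest, accepted=frozenset()):
    """Return {finding: status} for every baseline finding plus any new ones."""
    new_by_host = {}
    for f in retest - baseline:
        new_by_host.setdefault(f.host, []).append(f)
    status = {}
    for f in baseline:
        if f in accepted:
            status[f] = "accepted"    # tracked as accepted risk, never "closed"
        elif f in retest:
            status[f] = "open"        # remediation test failed
        elif f.host in new_by_host:
            status[f] = "regression"  # fixed, but the host shows a new finding (assumed rule)
        else:
            status[f] = "closed"      # remediation and regression tests both passed
    for findings in new_by_host.values():
        for f in findings:
            status[f] = "new"
    return status


if __name__ == "__main__":
    results = retest_status(BASELINE, RETEST, ACCEPTED)
    for f in sorted(results, key=lambda x: (x.host, x.vuln_id)):
        print(f"{f.host:6} {f.vuln_id:7} {results[f]}")
```

A finding left in the "regression" state stays open until the new finding on that host has been triaged and a further retest comes back clean.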
