Vulnerability management is a continuous cycle to identify, evaluate, and remedy the
vulnerabilities that impact your organization.
There is an increasing trend in the number of data breaches recorded each year, and so the
importance of effectively managing, prioritizing, and addressing your organization’s
vulnerabilities continues to grow.
Vulnerability management is a multi-staged process that requires the cooperation of multiple
individuals and teams within a business to allow for effective and cost-efficient actions to be
taken to reduce risk and improve security.
1. Prioritize Your Assets
Any organization will make use of an assortment of devices and systems. Some of these
systems will be considered a high priority and critical for the ongoing operation of your business.
Other systems will be considered less important and non-critical to maintaining business
continuity.
It is important to catalog each of the different systems in use throughout the business and to
identify which systems are considered critical so that remediation work for vulnerabilities can be
effectively prioritized.
To effectively categorize your assets the following points can be considered:
● Is the system accessible over the internet
● Is the data the system uses critical to your business or your clients
● Does the system provide a critical business service
● Does the device provide access to other critical business systems
2. Prioritize Your Vulnerabilities
As vulnerabilities are identified, through scanning tools, security testing, and other processes,
an array of different severity levels will be recorded for each issue.
Vulnerabilities are often graded with a severity rating using the Common Vulnerability Scoring
System (CVSS). This system provides a score of 0-10 and a severity rating of Low to Critical.
To accurately assess and prioritize your vulnerabilities it is important to consider several factors:
● The severity rating of the vulnerability.
● The importance of the system the vulnerability impacts.
● Is the impacted system Internet accessible
● Is there a known exploit method for the vulnerability
Each of these factors can be used to create an ordered list of vulnerabilities for your
organization to address.
3. Addressing Your Vulnerabilities
Resolving your vulnerabilities will require an organized effort from multiple teams to effectively
resolve each of the issues in a timely manner.
It is important to use the vulnerability data you have collated to report and inform your directors
and key decision-makers.
This process can involve a summarized report, which clearly outlines the risks to the business
and the cost-effectiveness of addressing each of the identified vulnerabilities.
With approval in place, a more detailed technical report can then be provided to your security
teams to resolve each issue and improve the overall security posture of your business.
When addressing vulnerabilities there are several factors that can also be taken into account:
● The impacts of the remediation on the system and other connected systems.
Some changes to a system can impact its operation and the operation of any connected
devices, and this consideration should be accounted for.
● The time required for remediation.
While some solutions can be straightforward, others may require configuration changes,
development work, and other time-consuming tasks.
● The cost required for remediation.
Where remediation work becomes resource and time-intensive or requires new products
and services, costs can quickly escalate.
Where vulnerabilities are considered as non-critical it can be necessary to weigh the costs of
remediation against the impacts of exploitation to determine if a vulnerability should be
considered as an acceptable risk.
However, this categorization should be considered as temporary and continually reviewed as a
new cost-effective remediation strategy may be identified, or the exploitation method for the
vulnerability may change requiring a review of its original non-critical label.
4. Verify Your Remediation Process
As the vulnerability management process is an ongoing cycle, it is important to continually
reassess your systems.
This reassessment confirms that the remediation work that has been completed, was effective,
and has resolved the previously identified vulnerabilities. The reassessment also works to
provide assurance that no new vulnerabilities have been identified.
New vulnerabilities are continually being identified and reported. The National Vulnerability
Database (NVD) has received over 18,000 new vulnerabilities just in the first half of 2024 and
there is an increasing number of vulnerabilities that are reported year on year.
Where vulnerabilities are identified to persist within your organization’s systems it can also
provide an opportunity to review your management process, determine any gaps within the
process, and prevent issues from reoccurring.
Continuing To Improve
Vulnerability management is a process that requires continual review and improvement.
Implementing a perfect system to manage your vulnerabilities is unlikely to occur immediately,
and will require gradual refinement and changes to be made over time.
As part of this process, it is important to set up communication channels within your
organization so that those involved in the management process can feel encouraged to actively
participate and work towards the security of the business.
Andrew Lugsden
Security Consultant at Forge Secure Limited
https://forgesecure.com/
Working within the Cyber Security industry for over ten years to provide consultancy, security
testing, and compliance services.
