How organizations should prioritize security vulnerabilities

Organizations are not always linking the actual data on vulnerabilities with the specific risks to their business, says Vulcan Cyber.

With so many security vulnerabilities putting companies at risk, determining which ones to tackle is a challenge. Fixing all of them is virtually impossible. Concentrating on the ones rated critical is sounder, but a severity rating alone does not say whether a flaw is reachable, actively exploited or even relevant in your environment. Ultimately you want to confront the ones with the greatest impact on your organization, a strategy that many security pros are not following.

For its new report “How are Cyber Security Teams Prioritizing Vulnerability Risk?” security vendor Vulcan Cyber surveyed 200 IT security decision makers in North America to find out how vulnerability risk is prioritized, managed and reduced. The survey was conducted from September 23 through October 17, 2021.

Asked how they group vulnerabilities internally to decide which ones to prioritize, 64% said they do it by infrastructure, 53% by business function, 53% by application, 42% by stakeholder and 40% by business department. To help them in this process, 86% of the respondents said they rely on data based on the severity of the vulnerability, 70% turn to threat intelligence, 59% use asset relevance and 41% use their own custom risk scoring.

Security pros turn to different models and guidelines to help prioritize security flaws. Some 71% of those surveyed said they rely on the Common Vulnerability Scoring System (CVSS), 59% use the OWASP Top 10, 47% go by the severity rating assigned by their scanner, 38% use the CWE Top 25 and 22% use a bespoke scoring model. Some 77% of the respondents said they use at least two of these models to score and prioritize vulnerabilities.

Despite all the information and models available to them, most of the professionals polled admitted that they don’t always rank vulnerabilities appropriately. Asked whether many of the vulnerabilities they rank high should be ranked lower for their specific environment, 78% of the respondents strongly or somewhat agreed. And asked whether many of the vulnerabilities they consider low should be ranked higher for their organization, 69% strongly or somewhat agreed.

“In an ideal world, every vulnerability would get the same amount of attention as Log4Shell,” said Vulcan Cyber CEO and co-founder Yaniv Bar-Dayan. “But considering the fact that NIST discloses and reports about 400 new vulnerabilities each week, IT security teams barely have time to assess and prioritize only the most critical.”

The respondents were also asked which categories of weakness concerned them most; the options mirror the OWASP Top 10. Some 54% pointed to exposure of sensitive data, 44% cited broken authentication, 39% security misconfiguration, 35% insufficient logging and monitoring and 32% injection. Other concerns included cross-site scripting, use of components with known vulnerabilities and broken access control.

And asked which specific vulnerabilities worried them most, 62% cited MS14-068 (the Kerberos KDC flaw that lets an unprivileged domain user forge a ticket carrying domain administrator privileges), 40% MS08-067 (the Windows Server service flaw, reachable over SMB, exploited by the Conficker worm, aka Downadup and Kido), 32% CVE-2019-0708 (BlueKeep, in Remote Desktop Services), 32% CVE-2014-0160 (Heartbleed, in OpenSSL) and 30% MS17-010 (the SMBv1 flaws behind EternalBlue).

Other security flaws of concern were MS01-023 (the Microsoft IIS ISAPI buffer overflow exploited by Code Red, whose backdoors Nimda later reused), Spectre/Meltdown (CPU speculative-execution flaws), CVE-2008-1447 (the Kaminsky DNS cache-poisoning flaw), CVE-2014-6271 (Shellshock, in Bash) and MS02-039 (the SQL Server Resolution Service overflow exploited by SQL Slammer). Every item on both lists has had a vendor patch or mitigation available for years, so its presence on a 2021 worry list says more about unpatched legacy systems than about the flaw itself.

Recommendations for IT security pros

Since prioritizing vulnerabilities can prove so challenging, what can security professionals do to improve their process?

“Knowing where your organization is vulnerable is critical to running an effective cyber risk management strategy, but you also need to be able to quickly convert cyber risk analysis into effective mitigation processes,” Bar-Dayan said. “That requires a deep understanding of how to prioritize which vulnerabilities and risks you need to address first. The most effective way to do so is by consolidating vulnerability and cyber risk lifecycle management for infrastructure, applications and cloud assets in one place. That’s necessary to ensure that all departments are working together to identify and mitigate risk across your entire attack surface.”

Bar-Dayan advises organizations to focus only on the vulnerabilities with the greatest impact on their specific business. Doing so requires collecting and aggregating data on your assets through scanners, asset management, collaboration, IT service management, and patch and configuration management tools. That information then needs to be linked with CVE data, threat intelligence, vulnerability severity and asset exploitability. With so much information to gather and correlate, most organizations should consider an automated approach, according to Bar-Dayan.

“The ultimate goal in vulnerability prioritization is to generate a metric that is more meaningful than the atomic risk of any one vulnerability instance, or the risk mass of a grouping of vulnerable instances,” Bar-Dayan added. “A combination of inputs to generate a security posture rating for a business unit or a group of assets gives IT security teams a realistic shot at well-orchestrated cyber risk reduction.”
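
One way to turn that description into code, as an added example that is neither Vulcan Cyber's product logic nor code from the article: each scan finding is joined with the asset it sits on and with two threat-intelligence flags, scored as severity times likelihood times business impact, ranked, and then rolled up into a posture rating per business unit. The weights, the 0-100 scale, the noisy-OR roll-up and the inventory are assumptions made for the example, and the CVE identifiers are placeholders rather than real records.

```python
"""Risk-based vulnerability prioritization with a per-business-unit posture
rating (added example; not the article's or Vulcan Cyber's code). Weights,
scale, roll-up rule and inventory are constructed assumptions; the CVE IDs
are placeholders."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    business_unit: str
    criticality: int          # assumed scale: 1 (lab box) .. 5 (crown jewel)
    internet_exposed: bool


@dataclass(frozen=True)
class Finding:
    cve: str
    host: str
    cvss_base: float
    known_exploited: bool = False    # e.g. listed in CISA's KEV catalog
    exploit_public: bool = False     # threat intel: working exploit circulating
    ransomware_linked: bool = False  # threat intel: used by ransomware crews


def likelihood(f: Finding, a: Asset) -> float:
    """How likely this instance is to actually be attacked, 0.2 .. 1.0.
    Known exploitation outweighs a merely public exploit; ransomware use and
    internet exposure each add weight (assumed weights)."""
    score = 0.2
    if f.known_exploited:
        score += 0.4
    elif f.exploit_public:
        score += 0.2
    if f.ransomware_linked:
        score += 0.2
    if a.internet_exposed:
        score += 0.2
    return score


def risk_score(f: Finding, a: Asset) -> float:
    """Atomic risk of one finding on one asset, 0 .. 100:
    technical severity (CVSS) x likelihood of exploitation x asset impact."""
    impact = a.criticality / 5.0
    return round(f.cvss_base * 10 * likelihood(f, a) * impact, 1)


def prioritize(findings: List[Finding],
               assets: Dict[str, Asset]) -> List[Tuple[float, str, str]]:
    """Rank every (finding, asset) instance, highest risk first."""
    ranked = [(risk_score(f, assets[f.host]), f.cve, f.host) for f in findings]
    return sorted(ranked, reverse=True)


def posture_by_unit(findings: List[Finding],
                    assets: Dict[str, Asset]) -> Dict[str, float]:
    """Posture rating per business unit, 0 (everything on fire) .. 100 (clean).
    Instance risks combine like independent probabilities (noisy-OR), so one
    high-risk instance dominates while many small ones still add up; this is
    the single metric the quote asks for instead of a 'risk mass' sum."""
    clean = {a.business_unit: 1.0 for a in assets.values()}
    for f in findings:
        a = assets[f.host]
        clean[a.business_unit] *= 1 - risk_score(f, a) / 100
    return {unit: round(100 * p, 1) for unit, p in clean.items()}


# Constructed inventory: two business units, three hosts, four instances.
ASSETS = {
    "web-01": Asset("web-01", "ecommerce", 5, True),
    "db-01": Asset("db-01", "ecommerce", 5, False),
    "lab-07": Asset("lab-07", "research", 1, False),
}
FINDINGS = [
    Finding("CVE-0000-1001", "lab-07", 9.8),   # critical CVSS, no context
    Finding("CVE-0000-1001", "web-01", 9.8),   # same CVE, exposed crown jewel
    Finding("CVE-0000-1002", "web-01", 7.5, known_exploited=True, ransomware_linked=True),
    Finding("CVE-0000-1003", "db-01", 5.5, exploit_public=True),  # 'medium' that matters
]

if __name__ == "__main__":
    for score, cve, host in prioritize(FINDINGS, ASSETS):
        print(f"{score:5.1f}  {cve}  {host}")
    print(posture_by_unit(FINDINGS, ASSETS))
```

Run as a script, the ranking puts the 7.5 flaw that is known-exploited, ransomware-linked and on an internet-facing crown jewel (75.0) ahead of the 9.8 flaw with no such context (39.2 on the same exposed host, 3.9 on a lab box), and the 5.5 flaw with a public exploit on the database (22.0) ahead of that lab instance; the unit ratings come out at 11.9 for ecommerce and 96.1 for research. Whatever weights you settle on, the same CVE lands in different places depending on where it sits and who is exploiting it, which is what a severity-only ranking cannot express.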

Ransomware attacks are increasingly exploiting security vulnerabilities

The number of security flaws associated with ransomware rose from 266 to 278 last quarter, according to security firm Ivanti.

Ransomware attackers use a few different tactics to initially breach an organization. One is phishing email. Another is brute-forcing credentials. But a perennially popular method is exploiting a known security vulnerability. A report released Tuesday by security firm Ivanti looks at the rise in vulnerabilities exploited in ransomware attacks.

As detailed in its “Ransomware Index Update Q3 2021,” Ivanti found that the number of security vulnerabilities associated with ransomware increased from 266 to 278 in the third quarter of 2021.

The number of trending vulnerabilities being actively exploited in attacks rose by 4.5% to 140. And 258 of the 278 vulnerabilities tied to ransomware, more than 92%, were identified before 2021: the overwhelming majority of ransomware entry points are old flaws for which a patch has long been available.

Organizations are continually being advised to practice good patch management and apply patches to known and critical vulnerabilities. But even that process can’t stop all exploits. In its research, Ivanti discovered that ransomware gangs continue to leverage zero-day vulnerabilities even before they’re added to the National Vulnerability Database (NVD) and patches are publicly released by vendors.

Ransomware groups took advantage of some nasty vulnerabilities last quarter, with exploits seen in the wild. Before Microsoft fixed it, the PrintNightmare flaw in the Windows Print Spooler service (CVE-2021-34527) let an attacker who could reach the service execute code as SYSTEM and take over the machine. The PetitPotam attack coerces a Windows domain controller into authenticating to an attacker-controlled host over the MS-EFSRPC interface, so the attacker can relay the domain controller's NT LAN Manager (NTLM) authentication to Active Directory Certificate Services and obtain a certificate in the domain controller's name. And the ProxyShell chain of flaws in Microsoft Exchange, which gives an unauthenticated attacker remote code execution on the server, was likewise exploited in ransomware attacks.

Among other vulnerabilities, the Cring ransomware group staged attacks exploiting security holes in Adobe ColdFusion. But the ColdFusion versions involved were more than 10 years old; Adobe no longer supported them and had no patches for them, according to security firm Sophos. No prioritization scheme can surface a patch that does not exist, which is why end-of-life software has to be retired or isolated rather than merely tracked.

The number of ransomware families increased by five in the third quarter, for a total of 151, according to the report. The criminals who deploy these strains are also using more advanced tactics. One, dropper-as-a-service, sells access to a loader program whose only job is to run the buyer's malicious payload on the targeted system. Another, trojan-as-a-service, rents out customized malware to anyone willing to pay.

To help government agencies, and by extension the private sector, patch critical vulnerabilities, the Cybersecurity and Infrastructure Security Agency (CISA) recently published its Known Exploited Vulnerabilities (KEV) catalog under Binding Operational Directive 22-01, a database of almost 300 flaws known to be exploited in the wild, each with a required remediation action and a deadline.

In its analysis of the catalog, Ivanti said it found 52 vulnerabilities associated with 91 different ransomware families, while one flaw, CVE-2018-4878 (a use-after-free in Adobe Flash Player), was linked to 41 families. Microsoft is the most represented vendor on the list with 27 CVEs. Further, 35 of the vulnerabilities are associated with advanced persistent threat (APT) groups. CISA has ordered all federal civilian agencies to patch 20 of the flaws by the end of 2021 and the rest by May 2022.
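
A practical use of that catalog is to join it against your own scan output and track the deadlines. The Python below is an added example, not code from Ivanti, CISA or the article: it parses a catalog snippet constructed in the shape of the catalog's published JSON feed, using the field names that feed carries (cveID, vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction, dueDate), and reports which findings are listed, which are overdue and which are not in the catalog at all. The dates, the scan results and the placeholder CVE-0000-1001 are made up for illustration.

```python
"""Join scan findings with a CISA KEV-style catalog and track deadlines
(added example; not code from Ivanti, CISA or the article). The catalog
excerpt is constructed in the shape of the KEV JSON feed; all dates and
the scan findings are illustrative."""
import json
from datetime import date
from typing import Dict, List, Tuple

# Constructed catalog excerpt: field names as in the published KEV feed,
# values (including dates and descriptions) made up for this example.
KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "example",
    "count": 2,
    "vulnerabilities": [
        {
            "cveID": "CVE-2018-4878",
            "vendorProject": "Adobe",
            "product": "Flash Player",
            "vulnerabilityName": "Adobe Flash Player Use-After-Free Vulnerability",
            "dateAdded": "2021-11-03",
            "shortDescription": "Use-after-free in Flash Player allows remote code execution.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2022-05-03",
        },
        {
            "cveID": "CVE-2021-34527",
            "vendorProject": "Microsoft",
            "product": "Windows Print Spooler",
            "vulnerabilityName": "Microsoft Windows Print Spooler Remote Code Execution Vulnerability",
            "dateAdded": "2021-11-03",
            "shortDescription": "PrintNightmare: remote code execution in the Print Spooler service.",
            "requiredAction": "Apply updates per vendor instructions.",
            "dueDate": "2021-11-17",
        },
    ],
})

# Constructed scan output as (host, CVE); CVE-0000-1001 is a placeholder ID.
SCAN_FINDINGS = [
    ("kiosk-03", "CVE-2018-4878"),
    ("print-srv-01", "CVE-2021-34527"),
    ("web-01", "CVE-0000-1001"),
]


def load_catalog(text: str) -> Dict[str, dict]:
    """Parse the feed and index its entries by CVE ID."""
    data = json.loads(text)
    return {entry["cveID"]: entry for entry in data["vulnerabilities"]}


def triage(findings: List[Tuple[str, str]], catalog: Dict[str, dict],
           today: date) -> Tuple[List[dict], List[Tuple[str, str]]]:
    """Split findings into catalog-listed (with deadline status) and unlisted.
    Listed entries come back most-overdue first, then by nearest deadline."""
    listed, unlisted = [], []
    for host, cve in findings:
        entry = catalog.get(cve)
        if entry is None:
            unlisted.append((host, cve))
            continue
        delta = (today - date.fromisoformat(entry["dueDate"])).days
        listed.append({
            "host": host,
            "cve": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "due": entry["dueDate"],
            "days_overdue": max(delta, 0),
            "days_remaining": max(-delta, 0),
            "action": entry["requiredAction"],
        })
    listed.sort(key=lambda r: (-r["days_overdue"], r["due"]))
    return listed, unlisted


if __name__ == "__main__":
    listed, unlisted = triage(SCAN_FINDINGS, load_catalog(KEV_JSON), date(2021, 12, 1))
    for r in listed:
        status = (f'{r["days_overdue"]} days OVERDUE' if r["days_overdue"]
                  else f'{r["days_remaining"]} days left')
        print(f'{r["host"]:14} {r["cve"]:15} {r["product"]:24} due {r["due"]}  {status}')
    for host, cve in unlisted:
        print(f"{host:14} {cve:15} not in catalog (prioritize on other evidence)")
```

Against a report date of 1 December 2021 the constructed Print Spooler entry is 14 days past its deadline and rises to the top, the Flash entry has 153 days left, and the placeholder CVE is flagged as absent from the catalog. That last bucket matters: KEV membership is strong evidence of exploitation, but absence from it is not evidence of safety, so unlisted findings still go through the severity, exposure and asset-criticality scoring rather than being dropped.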

To help your organization better handle patch management and protect itself from ransomware, Srinivas Mukkamala, Ivanti’s senior VP of security products, offers several tips:

  • Focus on the most critical security vulnerabilities susceptible to ransomware. Trying to patch every security hole is impossible as there are more than 200,000 vulnerabilities to date. Instead, put each threat in the proper context. Use adaptive intelligence to gauge your exposure to the security flaws being actively exploited, learn if they’re tied to ransomware, and determine how to quickly patch them.
  • Adopt good cyber hygiene. Ransomware is ultimately a cyber hygiene problem. To combat it, you need a zero trust strategy to protect your sensitive data from breaches and unauthorized access. Zero trust offers an ongoing way to evaluate your devices, assets, endpoints and network to allow for the proper access.
  • Set up a recovery plan. In the event of a ransomware attack, you can’t just restore data from a backup onto corrupted servers and systems. You may need to reimage hundreds or thousands of systems before you can restore your files. And that process takes a lot of time and testing. Without an effective recovery plan, you’re more likely to find that you need to pay the ransom in order to get your data back.

9 key security threats that organizations will face in 2022

Supply chain attacks, misinformation campaigns, mobile malware and larger scale data breaches are just some of the threats to watch for next year, Check Point Software says.

In 2021, cybercriminals took advantage of the coronavirus pandemic, the shift to hybrid work and organizations' exposure to ransomware. For 2022, expect more of the same along with a host of worsening threats. A report released Tuesday by cyber threat intelligence provider Check Point Software looks at the security challenges organizations will likely face next year.

Supply chain attacks will continue to grow. Cyberattacks no longer affect only the targeted organization; they often ripple out to partners, providers, customers and others along the supply chain. For 2022, Check Point expects that trend to escalate with more data breaches and malware infections. As supply chain attacks become more common, governments will start to devise regulations to better protect vulnerable networks, and expect greater collaboration between government officials and the private sector to identify and combat cybercriminal groups operating regionally and globally.

The cyber “cold war” will ramp up. The cyber cold war among nations has been escalating, and it will intensify next year as more nation states, and groups operating on their behalf, try to destabilize rival countries and governments. Terrorist groups and political activists will take advantage of better infrastructure and greater technological capability to launch more sophisticated attacks.

Data breaches will scale up. As data breaches grow larger, organizations and governments will be forced to spend more to recover from them, Check Point says. Following the reported record $40 million ransom paid by insurance giant CNA Financial this year, ransom demands are expected to keep rising in 2022.

Misinformation campaigns will flourish. In 2021, misinformation and “fake news” surrounding the coronavirus pandemic and the efficacy of vaccines spread through social media and other venues. As one consequence, Dark Web cybercriminals turned a tidy profit by selling phony vaccine certificates to people who refused to get vaccinated. In 2022, fake news will continue to play a role in phishing campaigns and scams. Plus, expect to see propaganda and misinformation in advance of the US midterm elections in an attempt to influence voters.

Deepfake technology will be weaponized. The tools needed to create fake but convincing video and audio have become more advanced, and cybercriminals will increasingly use them to steal money, manipulate stock prices and sway opinion on social media, Check Point says. As one example from 2020, attackers used deepfake audio to impersonate a director's voice and trick a Hong Kong bank manager into transferring $35 million to accounts they controlled.

Cryptocurrency will play a greater role in attacks. As money becomes more digital, criminals will find more innovative ways to steal it. Following reports of crypto wallets emptied after their owners accepted free airdropped NFTs, Check Point found that the thefts were possible because of flaws in an NFT marketplace that let a malicious NFT trick the victim into signing a wallet transaction that gave the attacker access to its funds. Expect more cryptocurrency-related attacks in 2022.

Criminals will exploit vulnerabilities in microservices. Microservices have become a more common method for application development and one supported by a greater number of cloud service providers (CSPs). But as with any popular trend, cybercriminals are taking advantage of vulnerabilities found in microservices to launch attacks. For 2022, expect more of these attacks targeting CSPs.

Mobile malware attacks will increase. As organizations shifted to remote and hybrid work in 2020 and 2021, criminals increasingly turned to mobile malware as an attack vector. In 2021, almost half of all organizations reviewed by Check Point had at least one employee who downloaded a malicious mobile app. With the growing use of mobile wallets and mobile payment services, attackers will continue to exploit the reliance on mobile devices.

Penetration-testing tools will continue to be used in attacks. Though created to help organizations test their own defenses, penetration-testing tools have been adopted by cybercriminals to launch more effective attacks. By customizing such tools, attackers have been able to deploy ransomware against their victims. As this tactic continues to catch on, expect the same tools to be used in more data exfiltration and extortion attacks in 2022.

“In 2021, cyber criminals adapted their attack strategy to exploit vaccination mandates, elections and the shift to hybrid working, to target organizations’ supply chains and networks to achieve maximum disruption,” Check Point Software research VP Maya Horowitz said in a blog post.

“Looking ahead, organizations should remain aware of the risks and ensure that they have the appropriate solutions in place to prevent, without disrupting the normal business flow, the majority of attacks, including the most advanced ones,” Horowitz added. “To stay ahead of threats, organizations must be proactive and leave no part of their attack surface unprotected or unmonitored, or they risk becoming the next victim of sophisticated, targeted attacks.”
