MetricsMonday (007) – Vulnerabilities (Part 2)

Yes, that is a strong password, but the sticky note needs to be hidden under the computer!

In our previous post, we determined that we need to organize our assets based upon their context. With that in mind, let's consider what vulnerabilities matter to us.

The obvious place to start is the Common Vulnerability Scoring System (CVSS). Taking into account factors such as attack vector, attack complexity, privileges required and user interaction, CVSS provides a standardized way to assess the severity of a weakness. Sounds great, right? Before you answer, consider the real-world context. Does a Critical vulnerability on a trivial asset, say an intern's laptop, matter as much as a Medium vulnerability on your mission-critical communications server? Ceteris paribus, that laptop will eventually be a concern, but probably not in the immediate future. The CVSS base score describes the weakness, not the asset it sits on, so severity alone cannot set your priorities.

Obsolete, end-of-life, or end-of-support software is its own class of vulnerability. In most cases the vendor no longer offers support or updates, so your only recourse is to upgrade, seek an alternative, or uninstall.

Another significant class of vulnerabilities is those known to be exploited in the wild. These are worth tracking anywhere in your organization, regardless of the asset they land on. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is one of several organizations that maintain a list of Known Exploited Vulnerabilities (KEV).

The last class of vulnerabilities to consider at this time is those with no remediation. Note that I did not say patch: some vulnerabilities are simply misconfigurations, such as a default password left in service, where the remedy is a configuration change rather than a vendor fix. The lack of a remedy could simply be because a fix has not yet been developed. Or worse, a remediation might be incompatible with the system or create other problems, such as degraded performance. In either case we are dealing with vulnerabilities with no solution in sight.

In summary, so far we're working with:

  • Severity
  • End-of-life/end-of-support software
  • Known exploited
  • Vulnerabilities with no remediation or mitigation

Now let's layer in the asset context from last week. That gives us the following tracking groups to get started:

  • Known Exploited Vulnerabilities for any asset or group
  • High-severity for Critical systems
  • Rated vulnerabilities for all non-Critical systems
  • Any severity above Informational (rated) for Internet-facing systems
  • End-of-life/end-of-support software by business unit
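The five groups above are easy to state and easy to get subtly wrong when you actually run them over scanner output, so here is an added example (mine, not code from the original post) that sorts findings into those groups. Everything in it is an assumption layered on the post: the `Asset`/`Finding` data model, the CVSS v3.x qualitative scale used to turn a score into a severity name, treating "Informational" as a CVSS score of 0.0 (so "rated" means Low or above), and the sample assets, findings and KEV membership, which are all constructed placeholders rather than real identifiers.

```python
"""Bucket vulnerability findings into the five tracking groups from the post.

Added example; the data model, severity scale mapping and all sample data
below are assumptions, not part of the original post.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    name: str
    business_unit: str
    critical: bool = False          # mission-critical per last week's asset context
    internet_facing: bool = False


@dataclass(frozen=True)
class Finding:
    finding_id: str                 # constructed ids; real data would carry a CVE id
    asset: Asset
    cvss: Optional[float] = None    # None means the scanner assigned no score
    end_of_life: bool = False       # software the vendor no longer supports


# Assumption: CVSS v3.x qualitative scale; a 0.0 score is treated as "Informational".
RATED = {"Low", "Medium", "High", "Critical"}
HIGH_OR_ABOVE = {"High", "Critical"}


def severity(score: Optional[float]) -> str:
    """Map a CVSS base score to its qualitative rating ("Unrated" when there is none)."""
    if score is None:
        return "Unrated"
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def tags(f: Finding, kev_ids: Set[str]) -> List[str]:
    """Return every tracking group a single finding belongs to (it may be several)."""
    sev = severity(f.cvss)
    out = []
    if f.finding_id in kev_ids:                       # KEV: any asset, any severity
        out.append("kev_any_asset")
    if f.asset.critical and sev in HIGH_OR_ABOVE:     # High+ on Critical systems
        out.append("high_plus_on_critical")
    if not f.asset.critical and sev in RATED:         # anything rated on non-Critical systems
        out.append("rated_on_non_critical")
    if f.asset.internet_facing and sev in RATED:      # above Informational on Internet-facing
        out.append("above_informational_internet_facing")
    if f.end_of_life:                                 # EOL/EOS, grouped by business unit
        out.append("eol_" + f.asset.business_unit)
    return out


def bucket(findings: Iterable[Finding], kev_ids: Set[str]) -> Dict[str, List[str]]:
    """Group finding ids by tracking group; only non-empty groups are returned."""
    groups = defaultdict(set)
    for f in findings:
        for t in tags(f, kev_ids):
            groups[t].add(f.finding_id)
    return {name: sorted(ids) for name, ids in groups.items()}


# Constructed sample data mirroring the post's intern laptop vs. comms server scenario.
INTERN_LAPTOP = Asset("intern-laptop-07", "marketing")
COMMS_SERVER = Asset("comms-01", "operations", critical=True)
WEB_EDGE = Asset("web-edge-02", "operations", internet_facing=True)

SAMPLE_FINDINGS = [
    Finding("F-001", INTERN_LAPTOP, cvss=9.8),                     # Critical on a trivial asset
    Finding("F-002", COMMS_SERVER, cvss=5.3),                      # Medium on the critical server
    Finding("F-003", COMMS_SERVER, cvss=7.5),                      # High on the critical server
    Finding("F-004", WEB_EDGE, cvss=3.1),                          # Low, but Internet-facing
    Finding("F-005", WEB_EDGE, cvss=0.0),                          # Informational: not tracked
    Finding("F-006", INTERN_LAPTOP, cvss=None, end_of_life=True),  # unsupported software
    Finding("F-007", COMMS_SERVER, cvss=None, end_of_life=True),
]
# Constructed: pretend the Medium on the comms server is on a KEV list.
SAMPLE_KEV = {"F-002"}

if __name__ == "__main__":
    for name, ids in sorted(bucket(SAMPLE_FINDINGS, SAMPLE_KEV).items()):
        print(f"{name}: {', '.join(ids)}")
```

Two things the sample data is meant to surface: the Medium finding on the comms server (F-002) is tracked only because it is on the KEV list, not because of its score, while the Critical finding on the intern's laptop (F-001) lands in the catch-all non-Critical group rather than anything urgent. The Informational finding on the Internet-facing host (F-005) is deliberately excluded, which is the edge case the "above Informational" wording is there to settle.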

Next week, we bring this topic home when we also consider remediation/mitigation efforts.