Prioritizing Cybersecurity Vulnerabilities
Posted on Mon 03 April 2023 in Thought, Cybersecurity, Vulnerability Management, CVSS, CVE
The topic of vulnerability management and prioritization has been garnering significant attention lately. Traditional methods of prioritizing vulnerabilities often rely on the Common Vulnerability Scoring System (CVSS) or severity ratings, such as critical, high, medium, and low.
However, CVSS and severity ratings lack context, limiting their effectiveness as prioritization systems. Security tools typically lack the understanding and contextual knowledge held by actual security teams, and context is crucial for effective vulnerability management.
For example, consider when a new vulnerability is published with a Common Vulnerabilities and Exposures (CVE) identifier. To evaluate the actual risk posed by the vulnerability, we should ask ourselves several contextual questions:
- Does this vulnerability exist in my environment?
- Does the CVE have a proof of concept?
- Is the proof of concept publicly available?
- Are threat actors exploiting this vulnerability?
Only with a consideration of these contextual factors and an understanding of our environment can we assess the actual threats and risks posed to our systems by the new vulnerability.
So, what system do you use to determine severity or risk, and to prioritize vulnerabilities?
Contact Me
If you have any questions or feedback on my post, feel free to drop me a line at jay@stellersjay.pub.