Prioritizing Cybersecurity Vulnerabilities

Posted on Mon 03 April 2023 in Thought, Cybersecurity, Vulnerability Management, CVSS, CVE

The topic of vulnerability management and prioritization has been garnering significant attention lately. Traditional methods of prioritizing vulnerabilities often rely on the Common Vulnerability Scoring System (CVSS) or severity ratings, such as critical, high, medium, and low.

However, CVSS and severity ratings lack context, limiting their effectiveness as prioritization systems. Security tools typically lack the understanding and contextual knowledge held by actual security teams, and context is crucial for effective vulnerability management.

For example, consider when a new vulnerability is published with a Common Vulnerabilities and Exposures (CVE) identifier. To evaluate the actual risk posed by the vulnerability, we should ask ourselves several contextual questions:

  • Does this vulnerability exist in my environment?
  • Does the CVE have a proof of concept?
  • Is the proof of concept publicly available?
  • Are threat actors exploiting this vulnerability?

Only with a consideration of these contextual factors and an understanding of our environment can we assess the actual threats and risks posed to our systems by the new vulnerability.
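As an added example (not the author's code), the four questions above turned into a small ranking that shows how context reorders a CVSS-only list; the additive weights and the CVE identifiers are illustrative assumptions, not a published standard or real CVEs.

```python
from dataclasses import dataclass


@dataclass
class Cve:
    cve_id: str
    cvss: float            # CVSS base score as published
    in_environment: bool   # does the affected component exist here?
    has_poc: bool          # does a proof of concept exist?
    poc_public: bool       # is that proof of concept publicly available?
    exploited_in_wild: bool  # are threat actors exploiting it?


def contextual_priority(cve: Cve) -> float:
    """Assumed, illustrative weighting: context adds to the base score.

    A vulnerability that is not present in the environment gets
    priority 0.0, because it poses no immediate risk to these systems.
    """
    if not cve.in_environment:
        return 0.0
    score = cve.cvss
    if cve.has_poc:
        score += 1.0
    if cve.poc_public:
        score += 2.0
    if cve.exploited_in_wild:
        score += 4.0
    return score


def rank_by_cvss(cves):
    """Traditional ordering: CVSS base score only, highest first."""
    return [c.cve_id for c in sorted(cves, key=lambda c: c.cvss, reverse=True)]


def rank_by_context(cves):
    """Context-aware ordering using contextual_priority, highest first."""
    return [c.cve_id for c in sorted(cves, key=contextual_priority, reverse=True)]


# Constructed sample data with placeholder identifiers (not real CVEs).
SAMPLE = [
    Cve("CVE-EXAMPLE-0001", 9.8, in_environment=False, has_poc=True, poc_public=True, exploited_in_wild=True),
    Cve("CVE-EXAMPLE-0002", 6.5, in_environment=True, has_poc=True, poc_public=True, exploited_in_wild=True),
    Cve("CVE-EXAMPLE-0003", 8.1, in_environment=True, has_poc=False, poc_public=False, exploited_in_wild=False),
    Cve("CVE-EXAMPLE-0004", 7.5, in_environment=True, has_poc=True, poc_public=False, exploited_in_wild=False),
]

if __name__ == "__main__":
    print("CVSS only:   ", rank_by_cvss(SAMPLE))
    print("With context:", rank_by_context(SAMPLE))
```

The "critical" 9.8 that is absent from the environment drops to the bottom, while the 6.5 that is present and actively exploited moves to the top.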

So, what system do you use to determine severity or risk, and to prioritize vulnerabilities?

Contact Me

If you have any questions or feedback on my post, feel free to drop me a line at jay@stellersjay.pub.