Feb 12, 2013
Strategy: Assessing Risk and Prioritizing Vulnerability Remediation
There are a number of products and processes that security pros can make use of to manage vulnerability remediation. The tricky part is figuring out which holes to plug first — a task made more difficult as the sophistication, reach and number of people looking to exploit those vulnerabilities grows. Organizations need to know what they are dealing with in their environment. They need to establish criteria so they can rank assets and applications according to criticality, with the goal of establishing a vulnerability risk score.
This process must bring together the business and IT sides of the house. It also requires a solid understanding of the nature of vulnerability itself. The more devastating an exploit would be to your organization, the higher the vulnerability should be on your patch priority list. Factors to consider include the complexity of the exploit and the ubiquity of the application that needs to be fixed. Something like Java, for example, should weigh differently than an application present on fewer systems. One of the most important considerations when developing any vulnerability risk assessment is whether a vulnerability is being actively exploited in the wild. For this information, organizations can turn to third-party services and security mailing lists.
In this report we provide context around today’s vulnerability landscape and the ways in which security professionals need to marshal organizationwide resources to assess risk and prioritize vulnerability remediation. (S6530213)