Assessing Risk And Prioritizing Vulnerability Remediation

Published: 22/11/2024   Category: security

Vulnerabilities crop up constantly in your IT environment. How do you choose which ones to tackle first? Here are some risk-based recommendations.



[Excerpted from Assessing Risk and Prioritizing Vulnerability Remediation, a new, free report posted this week on Dark Reading's Vulnerability Management Tech Center.]
A man is aboard a raft with five holes. Some of the holes are bigger than others, with the biggest of the bunch sending water spouting upward. But even the smallest of holes can sink the raft if left unattended for too long. So how does the man prioritize which of the holes to leave open while he tends to the other four?
The central question in this story is not unlike the challenge IT administrators face when they deal with the problem of remediating vulnerable applications. Making the wrong decision when it comes to remediation management can sink even the tightest-run ship in the IT world, and the problem isn't going away.
On the contrary: A thriving market for exploit kits and application vulnerabilities ensures that an endless number of financially motivated cyber criminals, hacktivists and attempts at corporate espionage will continue to keep security teams up at night. It also means that patching security holes and closing exploitable windows will remain a vital part of enterprise security strategies for years to come.
For organizations of all sizes, prioritizing vulnerability remediation can be the difference between a breach and a repelled attack recorded in security logs. The challenge lies in dealing with the volume of fixes that need to be deployed. Deciding what holes to plug -- and when -- begins with organizations understanding their environment: What assets are on the network? Which applications and data are critical? And what's the risk to the business if vulnerabilities in these assets, applications and data are successfully compromised?
Interestingly, the number of vulnerabilities may be declining among the major enterprise software vendors. According to the 2012 Mid-Year Trend and Risk Report from IBM's X-Force research team, the top 10 enterprise software vendors have seen their percentage of the overall number of vulnerabilities drop from 30% in 2011 to 22% in the first half of 2012. However, the same report found that the percentage of vulnerabilities without a patch available in the first half of 2012 was 47% -- the highest IBM said it has seen since 2008. The X-Force team speculates that the increase is due to a jump in vulnerabilities in small Web apps and software made by smaller companies.
But it is often not the newer vulnerabilities that catch corporations off-guard. According to a recent report from security vendor Solutionary, 58% of the vulnerabilities targeted by the most popular exploit kits in the fourth quarter of 2012 were more than two years old.
"The motto for risk prioritization should be 'know thyself,'" said Andrew Storms, director of security operations at nCircle. "In order to prioritize any kind of patching you need to identify your critical systems and understand exactly where your business-critical information is. This isn't always as easy as it sounds -- it requires an in-depth understanding of how users interact with critical business information and intellectual property."
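To make the article's prioritization inputs concrete, here is an added example (not code from the article or from the report it excerpts): a small Python ranker that scores each finding by asset criticality, severity, evidence of active exploitation and patch availability. The findings, their ids, assets and the weights used are all constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    vuln_id: str              # constructed placeholder id, not a real CVE
    asset: str                # constructed asset name
    asset_criticality: int    # 1 (low) .. 5 (business-critical), from the asset inventory
    cvss: float               # base severity score, 0..10
    age_years: float          # time since public disclosure
    patch_available: bool     # vendor fix exists
    in_exploit_kit: bool      # currently targeted by an exploit kit


def risk_score(f: Finding) -> float:
    """Risk = impact x likelihood. Impact comes from knowing which assets matter
    ("know thyself"); likelihood from severity plus evidence of active exploitation.
    An old vulnerability that exploit kits still target is not discounted for its age."""
    impact = f.asset_criticality / 5.0
    likelihood = f.cvss / 10.0
    if f.in_exploit_kit:
        likelihood = min(1.0, likelihood + 0.4)  # constructed weight for active targeting
    return round(impact * likelihood * 100, 1)


def recommended_action(f: Finding) -> str:
    """Findings with no vendor patch still need handling: compensating controls
    (isolation, virtual patching, monitoring) until a fix ships."""
    return "patch" if f.patch_available else "mitigate"


def prioritize(findings):
    """Highest risk first; ties broken toward older findings, which have been exposed longer."""
    ranked = sorted(findings, key=lambda f: (-risk_score(f), -f.age_years))
    return [(f.vuln_id, f.asset, risk_score(f), recommended_action(f)) for f in ranked]


# Constructed sample inventory: note the old, mid-severity bug on the critical
# system that an exploit kit targets outranks the brand-new high-CVSS bug on a low-value host.
SAMPLE_FINDINGS = [
    Finding("VULN-OLD-1", "erp-db", 5, 7.5, 3.0, True, True),
    Finding("VULN-NEW-1", "marketing-site", 2, 9.8, 0.1, False, False),
    Finding("VULN-MED-1", "hr-portal", 4, 6.5, 1.0, False, False),
    Finding("VULN-LOW-1", "test-vm", 1, 9.0, 0.5, True, False),
]


def prioritize_sample():
    return prioritize(SAMPLE_FINDINGS)
```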
For a detailed discussion of how to measure the risks associated with a new vulnerability -- and how to prioritize the fixes -- download the free report on vulnerability remediation.