Looking at a typical vulnerability scan report from Nessus or Qualys, most people are terrified, lost, and basically left with more questions than answers. For example, how on earth am I going to deal with all these findings? From what I was taught, a vulnerability management process can be broken down into 4 steps (not mentioning its close relation to patch, change and risk management):

  1. Identifying vulnerabilities
  2. Evaluating vulnerabilities
  3. Treating vulnerabilities
  4. Reporting vulnerabilities

Vulnerability scanner scoring/risk rating and how it matches your org.

While the scanner provides its own risk ratings and scores such as CVSS, and I guess these are somewhat helpful in telling orgs which vulns require immediate attention, do they really reflect the true risk? I mean a vulnerability can depend on some other factors beyond the mentioned scores, and vulnerability scanners do not have the intelligence to tell whether the finding is a true or false positive (to a certain extent, e.g. issues with backported patches), whether there are any security controls that would reduce the likelihood and/or impact of this vulnerability being exploited, how it would impact the confidentiality, integrity and availability of the exploited system and data, how it would impact your business, what your org’s risk management strategy is, and many others.

So I guess that vulnerability scanners, like any other security-related software, are not perfect, but still, they provide us with a large amount of information (sometimes valid, sometimes not) and here’s where we as human beings take over to produce something more meaningful that will aim to increase an org’s security posture and lower its risk exposure. I guess that’s step 2 in the process, vulnerability evaluations.

While exploring the topic, I hear voices like “your vulnerability management needs to be risk-driven, so that you make informed decisions” or “your vulnerability management needs to be threat-intelligence-driven, to learn and predict how an adversary might strike”.

How to evaluate, prioritize, remediate?

So what I’m looking for is maybe not a recipe but direction or guidance from experienced members on how to:

  • not waste unnecessary time on findings, because they are false positives anyway (e.g. backports). Should the first step be verification whether it’s a false positive or not?

  • select the correct ones to address first (I’m looking here for suggestions on whether vulnerabilities should first be grouped based on their nature, e.g. injection vulnerabilities, or any other criteria. What I know is that it's generally recommended to export or filter scanning results by plugin ID instead of IPs, so that we will have only a few hundred vulnerability groups that will have x amount of systems in those groups. I’m aware of the CVSS scoring system, so could or perhaps should I use it to conduct a more accurate assessment based on my org/environment?)

  • I really would want to avoid a situation where I’m only the guy that bothers others with calls and emails asking whether given vulns have been addressed, but would rather want to make an impact on the security posture of the organization where I’m currently working. Other than that, I could possibly go through the list of all the findings and provide information in the form of advisories on how to verify and patch a given vulnerability, but in some cases my ability is limited I guess, meaning I don’t know all the details about a given system, so just providing a recommendation to upgrade to the latest PHP version where a number of functions were deprecated is not going to help the concerned system owners.

PS. If there are any books one could recommend, I would greatly appreciate it!

schroeder
cyzczy
  • This is far too many questions rolled into one. – schroeder Mar 01 '21 at 15:22
  • Yes, this was the reason for the downvote. Much better now to read and thus downvote taken back. Thanks. – Steffen Ullrich Mar 01 '21 at 15:23
  • Do CVSS scores represent risk? No. They aren't meant to. "an open framework for communicating the characteristics and severity of software vulnerabilities". It describes the ***vulnerability*** not its impact. – schroeder Mar 01 '21 at 15:23
  • You outline a process at the start of this post that seems to answer all the questions in the post. Where is your confusion? – schroeder Mar 01 '21 at 15:26
  • "threat-intelligence" is a form of risk evaluation and only relevant for things that get attacked – schroeder Mar 01 '21 at 15:44

1 Answer

This entire thing boils down to one simple concept: risk management.

You have a piece of software that gives you raw information about potential threats. Now you go through the process you outlined:

  1. Identifying vulnerabilities
  2. Evaluating vulnerabilities
  3. Treating vulnerabilities
  4. Reporting vulnerabilities

False positives: you evaluate the identified vulnerabilities to determine if they are a risk that needs to be treated.

Vulnerability prioritisation: you evaluate the identified vulnerabilities to determine which risks need to be treated first based on what risks matter most. You can use scores or any other method that works for you.

Getting others to remediate: you need to communicate in a way that is effective in your environment. We certainly cannot provide a single answer to address this. This is often far more political and cultural than it is something related to security or risk.

So, given all this, it appears that you want to know how to evaluate vulnerabilities in a way that is relevant to the risks in your organisation. Relevance being key here. And this is more of a risk management process.

Risk management:

  1. you assess the threats (the vulns in this case) as to whether they might have an impact on goals and objectives, and how much impact that might be (known as assessing "inherent risk")
  2. you determine whether existing controls affect the impact (known as assessing "residual risk")
  3. you tackle the ones that will have the highest residual risk

This can take seconds, or it could take months, depending on your context and how many variables there might be. So, a lot of orgs take shortcuts and just use CVSS scores without assessing existing controls unless remediation has a high cost and a cost/benefit analysis needs to be made.

schroeder
  • Fair enough. I'll try to break the questions into single threads. In the meantime, are there any books or papers you could recommend to me to expand my knowledge about the subject? Thanks! – cyzczy Mar 02 '21 at 10:17
  • @cyzczy. I suggest you read NIST SP800-30. Vulnerability identification is part of risk management. NIST RMF (Risk Management Framework) is one popular risk framework that US federal system owners are mandated to use. Other risk frameworks include CSF (Cybersecurity Framework), ISO31000, COBIT, FAIR and more. – fpmurphy Mar 02 '21 at 18:17
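The question asks about screening out backport false positives and grouping findings by plugin ID, and the answer describes scoring inherent risk, discounting it for existing controls, and tackling the highest residual risk first. The following is an added worked model of that triage, not code from either poster or from any scanner vendor; the findings, asset impact values, control discounts and the backport heuristic are all constructed assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample rows, shaped like a scanner export: one row per (plugin, host).
FINDINGS = [
    {"plugin_id": "10001", "name": "OpenSSL < 1.1.1k", "cvss": 7.5, "host": "web01",
     "banner": "OpenSSL 1.1.1d-deb10u5"},
    {"plugin_id": "10001", "name": "OpenSSL < 1.1.1k", "cvss": 7.5, "host": "web02",
     "banner": "OpenSSL 1.1.1d"},
    {"plugin_id": "10002", "name": "SQL injection in login form", "cvss": 9.8, "host": "web01",
     "banner": ""},
    {"plugin_id": "10003", "name": "Outdated PHP", "cvss": 5.3, "host": "intranet01",
     "banner": "PHP 7.2"},
]

# Context the scanner lacks (constructed): business impact 1..5 and compensating controls per asset.
ASSETS = {
    "web01": {"impact": 5, "controls": ["waf"]},
    "web02": {"impact": 3, "controls": []},
    "intranet01": {"impact": 2, "controls": ["internal_only"]},
}
# Assumed fraction of likelihood each control removes; tune to your own environment.
CONTROL_DISCOUNT = {"waf": 0.5, "internal_only": 0.3}


def is_backport_false_positive(finding):
    """Hypothetical heuristic: a Debian security build suffix means the fix was backported
    even though the version string looks old. Real checks should query package metadata."""
    return "-deb10u" in finding["banner"]


def inherent_risk(finding, asset):
    """CVSS describes the vulnerability; asset impact says what the host means to the business."""
    return finding["cvss"] / 10 * asset["impact"]


def residual_risk(finding, asset):
    """Inherent risk scaled down by the controls already in place (answer's step 2)."""
    likelihood = 1.0
    for control in asset["controls"]:
        likelihood *= 1 - CONTROL_DISCOUNT.get(control, 0)
    return inherent_risk(finding, asset) * likelihood


def triage(findings, assets):
    """Drop false positives, group by plugin ID, rank groups by their worst residual risk."""
    groups = defaultdict(list)
    for f in findings:
        if is_backport_false_positive(f):
            continue
        groups[f["plugin_id"]].append((f["host"], round(residual_risk(f, assets[f["host"]]), 2)))
    return sorted(groups.items(), key=lambda kv: max(r for _, r in kv[1]), reverse=True)
```

Running `triage(FINDINGS, ASSETS)` ranks the SQL injection group first despite the WAF, the unpatched OpenSSL host second, and the internal PHP host last, while the backported OpenSSL row on web01 is dropped before scoring.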