Discover the best practices for ranking cybersecurity vulnerabilities so that you can eliminate them.
If there’s one thing you can expect from cybercriminals, it’s that they’re always looking for new ways to locate and exploit your organization’s vulnerabilities.
The National Institute of Standards and Technology (NIST) defines a vulnerability as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.”
As the NIST definition suggests, there are many different types of vulnerabilities that cybercriminals might exploit. Identifying your organization’s vulnerabilities and then ranking them is critical to defending your data against cybercrime.
If an attacker successfully exploits a vulnerability in one of your systems, the usual result is a foothold on that system and, from there, a path to your most sensitive data.
A successfully exploited vulnerability exposes your organization to a range of follow-on threats: malware and ransomware deployment, data theft, service disruption such as distributed denial of service (DDoS), and abuse of your systems and accounts to send spam and phishing to others. Many of the weaknesses listed below, such as cross-site scripting (XSS) or SQL injection, are themselves the vulnerabilities being exploited rather than consequences of exploitation.
To best protect your business from these types of cyberattacks, you should begin by familiarizing yourself with the most common vulnerabilities. Then, you need to identify them within your own organization and rank them so that you can remediate them accordingly.
Main Types of Cybersecurity Vulnerabilities
A cybersecurity vulnerability is any flaw or weakness in your computer system, its security procedures, internal controls, or design and implementation, which could be exploited to violate the system security policy.
To prevent your cybersecurity vulnerabilities from being exploited by malicious actors, you should familiarize yourself with the most common types of vulnerabilities so that you can identify them in your own organization.
At the most basic level, vulnerabilities can be classified into six categories. Here are those categories with examples of vulnerabilities for each:
- Hardware: firmware vulnerabilities, weak or missing encryption, and susceptibility to humidity, dust, soiling, and natural disasters.
- Software: insufficient testing, lack of audit trail, design flaws, memory safety violations (buffer overflows, over-reads, dangling pointers), input validation errors (code injection, XSS, directory traversal, email injection, format string attacks, HTTP header injection, HTTP response splitting, SQL injection), privilege-confusion bugs (clickjacking, cross-site request forgery, FTP bounce attack), race conditions (symlink races, time-of-check-to-time-of-use bugs), side-channel and timing attacks, and user interface failures (blaming the victim, warning fatigue).
- Network: unprotected communication lines (for example, cleartext protocols that expose traffic to man-in-the-middle (MITM) attacks), insecure network architecture, and lack of authentication or default credentials on network devices.
- Personnel: poor recruiting policy, lack of security awareness and training, poor adherence to security training, poor password management or downloading malware via phishing email attachments.
- Physical site: area subject to natural disaster, unreliable power source, or no keycard access.
- Organizational: lack of audit, continuity plan, security or incident response plan.
From these broader categories, we have selected some of the most common cybersecurity vulnerabilities and provided suggestions for what you can do to prevent them or remediate them to avoid a potentially significant cybersecurity incident.
Endpoint Security Defenses
Your organization most likely already has some sort of endpoint protection in place. Antivirus tools are the most common endpoint protection that organizations rely on to protect their operating systems from infiltration.
However, antivirus tools alone are not enough. Many endpoint security defenses are inadequate when it comes to combating cyber threats such as advanced malware or intrusions targeting end users and server platforms.
Attackers routinely bypass signature-based antivirus, for example by repacking malware or by using built-in administrative tools instead of malware at all, and many tools do not monitor for unusual or unexpected behavior on the endpoint, which is exactly where post-exploitation activity is most visible.
Outdated endpoint security defenses also won’t give your security team the ability to dynamically respond to or investigate endpoints, especially on a large scale.
To bolster your endpoint security defenses, your organization should invest in modern endpoint detection and response tools that incorporate next-generation antivirus, behavioral analysis, and actual response capabilities.
Data Backup and Recovery
The recent rise in ransomware attacks should be enough to encourage organizations to back up their data regularly in case they need to recover it. Unfortunately, backing up data is still not a common practice for many organizations.
Neglecting one or more facets of backup and recovery, including database replication, storage synchronization, or end-user storage archival and backup, could result in a ransomware attack that leaves you high and dry. Backups that are reachable from the production network with production credentials are themselves a ransomware target, so keep at least one copy offline or immutable and test restores regularly.
Even if you can afford to pay the hefty ransom to recover your data, you may not get anything in return. A recent study shows that 17% of organizations that experienced a ransomware attack and paid the ransom did not get their data back from their attackers.
Network Segmentation and Monitoring
Weak network segmentation and monitoring allow an attacker who has gained initial access to one system to move laterally to the other systems in the same subnet, and often beyond it.
This vulnerability is common in many large enterprise networks, and has led to attackers compromising new systems and maintaining access for longer periods of time. It’s especially difficult for large organizations to monitor their networks, as hundreds or thousands of systems may be communicating simultaneously and sending outbound traffic.
Focus on controlling network access among systems and within subnets, and build detection and alerting for any traffic between systems that have no business communicating with each other.
Pay particular attention to odd DNS lookups, system-to-system communication with no apparent purpose, and unusual behavioral trends in network traffic. Tools that help you enforce more restrictive policies for traffic and system communications include proxies, firewalls, and microsegmentation tools.
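The two detections described above, written out as an added example for this article (not the page's or any vendor's code). It declares which segment-to-segment flows are permitted and flags everything else, and it flags DNS queries whose leftmost label is long or high-entropy. The addressing, the policy table, both logs and the thresholds are constructed for the demonstration.

```python
"""Flag east-west flows outside the segmentation policy and odd DNS lookups.

Added example for this article, not code from the page's author or any vendor.
The addressing, the policy table and both logs are constructed for the demo.
"""
import csv
import ipaddress
import math
from collections import Counter
from io import StringIO

# Segments as CIDR blocks (constructed lab addressing, not a real network).
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "web":          ipaddress.ip_network("10.20.1.0/24"),
    "app":          ipaddress.ip_network("10.20.2.0/24"),
    "db":           ipaddress.ip_network("10.20.3.0/24"),
    "mgmt":         ipaddress.ip_network("10.99.0.0/24"),
}

# Permitted (source segment, destination segment, destination port).
# Anything else is a pair of systems with no business talking to each other.
POLICY = {
    ("workstations", "web", 443),
    ("web", "app", 8443),
    ("app", "db", 5432),
    ("mgmt", "web", 22), ("mgmt", "app", 22), ("mgmt", "db", 22),
}

# Constructed flow records (the shape of a NetFlow/Zeek conn export, simplified).
FLOW_LOG = """ts,src,dst,dport,proto
1700000000,10.10.4.12,10.20.1.5,443,tcp
1700000001,10.20.1.5,10.20.2.7,8443,tcp
1700000002,10.20.2.7,10.20.3.9,5432,tcp
1700000003,10.10.4.12,10.20.3.9,5432,tcp
1700000004,10.10.4.12,10.10.4.88,445,tcp
1700000005,10.20.1.5,10.20.3.9,22,tcp
"""

# Constructed DNS query log: timestamp, client, queried name (reserved example domains).
DNS_LOG = """1700000000 10.10.4.12 www.example.com
1700000001 10.10.4.12 mail.example.com
1700000002 10.10.4.12 a9f3k2x8q1z7w4m6b5n0p2r8t3y5u7i9.example.net
1700000003 10.10.4.88 login.example.org
"""


def segment_of(ip: str) -> str:
    """Name of the segment containing ip, or 'unknown' for anything off-plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def unexpected_flows(flow_csv: str = FLOW_LOG) -> list[tuple[str, str, int]]:
    """Return (src, dst, dport) for every flow not covered by POLICY.
    Workstation-to-workstation SMB and web-tier-to-database SSH both show up
    here even though a perimeter firewall would never see them."""
    alerts = []
    for row in csv.DictReader(StringIO(flow_csv)):
        dport = int(row["dport"])
        if (segment_of(row["src"]), segment_of(row["dst"]), dport) not in POLICY:
            alerts.append((row["src"], row["dst"], dport))
    return alerts


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; natural-language labels sit well below 3.5."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def odd_dns_lookups(dns_log: str = DNS_LOG, max_label: int = 24,
                    max_entropy: float = 3.5) -> list[tuple[str, str]]:
    """Return (client, name) for queries whose leftmost label is unusually long
    or high-entropy, a common sign of DGA beacons or DNS tunnelling.
    Thresholds are assumptions; tune them against a baseline of your own traffic."""
    flagged = []
    for line in dns_log.strip().splitlines():
        _ts, client, qname = line.split()
        first = qname.rstrip(".").split(".")[0]
        if len(first) >= max_label or shannon_entropy(first) >= max_entropy:
            flagged.append((client, qname))
    return flagged


if __name__ == "__main__":
    for src, dst, port in unexpected_flows():
        print(f"flow outside policy: {src} ({segment_of(src)}) -> {dst} ({segment_of(dst)}):{port}")
    for client, name in odd_dns_lookups():
        print(f"odd DNS lookup from {client}: {name}")
```

On the sample data the policy check raises three alerts (workstation to database, workstation to workstation on SMB, web tier to database on SSH) and the DNS check flags the one machine-generated name. The point of the allowlist design is that new lateral paths are alerted on by default, rather than having to be anticipated one signature at a time.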
Authentication and Credential Management
Poor credential management and weak authentication are among the most common causes of compromises and breaches. If your employees reuse the same password across services, and if your systems and services accept weak authentication, then you are vulnerable to credential stuffing, password spraying, and phishing.
Governance and oversight of the credential lifecycle and policy, including user access, password policies, authentication interfaces and controls, and privilege escalation to systems and services, help your organization protect itself from a potential attack.
Implement password controls in line with NIST SP 800-63B: require longer passwords, screen new passwords against lists of known-breached and commonly used passwords, and block passwords that contain the username or the organization's name. NIST no longer recommends mandatory complexity rules or periodic password changes, because both push users toward predictable patterns; change passwords when there is evidence of compromise instead. Require multi-factor authentication, preferring phishing-resistant methods, for anyone accessing sensitive data or sites.
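A password screening and storage routine in the spirit of NIST SP 800-63B, added here as an example for this article (it is not the page's or any vendor's code). The 12-character minimum, the tiny stand-in for a breached-password corpus, and the organization words are assumptions chosen for the demonstration; in production the breached list would be a large corpus or a k-anonymity lookup service.

```python
"""Password screening and storage along the lines of NIST SP 800-63B.

Added example for this article, not code from the page's author or any vendor.
MIN_LENGTH, BREACHED and the org words passed in are assumptions for the demo.
"""
import hashlib
import hmac
import secrets

MIN_LENGTH = 12  # assumption: stricter than the 8-character floor in SP 800-63B
# Constructed stand-in for a breached-password corpus (in practice, millions of entries).
BREACHED = {"password", "password123", "letmein", "qwerty123", "welcome1"}
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl")


def check_password(candidate: str, username: str, org_words=()) -> list[str]:
    """Return the reasons a candidate is rejected (an empty list means accepted).
    Deliberately no composition rules (upper/lower/digit/symbol) and no expiry:
    800-63B favours length plus screening over both."""
    reasons = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    if username and username.lower() in low:
        reasons.append("contains the username")
    for word in org_words:
        if word.lower() in low:
            reasons.append(f"contains context-specific word '{word}'")
    if len(set(low)) == 1:
        reasons.append("repeats a single character")
    elif any(low in seq or low in seq[::-1] for seq in SEQUENCES):
        reasons.append("is a keyboard or alphabet sequence")
    return reasons


def hash_password(password: str) -> str:
    """Memory-hard hash with a random per-user salt; the cost parameters are
    stored alongside so they can be raised later without breaking old records."""
    n, r, p = 2 ** 14, 8, 1
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"scrypt${n}${r}${p}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    for pw in ("password123", "Acme2024rocks!!", "correct horse battery staple"):
        print(pw, "->", check_password(pw, "jsmith", ("Acme",)) or "accepted")
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))
```

The screening function rejects the breached and context-specific candidates and accepts the long passphrase without demanding symbols or digits; the storage half uses a salted memory-hard KDF and a constant-time comparison, which is what limits the damage when the credential store itself is stolen.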
Security Awareness
The 2019 Verizon Data Breach Investigations Report (DBIR) states that end user error is the top threat action in breaches. The most common initial point of attack is targeted social engineering, and particularly phishing.
However, organizations often struggle with how to train their employees to recognize social engineering attempts and report them. Phishing, pretexting, and other social engineering attacks succeed largely because of a lack of sound security awareness training and of end-user validation procedures (a way to confirm an unusual request through a second channel).
You should conduct regular security awareness training exercises, including phishing tests, pretexting, and additional social engineering as needed. Employee training should be contextual and relevant to their job functions, and you should track success or failure rates to make sure there’s improvement.
Now that we’ve listed the most common types of cybersecurity vulnerabilities along with some ideas for remediation, we can begin to think about how to identify any vulnerabilities that might exist in your systems.
Identifying Vulnerabilities for Your Business
Most of the time, vulnerabilities are categorized as either “known” or “unknown,” depending on your organization’s awareness of their existence.
Every year, there are new known vulnerabilities identified of which your organization needs to be aware. According to the 2021 X-Force Threat Intelligence Index, in 2020 alone there were 17,992 new vulnerabilities identified for a grand total of 180,171 vulnerabilities.
Although new vulnerabilities are constantly being identified, and patches are often available at or soon after disclosure, known vulnerabilities frequently remain unpatched for months, and attackers exploit them at scale.
At the same time, unknown vulnerabilities also pose risk to your organization, and are potentially exploitable via zero-day exploits.
A zero-day vulnerability is one that is unknown to, or not yet patched by, the vendor responsible for fixing it; a zero-day exploit targets such a vulnerability. Until a patch is available and applied, attackers can use it to compromise a program, data store, computer, or network, and your only defenses are the surrounding controls and detection.
Zero-day vulnerabilities in widely used software put every customer of that software at a higher risk of a data breach or a supply chain attack, because a single exploit works against many targets at once.
A sound vulnerability management process will enable your organization to identify, rank and remediate any vulnerabilities that could potentially be exploited by cybercriminals.
Vulnerability Management
Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating security vulnerabilities.
Typically, the first step of vulnerability management is to identify vulnerabilities. Doing so requires an accurate asset inventory, since you cannot assess what you do not know you own, and then vulnerability detection, which usually consists of vulnerability scanning, penetration testing, or both.
A vulnerability scanner is software that is designed to assess your computers, networks, or applications for any known vulnerabilities. A penetration test is a controlled attack simulation carried out using automated software or by penetration testers to identify and test any vulnerabilities in your IT security.
Whether you use a vulnerability scanner or a penetration test, the goal is to identify vulnerabilities in your security so they can be ranked and remediated. Once any vulnerabilities are found, you should then begin the vulnerability assessment process.
A vulnerability assessment will help you determine not only what vulnerabilities exist in your security system, but it also enables you to classify them so that you can prioritize those that have the most potential for harm.
You should rank your vulnerabilities by severity and prioritize your actions to remediate them. How critical a vulnerability is should dictate how quickly it is remediated. We will explore ranking cyber vulnerabilities in more depth below.
Remediating vulnerabilities involves taking direct action to fix the vulnerability: patching or upgrading software, changing an insecure configuration, or closing unneeded ports and services. Where a fix is not possible, a documented exception with compensating controls and an owner is the fallback, but that is accepted risk rather than remediation. Your organization should remediate vulnerabilities as soon as you understand the risk and assign a priority.
Finally, you need to mitigate any future vulnerabilities by implementing controls with the ultimate goal of reducing the attack surface of your systems. Examples of mitigating controls include threat intelligence, entity behavior analytics, and intrusion detection with prevention.
Because cyberattacks are constantly evolving, your vulnerability management program should be a continuous and repetitive practice to ensure your organization stays protected.
Vulnerability Databases
In addition to a vulnerability management program that’s unique to your business needs, your organization should utilize vulnerability databases to stay current on the latest known vulnerabilities that might affect your systems or software.
A vulnerability database is a platform that collects, maintains, and shares information about known vulnerabilities.
One of the largest vulnerability databases is the Common Vulnerabilities and Exposures (CVE) list run by MITRE, which assigns each publicly disclosed vulnerability a unique CVE identifier. The National Vulnerability Database (NVD), run by NIST, enriches CVE records with a Common Vulnerability Scoring System (CVSS) score that reflects the technical severity of the vulnerability; the potential risk to your organization depends on where and how the affected software is deployed.
IBM Security X-Force ranked the top 10 CVEs of 2020 based on how frequently threat actors exploited or attempted to exploit them. The ranking is based on both IBM X-Force incident response (IR) and IBM managed security services (MSS) data for 2020.
According to these findings, attackers focused on common enterprise applications and open source frameworks that many businesses use within their networks.
In addition, MITRE also published the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) list in 2021.
Using the IBM Security X-Force Top 10 CVEs of 2020 list and the CWE Top 25 list from MITRE in conjunction, you should identify any vulnerabilities that might be applicable to your organization and prioritize remediating them as quickly as possible.
Ranking Cyber Vulnerabilities
One of the most difficult parts of an effective vulnerability management program is deciding which vulnerabilities should be given highest priority for remediation. But many organizations are oftentimes overwhelmed before they even reach this step of the vulnerability management process.
Identifying vulnerabilities using vulnerability detection methods can produce an abundance of information — the results of vulnerability scans can contain hundreds or even thousands of vulnerabilities that are distributed throughout a number of your systems and applications.
So what is the best way to begin ranking vulnerabilities when you have been handed an overwhelming amount of risk data?
Here are four steps you can take to successfully rank your vulnerabilities and prioritize your remediation efforts:
1. Assess the severity of each vulnerability.
Most of the time you can take a severity rating from the vendor of your vulnerability management tool, but base the final assessment on the damage a successful exploit could cause, and prioritize vulnerabilities for which a working exploit is public or known to be in active use (CISA's Known Exploited Vulnerabilities catalog is one source for the latter).
Using a consistent scale such as the Common Vulnerability Scoring System (CVSS), which is maintained by FIRST and published for each CVE by the National Vulnerability Database (NVD), lets your organization react quickly and consistently to new vulnerabilities. CVSS rates a vulnerability on a 0 to 10 scale from formulas that combine exploitability metrics (attack vector, attack complexity, privileges required, user interaction) with impact metrics (confidentiality, integrity, availability). Note that the base score describes the vulnerability in isolation, not the risk to you; the next two steps supply that context.
2. Determine the sensitivity of your data.
How sensitive your data is will determine how much risk each vulnerability poses. Any systems containing electronic personal health information (e-PHI) or personally identifiable information (PII) should be treated with more care than systems that contain publicly available information.
However, gathering information on data sensitivity can be difficult. For starters, you can use this simple model that divides data into categories based on the degree of sensitivity:
- Highly sensitive information: heavily regulated information or information that would be extremely damaging to your organization if exposed. This might include credit card numbers, e-PHI, or bank account details.
- Internal information: information that doesn’t fit the highly sensitive definition but shouldn’t be publicly released. This is usually the broadest category of data sensitivity, and should be subdivided at a later date once you have a more mature data classification program.
- Public information: anything your organization is willing to disclose to the general public. For example, product literature, public website data, or released financial statements.
You should start by focusing on highly sensitive information, working with security experts to determine the most critical pieces of information that your organization handles. Identify where that information is stored, processed, and transmitted, and then you can think about assigning a data sensitivity rating.
When assigning a data sensitivity rating to your systems, you should base your rating off of the highest level of information that is stored or processed on your system. For example, using a five-point scale, you should assign systems processing highly sensitive information a data sensitivity rating of five, while systems processing internal information should receive a rating of two, three, or four, depending on the degree of sensitivity. Any other systems can be rated as one.
3. Evaluate existing controls.
Next, evaluate the controls that protect each potentially vulnerable system from exploitation, such as its network exposure, patch currency, endpoint protection, and monitoring coverage. Which method you use to assign these ratings will depend on the controls your organization requires.
Choose a rating scale that accurately reflects the controls in your environment, using the same five-point scale as for data sensitivity: assign higher ratings to systems with strong controls and a rating of one to systems with none.
4. Compare your results.
Once you have gathered all of this information, you can use it to assess the vulnerabilities that show up in vulnerability detection reports.
Multiply the CVSS severity by the data sensitivity rating and divide by the controls rating. With the 10-point CVSS scale and five-point scales for sensitivity and controls, this ranks vulnerabilities from 0.2 for a CVSS 1.0 finding on a well-controlled system holding only public information (1 × 1 / 5) up to a maximum of 50 for a CVSS 10 finding on a system with no meaningful controls that holds highly sensitive information (10 × 5 / 1). Remediate from the top of that list down.
If this seems like a lot of data to gather and math to perform, you’re right. Fortunately, there are ways you can automate the process to make it easier for you.
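The four steps carried through on a small constructed inventory, as an added example for this article (not the page's or any vendor's code). The hosts, data classes, controls ratings and scanner findings are made up for the demonstration; the composite score is the article's severity × sensitivity / controls, and the CVSS qualitative bands are the standard CVSS v3.x ones.

```python
"""Composite vulnerability ranking: CVSS severity x data sensitivity / controls.

Added example for this article, not the page's or any vendor's code. The hosts,
findings and ratings are constructed for the demonstration.
"""

# Data sensitivity on the article's five-point scale (1 = public, 5 = highly sensitive);
# the three "internal" sub-levels are an assumed subdivision of the internal category.
SENSITIVITY = {"public": 1, "internal_low": 2, "internal": 3,
               "internal_high": 4, "highly_sensitive": 5}

# Constructed inventory: what each system holds and how strong its controls are
# (1 = no meaningful controls, 5 = strong), per the article's controls rating.
SYSTEMS = {
    "web-01":   {"data": ["public"], "controls": 4},
    "db-01":    {"data": ["highly_sensitive", "internal"], "controls": 2},
    "hr-app":   {"data": ["internal_high"], "controls": 1},
    "kiosk-03": {"data": ["public"], "controls": 5},
}

# Constructed scanner output: CVSS v3 base score plus whether a public exploit exists.
FINDINGS = [
    {"id": "F-1", "host": "web-01",   "cvss": 9.8, "known_exploit": True},
    {"id": "F-2", "host": "db-01",    "cvss": 6.5, "known_exploit": False},
    {"id": "F-3", "host": "hr-app",   "cvss": 5.3, "known_exploit": True},
    {"id": "F-4", "host": "kiosk-03", "cvss": 1.0, "known_exploit": False},
]


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative rating for a base score."""
    if score == 0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def system_sensitivity(system: dict) -> int:
    """Rate a system by the most sensitive class of data it stores or processes."""
    return max(SENSITIVITY[c] for c in system["data"])


def composite_score(cvss: float, sensitivity: int, controls: int) -> float:
    """Severity scaled up by data sensitivity and down by control strength.
    Bottom of the range is 1.0 * 1 / 5 = 0.2, top is 10 * 5 / 1 = 50."""
    if not (0.0 <= cvss <= 10.0 and 1 <= sensitivity <= 5 and 1 <= controls <= 5):
        raise ValueError("rating out of range")
    return round(cvss * sensitivity / controls, 2)


def rank_findings(findings=FINDINGS, systems=SYSTEMS) -> list[dict]:
    """Score every finding in the context of its host and return them highest first;
    a known public exploit breaks ties between equal composite scores."""
    ranked = []
    for f in findings:
        host = systems[f["host"]]
        score = composite_score(f["cvss"], system_sensitivity(host), host["controls"])
        ranked.append({**f, "band": cvss_band(f["cvss"]), "score": score})
    ranked.sort(key=lambda r: (r["score"], r["known_exploit"]), reverse=True)
    return ranked


if __name__ == "__main__":
    for r in rank_findings():
        print(f'{r["id"]} {r["host"]:9} CVSS {r["cvss"]:4} ({r["band"]:8}) '
              f'exploit={r["known_exploit"]!s:5} composite={r["score"]}')
```

On this data the CVSS 9.8 finding on the public web server ranks third, behind a Medium on the uncontrolled HR application and a Medium on the database holding regulated data. That inversion is the reason for the extra two ratings: a raw CVSS sort would have sent the team to the wrong host first.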
Protect Your Business from Vulnerabilities with ZenGRC
Ranking your system’s vulnerabilities can be challenging when you can’t get a clear picture of your full threat landscape. Good governance, risk management, and compliance software can help you see the big picture when it comes to your vulnerability management program.
ZenGRC from Reciprocity is an integrated platform that gives you real-time and continuous monitoring of your organization’s vulnerability management efforts.
Through automation and integration, ZenGRC allows for a complete view of your vulnerabilities, creating visibility and scalability throughout your entire organization.
With ZenGRC, a team of cybersecurity professionals is always looking out for your organization and its assets to make sure you get the best protection against security breaches and cyberattacks.
ZenGRC’s compliance, risk, and workflow management software is an intuitive, easy-to-understand platform that not only keeps track of your workflow, but also lets you find areas of high risk before that risk has manifested as a real threat.
To see how ZenGRC can help your organization implement a sound vulnerability management program, contact us for a demo today. Worry-free risk management is the Zen way.