2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
Vulnerability management and compliance complement each other. Just as compliance with specific regulatory standards helps to effectively manage vulnerabilities, effective management of vulnerabilities also helps to avoid security incidents that can lead to violations.
Given that regulators set different standards, effective and compliant vulnerability management can mean different things to different organisations. There is one common thread, however: risk. Every standard emphasizes risk. For example:
PCI DSS requirement 6.6 states that companies must "establish a vulnerability discovery process and assign a risk score to newly discovered security vulnerabilities."
Article 32 of the GDPR requires that "appropriate technical or organizational measures be implemented to ensure a level of security appropriate to the risk."
The HIPAA Security Rule requires an assessment of the "potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic health information."
The GLBA security regulations require companies to "identify and evaluate customer information risks and evaluate the effectiveness of current risk control security measures."
Many regulatory standards require a risk assessment and an appropriate response in order to achieve and maintain compliance; the above are only excerpts. In the context of vulnerability management, compliance means ranking and fixing vulnerabilities based on risk, as PCI DSS requirement 6.1 describes.
However, because the same vulnerability means different things to different companies, managing vulnerabilities according to risk is not easy. An accurate assessment begins with determining two variables:
What is the probability that the vulnerability will be weaponized?
If it is weaponized, what is the impact on this particular company?
To determine these variables, the following suggestions are available for reference:
1. Understand your assets
Vulnerabilities that may affect critical assets should be fixed as a priority. For most enterprises, critical assets include, but are not limited to, those that fall under one or more security compliance requirements. For example, companies under the jurisdiction of HIPAA should pay special attention to assets that contain personal health information; companies subject to PCI DSS should pay attention to payment card data; and companies under GDPR supervision should focus on user data.
Once critical assets have been identified, identify and document how they are stored, processed, managed, and eventually destroyed. What technologies are associated with these assets? How are they connected? Which users can access these assets, and for what purpose? Who might want to destroy or leak these assets, and why? What happens if these assets are destroyed or leaked? Answers to such questions help identify, classify, and rank the potential vulnerabilities that may affect these assets.
2. The CVSS score is not everything
One of the most common mistakes in ordering remediation actions is to equate the Common Vulnerability Scoring System (CVSS) score with the risk value. Although the CVSS score reflects the nature of the vulnerability and its possible behavior once weaponized, these are standardized measures and do not capture the two variables above that determine the vulnerability's specific risk value: the weaponization probability and the specific potential impact on the company.
In fact, a 2014 study of CVSS scores found that "fixing vulnerabilities based solely on CVSS scores is tantamount to randomly picking vulnerability fixes." The study also found that although the CVSS score of a vulnerability does not appear to be related to its weaponization probability, other factors are related to it, including whether proof-of-concept exploit code exists and whether the exploit code is mentioned in illegal online communities such as deep web forums and dark web markets.
Given that the vast majority of Common Vulnerabilities and Exposures (CVE) entries have never been weaponized, the conclusions of this study are of practical significance. A CVE with a high CVSS score is a real threat only once malicious actors can weaponize it. But to weaponize a vulnerability, attackers first have to determine the weaponization method, which usually requires proof-of-concept (POC) code. The process of using or developing POC code often involves a great deal of trial and error, and most attackers cannot manage it without exchanging information with others in deep/dark web and other illegal online communities.
In other words, regardless of whether the CVSS score is high or low, the existence of POC code and related attacker discussion need to be considered as important risk factors when assessing vulnerabilities.
3. Use a risk assessment framework
To optimize the risk assessment process for the purpose of remediation sequencing, consider using an assessment framework. There are many off-the-shelf risk assessment frameworks, some of which are mandated or recommended by specific regulators, and all of which can help security teams assess, rank, and manage different risks more effectively.
However, whichever framework is adopted, it needs to be implemented according to the company's specific environment and risk factors. In other words, you need to inventory assets, assess the potential impact of those assets being compromised, and judge the probability of vulnerability weaponization. Whether or not a vulnerability risk assessment framework is applied, it is impossible to accurately assess the specific risk of a vulnerability to the company without this information.
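As an added example (not from the original article or any particular framework), the following Python script applies the three steps above to a handful of constructed scanner findings: it weights each finding by the asset class it touches, estimates weaponization likelihood from PoC availability and underground discussion rather than from CVSS alone, and compares the resulting order with a CVSS-only order. The weights, the asset classes and the EXAMPLE-nnnn identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass

# Impact weight of the asset class a vulnerability touches. The classes follow the
# compliance scopes named above (HIPAA -> PHI, PCI DSS -> cardholder data, GDPR ->
# personal data); the weights themselves are assumptions for this example.
ASSET_IMPACT = {
    "phi": 1.0, "cardholder_data": 1.0, "personal_data": 0.8,
    "internal": 0.4, "test": 0.1,
}

@dataclass
class Vuln:
    vuln_id: str            # placeholder identifier, not a real CVE number
    cvss: float             # CVSS base score as reported by the scanner
    asset_class: str        # key into ASSET_IMPACT
    poc_public: bool        # proof-of-concept exploit code is publicly available
    chatter: bool           # exploitation is discussed in underground communities

def likelihood(v: Vuln) -> float:
    """Estimated weaponization probability. Starts from a low base rate (most CVEs
    are never weaponized); PoC availability and underground discussion dominate,
    while CVSS severity contributes only a small nudge. Weights are assumptions."""
    p = 0.05
    if v.poc_public:
        p += 0.45
    if v.chatter:
        p += 0.30
    p += 0.02 * v.cvss
    return min(p, 1.0)

def risk(v: Vuln) -> float:
    """Company-specific risk = likelihood x asset impact x technical severity."""
    return round(likelihood(v) * ASSET_IMPACT[v.asset_class] * v.cvss, 2)

def prioritize(vulns: list[Vuln]) -> list[str]:
    """Remediation order by company-specific risk, highest first."""
    return [v.vuln_id for v in sorted(vulns, key=risk, reverse=True)]

def cvss_only(vulns: list[Vuln]) -> list[str]:
    """The naive order the article warns against: CVSS base score alone."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]

# Constructed sample findings for illustration.
SAMPLE = [
    Vuln("EXAMPLE-0001", 9.8, "test", poc_public=False, chatter=False),
    Vuln("EXAMPLE-0002", 7.5, "cardholder_data", poc_public=True, chatter=True),
    Vuln("EXAMPLE-0003", 5.3, "phi", poc_public=True, chatter=False),
    Vuln("EXAMPLE-0004", 9.1, "internal", poc_public=False, chatter=True),
]
```

On the sample, the CVSS-only order is almost the reverse of the risk-based order: the 9.8 on a test system with no PoC drops to the bottom, while the 7.5 on cardholder data with public PoC and active discussion rises to the top.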
Finally, keep in mind that while compliance should not be the ultimate goal of a security program, every compliance requirement is grounded in risk. Effective vulnerability management, and in particular a sensible ordering of remediation actions, is only feasible when it is based on risk.