Gartner Report Takes a New Look at Vulnerability Management
There’s More to Vulnerability Management than CVSS score
IoT devices are making their way into every facet of life and business, with almost 4.8 billion IoT devices in use today. These devices are tempting targets for attackers, with 57% vulnerable to high or medium severity attacks. The abundance of these devices leaves gaping holes that attackers can capitalize on to pivot to larger targets inside your organization.
Understanding the risk that IoT and other endpoints bring to your organization is crucial for maintaining security. It is not simply a matter of how critical a vulnerability is on paper; more often, what matters is how exploitable it is in practice. Cybercriminals can chain low-impact attacks into footholds in your infrastructure from which they escalate.
Below we cover why weighing exploitability, not just severity, plays a significant role in securing your organization.
Exploitability Trumps Impact
Gartner’s recent guidance recognizes that managing vulnerabilities is no longer as straightforward as ranking them by CVSS score. Attackers can leverage even low-impact exploits to make significant headway against an organization’s security. This does not mean that vulnerabilities which are both high impact and easily exploited should be pushed down the list; they still come first. It does mean there is more nuance to sorting out the vulnerabilities that score lower.
For example, a low-impact yet trivially easy vulnerability might calculate out to a score of 4. One with high impact that is extremely challenging to exploit may also score a 4, because a CVSS base score folds an exploitability sub-score (attack vector, attack complexity, privileges required, user interaction) and an impact sub-score into a single number. The old rule of thumb would pick the higher-impact one to fix first, despite it being unlikely to be exploited. The newer methodology instead prioritizes the vulnerability that will almost certainly be exploited.
The reason for reconsidering prioritization in this way is that easily exploited vulnerabilities serve as footholds. While the impact of that single vulnerability may not be high, and it may not elevate access by itself, it improves the attacker’s position for the rest of the intrusion. Think of it as gaining the high ground.
If enough of these low-impact yet highly exploitable vulnerabilities are used together, they can lower the difficulty of exploiting higher-impact ones, for example by putting the attacker on the network segment, or in the authenticated role, that a hard-to-reach vulnerability requires. This lets attackers escalate their access quickly and efficiently.
The foothold argument leads to the related problem of chaining vulnerabilities. Chaining happens when multiple lower-impact vulnerabilities are used together to produce a higher impact that none of them could cause individually. This is similar to the scenario above, but here no higher-impact vulnerability needs to exist at all; only the exploitation of several exposures in sequence.
There are ways of identifying where this can occur, but even highly trained security personnel need time to spot such scenarios. In large and complex organizations it may not be feasible at all, because the amount of data to parse is overwhelming. In that case, the most reliable option is to patch and remediate the individual holes before criminals can string them together.
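One way to spot the chaining scenarios described above is to model each finding by the access it requires and the access it yields, then search for paths from an attacker’s starting position to a valuable target. The following is an added example (not DeviceTotal’s code, and not a method the article itself describes); the devices, findings, privilege labels and CVSS base scores are all constructed.

```python
"""Added example (not DeviceTotal's code): finding vulnerability chains by
searching a graph whose nodes are privileges and whose edges are findings.
Every device, finding, privilege label and base score below is constructed."""

# Constructed findings for a small site. "needs" is the access an attacker
# must already hold to exploit the finding; "gives" is what exploiting it
# yields. "score" is the finding's own CVSS base score: none is above 5.3.
FINDINGS = [
    {"id": "F1", "device": "ip-camera", "needs": "network", "gives": "camera-shell", "score": 5.3},
    {"id": "F2", "device": "ip-camera", "needs": "camera-shell", "gives": "printer-vlan", "score": 3.7},
    {"id": "F3", "device": "print-server", "needs": "printer-vlan", "gives": "stored-creds", "score": 4.3},
    {"id": "F4", "device": "file-server", "needs": "stored-creds", "gives": "file-server-admin", "score": 4.3},
    {"id": "F5", "device": "badge-reader", "needs": "network", "gives": "printer-vlan", "score": 4.0},
]


def find_chains(findings, start, target, max_len=6):
    """Enumerate simple chains from `start` to `target`. A chain is a path in
    which each finding consumes exactly the access the previous one produced,
    so no step is superfluous; `max_len` bounds the search on large graphs."""
    chains = []

    def walk(access, seen, path):
        if access == target:
            chains.append([f["id"] for f in path])
            return
        if len(path) >= max_len:
            return
        for f in findings:
            # Skip steps that only lead back to access already gained (no cycles).
            if f["needs"] == access and f["gives"] not in seen:
                walk(f["gives"], seen | {f["gives"]}, path + [f])

    walk(start, {start}, [])
    return chains


def max_step_score(findings, chain):
    """Highest individual base score in a chain: shows that a chain ending in
    admin access can consist entirely of medium-and-below findings."""
    by_id = {f["id"]: f for f in findings}
    return max(by_id[fid]["score"] for fid in chain)


def choke_points(chains):
    """Count how many chains each finding participates in. Fixing the top
    entries breaks the most paths for the least work; ties are broken by id."""
    counts = {}
    for chain in chains:
        for fid in set(chain):
            counts[fid] = counts.get(fid, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    chains = find_chains(FINDINGS, "network", "file-server-admin")
    for chain in chains:
        print(" -> ".join(chain), "max single score:", max_step_score(FINDINGS, chain))
    print("fix first:", choke_points(chains))
```

On the constructed inventory there is no single finding that takes an attacker from the network to file-server admin, yet two chains do, and no step in either scores above 5.3. The participation count also answers the practical question of what to patch first: F3 and F4 sit on every chain, so fixing either one severs all discovered paths, whereas fixing the camera alone leaves the badge-reader route open.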
Understanding Your Landscape
The only way to gain control of the potential vulnerabilities on the endpoints and devices in your organization is a complete and in-depth understanding of what is connected to your infrastructure. Part of this comes from an up-to-date inventory, which may already exist in a CMDB (Configuration Management Database). The other part is taking that inventory and deducing which vulnerabilities exist in the items it contains.
Everything Contributes Differently
It is crucial to understand that every device and endpoint contributes slightly differently to overall risk. Consider something as simple as a smartphone. Even if it runs the same OS and version as another phone on the network, it can carry a different set of vulnerabilities because of its installed software and configuration. Analyzing this and dealing with each device case by case is crucial for managing your complete threat landscape.
Many existing solutions either scan devices through an installed agent or run credentialed scans against them over the network. Agent-based scans can deliver more in-depth results, but they bring the burden of maintaining agent installs and troubleshooting when they break. Agentless scans, on the other hand, generate more network traffic and cannot reach off-site devices that only connect occasionally, via VPN or on site.
Making Informed Decisions
The other part of knowing your landscape comes before acquiring new technology. Pre-purchase evaluation helps your organization understand what it is getting into and how much work it will take to keep the product secure over the long term. When new devices come on board, they are often left with factory default software and settings, and in many cases those defaults are less than secure. Studies have shown that cybercriminals can attack some IoT devices less than a minute after they are brought online. Determining whether a new technology is a bigger risk than it is worth, before spending time and resources on its deployment, can save your organization major security headaches in the long run.
When securing your organization, you need a solution that can thoroughly analyze and assess your attack surface. This solution needs to integrate with the existing data and solutions you already have to deliver in-depth vulnerability information tailored specifically to each device and endpoint.
DeviceTotal is the industry’s first Universal Device Security Repository. Our repository draws on the Cybersecurity and Infrastructure Security Agency (CISA) catalog of known exploited vulnerabilities. With this, we deliver 100% risk accuracy and attack vector visibility for each device, site, and organization.
This granular visibility goes beyond risk to calculate actual exploitability for every device, giving your organization the depth of risk visibility needed to determine its real priorities. As a fully automated solution that scales as your needs change, DeviceTotal protects the attack surfaces of large organizations. Contact us today to schedule a demo and learn how DeviceTotal can help your organization take control of its vulnerability risk.