Do you patch all critical vulnerabilities within 'X' days?
If you've dealt with an audit, cyber insurance, or third-party vendor due diligence, you've probably seen some variant of that question above. The dirty IT secret is, I bet not a single organization can answer yes – not if they're being 100% true to the question, as stated and implied.
Many factors affect the criticality and timeliness of vulnerability patching, for example:
- When was the vulnerability published vs when did your organization become aware of it?
- Is a patch available (yet)?
- Is your organization in control of the system? Perhaps it's managed by someone else.
- What's the maintenance window? Some systems are so critical that downtime for maintenance is only permitted at certain intervals.
- What's the actual Risk to your organization?
...What's that last one? Risk? Isn't the title "critical" the indicator of risk?
It's not! At least, it's not that simple. Let's dive in...
Why vulnerabilities are often labeled "critical" upon release:
Most software security vulnerabilities are scored using the Common Vulnerability Scoring System (CVSS). In fact, America's cyber defense agency (CISA) and the National Institute of Standards and Technology (NIST)'s National Vulnerability Database rely on CVSS scoring when publicizing the latest cyber threats.
Yet, the very second sentence of NIST's summary of the CVSS is, "CVSS is not a measure of risk" (and the bold text comes from them!).
The CVSS score assigned to each vulnerability is a way of scoring the potential severity of a threat, and the likelihood of it happening, absent other factors. This scoring system is both an indicator of potential severity and a resource for calculating the severity specific to your organization.
How to evaluate a vulnerability's risk to your organization:
To evaluate the actual risk of a particular vulnerability, first the environmental aspects must be considered. The CVSS Base Score (the published score) is functionally the "worst case scenario" for that particular issue, but how it maps to your specific organization's characteristics might alter the practical risk to you.
Seems intuitive, yes? That's why the CVSS calculators, all the way back to version 1.0 in 2005, have always included an "environmental" section of factors! Since that section is specific to each organization, it's left blank by default when calculating the CVSS Base Score. And rarely do organizations use it...
So how does this recalculate the threat of a particular vulnerability? Let's go through a hypothetical rescoring situation to see:
Take a CVSS v3.0 score of 9.8 out of 10 – a "near worst case" vulnerability, where the attacker can easily exploit the vulnerability without anyone else's involvement, over the internet, no credentials required, and it compromises the entire software package.
What if you have that software, but it's only accessible from within your organization? It's not exposed to the internet; the attacker can't easily "reach out and touch it." If you change the CVSS "attack vector" metric to "adjacent network", that vulnerability score drops to 8.8, a "High" instead of a "Critical" score.
Now what if the impact of that system being hacked is not significant to your organization? Perhaps it's a single system in its own demilitarized zone (DMZ) segmented from your primary business operations, the data it contains is not of high value, and you can rebuild the whole thing without much effort. Setting these three impact metrics to "low" results in a new final score of 6.9, a "Medium" risk. That significantly changes how you prioritize this theoretical vulnerability.
And there's that magic word: Prioritize. That's ultimately the point of any of these evaluations – whether by your cyber insurance provider or an auditor – to gauge how you manage practical risk factors and prioritize them. Like any other aspect of risk management, you can never take care of everything, and never all at once. No organization has unlimited money and unlimited time for IT security improvements. You must prioritize the risks that are most probable and are of higher impact to you.
Prioritizing Vulnerabilities: Recommended Resources
So which critical vulnerabilities should you address first? This is where the newer Exploit Prediction Scoring System (EPSS) comes into play. The EPSS comes from the same working group that publishes the CVSS model, "FIRST".
If a vulnerability is not already being exploited (zero-day), then there's a window to secure systems before hackers begin to exploit the published vulnerability. By providing a data-driven model to predict which vulnerabilities are most likely to be exploited (and thus might be exploited sooner than others, if at all), EPSS can help you confidently determine what to patch or otherwise secure first in your organization.
EPSS should not be used alone without considering the environmentally-adjusted CVSS score, as well as other risk factors specific to your scenario.
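One way to put the two signals together, as an added example that is not from the article or from FIRST: parse the EPSS feed (a CSV whose first line is a `#model_version...` comment followed by a `cve,epss,percentile` header) and rank each finding by its environmentally adjusted CVSS score together with its exploitation probability, so that neither number is used on its own. The CVE identifiers, EPSS values and inventory below are constructed placeholders, and the `epss_floor` / `min_env_cvss` thresholds are illustrative choices, not FIRST guidance.

```python
# Added example: combine EPSS probabilities with environmentally adjusted CVSS
# scores into a patch queue. The feed layout (comment line, then
# cve,epss,percentile) is FIRST's; the rows are CONSTRUCTED sample data with
# placeholder CVE ids, not real scores.
import csv

EPSS_SAMPLE = """\
#model_version:v2023.03.01,score_date:2024-01-01T00:00:00+0000
cve,epss,percentile
CVE-1900-0001,0.00042,0.10000
CVE-1900-0002,0.97310,0.99900
CVE-1900-0003,0.21500,0.96000
"""

# Constructed inventory: env_cvss is the score after YOUR environmental
# rescoring (MAV, CR/IR/AR, ...), not the published base score.
INVENTORY = {
    "CVE-1900-0001": {"asset": "internal-wiki", "env_cvss": 6.9},
    "CVE-1900-0002": {"asset": "vpn-gateway", "env_cvss": 8.8},
    "CVE-1900-0003": {"asset": "hr-portal", "env_cvss": 7.3},
}


def parse_epss(text):
    """Return {cve: (epss, percentile)} from EPSS CSV text, skipping '#' comment lines."""
    lines = [ln for ln in text.splitlines() if ln and not ln.startswith("#")]
    scores = {}
    for row in csv.DictReader(lines):
        scores[row["cve"]] = (float(row["epss"]), float(row["percentile"]))
    return scores


def patch_queue(inventory, epss, epss_floor=0.10, min_env_cvss=7.0):
    """Rank findings. A finding is 'urgent' if EPSS says exploitation is likely
    (>= epss_floor) OR it is still High/Critical after environmental rescoring.
    Urgent items come first, ordered by EPSS then by adjusted score; the rest are
    listed afterwards rather than dropped, since EPSS alone is not a risk measure."""
    ranked = []
    for cve, item in inventory.items():
        p, pct = epss.get(cve, (0.0, 0.0))  # no EPSS row -> treat as 0, not as safe
        ranked.append({
            "cve": cve,
            "asset": item["asset"],
            "env_cvss": item["env_cvss"],
            "epss": p,
            "percentile": pct,
            "urgent": p >= epss_floor or item["env_cvss"] >= min_env_cvss,
        })
    ranked.sort(key=lambda r: (not r["urgent"], -r["epss"], -r["env_cvss"]))
    return ranked


if __name__ == "__main__":
    for r in patch_queue(INVENTORY, parse_epss(EPSS_SAMPLE)):
        flag = "PATCH NOW" if r["urgent"] else "schedule"
        print(f"{flag:9s} {r['cve']}  {r['asset']:14s} env={r['env_cvss']:.1f} epss={r['epss']:.5f}")
```

The gateway vulnerability leads because both signals agree; the HR portal follows on adjusted severity even though exploitation is less likely; the wiki finding, Medium after rescoring and with a negligible EPSS, is scheduled rather than rushed. Swap in your own thresholds and the other factors the article lists (patch availability, ownership, maintenance windows) before treating the output as a plan.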
So do you patch all "critical" vulnerabilities within a certain number of days?
If you evaluate and re-score every vulnerability first, then perhaps you can safely answer yes!
It's understandable, though, that this article may have raised more questions for you than it did answers. That's okay – risk management is a complex job best left up to IT security experts. If you're in need of some IT expertise or assistance with risk management in your organization, reach out to an expert here at Five Nines. We're here to help!