Vulnerability management is the time-consuming process of finding and patching a seemingly unlimited number of potential risks. The National Institute of Standards and Technology (NIST) reports more than 23,000 new vulnerabilities for 2022, of which more than 17,000 are classified as critical. For many organizations, simply prioritizing vulnerabilities becomes a monumental task on its own. The resulting backlog makes an attractive target for threat actors who strike before fixes roll out.

A recent study revealed that more than half of the organizations surveyed reported having more than 100,000 vulnerabilities sitting in backlogs. These organizations reported a whopping 1.1 million backlogged vulnerabilities overall. Poor prioritization, a lack of effective tools and a lack of detailed information about risks all contributed to the massive backlogs accumulated.

How can organizations stay ahead of this tidal wave of backlogged vulnerabilities? A new Cybersecurity and Infrastructure Security Agency (CISA) initiative may hold some of the answers.

CISA proposes a new approach

NIST recently released its National Vulnerability Database statistics for 2022. Interestingly, the distribution of severe vulnerabilities over time dropped in 2022 compared to 2021, but this doesn’t mean vulnerabilities are any less of a threat. New risks will continue to spring up for as long as hardware and software run important systems. Balancing time between addressing severe and lesser vulnerabilities will always be a challenge.

This November, CISA announced a new initiative to transform vulnerability management. The agency is introducing a standardized approach to help shorten the time required for vendors to find and address vulnerabilities:

  • CISA will release machine-readable advisories to simplify the identification and patching process, focusing on automating vulnerability patching.
  • Each advisory will clearly communicate the risks associated with each vulnerability and detail which are exploitable. The standardized format will minimize the time required to sift through data to act.
  • CISA strongly encourages using a vulnerability management framework and has released the Stakeholder-Specific Vulnerability Categorization (SSVC) framework. SSVC is used to determine vulnerability priority based on factors such as exploitation status, which allows organizations to better target remediation efforts.

Why is it so important to prioritize vulnerabilities?

Many widespread vulnerabilities remain unpatched. Up to 40% of Log4j downloads are still vulnerable to Log4Shell. Threat actors don’t strike only during typical business hours or cease attacks once a vulnerability becomes public knowledge. They rely on an organization’s slow response. State-sponsored Iranian attackers are actively exploiting Log4Shell vulnerabilities and most recently targeted an unpatched VMware server at a federal civilian agency.

Long-term vulnerabilities don’t simply disappear from view because of their age. The 2020 IBM X-Force Threat Intelligence Index reported recurrent attacks through known vulnerabilities many years after they were first discovered. The vulnerabilities highlighted in the report illustrate how threat actors leverage well-documented but unpatched vulnerabilities long after discovery. In fact, many remained targets for longer than two years.

Microsoft recently discovered more than one million unsupported web servers still in service after an outdated server was used in a cyberattack against Indian electrical grids. The Boa web server was discontinued in 2005. Attackers leveraged vulnerabilities present in the web server architecture, which was bundled with software development kits (SDKs) for Internet of Things devices. These vulnerabilities affect a wide range of cameras, routers, access points and more.

The outdated and unsupported web server, which was bundled in multiple SDKs, illustrates the importance of examining the software embedded in your hardware along with the hardware vulnerabilities within your organization.

Address high-priority vulnerabilities before CISA rules are in place

Unaddressed vulnerabilities are a risk to your organization. However, addressing vulnerabilities based on the threat they pose to your specific environment can be a time-consuming process. You may find your team is spending a lot of time going through vendor vulnerability disclosures, MITRE’s annual CWE Top 25 Most Dangerous Software Weaknesses and the OWASP Top 10 Web Application Security Risks. Suddenly, your list of potential vulnerabilities to address has grown exponentially with no signs of slowing.

The good news is that narrowing the list of vulnerabilities to the highest priority for your organization is possible with a few guidelines.

Be industry-specific: What are the most common attack types in your industry?

Vulnerability assessment begins by examining the most common attack types for your industry. Attacks in the healthcare sector, for example, may not mirror cyberattacks on small businesses. Focusing on attacks common to your industry can help you set parameters for addressing the most relevant vulnerabilities.

Consider your hardware and software: Which vulnerabilities are the most widespread?

Uncovering the most widespread vulnerabilities across your hardware and software systems is an important step in determining what to address first. A widespread vulnerability is an attractive target since it can affect a large number of systems, giving attackers plenty of opportunities for exploitation. CISA publishes a list of Top Routinely Exploited Vulnerabilities which includes several vulnerabilities from popular office and collaboration software common across multiple sectors.

Think about access and function: Which vulnerabilities affect high-impact accounts and devices with high-level access and permissions?

Criminal attackers seek the highest level of permissions on the most important systems within an organization. Addressing vulnerabilities within these areas is critical to preventing access that might not otherwise be achieved on patched systems. Consider the risks to assets with high-level permissions. Determine how high-level access and functionality must be protected. Will unpatched vulnerabilities in the systems you use allow attackers to bypass security controls or other failsafe features to gain access to mission-critical data or systems? How might a system be impacted by a compromised high-level user account versus lower-level accounts?
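The three guidelines above (industry relevance, how widespread a flaw is, and whether it touches high-privilege assets) can be turned into a repeatable triage pass over a backlog. The following is an added example, not code from the article, CISA or SSVC: the weights and thresholds are assumptions chosen for illustration, the outcome names borrow SSVC's deployer outcomes (defer, scheduled, out-of-cycle, immediate) but the scoring is not SSVC's decision tree, and the CVE ids and backlog entries are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed finding record. Fields follow the article's three guidelines:
# industry relevance, how widespread the flaw is, and whether it touches
# high-privilege assets. The CVE ids used below are placeholders, not real ones.
@dataclass
class Finding:
    cve: str
    asset_count: int          # systems in the inventory carrying the flaw
    exploited_in_wild: bool   # e.g. listed in CISA's Known Exploited Vulnerabilities catalog
    internet_exposed: bool    # reachable from outside the network
    sector_relevant: bool     # matches attack types common in your industry
    privileged_assets: int    # affected systems holding high-level access or permissions

def score(f: Finding) -> float:
    """Weighted score; the weights are an assumption for this example, not SSVC's tree."""
    s = 0.0
    if f.exploited_in_wild:
        s += 45           # active exploitation dominates every other factor
    if f.internet_exposed:
        s += 15
    if f.sector_relevant:
        s += 10
    s += 20 * min(f.asset_count, 100) / 100   # widespread: saturates at 100 assets
    if f.privileged_assets > 0:
        s += 25           # touches accounts or devices with high-level access
    return s

def tier(s: float) -> str:
    """Map a score to an outcome, using SSVC's deployer outcome names."""
    if s >= 75:
        return "immediate"
    if s >= 45:
        return "out-of-cycle"
    if s >= 25:
        return "scheduled"
    return "defer"

def triage(findings):
    """Return (cve, tier) pairs, most urgent first."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.cve, tier(score(f))) for f in ranked]

# Constructed sample backlog (placeholder ids).
FINDINGS = [
    Finding("CVE-0000-0001", 120, True, True, True, 12),   # Log4Shell-like: widespread, exploited, privileged
    Finding("CVE-0000-0002", 300, False, True, False, 0),  # discontinued embedded web server on cameras
    Finding("CVE-0000-0003", 5, True, False, False, 0),    # exploited in the wild, but only on five internal hosts
    Finding("CVE-0000-0004", 2, False, False, False, 0),   # low-impact flaw on two hosts
]

if __name__ == "__main__":
    for cve, t in triage(FINDINGS):
        print(f"{cve}: {t}")
```

Note that the exploited-but-narrow finding outranks the widespread-but-unexploited one, which is the point the article makes about Log4Shell and Boa: exploitation status, not age or raw count, should drive the order of work.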

Don’t wait to address vulnerabilities

CISA’s focus on providing machine-readable data to help speed the vulnerability patching process will help guide vulnerability prioritization. However, waiting for the program to mature before addressing outstanding vulnerabilities within your organization can have lasting negative effects.

The IBM X-Force Threat Intelligence Index 2022 observed phishing and vulnerability exploitation as the top infection vectors last year. Threat actors continue exploiting known vulnerabilities long after they fall out of the news cycle and will also go after highly publicized weak points. Prioritizing and addressing vulnerabilities within your environment now is important for minimizing risk and loss from the cyberattacks most common to your industry.
