December 21, 2022 By Michelle Greenlee 4 min read

Vulnerability management is the time-consuming process of finding and patching a seemingly unlimited number of potential risks. The National Institute of Standards and Technology (NIST) reports more than 23,000 new vulnerabilities for 2022, where more than 17,000 are classified as critical. For many organizations, simply prioritizing vulnerabilities becomes a monumental task on its own. The resulting backlog makes an attractive target for threat actors who strike before fixes roll out.

A recent study revealed that more than half of the organizations surveyed had more than 100,000 vulnerabilities sitting in backlogs. In total, these organizations reported more than 1.1 million backlogged vulnerabilities. Difficulty prioritizing, a shortage of effective tools and a lack of detailed information about risks all contributed to the massive backlogs.

How can organizations stay ahead of this tidal wave of backlogged vulnerabilities? A new Cybersecurity and Infrastructure Security Agency (CISA) initiative may hold some of the answers.

CISA proposes a new approach

NIST recently released its National Vulnerability Database statistics for 2022. Interestingly, the distribution of severe vulnerabilities over time dropped in 2022 compared to 2021, but this doesn’t mean vulnerabilities are any less of a threat. New risks will continue to spring up for as long as hardware and software run important systems. Balancing time between addressing severe and lesser vulnerabilities will always be a challenge.

This November, CISA announced a new initiative to transform vulnerability management. The agency is introducing a standardized approach to help shorten the time required for vendors to find and address vulnerabilities:

  • CISA will release machine-readable advisories to simplify the identification and patching process, focusing on automating vulnerability patching.
  • Each advisory will clearly communicate the risks associated with each vulnerability and detail which are exploitable. The standardized format will minimize the time required to sift through data to act.
  • CISA strongly encourages using a vulnerability management framework and has released the Stakeholder-Specific Vulnerability Categorization (SSVC) framework. The document is used to determine vulnerability priority and exploitation status, which will allow organizations to better target remediation efforts.

Why is it so important to prioritize vulnerabilities?

Many widespread vulnerabilities remain unpatched. Up to 40% of Log4j downloads are still vulnerable to Log4Shell. Threat actors don’t limit themselves to typical business hours or cease attacks once a vulnerability becomes public knowledge. They rely on an organization’s slow response. State-sponsored Iranian attackers are actively exploiting Log4Shell vulnerabilities and most recently targeted an unpatched VMware server at a federal civilian agency.

Long-term vulnerabilities don’t simply disappear from view because of their age. The 2020 IBM X-Force Threat Intelligence Index reported recurrent attacks through known vulnerabilities many years after they were first discovered. The vulnerabilities highlighted in the report illustrate how threat actors leverage well-documented but unpatched vulnerabilities long after discovery. In fact, many remained targets for longer than two years.

Microsoft recently discovered more than one million unsupported web servers still in service after an outdated server was used in a cyberattack against Indian electrical grids. The Boa web server was discontinued in 2005. Attackers leveraged vulnerabilities present in the web server architecture, which was bundled with software development kits (SDKs) for Internet of Things devices. These vulnerabilities affect a wide range of cameras, routers, access points and more.

The outdated and unsupported web server, bundled in multiple SDKs, illustrates the importance of examining software along with hardware vulnerabilities within your organization.

Address high-priority vulnerabilities before CISA rules are in place

Unaddressed vulnerabilities are a risk to your organization. However, addressing vulnerabilities based on the threat they pose to your specific environment can be a time-consuming process. You may find your team is spending a lot of time going through vendor vulnerability disclosures, MITRE’s annual CWE Top 25 Most Dangerous Software Weaknesses and the OWASP Top 10 Web Application Security Risks. Suddenly, your list of potential vulnerabilities to address has grown exponentially with no signs of slowing.

The good news is that narrowing the list of vulnerabilities to the highest priority for your organization is possible with a few guidelines.

Be industry-specific: What are the most common attack types in your industry?

Vulnerability assessment begins by examining the most common attack types for your industry. Attacks in the healthcare sector, for example, may not mirror cyberattacks on small businesses. Focusing on attacks common to your industry can help you set parameters for addressing the most relevant vulnerabilities.

Consider your hardware and software: Which vulnerabilities are the most widespread?

Uncovering the most widespread vulnerabilities across your hardware and software systems is an important step in determining what to address first. A widespread vulnerability is an attractive target since it can affect a large number of systems, giving attackers plenty of opportunities for exploitation. CISA publishes a list of Top Routinely Exploited Vulnerabilities which includes several vulnerabilities from popular office and collaboration software common across multiple sectors.

Think about access and function: Which vulnerabilities affect high-impact accounts and devices with high-level access and permissions?

Criminal attackers seek the highest level of permissions on the most important systems within an organization. Addressing vulnerabilities within these areas is critical to preventing access that might not otherwise be achieved on patched systems. Consider the risks to assets with high-level permissions. Determine how high-level access and functionality must be protected. Will unpatched vulnerabilities in the systems you use allow attackers to bypass security controls or other failsafe features to gain access to mission-critical data or systems? How might a system be impacted by a compromised high-level user account versus lower-level accounts?
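The three guidelines above (industry relevance, how widespread a finding is, and the access level of the affected asset), combined with the exploitation status that the SSVC framework mentioned earlier puts at the centre of its decisions, can be turned into a repeatable ranking. The following Python is an added illustration, not code from the article, CISA or IBM: the weights, thresholds, privilege tiers and the four-item backlog are constructed assumptions and do not reproduce CISA's official SSVC decision tree.

```python
"""Rank a constructed vulnerability backlog using the article's three guidelines
(industry relevance, spread across the fleet, privilege level of the affected
asset) plus an SSVC-style exploitation status.

Added illustration; weights, thresholds and inventory are assumptions and do not
reproduce CISA's official SSVC decision tree."""
from dataclasses import dataclass

# SSVC-style exploitation status, least to most urgent (simplified assumption).
EXPLOITATION_RANK = {"none": 0, "poc": 1, "active": 2}
# Privilege tier of the account or component the finding affects (assumption).
ACCESS_RANK = {"user": 0, "service": 1, "admin": 2}

# Score thresholds (assumption; chosen so that active exploitation of anything
# with elevated access is never left at "track").
ACT_THRESHOLD = 9
ATTEND_THRESHOLD = 5


@dataclass(frozen=True)
class Finding:
    vuln_id: str             # placeholder ids, not real CVE numbers
    product: str
    affected_hosts: int      # systems in our inventory carrying the finding
    access_level: str        # highest privilege the vulnerable component runs with
    exploitation: str        # "none", "poc" or "active"
    industry_relevant: bool  # matches attack types common to our sector


def is_widespread(finding: Finding, total_hosts: int) -> bool:
    """A finding is 'widespread' when it touches at least a quarter of the fleet."""
    if total_hosts <= 0:
        raise ValueError("total_hosts must be positive")
    return finding.affected_hosts * 4 >= total_hosts


def score(finding: Finding, total_hosts: int) -> int:
    """Additive priority score: exploitation dominates, then access, spread, sector."""
    if finding.exploitation not in EXPLOITATION_RANK:
        raise ValueError(f"unknown exploitation status: {finding.exploitation!r}")
    if finding.access_level not in ACCESS_RANK:
        raise ValueError(f"unknown access level: {finding.access_level!r}")
    total = 4 * EXPLOITATION_RANK[finding.exploitation]
    total += 2 * ACCESS_RANK[finding.access_level]
    if is_widespread(finding, total_hosts):
        total += 3
    if finding.industry_relevant:
        total += 2
    return total


def decide(points: int) -> str:
    """Map a score to an SSVC-flavoured outcome: act, attend or track."""
    if points >= ACT_THRESHOLD:
        return "act"
    if points >= ATTEND_THRESHOLD:
        return "attend"
    return "track"


def prioritize(findings, total_hosts):
    """Return (decision, score, finding) tuples, most urgent first."""
    ranked = []
    for f in findings:
        points = score(f, total_hosts)
        ranked.append((decide(points), points, f))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


# Constructed backlog of four findings across a 400-host fleet (sample data).
TOTAL_HOSTS = 400
BACKLOG = [
    Finding("VULN-A", "office suite", 300, "user", "active", True),
    Finding("VULN-B", "backup agent", 5, "admin", "poc", False),
    Finding("VULN-C", "legacy web server in IoT SDK", 60, "service", "none", False),
    Finding("VULN-D", "VPN appliance", 2, "admin", "active", True),
]

if __name__ == "__main__":
    for decision, points, f in prioritize(BACKLOG, TOTAL_HOSTS):
        print(f"{decision:6} {points:2}  {f.vuln_id}  {f.product}")
```

Note how the ranking behaves: the two actively exploited findings land at "act" even though one of them sits on only two hosts, because elevated access on a small number of systems outweighs spread, while the unsupported web server with no known exploit stays at "track" until its exploitation status changes. Re-running the ranking whenever an advisory updates a finding's exploitation status is what keeps the backlog ordered by current risk rather than by age.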

Don’t wait to address vulnerabilities

CISA’s focus on providing machine-readable data to help speed the vulnerability patching process will help guide vulnerability prioritization. However, waiting for the program to mature before addressing outstanding vulnerabilities within your organization can have lasting negative effects.

The IBM X-Force Threat Intelligence Index 2022 observed phishing and vulnerability exploitation as the top infection vectors last year. Threat actors continue exploiting known vulnerabilities long after they fall out of the news cycle and will also go after highly publicized weak points. Prioritizing and addressing vulnerabilities within your environment now is important for minimizing risk and loss from the cyberattacks most common to your industry.
