Thursday, 11 August 2011

Prioritizing Vulnerability Fixes

The unfortunate thing is that the vulnerabilities that are easiest to fix are rarely the ones that carry the most risk. A risk-based approach dictates that the vulnerabilities posing the highest risk to the organization are addressed first.

To go about this it is necessary to build a prioritized list of vulnerabilities. SANS created a “Top 20” list for just this reason. For most organizations, this is a great place to start.

SANS sponsors the consensus top twenty vulnerability list. The list is available free on the web. Just securing the network against the 20 exploits in this list will give your organization a greater level of security than most organizations have. A list of ports that should be blocked is also available. Start with the organization’s perimeter security. Address the top vulnerabilities first, then move down to the next riskiest level of vulnerabilities. The exercise may never end, but security has never been a point-in-time exercise.

In thinking about what to include in a vulnerability mitigation list consider the following:

  • Historical exploits,
  • Current exploits, and
  • Trojan programs and other malware.

Next consider any compensating controls that may be in place and how much effort is required to fix the vulnerability. At times, a compensating control may be more effective than fixing the vulnerability itself. For instance, it can be extremely difficult to fix a legacy application. An alternative to rewriting legacy code could be the implementation of an application firewall.
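As an added illustration (not code from the original post), one way to turn these considerations into a ranking: score residual risk from business impact and exploit status, discount it by compensating controls already in place, then compare a direct fix against a new compensating control by risk removed per day of effort. The exploit weights, field names and sample vulnerabilities are constructed assumptions, not values from the post.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed weights for exploit status; the order follows the post's list
# (historical exploits, current exploits, active malware).
EXPLOIT_WEIGHT = {"none": 1, "historical": 2, "current": 4, "malware": 5}


@dataclass
class Vuln:
    name: str
    impact: int                   # 1 (low) .. 5 (critical) business impact
    exploit: str                  # key into EXPLOIT_WEIGHT
    controls: float = 0.0         # fraction of risk removed by existing controls
    fix_effort: int = 1           # person-days to fix the vulnerability directly
    alt_effort: Optional[int] = None  # person-days for a compensating control
    alt_controls: float = 0.0     # fraction of risk that control would remove


def residual_risk(v: Vuln) -> float:
    """Impact x exploitability, reduced by compensating controls already in place."""
    return v.impact * EXPLOIT_WEIGHT[v.exploit] * (1.0 - v.controls)


def best_option(v: Vuln) -> Tuple[str, float]:
    """Compare fixing the flaw with adding a compensating control (e.g. an
    application firewall in front of a legacy app); return (option, risk/day)."""
    risk = residual_risk(v)
    options = [("fix", risk / v.fix_effort)]
    if v.alt_effort:
        options.append(("compensate", risk * v.alt_controls / v.alt_effort))
    return max(options, key=lambda o: o[1])


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Highest residual risk first; ties broken by risk removed per day of effort."""
    return sorted(vulns, key=lambda v: (residual_risk(v), best_option(v)[1]), reverse=True)


# Constructed sample findings.
SAMPLE = [
    Vuln("legacy app SQL injection", 5, "current", fix_effort=60, alt_effort=3, alt_controls=0.8),
    Vuln("perimeter port with worm activity", 4, "malware", fix_effort=1),
    Vuln("internal server, old exploit, patched segment", 3, "historical", controls=0.5),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{residual_risk(v):5.1f}  {best_option(v)[0]:10s}  {v.name}")
```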
