Appalachia Technologies Blog
After a Penetration Test - The Road to Remediation (appTECH TALK Ep. 3)
Your company has been proactive in having a penetration test performed and you have the report in hand - so now what do we do with it?
First, let’s talk about vulnerabilities. What is a vulnerability? A vulnerability is a weakness or flaw in an IT resource that could potentially allow an attacker to gain unauthorized access. It’s as simple as that. When researching vulnerabilities, you will come across two acronyms: CVE and CVSS. Let’s start with CVE. CVE stands for Common Vulnerabilities & Exposures. Think of a CVE as a reference number for a vulnerability. Documented vulnerabilities typically find themselves in the NVD (National Vulnerability Database). This is a database of all “known” vulnerabilities. With each vulnerability in the database, you will find a CVE which is used as a reference for that vulnerability. This makes it easier to do research on a given vulnerability to ensure that you are looking at the correct one. Alongside of the CVE, you will typically see a CVSS score. CVSS stands for Common Vulnerability Scoring System. This gives each vulnerability a score that assigns a severity level. For example, 1 to 3.9 would be considered a Low severity. 4 to 6.9 would be considered a Medium severity. 7 to 8.9 is High, which leads to the scoring from 9 to 10 being Critical. Of course, the higher the rating, the more severe the vulnerability. To put it into perspective, a Low vulnerability might allow an attacker to gain intelligence of a company’s digital assets. It may allow for recon of a network that allows an attacker to gain more information such as versions of software or internal IP addresses. However, the vulnerability would not allow for a malicious takeover from that particular CVE. A Critical vulnerability could possibly give an attacker the ability to do a complete takeover of the system affected, allowing for a significantly impactful and disruptive outcome.
How to Prioritize?
Now that we understand CVSS scores, you would think it would be easy to prioritize and fix vulnerabilities, right? Not always. Although CVSS scores are great for determining the level of risk for a vulnerability, it isn’t always a 1-to-1 for which vulnerabilities to fix first. For example, of course we want to look at critical vulnerabilities first, but what if there is a critical vulnerability on a system on the inside of a corporate network vs the outside? You may find yourself wanting to fix the “medium” vulnerabilities that are public-facing, being accessed by millions before you fix the critical vulnerability internally. This is where it becomes important to understand the organization’s biggest business risk. If you understand the business and what risks are associated with it, it will help in deciding how to prioritize vulnerability remediation.
So is it Remediation or Mitigation?
You will see both terms thrown around when talking about vulnerabilities. Aren’t remediation and mitigation the same thing? Absolutely not. Remediation is a complete resolution of the vulnerability that existed. Mitigation is often a “workaround” in order to reduce the risk of a vulnerability because complete remediation cannot be achieved. For example, if there is a vulnerability within an organization that does not have an existing patch, mitigation might involve reducing access to only those who need it. This reduces the attack surface for the vulnerability but does not achieve overall remediation. Many times, companies will mitigate until they can fully remediate. However, organizations need to make sure they don’t find themselves in constant mitigation because it is easier and less expensive than full remediation.
What about Compliance?
Each compliance framework is different; however, most require vulnerabilities that rate from High to Critical must be fixed before achieving compliance. For example, PCI compliance requires that any vulnerability above Medium must be remediated for full compliance. By mitigating High and Critical vulnerabilities, risk is reduced which allows for safer storage and flow of data.
There is no blueprint for choosing which vulnerabilities to fix first. Understanding the business risk as well as risk of the technical vulnerability will allow for a full measurement of threat that the vulnerability brings to the table.
Mike Miller is a cybersecurity professional with 25 years of experience through the IT industry. He has focused on security, specializing in the areas of Virtual Chief Information Security Officer services, Governance, Risk, and Compliance, PCI, SOC, Intrusion Detection, Penetration Testing, and Incident Response. In 2011, Mike founded Cyber Protection Group, which was acquired by Appalachia in 2022. Mike is passionate about mentoring and assisting aspiring cybersecurity professionals and can be found regularly sharing insight on his LinkedIn profile. When he isn’t fighting cyber crime, Mike loves spending time with his wife and kids, often boating in the Ozarks.